How do the latest best practices on IT Governance, CoBit and Business Service Management impact your Business Continuity Methodology?

Transcription

1 How do the latest best practices on IT Governance, CoBit and Business Service impact your Business Continuity Methodology? Lillibett Machado 06/14/2005 1

2 Enterprise & IT Governance 2

3 Enterprise Governance... Enterprise governance is the set of responsibilities and practices exercise by the board and executive management with the goal of: providing strategic directions ensuring that objectives are achieved ascertaining that risk are managed appropriately verifying that the enterprises resources are used responsibly Source: 3

4 Enterprise Governance... Enterprise governance is the system by which companies are directed and controlled and which drives and sets IT Governance. Source: 4

5 IT Governance... IT governance is the responsibility of the Board of Directors and executive management. IT is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives. Source: 5

6 Source: 6

7 CoBit Framework Model CoBit Reference Models Business Requirements Quality Requirement : Quality, Cost & Delivery IT Processes IT Resources Fiduciary Requirements (COSO): Effectiveness sand Efficiency of operations, Reliability of Information, Compliance with laws and regulations Security Requirements: Confidentiality, Integrity, and Availability Source: 7

8 CoBit Control Objectives - Summary Table effectiveness efficiency confidentiality integrity availability Control Objectives - Summary Table Domain: Planning & Organization PO1 Define a Strategic Plan P S PO2 Define the Information Architecture P S S S PO3 Determine Technology Direction P S PO4 Define IT Organization and relationships P S PO5 Managing the IT Investment P P S PO6 Communicating aims and direction P S PO7 Managing Human Resources P P PO8 Ensure Compliance with external requirements P P S PO9 Assess risks P S P P P S S PO10 Manage Projects P P PO11 Manage Quality P P P S Domain: Acquisition & Implementation AI1 Identify Automated solution P S AI2 Acquire and maintain Application Software P P S S S AI3 Acquire and maintain Technology Infrastructure P P S AI4 Develop and maintain Procedures P P S S S AI5 Install and Accredit Systems P S S AI6 Manage Changes P P P P S Domain: Delivery and Support DS1 Define and Manage Service Levels P P S S S S S DS2 Manage Third Party Services P P S S S S S DS3 Manage Performance and Capacity P P S DS4 Ensure Continuous Services P S P DS5 Ensure System Security P P S S S DS6 Identifying and allocating cost P P DS7 Educating and Training users P S DS8 Assisting and Advising Customers P P DS9 Managing the configuration P S S DS10 Manage Problems and Incidents P P S DS11 Managing Data P P DS12 Managing Facilities P P DS13 Manage Operations P P S S compliance reliability people applications technology facilities data Domain: Monitoring M1 Monitoring the process P P S S S S S M2 Assess internal control adequacy P P S S S P S M3 Obtain independant assurance P P S S S P S M4 Provide for independant audit P P S S S P S Source: CoBit Governance, Control and Audit for Information and Related Technology - Audit Guidelines IT Governance Institute 8

9 Business Continuity 9

10 DS4 Ensure Continuous Service Control Objectives IT Continuity Framework - defines the roles and responsibilities, the risk approach to be adapted, the rules to document and approve the continuity plan IT Continuity Plan Strategy and Philosophy should ensure that the IT continuity plan is in line with the overall business continuity plan to ensure consistency IT Continuity Plan Contents IT management should ensure that a written plan is developed Minimizing IT Continuity Requirements IT management should establish procedures and guidelines for minimizing the continuity requirements with regard to IT resources Testing the IT Continuity Plan To have an effective continuity plan, management needs to assess its adequacy on a regular basis or upon major changes to the business or IT infrastructure IT Continuity Plan Training Assure that all concerned parties receive regular training sessions regarding procedures to follow in case of an incident or disaster 10

11 Continuity Controls (cont d...) IT Continuity Plan Distribution Given the sensitive nature of information in continuity plan, sections of the plan need to be distributed on a need-to-know basis. User Department Alternative Processing Back-up Procedures The continuity methodology should ensure that departments establish alternative processing procedures until IT function is restored. Critical IT Resources Critical data and operations should be identified, documented, prioritized, and approved by the business process owners, incorporation with IT management. Back-up Site and Hardware The continuity methodology must incorporate alternatives regarding back-up site and hardware. Off-site Back-up Storage Off-site storage of critical back-up media, documentation and other IT resources should be established to support recovery and business continuity plans. The off-site storage facility should be environmentally appropriate resources stored and provide a level of security for unauthorized access, theft or damage. Off-site arrangement should also be assessed at least annually for contents, environmental protection, and security. Wrap-up Procedures IT management should establish procedures or assessing the adequacy of the plan and update the plan accordingly. 11

12 ITIL Information Technology Infrastructure Library 12

13 ITIL Facts Developed in 1980 s and has become the world-wide defacto standard on Business Service (BSM). Started as a guide for the UK government, the framework has proven to be useful to organizations in all sectors through its adoption by many Service companies. Documents industry best practice guidance. As a framework it describes the Service model showing the goals, general activities, inputs and outputs of the various processes, which can be incorporated with IT organization. It focuses on providing high quality services with a particular focus on Customer relationships. 13

14 Service Support Problem Incident Change ICT Infrastructure Release Configuration Information Source: 2004 DIYmonde Solutions Inc STAY Technologies. 14

15 Service Design & Delivery Service Level Capacity Availability Service Design & Development IT Continuity Financial Information Security Source: 2004 DIYmonde Solutions Inc STAY Technologies. 15

16 IT Service Continuity ITSCM The scope of ITSCM in an organization is determined by the organization s structure, culture and strategic direction both business and technology ITSCM focuses on critical IT Services required to support the critical business processes. The impact of a business process, such as financial loss, damage to reputation, regulatory breach and others are measured through a BUSINESS IMPACT ANALYSIS (BIA) which determines the minimum critical requirements ITSCM must be an integral part of the overall business process specially if the business is highly IT dependant 16

17 IT Service Continuity Potential lower insurance policies Capability of meeting regulatory requirements Increase of IT Business Relationship Positive marketing.. enabler for the organization to provide our Clients higher service levels Organizational Credibility to retain customer confidence Competitive Advantage 17

18 IT Service Continuity Requirements and Strategy Business Impact Analysis Risk Assessment Business Continuity Strategy Implementation Stand By Arrangements Develop Recovery Plans Implement Risk Reduction Measures Develop Procedures Perform Testing Operational Education and Awareness Review and Audit Testing Change Training Assurance 18

19 19

20 References

21 Questions Contact Information: Lillibett Machado, MBA, CISM, CBCP Telephone:

22 Thank You... 22