SB13: Leveraging IT Best Practice Toolkits for Business Continuity Planning. Derek Lonsdale and Glen Willis, PA Consulting Group

Transcription

1 SB13: Leveraging IT Best Practice Toolkits for Business Continuity Planning Derek Lonsdale and Glen Willis, PA Consulting Group

2 Agenda Overview of the common IT best practice toolkits ITIL COBIT ISO Specific guidance in the area of Business Continuity Management from each toolkit Critical Success Factors Synergies and Integration concepts will be discussed throughout.

3 ITIL Overview The Information Technology Infrastructure Library (ITIL) An integrated, process based, best practice framework ITIL provides global standard framework for IT infrastructure management that is dependent on IT Service Management processes Accepted in the early 1990 s as the world de facto standard framework for Service Management Concentrates on delivering a Service Quality and Customer Orientated approach Industry forums now drive updates to ITIL ITIL v3 released in the summer of 2007

4 ITIL in context Management Customer Business Relationship Mgmt. Service Level Mgmt Corporate policy & strategy Strategic decision making Human Resource Management Service Delivery Financial Mgmt Capacity Mgmt Availability Mgmt Service Support Infrastructure / Architecture Continuity Mgmt Quality Mgmt / Program Mgmt Development Service Design Service Build & Test Supplier Service Desk User Incident Mgmt Problem Mgmt Change Mgmt Release Mgmt Supplier Management Configuration Management Performance Management

5 COBIT Overview Control Objectives for Information and related Technology (COBIT) A control and management framework for IT Four high level domains Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate Consists of 34 high level control objectives and 215 detailed control objectives for IT Applicable to all activities within an IT organization Owned and supported by the IT Governance Institute

6 The COBIT Structure 34 high level control objectives 215 detailed control objectives

7 All ITIL Processes align with one or more COBIT control objectives Plan and Organize PO5 Manage the IT Investment aligns with >>>> PO9 Assess and Manage IT Risks Acquire and Implement AI6 Manage Changes AI7 Install and Accredit Solutions and Changes Deliver and Support DS1 Define and Manage Service Levels DS3 Manage Performance and Capacity DS4 Ensure Continuous Services aligns with >>>> aligns with >>>> aligns with >>>> aligns with >>>> aligns with >>>> aligns with >>>> DS6 Identify and Allocate Costs aligns with >>>> IT Financial Management DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration DS10 Manage Problems Monitor and Evaluate ME1Monitor and Evaluate IT Performance aligns with >>>> aligns with >>>> aligns with >>>> aligns with >>>> aligns with >>>> IT Financial Management ITIL Process IT Service Continuity Management Change Management Release Management Service Level Management Capacity Management ITIL Process ITIL Process Availability Mgt & IT Service Continuity Mgt Release Management Incident Management and Service Desk Configuration Management Problem Management All ITIL processes ITIL Process

8 12 of the 34 Control Objectives are Highly Aligned with ITIL Plan and Organize PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Process, Organization and Direction PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects Acquire and Implement AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Infrastructure AI4 Enable Operation and Use AI5 Procure IT Resources AI6 Manage Changes AI7 Install and Accredit Solutions and Changes Deliver and Support DS1 Define and Manage Service Levels DS2 Manage Third-party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Services DS5 Ensure System Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration DS10 Manage Problems DS11 Manage Data DS12 Manage the Physical Environment DS13 Manage Operations Monitor and Evaluate ME1Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Regulatory Compliance ME4 Provide IT Governance

9 What is ISO 20000? - The standard merges Capacity Management Service Continuity and Availability Management Release Processes QMS ideas and ITIL best practices Release Management Management system Planning and implementing service management Planning and implementing new and changed services Service Delivery Processes Service Level Management Service Reporting Control Processes Configuration Management Change Management Resolution Processes Incident Management Problem Management Information Security Management Budgeting and Accounting for IT services Relationship Processes Business Relationship Management Supplier Management

10 ITIL IT Service Continuity Management The primary goal of the IT Service Continuity Management process is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales. Office of Government Commerce (2000)

11 ITIL Why Service Continuity Management? Manages the organization s ability to continue to provide a pre-determined and agreed level of IT services following an interruption to the business Ensures business survival by reducing the impact of a disaster or major failure Reduces the vulnerability and risk to the business by effective risk analysis and risk management Helps to prevent the loss of Customer or User confidence during a major incident Produce an IT Recovery plan that is integrated with and fully supports the organisations overall Business Continuity Plan

12 Process Description ITIL Stage 1 Initiation Initiate BCM Stage 2 Requirements & Strategy Business Impact Analysis Risk Assessment Business Continuity Strategy Stage 3 Implementation Organization & Implementation Planning Implement Standby Arrangements Develop Recovery Plans Implement Risk Reduction Measures Develop Procedures Initial Testing Stage 4 Operational Management Education & Awareness Review & Audit Testing Change Management Training Assurance

13 ITIL Business Impact Analysis An ITIL BIA identifies Critical business processes Potential damage or loss resulting from loss of service The form that the damage or loss may take e.g. lost income, additional costs, damaged reputation How the level of damage will escalate after a service disruption The staffing, skills, facilities and service levels needed to enable critical business operations to continue The time for minimum levels of staff and services to be recovered The time for all required business processes, staff and services to be fully recovered

14 ITIL Business Continuity Strategy Options Do Nothing Manual Working Reciprocal Arrangement Gradual Recovery ( Cold Standby ) Intermediate Recovery ( Warm Standby ) Immediate Recovery ( Hot Standby ) Rarely used as few businesses can function effectively without any IT services Can be effective as an interim measure until the IT service is resumed Organizations agree to back each other up in an emergency, rarely used now except for off-site storage because of practical difficulties e.g. limited excess IT capacity Usually consists of an empty computer room where an organization can install it s own equipment. May be used where a business can wait for a period of 72 hours or more without IT services. Can be internal or external, fixed or portable. Typically consists of a computer room, containing recovery IT equipment that would need to be configured to support the business within a hour period. Can be internal or external, fixed or portable and would normally be focused on critical systems and services. Would involve the use of an alternative site with continuous mirroring of live equipment and data. Can be internal or external and is the most expensive option. Would only be used for critical business services where loss of service would cause an immediate business impact.

15 ITIL Testing an IT Service Continuity Plan When? As a section is completed When the whole plan is completed At times of change e.g. staff, 3 rd party providers, infrastructure On a regular basis e.g. at least once a year How? Announced and unannounced Full and partial Why? To ensure that it works! Time and cost Staff and 3 rd party preparedness Completeness and clarity

16 ITIL Key Considerations Invocation Who can invoke the plan? e.g. 2 out of 3 Board Members When can it be invoked? e.g. Pre-agreed scenarios, automatically invoke if certain conditions are met What can it be invoked? e.g. Pre-agreed scenarios, automatically invoke if certain conditions are met Return to normal Once the disaster has struck the plan is invoked but then it s time to think about how we go home If using 3rd parties data needs to be removed or deleted securely from all systems Has the technology changed or been updated during invocation Not as simple as running a plan in reverse

17 ITIL Roles and Responsibilities Roles in Normal Operation Roles in Crisis Situation BOARD LEVEL Initiate BCM, Define Policy Allocate Responsibilities, Direct & Authorize Crisis Management, Corporate Decisions, External Affairs SENIOR MANAGEMENT Integrate ITSCM with BCM, Communicate & Maintain awareness Co-ordination & Arbitration, Resource authorization JUNIOR MANAGEMENT Undertake Risk Analysis, Define deliverables, Manage testing & Assurance Leading Teams, Site Management, Liaison & Reporting SUPERVISORS & STAFF Develop procedures, Perform testing, Develop & Operate processes & procedures Implement the plan, Team Membership, liaison

18 COBIT: Ensure Continuous Service (DS4) Process Requirement Focus Achieved by Measured by Ensure continuous service Ensuring minimum business impact in the event of an IT service interruption Building resilience into automated solutions and developing, maintaining and testing IT continuity plans Developing, maintaining and improving IT contingency Number of hours lost per user per month due to unplanned outages Number of business critical

19 COBIT Detailed Control Objectives ID DS 4.1 DS 4.2 DS 4.3 DS 4.4 DS 4.5 DS 4.6 DS 4.7 DS 4.8 DS 4.9 DS 4.10 Control Objective IT Continuity Framework: Based upon the BCP, identify resiliency requirements and develop framework to satisfy those requirements. IT Continuity Plans: Based upon the requirements, develop plans ensure the necessary resiliency through methods such as real-time replication, alternative processing, etc. Critical IT Resources: Develop prioritization of what infrastructure should be recovered most quickly and which recovery plans should be reviewed and validated most frequently. Maintenance of the IT Continuity Plan: Develop and implement a change control plan for the Continuity plans so that changes to Business Continuity Plans are reflected in updates to the IT Continuity Plans. Testing of the IT Continuity Plan: Test organization s ability to execute the test plans on a periodic basis to ensure the validity, identify and remediate shortcoming and accomplish continuing education with IT staff. IT Continuity Plan Training: Accomplish frequent training with all staff to ensure familiarity with processes, roles and responsibilities, etc. Distribution of the IT Continuity Plan: Define and implement a repeatable plan to ensure that appropriate parties maintain current versions of the relevant continuity plans. IT Services Recovery and Resumption: Plan the actions that should place while IT is working on recovering critical systems (manual workarounds, customer communications, etc.) Offsite Backup Storage: Ensure data storage backup and restorability procedures reflect the requirements of the continuity plans. Post-resumption Review: Define a plan to review performance after the real-world execution of a continuity plan to ensure lessons learned are captured and actioned.

20 COBIT Key Performance Indicators Elapsed time between IT continuity plan tests Number of continuity training hours per employee % of critical infrastructure components with automated availability monitoring % of availability SLA s met # of critical business processes not covered by the IT continuity plan* % of tests that achieve recovery objectives Frequency of service interruption of critical systems # of hours lost per user per month due to unplanned outages

21 ISO20000 The objective of ISO20000 is to provide a foundation for effective quality IT Service Management via repeatable, documented processes which are essential to improving IT Service Delivery.

22 ISO20000 What is ISO 20000? - The standard is structured in two parts ISO is an International Standard on Best practices for ensuring quality of IT service management processes. It is based on the tradition of ITIL and BS and structured in two parts: Part 1 specifies IT service management according to ISO Part 2 gives further explanations, examples and best practices Part 1- specification Part 2- code of practice ISO/IEC /2:2005: The International Service Management Standard Colette Elcacho / PA Consulting Group October 2006

23 ISO20000 What is ISO 20000? - The quality model enables achieving the objective Chapter 4 Plan-Do-Check-Act methodology for service management processes Repeatable, documented processes are essential to improving IT service delivery and management. The ISO framework provides an effective foundation for quality IT service management. objective

24 ISO20000 ISO20000 Service Continuity and Availability Objective: To ensure that agreed service continuity and availability commitments to customers can be met in all circumstances Service continuity management defines: Maximum acceptable periods of lost service Maximum acceptable periods of degraded service Document, data and software backups for service restoration Staff and instruction of staff necessary for service restoration Backups of service continuity documents at secure remote locations

25 Critical Success Factors for any IT Toolkit Implementation Business Engagement An IT Continuity Plan that exists in the absence of a BCP has little if any worth IT Executive Support Many executive views any spend on DR and continuity initiatives to be sunk cost Budget Support The continued relevance of an IT Continuity Plan requires year-over-year budget support Resource Support IT Staff will need to be periodically engaged in planning and testing initiatives, SME s are especially critical to have involved Categorization and Prioritization Most DR and Continuity Initiatives failures are caused by an inability to convince lines of business that all business processes are not the highest priority or by an inability to identify which infrastructure components support the critical business processes Customer Focus

26 Thank You Derek Lonsdale PA Consulting Group One Memorial Drive Cambridge Massachusetts Direct Dial: Mobile: Glen Willis PA Consulting Group 4601 N Fairfax Drive Suite 600 Arlington, Va Direct dial: Mobile: