Leveraging the IT Service Continuity Management framework
Gord Novoselnik
Business Continuity Office, Enterprise Solutions Division
MTS Allstream Inc. proprietary. Use pursuant to company instructions.

IT Service Continuity Management
Goal of ITSCM
- Support the overall Business Continuity Management (BCM) process by ensuring that the required IT technical and services facilities can be recovered within required, and agreed, business timescales.
Scope of ITSCM
- ITSCM focuses on the IT Services required to support the critical business processes.
- The impact of a loss of a business process is measured through a Business Impact Analysis, which determines the minimum critical requirements.

Key Considerations
- ITSCM is a sub-set of the Business Continuity Management program, and it utilizes the Business Continuity Management framework
- Minimum business requirements must be well-defined before scope of ITSCM can be defined
- BCM should already exist to enable ITSCM to efficiently meet the needs of the business
- ITSCM uses the data generated by the BCM program
- IT is a key stakeholder of the Corporate BCM program

ITIL BCM Framework*
*Mitigation and prevention only.
Where is Crisis Management?

Points of Leverage
- DRI / BCI: Business Continuity Management (business focus but also serves IT)
- OGC - ITIL: IT Service Continuity Management (IT focus but also serves the business)
- Business Impact Analysis
- Risk Assessments
- Exercising
- Crisis Management

Our Business Continuity Office Accountability Statement
Provide knowledge, guidance and planning methodologies needed to ensure that MTS Allstream remains an industry leader in the performance, reliability and recoverability of its business and services delivery, under any operating condition.
Considering a holistic management process (Business Continuity Management - BCM) that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities

Business Continuity Objective
- Business Continuity Program objective is to ensure the Corporation is prepared to deal with infrastructure failures and process disruptions which impact how MTS Allstream does business and delivers services every day
Key elements that should be preserved
- Health and Safety of our workforce
- Infrastructure Integrity
- Customer Service
- Revenue

Adapted DRI BCM Planning Framework
Business Continuity Planning Process (cycle diagram)
- Business Impact Analysis: What processes are important to my department?
- Risk Assessment: What risks can affect these critical processes?
- Strategy Development: What can we do to protect these processes?
- Plan Development: Document the recovery strategies and other important information
- Exercising: Put the plan to the test!
- Plan Updates: Learn from exercise and update the plan
Business areas: Finance/Corporate, Customer Services, Product / Service Delivery, Sales & Marketing
Delivery Infrastructure: Employees & Work Centers, Applications, Data, Network, Platforms

Business Impact Analysis
- Issued Corporate BIA questionnaire
  - Process-centric view with 250 unique processes, division-wide
  - Centralized, web-based interface, centralized database
- BIA data will be used to:
  - Perform gap analysis on existing Business Continuity Plans
  - Define priorities for Corporate Security policies nationally
  - Assess business impacts during disaster situations
- Identify and assess dependencies on key resources
  - People: key staff members, incl. IT staff members
  - Process: inter- and intra-departmental dependencies, vendors
  - Technology: infrastructure, applications and systems

BIA Data for IT - Closer Look
- BCO worked closely with IT to define requirements for BIA data collection for 75 strategic IT systems and applications
- Recovery Time Objectives with standard time intervals
  - 0-2 hrs, 2 hrs-1 day, 2-4 days, 5 days or more
  - Is the business unit able to adopt workarounds in the absence of IT systems?
- Recovery Point Objectives with standard time intervals
  - <4 hrs, <24 hrs, <3 days, <7 days, >7 days
  - Is the business able to reconstruct data on affected IT systems when system is restored?

RPO and RTO

More BIA data - for IT
- BIA also collects broader IT application dependency data from all business processes.
  - Over 250 IT applications and systems across the company
  - Adobe Acrobat, VPN Client Software
- Allows IT to interlace a process layer into a CMDB (if desired)
  - Process - Service - IT Component mapping
- Provides process-centric Desktop/Workstation requirements and enables improved IT recovery strategies for desktop infrastructure
  - Improved focus on most critical processes first
  - Extensive list of IT requirements for each process.

Risk Assessment
- Risk Assessments conducted by department leaders across the entire company annually
  - 89 Departments across Enterprise Solutions Division (ESD)
- Numerous IT-related Risks considered:
  - Loss of Email, loss of LAN/WAN, loss of other key internal systems
- Rating system used for each Risk
  - Rate Probability of failure (based on past experience)
  - Rate Business Impacts on department
  - Identify and Rate effectiveness of controls and countermeasures
  - Overall Risk Weighting established
- Departments document their Risk assumptions

Risk Assessment data - for IT
- Departmental data gathered on Controls and countermeasures
  - IT able to assess and validate the controls identified
  - Review recommendation of future controls
  - Consider additional controls to reduce uncertainty
- Allows IT to focus on largest Risks
  - Prioritized Risk Register (Highest Risk Weighting to Lowest Risk Weighting)
- Allows IT to validate assumptions made by the business
  - Quality of Service, effectiveness of controls

Exercising (Testing)
- All departments exercise their own plans
  - Scenario and objectives
  - Site Loss, Key IT system loss
  - Document findings and incorporate lessons learned into business continuity plans
  - Gaps communicated to IT
- Forms of Departmental Exercises
  - Table top exercise
  - Integrated table top exercise
    - Departments encouraged to bring IT to the table
  - Simulation
- IT conducting DR test with Sungard for key IT systems

Exercising (Testing)
Additional Corporate Exercises
- Lifeboat 1 in '07
  - 200 Wellington St W site loss simulation
  - Key staff redirected to Sungard recovery site
  - Recovery of desktop infrastructure
- Pandemic Exercise in '07
  - Test capability of each business unit (including IT) on business resumption capabilities with 40-50% staff reductions
- Currently planning for Lifeboat 2
  - Another 200 Wellington St W site loss simulation
  - Sungard NOT available
  - IT coordinating alternate location across GTA

ITSCM Crisis Management Structure
- Multi-tiered support structure during crisis
- Primary Coordination layer with Senior mgt
- Operational level task execution

Our Crisis Management Accountability Statement
Provide a framework for the collection and assessment of information during a crisis in support of the organization's efforts in response to logistical coordination needed to:
- Ensure employee health and safety
- Protect assets, including infrastructure
- Preserve service to our customers
- Minimize financial impacts

Diagram labels: Department/Business Unit, Operational Management, ECT (Senior Management), ESD BCO, Executive

Crisis Management
Corporate Emergency Coordination Team
- Internal IT is a key member of the Crisis Management Team
  - Representing their own interests (IT business processes)
  - Representing all IT interests across the organization
- Internal IT is a key stakeholder for Crisis Management:
  - During event assessment
    - Assessing IT availability and resiliency
  - During plan execution
    - Achieving required service standards of the business (RPO, RTO, IT resource availability)
    - Business may have changing needs on IT infrastructure during crisis
    - Availability of IT staff to support special needs of the business

Summary
- ITSCM should be viewed as integral to Corporate BCM
- Internal IT is a key consumer of data generated by Corporate BCM
- Internal IT can mitigate business risk through effective implementation of technology
- Increased involvement of internal IT during planning improves resumption capabilities

Questions?

Full BCM Framework
ITIL BCM Framework