SB13: Leveraging IT Best Practice Toolkits for Business Continuity Planning. Derek Lonsdale and Glen Willis, PA Consulting Group

Agenda
- Overview of the common IT best practice toolkits: ITIL, COBIT, ISO 20000
- Specific guidance in the area of Business Continuity Management from each toolkit
- Critical Success Factors
Synergies and integration concepts will be discussed throughout.

ITIL Overview
The Information Technology Infrastructure Library (ITIL)
- An integrated, process-based, best practice framework
- ITIL provides a global standard framework for IT infrastructure management that depends on IT Service Management processes
- Accepted in the early 1990s as the world's de facto standard framework for Service Management
- Concentrates on delivering a Service Quality and Customer Orientated approach
- Industry forums now drive updates to ITIL
- ITIL v3 released in the summer of 2007

ITIL in context (diagram)
- Business layer: Customer, Corporate policy & strategy, Strategic decision making, Human Resource Management, Quality Mgmt / Program Mgmt, Business Relationship Mgmt
- Service Delivery: Service Level Mgmt, Financial Mgmt, Capacity Mgmt, Availability Mgmt, Continuity Mgmt
- Service Support: Service Desk, Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt, Configuration Management
- Infrastructure / Architecture: Development, Service Design, Service Build & Test, Performance Management
- Supplier: Supplier Management
- User

COBIT Overview
Control Objectives for Information and related Technology (COBIT)
- A control and management framework for IT
- Four high level domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
- Consists of 34 high level control objectives and 215 detailed control objectives for IT
- Applicable to all activities within an IT organization
- Owned and supported by the IT Governance Institute

The COBIT Structure (diagram): 34 high level control objectives, 215 detailed control objectives

All ITIL Processes align with one or more COBIT control objectives
Plan and Organize
- PO5 Manage the IT Investment aligns with IT Financial Management
- PO9 Assess and Manage IT Risks aligns with IT Service Continuity Management
Acquire and Implement
- AI6 Manage Changes aligns with Change Management
- AI7 Install and Accredit Solutions and Changes aligns with Release Management
Deliver and Support
- DS1 Define and Manage Service Levels aligns with Service Level Management
- DS3 Manage Performance and Capacity aligns with Capacity Management
- DS4 Ensure Continuous Services aligns with Availability Mgt & IT Service Continuity Mgt
- DS6 Identify and Allocate Costs aligns with IT Financial Management
- DS7 Educate and Train Users aligns with Release Management
- DS8 Manage Service Desk and Incidents aligns with Incident Management and Service Desk
- DS9 Manage the Configuration aligns with Configuration Management
- DS10 Manage Problems aligns with Problem Management
Monitor and Evaluate
- ME1 Monitor and Evaluate IT Performance aligns with all ITIL processes

12 of the 34 Control Objectives are Highly Aligned with ITIL
Plan and Organize
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Process, Organization and Direction
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess and Manage IT Risks
- PO10 Manage Projects
Acquire and Implement
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes
Deliver and Support
- DS1 Define and Manage Service Levels
- DS2 Manage Third-party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Services
- DS5 Ensure System Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations
Monitor and Evaluate
- ME1 Monitor and Evaluate IT Performance
- ME2 Monitor and Evaluate Internal Control
- ME3 Ensure Regulatory Compliance
- ME4 Provide IT Governance

What is ISO 20000? - The standard merges QMS ideas and ITIL best practices
- Management system
- Planning and implementing service management
- Planning and implementing new and changed services
- Service Delivery Processes: Capacity Management; Service Continuity and Availability Management; Service Level Management; Service Reporting; Information Security Management; Budgeting and Accounting for IT services
- Control Processes: Configuration Management; Change Management
- Release Processes: Release Management
- Resolution Processes: Incident Management; Problem Management
- Relationship Processes: Business Relationship Management; Supplier Management

ITIL IT Service Continuity Management
"The primary goal of the IT Service Continuity Management process is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales." Office of Government Commerce (2000)

ITIL Why Service Continuity Management?
- Manages the organization's ability to continue to provide a pre-determined and agreed level of IT services following an interruption to the business
- Ensures business survival by reducing the impact of a disaster or major failure
- Reduces the vulnerability and risk to the business through effective risk analysis and risk management
- Helps to prevent the loss of Customer or User confidence during a major incident
- Produces an IT Recovery Plan that is integrated with and fully supports the organisation's overall Business Continuity Plan

Process Description ITIL
- Stage 1 Initiation: Initiate BCM
- Stage 2 Requirements & Strategy: Business Impact Analysis; Risk Assessment; Business Continuity Strategy
- Stage 3 Implementation: Organization & Implementation Planning; Implement Standby Arrangements; Develop Recovery Plans; Implement Risk Reduction Measures; Develop Procedures; Initial Testing
- Stage 4 Operational Management: Education & Awareness; Review & Audit; Testing; Change Management; Training; Assurance

ITIL Business Impact Analysis
An ITIL BIA identifies:
- Critical business processes
- Potential damage or loss resulting from loss of service
- The form that the damage or loss may take, e.g. lost income, additional costs, damaged reputation
- How the level of damage will escalate after a service disruption
- The staffing, skills, facilities and service levels needed to enable critical business operations to continue
- The time for minimum levels of staff and services to be recovered
- The time for all required business processes, staff and services to be fully recovered

ITIL Business Continuity Strategy Options
- Do Nothing: Rarely used, as few businesses can function effectively without any IT services.
- Manual Working: Can be effective as an interim measure until the IT service is resumed.
- Reciprocal Arrangement: Organizations agree to back each other up in an emergency. Rarely used now except for off-site storage because of practical difficulties, e.g. limited excess IT capacity.
- Gradual Recovery (Cold Standby): Usually consists of an empty computer room where an organization can install its own equipment. May be used where a business can wait for a period of 72 hours or more without IT services. Can be internal or external, fixed or portable.
- Intermediate Recovery (Warm Standby): Typically consists of a computer room containing recovery IT equipment that would need to be configured to support the business within a 24 to 72 hour period. Can be internal or external, fixed or portable, and would normally be focused on critical systems and services.
- Immediate Recovery (Hot Standby): Would involve the use of an alternative site with continuous mirroring of live equipment and data. Can be internal or external and is the most expensive option. Would only be used for critical business services where loss of service would cause an immediate business impact.

ITIL Testing an IT Service Continuity Plan
When?
- As a section is completed
- When the whole plan is completed
- At times of change, e.g. staff, 3rd party providers, infrastructure
- On a regular basis, e.g. at least once a year
How?
- Announced and unannounced
- Full and partial
Why?
- To ensure that it works!
- Time and cost
- Staff and 3rd party preparedness
- Completeness and clarity

ITIL Key Considerations
Invocation
- Who can invoke the plan? e.g. 2 out of 3 Board Members
- When can it be invoked? e.g. pre-agreed scenarios; automatically invoke if certain conditions are met
- What can it be invoked for? e.g. pre-agreed scenarios; automatically invoke if certain conditions are met
Return to normal
- Once the disaster has struck the plan is invoked, but then it's time to think about how we go home
- If using 3rd parties, data needs to be removed or deleted securely from all systems
- Has the technology changed or been updated during invocation?
- Not as simple as running a plan in reverse

ITIL Roles and Responsibilities
- BOARD LEVEL. Roles in normal operation: Initiate BCM, Define Policy, Allocate Responsibilities, Direct & Authorize. Roles in crisis situation: Crisis Management, Corporate Decisions, External Affairs.
- SENIOR MANAGEMENT. Roles in normal operation: Integrate ITSCM with BCM, Communicate & Maintain awareness. Roles in crisis situation: Co-ordination & Arbitration, Resource authorization.
- JUNIOR MANAGEMENT. Roles in normal operation: Undertake Risk Analysis, Define deliverables, Manage testing & Assurance. Roles in crisis situation: Leading Teams, Site Management, Liaison & Reporting.
- SUPERVISORS & STAFF. Roles in normal operation: Develop procedures, Perform testing, Develop & Operate processes & procedures. Roles in crisis situation: Implement the plan, Team Membership, Liaison.

COBIT: Ensure Continuous Service (DS4)
- Process: Ensure continuous service
- Requirement Focus: Ensuring minimum business impact in the event of an IT service interruption
- Achieved by: Building resilience into automated solutions and developing, maintaining and testing IT continuity plans; Developing, maintaining and improving IT contingency
- Measured by: Number of hours lost per user per month due to unplanned outages; Number of business critical

COBIT Detailed Control Objectives
- DS 4.1 IT Continuity Framework: Based upon the BCP, identify resiliency requirements and develop a framework to satisfy those requirements.
- DS 4.2 IT Continuity Plans: Based upon the requirements, develop plans that ensure the necessary resiliency through methods such as real-time replication, alternative processing, etc.
- DS 4.3 Critical IT Resources: Develop a prioritization of which infrastructure should be recovered most quickly and which recovery plans should be reviewed and validated most frequently.
- DS 4.4 Maintenance of the IT Continuity Plan: Develop and implement a change control plan for the continuity plans so that changes to Business Continuity Plans are reflected in updates to the IT Continuity Plans.
- DS 4.5 Testing of the IT Continuity Plan: Test the organization's ability to execute the plans on a periodic basis to ensure their validity, identify and remediate shortcomings, and accomplish continuing education of IT staff.
- DS 4.6 IT Continuity Plan Training: Accomplish frequent training with all staff to ensure familiarity with processes, roles and responsibilities, etc.
- DS 4.7 Distribution of the IT Continuity Plan: Define and implement a repeatable plan to ensure that appropriate parties maintain current versions of the relevant continuity plans.
- DS 4.8 IT Services Recovery and Resumption: Plan the actions that should take place while IT is working on recovering critical systems (manual workarounds, customer communications, etc.).
- DS 4.9 Offsite Backup Storage: Ensure data storage backup and restorability procedures reflect the requirements of the continuity plans.
- DS 4.10 Post-resumption Review: Define a plan to review performance after the real-world execution of a continuity plan to ensure lessons learned are captured and actioned.

COBIT Key Performance Indicators
- Elapsed time between IT continuity plan tests
- Number of continuity training hours per employee
- % of critical infrastructure components with automated availability monitoring
- % of availability SLAs met
- # of critical business processes not covered by the IT continuity plan*
- % of tests that achieve recovery objectives
- Frequency of service interruption of critical systems
- # of hours lost per user per month due to unplanned outages
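The KPIs above are only useful if they are computed the same way each reporting period, so the following added example (not from the slides or from PA Consulting) shows one way to derive five of them from incident and test records. All data is constructed: the user population, outage records, continuity test results and the component inventory are invented sample values, and the interpretation of "hours lost per user per month" as affected-user-hours divided by the total user population is an assumption that a real program would have to agree with the business.

```python
"""Derive IT service continuity KPIs (COBIT DS4 style) from outage and test records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    system: str
    start: datetime
    end: datetime
    users_affected: int
    planned: bool      # planned maintenance is excluded from "unplanned outage" KPIs
    critical: bool     # system supports a business-critical process


@dataclass(frozen=True)
class ContinuityTest:
    date: datetime
    recovery_objective: timedelta   # agreed recovery time objective for the scenario
    actual_recovery: timedelta      # time actually taken to restore service in the test


# Constructed sample data (assumed values, not from the slides).
USER_POPULATION = 500

OUTAGES = [
    Outage("core-db", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 30), 500, False, True),
    Outage("payments-api", datetime(2024, 3, 18, 14, 0), datetime(2024, 3, 18, 14, 45), 120, False, True),
    Outage("mail-relay", datetime(2024, 3, 22, 22, 0), datetime(2024, 3, 23, 2, 0), 500, True, True),
    Outage("core-db", datetime(2024, 4, 10, 3, 0), datetime(2024, 4, 10, 4, 0), 60, False, True),
    Outage("wiki", datetime(2024, 4, 15, 10, 0), datetime(2024, 4, 15, 12, 0), 40, False, False),
]

TESTS = [
    ContinuityTest(datetime(2023, 9, 15), timedelta(hours=4), timedelta(hours=3, minutes=30)),
    ContinuityTest(datetime(2024, 1, 20), timedelta(hours=4), timedelta(hours=5)),
    ContinuityTest(datetime(2024, 3, 30), timedelta(hours=2), timedelta(hours=1, minutes=45)),
]

# component -> (is critical, has automated availability monitoring)
COMPONENTS = {
    "core-db": (True, True),
    "payments-api": (True, False),
    "mail-relay": (True, True),
    "wiki": (False, False),
}


def hours_lost_per_user_per_month(outages, user_population):
    """Unplanned affected-user-hours per calendar month, divided by the user population."""
    lost = defaultdict(float)
    for o in outages:
        if o.planned:
            continue
        hours = (o.end - o.start).total_seconds() / 3600
        lost[o.start.strftime("%Y-%m")] += hours * o.users_affected
    return {month: round(total / user_population, 2) for month, total in sorted(lost.items())}


def interruption_frequency_critical(outages):
    """Count of unplanned interruptions per critical system."""
    counts = defaultdict(int)
    for o in outages:
        if o.critical and not o.planned:
            counts[o.system] += 1
    return dict(counts)


def pct_tests_meeting_recovery_objective(tests):
    """Share of continuity tests whose actual recovery time met the agreed objective."""
    if not tests:
        return 0.0
    met = sum(1 for t in tests if t.actual_recovery <= t.recovery_objective)
    return round(100 * met / len(tests), 1)


def max_days_between_tests(tests):
    """Longest gap between consecutive plan tests; None if fewer than two tests exist."""
    dates = sorted(t.date for t in tests)
    if len(dates) < 2:
        return None
    return max((later - earlier).days for earlier, later in zip(dates, dates[1:]))


def pct_critical_components_monitored(components):
    """Share of critical infrastructure components that have automated availability monitoring."""
    critical = [monitored for is_critical, monitored in components.values() if is_critical]
    if not critical:
        return 0.0
    return round(100 * sum(critical) / len(critical), 1)


def continuity_kpis():
    """Assemble the KPI report for the constructed sample data."""
    return {
        "hours_lost_per_user_per_month": hours_lost_per_user_per_month(OUTAGES, USER_POPULATION),
        "critical_interruption_frequency": interruption_frequency_critical(OUTAGES),
        "pct_tests_meeting_rto": pct_tests_meeting_recovery_objective(TESTS),
        "max_days_between_tests": max_days_between_tests(TESTS),
        "pct_critical_components_monitored": pct_critical_components_monitored(COMPONENTS),
    }


if __name__ == "__main__":
    for name, value in continuity_kpis().items():
        print(f"{name}: {value}")
```

The planned maintenance window on the mail relay is deliberately present in the sample so that the exclusion of planned work from the outage KPIs is exercised, and the second test deliberately overruns its objective so that the percentage is not a trivial 100%.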

ISO20000
The objective of ISO20000 is to provide a foundation for effective quality IT Service Management via repeatable, documented processes, which are essential to improving IT Service Delivery.

ISO20000 What is ISO 20000? - The standard is structured in two parts
ISO 20000 is an International Standard on best practices for ensuring quality of IT service management processes. It is based on the tradition of ITIL and BS 15000 and structured in two parts:
- Part 1 (specification) specifies IT service management according to ISO 20000
- Part 2 (code of practice) gives further explanations, examples and best practices
Source: ISO/IEC 20000-1/2:2005: The International Service Management Standard, Colette Elcacho / PA Consulting Group, October 2006

ISO20000 What is ISO 20000? - The quality model enables achieving the objective
- Chapter 4: Plan-Do-Check-Act methodology for service management processes
- Repeatable, documented processes are essential to improving IT service delivery and management.
- The ISO 20000 framework provides an effective foundation for quality IT service management.

ISO20000 Service Continuity and Availability
Objective: To ensure that agreed service continuity and availability commitments to customers can be met in all circumstances
Service continuity management defines:
- Maximum acceptable periods of lost service
- Maximum acceptable periods of degraded service
- Document, data and software backups for service restoration
- Staff and instruction of staff necessary for service restoration
- Backups of service continuity documents at secure remote locations

Critical Success Factors for any IT Toolkit Implementation
- Business Engagement: An IT Continuity Plan that exists in the absence of a BCP has little if any worth
- IT Executive Support: Many executives view any spend on DR and continuity initiatives as sunk cost
- Budget Support: The continued relevance of an IT Continuity Plan requires year-over-year budget support
- Resource Support: IT staff will need to be periodically engaged in planning and testing initiatives; SMEs are especially critical to have involved
- Categorization and Prioritization: Most DR and continuity initiative failures are caused by an inability to convince lines of business that not all business processes are the highest priority, or by an inability to identify which infrastructure components support the critical business processes
- Customer Focus

Thank You
Derek Lonsdale, PA Consulting Group, One Memorial Drive, Cambridge, Massachusetts 02142. Direct Dial: 1-617-225-2700. Mobile: 1-617-733-7437
Glen Willis, PA Consulting Group, 4601 N Fairfax Drive, Suite 600, Arlington, Va 22203. Direct dial: 571-227-9011. Mobile: 770-883-8084