ITSCM at SAP Best practices
ITSCM - Goals and scope
- ITSCM helps to establish Business Continuity Management related processes within Global IT as one of the SAP Lines of Business (LOBs)
- ITSCM assists in supporting critical business processes for other LOBs outside of IT (focusing on other departments)
- ITSCM fully supports all Crisis Management topics
ITSCM as a part of BCM
[Diagram: Business Continuity Management and IT Service Continuity Management, shown from Detection to Recovery on a time axis of Minutes, Hours, Weeks]
- Emergency Response (Life Safety)
- Crisis Management (Strategic Response)
- Business Process Continuity (Process Recovery Activities)
- IT Resiliency (Automatic switch to redundant systems)
- Disaster Recovery (IT related recovery)
Emergency Management process
[Process diagram: End-2-End daily operations, with the IT Support Center, IT Application Services, IT Infrastructure Services and IT COO feeding a MOD notification; SAPCON scale 1 2 3 4 5]
Steps shown:
1. Initiation
2. MOD Evaluation
4. Initial Information
5. Configure Task Force
6. Regular Update, De-Escalation
Notes on the diagram:
- The MOD can raise the SAPCON level up to 3.
- The DM is selected according to the principle of follow-the-sun, depending on the region where the emergency situation occurs.
- Senior Management De-Escalation Board: CIO, VP Enterprise Architecture, VP IT Infrastructure Services, VP IT Application Services.
- Task Force: temporarily available until the incident is fixed. Situational composition of Global IT specialists (Infra, COO, Appl.) as required to solve the current incident.
Legend:
- MOD: Manager on Duty
- DM: De-Escalation Manager
- SAPCON: internal criticality level measurement, equivalent to DEFCON
About SAP
53500+ employees at 200+ locations in 120 countries in 300+ buildings
- Walldorf: EMEA CMT-R, Global CMT
- Philadelphia: AMERICAS CMT-R
- Singapore: APJ CMT-R
CMT: Crisis Management Team
CMT-R: regional CMT
Why Business Continuity & Crisis Management
Crisis Management (CM) and Business Continuity Planning (BCP) enable locations and global lines of business to respond to any crisis situation and keep their most critical processes up and running during any kind of crisis:
- Natural disaster
- Man-made crisis (bomb threat/attack, rape, ...)
- Political unrest, strike, war, ...
- Pandemic
In the event of a crisis the accountable management will often have to coordinate diverse efforts to respond to the crisis and make several decisions quickly. BC plans created for the critical processes of each Line of Business ensure that operations continue without business consequences.
The objective of this project is to train local management as part of a global framework for organizational resilience, safeguarding the interests of SAP's key stakeholders, reputation, brand and value-creating activities.
Crisis Management Team
Default functions represented in the CMT (table columns: Function, Name, Deputy):
- Top Management (e.g. MD, CFO)
- Communications
- HR
- Facility Management
- IT Management
- Risk/Security Manager (GRC)
BIA - creating dependency maps
BIA - Identifying critical business processes
Creating Business Continuity Plan for critical processes
ITSCM - Key components
- Clearly defined ITSCM directive
- Infrastructure and people
- Well defined processes
- ITSCM Plans for critical services and systems
- Performance assessments and disaster simulation exercises
- Management reviews
- Awareness and training sessions
ITSCM Directive
- The ITSCM Directive is applicable to all SAP employees, contractors and visitors to SAP facilities
- The ITSCM Directive provides a framework to be applied to all IT services supporting critical business processes
- Review of the directive is performed on an annual basis
ITSCM - People and Infrastructure
- ITSCM is relevant to all Global IT departments supporting critical services and landscapes
- Critical service owners are requested to develop and maintain ITSCM plans
- Critical systems and landscapes must have sufficient redundancy measures so they can sustain satisfactory operations during a disaster
- Critical data must be stored and processed securely, and it must be backed up or mirrored on a regular basis
ITSCM Process
The formal process is stored in the portal and available for review.
It has 3 main steps:
- Planning - Requirement Analysis / Strategy definition
- Implementation
- Operations - education, awareness, training, testing, change control
ITSCM Plan
- The ITSCM plan is created as a generic template applicable to most IT services
- The main goal is to create a short document containing key information related to the service, and references to other information storage points
- The document is expected to be stored online and offline, and be available to the service owner during the disaster
It has 3 sections:
- Change Management section to reflect updates/changes
- Generic section to reflect common requirements such as frequency of the update, relationship with Crisis Management and Emergency Management etc.
- Service-specific section to reflect service-specific points such as contact information, service description, resiliency approach, recovery process etc.
Disaster planning approach
The ITSCM plan is based on an All Hazards approach. It means that it should be applicable to any disaster, and consider generic unavailability.
In general, rather than preparing for specific disasters, the efforts should be focused on the mitigation of impacts:
- Unavailability of infrastructure
- Unavailability of people (human resources)
- Unavailability of facilities (offices, data centers)
- Unavailability of 3rd parties (vendors / suppliers)
Every disaster brings one or more of these impacts.
Disaster simulation exercises
- Performed every year
- Coordinated with Crisis Management teams
- Very specific, realistic scenarios are prepared
- Two varieties: technical and non-technical
- The technical exercise focuses on technical issues and coordination between technical resources
- The non-technical exercise focuses on process review and improvements
- Different regions run the exercise
- Valuable lessons are learned as a result of the exercise, and improvement areas are identified
Disaster simulation exercises 2011-2012
- Crisis Management exercise (in coordination with CM team)
  Participants: global CM team members
  Simulated nuclear plant disaster
- Development team exercise (TIP)
  Participants: TIP critical team members
  Simulated earthquake affecting SAP Labs Sofia office
- Regional IT team exercises (Singapore, Japan, China, Australia)
  Participants: respective IT critical team members
  Simulated generic systems shutdown and recovery
- Global IT team exercise (Walldorf)
  Participants: Global IT critical service owners
  Simulated system virus affecting SAP systems
Notable disasters 2011-2012 affecting global IT
- Japan Earthquake, March 2011
  - Successful switch to remote operations
  - Use of BYOD to ensure that employees are safe
- Copenhagen flooding, July 2011
  - Immediate switch to alternative servers (in Germany)
  - Use of WTS (Windows Terminal Server) for customer training
  - Contracts with vendors allowing quick replacement of the hardware
Training and Awareness
- Live Emergency Management sessions for all relevant Global IT employees; the next presentation is targeted for November 2012
- ITSCM and EM training sessions are available in the IT academy
- All managers have a monthly reminder in the calendar to update IT contacts and hotlines. This reminder contains the necessary links to the process.
2012 Achievements
- Introduced ITSCM plans to Application services
  While continuity plans existed for all critical systems already, ITSCM helped to use the same standard approach and templates for all systems
- Improved BIA approach
  Identification of critical processes within global IT and other LOBs (with help of GRC department and global process office)
- Formal ITSCM directive document to meet new ISO standard requirements
ISO Re-certification 2012
Triple Certification:
- ISO 9001 Quality Management
- ISO 27001 Security Management
- ISO 22301 Business Continuity Management
First company in Germany to be certified by ISO 22301
Thank You! Contact information: Alex Guitman - Global Head IT Business Continuity Management alex.guitman@sap.com
2012 SAP AG. All rights reserved.