Our process model for IT Service Continuity Management is based on our many years of project experience and the best practice models in the industry. On the following pages, we describe the individual stages of the model, which aims at an established ITSCM in your company.
A life without today's information and communications technology (ICT) is hard to imagine. Yet time and again IT outages occur, some of which are perceived by the public, for example, when ATMs break down, check-in at the airport is delayed, incorrect interest calculations are sent, or mobile phone conversations are impossible.
The aim of the ITSCM process is to enable an organisation, after an outage of IT services caused by an IT emergency, to provide an IT service level that has been determined and agreed in advance and that supports the minimum requirements of the business. Since 2011 an international standard for IT emergency planning (ITSCM) has been available in ISO 27031. Its title alone, “Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity”, already indicates that close cooperation should exist between the BCM and the ITSCM disciplines within an enterprise.
We take these interface problems into account in our ITSCM process model. Our ITSCM process model aims to define a project for establishing the ITSCM process within an enterprise. Apart from our experience, which is built upon more than 20 years of consultancy activity, the concepts of our model are continually reviewed against requirements from the process descriptions of ITIL's “ITSCM”, from information security (especially from ISO 27001) and from standards such as the German BSI Standard 100-4 “Emergency Management”.
The initiation is the foundation of a successful IT emergency planning project. With an ITSCM Policy, management instructs the IT department to establish ITSCM in the company. The necessary steps of the process are documented in an ITSCM Guideline. Additionally, measures for the maintenance of the ITSCM process, its monitoring and its continuous improvement are documented.
Analysis and Concept
“Analysis and Concept” deals with establishing the goals and solutions for the recovery plans.
During the analysis phase the target requirements for the availability of IT services (IT applications) should be taken from BCM and be compared to the currently implemented possibilities for IT emergency preparation. The main criterion for the availability in emergency mode is the recovery time objective (RTO) of an IT service. This can be determined from a Business Impact Analysis or from Service Level Agreements. In some IT areas the documentation required for the analysis will not be available. In these cases we will use proven alternative methods to create this data.
ITSC Solution Concept
The ITSC solution concept describes the selected solution options. These solution options serve as the basis for creating the ITSC plans.
During the Implementation Phase, the agreed measures are put into practice.
IT Preventative Measures
In the context of preventative measures for IT one could, for example, set up additional data backups, create WAN connections, build clustered systems, organise backup work spaces or even rent a new data centre location. Priority during the implementation goes towards those measures that result in improvements to the IT service availability of many different systems, and also measures that mitigate risks with a high damage potential.
Crisis and ITSCM Organisation
For use during an emergency, an independent crisis and ITSCM organisational structure (shadow organisation) must be set up. The aim of this organisational form is to enable precise and quick decisions in critical situations by working with fewer levels of hierarchy. Additionally, a separate escalation process will be defined for this emergency organisation.
ITSCM Processes and Interfaces
After the conclusion of the project, management processes must be defined in order to integrate the regularly recurring tasks into normal daily operations.
Within the Planning phase the IT Emergency Manual is created. This can consist of various documents, depending on the size and number of data centres. In any case, equally applicable procedures for the IT Crisis Management must be described for all scenarios.
Per outage scenario (e.g., Outage DC Room 1, Outage WAN, etc.) a scenario manual should exist. This should contain detailed technical descriptions on the recovery of IT services. These descriptions must be in agreement with the coordination plans for Business Continuity Management and the plans of the IT Service Providers.
Regularly executing relevant IT continuity tests is crucial in estimating the effectiveness of the IT emergency plans. In this way, one can judge whether the provided redundant resources and the recovery plans would allow for the management of a real emergency.
A test and exercise strategy specifies the commitments in the ITSCM policy regarding the frequency and scope of IT continuity tests and exercises that are to be performed. To simplify the test plans, test types are defined (e.g. functional test and real test).
How each IT resource is to be tested is specified in the form of test concepts (type of switch-off or switch-over, risks during test execution, etc.).
During the test planning, dates are established for each individual test to be executed within a year, including the initial test, and the test goals are defined.
Before moving the ITSCM project into operational mode, an initial test must be performed. The scope of the test is determined by the previously agreed test planning. It is important for this initial test that all planned activities are executed in relation to the test:
Determine test aims
Planning test preparations
Planning test execution
Planning analysis of test results and of wrap-up