
Module: ITIL2

Worksheet of Session 3: Continuity Management

CNET Department
Sana’a Community College
2nd Year

Name: Qaed Ahmed Qaed Azzan

1. Define the following terms:

• Disaster: an event that affects a service or system such that significant effort is required to restore the original performance level.
• Business Continuity Management (BCM): covers risk analysis and management so that the organization can ensure the minimum required production capacity or provision of service at all times. BCM aims to reduce risks to an acceptable level and develops plans for restoring business activities if they are interrupted by a disaster.
• IT Service Continuity Management (ITSCM): the process of dealing with disasters affecting IT services and maintaining services to allow the business to continue to operate.
• Recovery Plan: a plan that includes all elements relevant to restoring the business activities and IT services.
2. What are the Recovery Options which may be used to ensure business continuity?
• Do nothing
• Return to a manual (paper-based) system
• Reciprocal agreements
• Gradual recovery (cold stand-by)
• Intermediate recovery (warm stand-by)
• Immediate recovery (hot start, hot stand-by)
• Combinations of options
3. Objectives of Continuity Management
• To support the overall Business Continuity Management (BCM) by ensuring that required IT infrastructure and IT services, including support and the Service Desk, can be restored within specified time limits after a disaster.
• ITSCM can have a number of different aims. As ITSCM is an integral part of BCM, the scope of ITSCM should be defined on the basis of the business objectives.
• When assessing the risks, it can then be decided whether they are within or outside the scope of the ITSCM process.

4. Activities of Continuity Management

4.1 Defining the scope of ITSCM
• Defining the policy.
• Defining the scope and relevant areas.
• Allocating resources.
• Setting up the project organization.
4.2 Business Impact Analysis
• Potential reasons include:
  - Protecting business processes
  - Rapid service recovery
  - Surviving competition
  - Maintaining market share
  - Maintaining profitability
  - Protecting the reputation perceived by customers
• Sub-activities include:
  - Service analysis
  - Infrastructure analysis
4.3 Risk assessment
• A risk analysis can help identify the risks a business is exposed to.
• Risk Analysis:
  1. First, the relevant IT components (assets) must be identified, such as buildings, systems, data, etc. Effective asset identification means that the owner and purpose of each component must be documented.
  2. The next step is to analyze the threats and dependencies and to estimate the likelihood (high, medium, low) that a disaster will occur, for example a combination of an unreliable main power supply and an area with many storms and thunderstorms.
  3. Next, the vulnerabilities are identified and classified (high, medium, low). A lightning conductor will provide some protection against lightning strikes, but they can still seriously affect the network and the computer systems.
  4. Finally, the threats and vulnerabilities are evaluated in the context of the IT components, to provide an estimate of the risks.
4.4 IT Service Continuity Strategy
• Most businesses will aim to strike a balance between risk reduction and recovery planning.
• Recovery Options:
  - Do nothing
  - Return to a manual (paper-based) system
  - Reciprocal agreements
  - Gradual recovery (cold stand-by)
  - Intermediate recovery (warm stand-by)
  - Immediate recovery (hot start, hot stand-by)
  - Combinations of options
4.5 Organization and implementation planning
• There should be an overall plan addressing the following issues:
  - Emergency response plan
  - Damage assessment plan
  - Recovery plan
  - Vital records plan (what to do with data, including paper records)
4.6 Prevention measures and recovery options
• This is when the prevention measures and recovery options identified earlier are put into practice.
4.7 Developing plans and procedures for recovery
• Recovery plan: The recovery plan should include all elements relevant to restoring the business activities and IT services, including:
  - Routing List
  - Recovery Initiation
  - Specialist sections (Administration, IT infrastructure, Personnel, Security, Recovery sites, and Restoration)
• Procedures: It is essential to develop effective procedures, such that anyone can undertake the recovery by following the procedures. These should address:
  - Installing and testing hardware and network components
  - Restoring applications, databases, and data
  These and other relevant procedures are attached to the recovery plan.
4.8 Initial testing
• Initial testing is a critical aspect of ITSCM. Tests should be performed initially, then following major changes, and then at least annually.
4.9 Training and awareness
• Effective training of IT and other personnel, and awareness by all personnel and the organization, are essential to the success of any IT Service Continuity process.
• IT personnel will have to train non-IT personnel in business recovery teams to ensure that they are familiar with the issues so that they can provide support during the recovery operations.
4.10 Review and audit
• It should be verified regularly whether the plans are still up to date. This concerns all aspects of ITSCM.
• In the IT area, such an audit will have to be undertaken every time there is a significant change to the IT infrastructure, such as the introduction of new systems, networks and service providers.
• Audits must also be carried out if there is any change to the strategy of the IT department or the business.
4.11 Testing
• The recovery plan must be tested regularly, rather like an emergency drill on a ship.
• If everyone has to study the plan when a disaster happens, then there are likely to be many problems. The test can also identify weaknesses in the plan or changes that were overlooked.
4.12 Change Management
• Change Management plays an important role in keeping all the plans current.
• The impact of any change on the recovery plan has to be analyzed.
4.13 Assurance
• Assurance means verifying whether the quality of the process (procedures and documents) is adequate to meet the business needs of the company.
5. Critical Success Factors
• The success of IT Service Continuity Management depends on:
  - An effective Configuration Management process.
  - Support and commitment throughout the organization.
  - Up-to-date, effective tools.
  - Dedicated training for anyone involved in the process.
  - Regular, unannounced tests of the recovery plan.

6. Performance Indicators
• Performance indicators include:
  - Number of identified shortcomings of the recovery plans.
  - Revenue lost further to a disaster.
  - Cost of the process.

7. Reports
• In the event of a disaster there will be reports about its cause and effect, and how successfully it was dealt with.
• Any observed weaknesses will be addressed in improvement plans.
• The management reports from this process also include evaluation reports of recovery plan tests. These are used for assurance.
• The process also reports on the number of changes to recovery plans as a result of significant changes elsewhere.
• Reports may also be issued about new threats.
8. Roles and Responsibilities

| Role | Responsibilities during normal conditions | Responsibilities during crisis conditions |
|---|---|---|
| Board | Initiating BCM; allocating personnel and resources; defining policies; defining process authority | Crisis management; taking corporate/business decisions |
| Senior management | Managing the ITSCM process; accepting plans, test reports, etc.; communicating and maintaining awareness; integrating ITSCM within BCM | Coordinating and arbitrating; providing personnel, resources and funding |
| Management | Undertaking risk analysis; defining deliverables; drafting contracts; managing tests, evaluations and reports | Invoking recovery and continuity mechanisms; leading teams; reporting |
| Team leaders and team members | Developing deliverables; negotiating services; implementing tests, evaluations and reports; developing and implementing procedures | Implementing the recovery plan |

9. Costs and Problems

Costs
• The major costs associated with the introduction of IT Service Continuity Management are:
  - Time and costs for initiating, developing and implementing ITSCM.
  - Investment associated with the introduction of risk management and the resulting additional hardware. These costs can be reduced if the measures are considered within the scope of Availability Management at the time of designing new configurations.
  - Continuing costs of the recovery arrangements that depend on the selected option, such as fees for external hot start contracts, cost of test arrangements, and the period during which the recovery facilities are available.
  - Recurring operational costs of ITSCM, such as testing, auditing, and updating the plan.
• These costs may only be incurred after making a considered choice and comparing them with the potential costs associated with not having a recovery plan.
• Although the costs of maintaining a recovery plan may appear to be high, they are often reasonable compared with the overall expenditure on fire and theft insurance. Furthermore, effective ITSCM may reduce the cost of insurance.

Problems
• When implementing the process, the following potential problems should be considered:
  - Resources: the organization will have to provide additional capacity for a project team to develop and test the plan.
  - Commitment: the annual costs must be included in the organization's budgets, which requires commitment.
  - Access to recovery facilities: all options discussed above require regular testing of the recovery facilities. Thus, the contracts will have to provide the IT organization with regular access to the recovery facilities.
  - Estimating the damage: certain damage, such as lost reputation, cannot be financially quantified.
  - Budgeting: the need for expensive contingency facilities is not always understood, or the plans are cut back.
