Professional Documents
Culture Documents
Continity Management Worksheet
Continity Management Worksheet
Sub-activities include:
Service analysis
Infrastructure analysis
4.3 Risk assessment
A risk analysis can help identify the risks a business is exposed to.
Risk Analysis
5 First, the relevant IT components (assets) must be identified, such as buildings, systems, data, etc. Effective
asset identification means that the owner and purpose of each component must be documented.
6 The next step is to analyze the threats and dependencies and to estimate the likelihood (high, medium, low)
that a disaster will occur, for example a combination of an unreliable main power supply and an area with many
storms and thunderstorms.
7 Next, the vulnerabilities are identified and classified (high, medium, and low). A lightning conductor will provide
some protection against lightning strikes, but they can still seriously affect the network and the computer
systems.
8 Finally, the threats and vulnerabilities are evaluated in the context of the IT components, to provide an estimate
of the risks.
4.4 IT Service Continuity Strategy
Most businesses will aim to strike a balance between risk reduction and recovery planning.
Recovery Options:
Do nothing
Return to a manual (paper-based) system
Reciprocal Agreements
Gradual recovery (cold stand-by)
Intermediate recovery (warm stand-by):
Immediate recovery (hot start, hot stand-by)
Combinations of options:
4.5 Organization and implementation planning
there should be an overall plan addressing the following issues:
Emergency response plan
Damage assessment plan
Recovery plan
Vital records plan (what to do with data, including paper records)
4.6 Prevention measures and recovery options: this is when the prevention measures and recovery options
identified earlier are put into practice.
4.7 Developing plans and procedures for recovery
Recovery plan: The recovery plan should include all elements relevant to restoring the business activities and IT
services, including:
Routing List
Recovery Initiation
Specialist sections (Administration, IT infrastructure, Personnel, Security, Recovery sites, and Restoration)
Procedures: It is essential to develop effective procedures, such that anyone can undertake the recovery by following
the procedures. These should address:
Installing and testing hardware and network components
Restoring applications, databases, and data
5 Restoring applications, databases, and data
6 These and other relevant procedures are attached to the recovery plan.
4.8 Initial testing
Initial testing is a critical aspect of ITSCM. Tests should be performed initially, then following major changes, and
then at least annually.
4.9 Training and awareness
Effective training of IT and other personnel and awareness by all personnel and the organization are essential to the
success of any IT Services Continuity process.
IT personnel will have to train non-IT personnel in business recovery teams to ensure that they are familiar with the
issues so that they can provide support during the recovery operations.
4.10 Review and audit
It should be verified regularly if the plans are still up-to-date. This concerns all aspects of ITSCM.
In the IT area, such an audit will have to be undertaken every time there is a significant change to the IT
infrastructure, such as the introduction of new systems, networks and service providers.
Audits must also be carried out if there is any change to the strategy of the IT department or the business.
4.11 Testing
The Recovery plan must be tested regularly, rather like an emergency drill on a ship.
If everyone has to study the plan when a disaster happens then there are likely to be many problems. The test can
also identify weaknesses in the plan or changes that were overlooked.
4.12 Change Management
Change Management plays an important role in keeping all the plans current.
The impact of any change to the Recovery plan has to be analyzed.
4.13 Assurance
Assurance means verifying if the quality of the process (procedures and documents) is adequate to meet the
business needs of the company.
5. Critical Success Factors
The success of IT Service Continuity Management depends on:
An effective Configuration Management process.
Support and commitment throughout the organization.
Up-to-date, effective tools.
Dedicated training for anyone involved in the process.
Regular, unannounced tests of the recovery plan.
6. Performance Indicators
Performance indicators include:
Number of identified shortcomings of the recovery plans.
Revenue lost further to a disaster.
Cost of the process.
7. Reports
In the event of a disaster there will be reports about its cause and effect, and how successfully it was dealt with.
Any observed weaknesses will be addressed in improvement plans.
The management reports from this process also include evaluation reports of recovery plan tests. These are used for
assurance.
The process also reports about the number of changes to recovery plans as a result of significant changes
elsewhere.
Reports may also be issued about new threats.
8. Roles and Responsibilities
Role Responsibilities during normal conditions Responsibilities during crisis conditions
Problems
When implementing the process, the following potential problems should be considered:
Resources - the organization will have to provide additional capacity for a project team to develop and test
the plan.
Commitment - the annual costs must be included in the organization‘s budgets, which requires
commitment.
Access to recovery facilities - all options discussed above requires regular testing of the recovery facilities.
Thus, the contracts will have to provide the IT organization with regular access to the recovery facilities.
Estimating the damage - certain damage, such as lost reputation, can-not be financially quantified.
Budgeting - the need for expensive contingency facilities is not always understood, or the plans are cut
back.