DS04 Service Continuity Management

DS04: Service Continuity Management

1. Description

Operational and tested IT continuity plan which is in line with the overall business continuity plan and its related business requirements.

2. Control Objectives

IT Continuity Framework - create a continuity framework which defines the roles, responsibilities, the risk based approach/methodology to be adopted, and the rules and structures to document the plan as well as the approval procedures
IT Continuity Plan Strategy and Philosophy - ensure that the information technology continuity plan is in line with the overall business continuity plan to ensure consistency. Furthermore, the information technology continuity plan should take account of the information technology long- and medium-range plans to ensure consistency. The disaster recovery/contingency plan should minimize the effect of disruptions
IT Continuity Plan Contents - ensure that a written plan is developed containing the following:
- Guidelines on how to use the continuity plan;
- Emergency procedures to ensure the safety of all affected staff members;
- Response procedures meant to bring the business back to the state it was in before the incident or disaster;
- Recovery procedures meant to bring the business back to the state it was in before the incident or disaster;
- Procedures to safeguard and reconstruct the home site;
- Co-ordination procedures with public authorities;
- Communication procedures with stakeholders: employees, key customers, critical suppliers, stockholders and management; and
- Critical information on continuity teams, affected staff, customers, suppliers, public authorities and media.
Minimising IT Continuity Requirements - establish procedures and guidelines for minimising the continuity requirements with regard to personnel, facilities, hardware, software, equipment, forms, supplies and furniture
Maintaining the IT Continuity Plan - provide for change control procedures in order to ensure that the continuity plan is up-to-date and reflects actual business requirements. This requires continuity plan maintenance procedures aligned with change and management and human resources procedures
Testing the IT Continuity Plan - assess Continuity Plan adequacy on a regular basis; this requires careful preparation, documentation, reporting test results and, according to the results, implementing an action plan
IT Continuity Plan Training - ensure that all concerned parties receive regular training sessions regarding the procedures to be followed in case of an incident or disaster
IT Continuity Plan Distribution - distribution on Plan only to authorised personnel and proper safeguarding against unauthorised disclosure. Consequently, sections of the plan need to be distributed on a need - to - know basis
User department alternative processing backup procedures - Continuity methodology
User Department Alternative Processing Back-up Procedures - ensure that the user departments establish alternative processing procedures that may be used until the information services function is able to fully restore its services after a disaster or event
Critical Information Technology Resources - identify the critical application programmes, third-party services, operating systems, personnel and supplies, data files and time frames needed for recovery after a disaster occurs
Back-up Site and Hardware - ensure that the continuity methodology incorporates an identification of alternatives regarding the back-up site and hardware as well as a final alternative selection. If applicable, a formal contract for these type of services should be concluded
Offsite backup storage - Support recovery and business continuity plans, periodic assessment
Wrap-up Procedures - ensure that the continuity methodology incorporates an identification of alternatives regarding the back-up site and hardware as well as a final alternative selection. If applicable, a formal contract for these type of services should be concluded

3. Key Goal Indicators

No incidents causing public embarrassment
Number of critical business processes relying on IT that have adequate continuity plans
Regular and formal proof that the continuity plans work
Reduced downtime
Number of critical infrastructure components with automatic availability monitoring

4. Key Performance Indicators

Number of outstanding continuous service issues not resolved or addressed
Number and extent of breaches of continuous service, using duration and impact criteria
Time lag between organisational change and continuity plan update
Time to diagnose an incident and decide on continuity plan execution
Time to normalise the service level after execution of the continuity plan
Number of proactive availability fixes implemented
Lead time to address continuous service shortfalls
Frequency of continuous service training provided
Frequency of continuous service testing

5. Critical Success Factors

A no-break power system is installed and regularly tested
Potential availability risks are proactively detected and addressed
Critical infrastructure components are identified and continuously monitored
Continuous service provision is a continuum of advance capacity planning, acquisition of high-availability components, needed redundancy, existence of tested contingency plans and the removal of single points of failure
Action is taken on the lessons learned from actual downtime incidents and test executions of contingency plans
Availability requirements analysis is performed regularly
Service level agreements are used to raise awareness and increase co-operation with suppliers for continuity needs
The escalation process is clearly understood and based on a classification of availability incidents
The business costs of interrupted service are specified and quantified where possible, providing the motivation to develop appropriate plans and arrange for contingency facilities

6. Service Maturity Variations

0 Non-existent	There is no understanding of the risks, vulnerabilities and threats to IT operations or the impact of loss of IT services to the business. Service continuity is not considered as needing management attention.
1 (Initial/Ad Hoc)	IResponsibilities for continuous service are informal, with limited authority. Management is becoming aware of the risks related to and the need for continuous service. The focus is on the IT function, rather than on the business function. Users are implementing work-arounds. The response to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs, rather than to accommodate business requirements.
2 (Repeatable but Intuitive)	Responsibility for continuous service is assigned. The approaches to continuous service are fragmented. Reporting on system availability is incomplete and does not take business impact into account. There are no documented user or continuity plans, although there is commitment to continuous service availability and its major principles are known. A reasonably reliable inventory of critical systems and components exists. Standardisation of continuous service practices and monitoring of the process is emerging, but success relies on individuals.
3 (Defined Process)	Accountability is unambiguous and responsibilities for continuous service planning and testing are clearly defined and assigned. Plans are documented and based on system criticality and business impact. There is periodic reporting of continuous service testing. Individuals take the initiative for following standards and receiving training. Management communicates consistently the need for continuous service. High-availability components and system redundancy are being applied piecemeal. An inventory of critical systems and components is rigorously maintained.
4 (Managed and Measurable)	Responsibilities and standards for continuous service are enforced. Responsibility for maintaining the continuous service plan is assigned. Maintenance activities take into account the changing business environment, the results of continuous service testing and best internal practices. Structured data about continuous service is being gathered, analysed, reported and acted upon. Training is provided for continuous service processes. System redundancy practices, including use of high-availability components, are being consistently deployed. Redundancy practices and continuous service planning influence each other. Discontinuity incidents are classified and the increasing escalation path for each is well known to all involved.
5 Optimized	Integrated continuous service processes are proactive, self-adjusting, automated and self-analytical and take into account benchmarking and best external practices. Continuous service plans and business continuity plans are integrated, aligned and routinely maintained. Buy-in for continuous service needs is secured from vendors and major suppliers. Global testing occurs and test results are fed back as part of the maintenance process. Continuous service cost effectiveness is optimised through innovation and integration. Gathering and analysis of data is used to identify opportunities for improvement. Redundancy practices and continuous service planning are fully aligned. Management does not allow single points of failure and provides support for their remedy. Escalation practices are understood and thoroughly enforced.