IT Service Continuity Management
Organisation and Planning
Once the scope of ITSCM has been decided, the risks and vulnerabilities analysed, and prevention and recovery strategies defined, the required resources must be assigned and organised. With this goal in mind, IT Service Continuity Management needs to draw up a series of documents, including:
- A risk prevention plan.
- An emergency management plan.
- A recovery plan.
Risk prevention plan
The main objective of the risk prevention plan is to minimise the impact of a disaster on the IT infrastructure.
Commonly used measures include:
- Distributed data storage.
- Back-up electrical power supply systems.
- Data back-up policies.
- Duplication of critical systems.
- Passive security systems.
Emergency management plan
Crises often cause panic. This can be counterproductive and may at times be even more damaging than the original incident. It is therefore essential to ensure that staff roles and responsibilities in an emergency, as well as the relevant protocols for action, are clearly defined.
Emergency management plans therefore need to take into account aspects such as:
- Evaluating the impact of the contingency on the IT infrastructure.
- Assigning emergency roles to IT service personnel.
- Informing users and customers of a serious interruption or service degradation.
- Procedures for contact and collaboration with the suppliers concerned.
- Protocols for putting the relevant recovery plan into action.
Recovery plan
When an interruption to service is inevitable, the time to put the recovery procedures into action has arrived.
The recovery plan needs to include everything necessary to:
- Reorganise the staff involved.
- Re-establish the hardware and software systems necessary.
- Recover the data and restart the IT service.
The recovery procedures may depend on the importance of the contingency and the associated recovery option (cold or hot stand-by), but in general they involve:
- Assigning personnel and resources.
- Alternative hardware facilities.
- Security plans guaranteeing the integrity of the data.
- Data recovery procedures.
- Cooperation agreements with other organisations.
- Protocols for informing customers.
When a recovery plan is brought into action there is no room for improvisation. Any decisions made can have serious consequences both for the way the organisation is perceived by customers and the costs associated with the process.
Although it may seem paradoxical, a "disaster" can be a good opportunity to show your customers the solidity of your IT organisation and thus increase their confidence in you. As they say, "every cloud has a silver lining."