Leveraging the IT Service Continuity Management framework

Transcription

Leveraging the IT Service
Continuity Management
framework
Gord Novoselnik
Business Continuity Office
Enterprise Solutions Division
1
MTS Allstream Inc. proprietary. Use pursuant to company instructions./
Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société.
IT Service Continuity Management
Goal of ITSCM

Support the overall Business Continuity Management (BCM)
process by ensuring that the required IT technical and services
facilities can be recovered within required, and agreed, business
timescales.
Scope of ITSCM

2
ITSCM focuses on the IT Services required to support the critical
business processes. The Impact of a loss of a business process
are measured through a Business Impact analysis, which determines
the minimum critical requirements.
TM MC
MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./
Key Considerations
3

ITSCM is a sub-set of the Business Continuity Management program,
and it utilizes the Business Continuity Management framework

Minimum business requirements must be well-defined before scope of
ITSCM can be defined

BCM should already exist to enable ITSCM to efficiently meet the needs
of the business

ITSCM uses the data generated by the BCM program

IT is a key stakeholder of the Corporate BCM program
TM MC
ITIL BCM
Framework*
*Mitigation and
prevention only.
Where is Crisis
Management?
4
TM MC
Points of Leverage
DRI / BCI
Business
Continuity
Management
OGC - ITIL
Business Impact Analysis
Risk Assessments
Exercising
IT Service
Continuity
Management
Crisis Management
Business focus but also
serves IT
5
IT focus but also serves
the business
TM MC
Our Business Continuity Office
Accountability Statement
Provide knowledge, guidance and planning methodologies needed
to ensure that MTS Allstream remains an industry leader in the
performance, reliability and recoverability of its business and
services delivery, under any operating condition
…….Considering a holistic management process (Business
Continuity Management - BCM) that identifies potential impacts
that threaten an organization and provides a framework for
building resilience with the capacity for an effective response that
safeguards the interests of its key stakeholders, reputation, brand
and value creating activities
6
TM MC
Business Continuity Objective
Business Continuity Program objective is to ensure the Corporation is
prepared to deal with infrastructure failures and process disruptions which
impact how MTS Allstream does business and delivers services everyday
Key elements that should be preserved

Health and Safety of our workforce

Infrastructure Integrity

Customer Service

7
Revenue
TM MC
Adapted DRI BCM Planning
Framework
Delivery
Infrastructure
Business Continuity Planning Process
Finance/
Corporate
Customer
Services
Employees &
Work Centers
Product / Service
Delivery
Sales &
Marketing
-BUSINESSIMPACT
IMPACTANALYSISANALYSIS-BUSINESS
What
processes
are
What processes are
important
to
my
department?
important to my department?
Applications
-PLAN
-PLANUPDATESUPDATESLearn
Learnfrom
fromexercise
exercise
and
andupdate
updatethe
theplan
plan
-RISKASSESSMENTASSESSMENT-RISK
Whatrisks
riskscan
canaffect
affect
What
these
critical
these critical
processes?
processes?
Data
Network
-STRATEGYDEVELOPMENTDEVELOPMENT-STRATEGY
What
can
wedo
dototo
What can we
protectthese
theseprocesses?
processes?
protect
-EXERCISING-EXERCISINGPut
Putthe
theplan
plantoto
totothe
test!
the test!
Platforms
8
-PLAN
-PLANDEVELOPMENTDEVELOPMENTDocument
Documentthe
therecovery
recovery
strategies
and
strategies andother
other
important
importantinformation
information
TM MC
Business Impact Analysis

Issued Corporate BIA questionnaire

Process-centric view with 250 unique processes, division-wide

Centralized, web-based interface, centralized database
BIA Data will be used to:

Perform gap analysis on existing Business Continuity Plans

Define priorities for Corporate Security policies nationally

Assess business impacts during disaster situations

Identify and asses dependencies on key resources
• People – key staff members, incl IT staff members
• Process – inter- and intra-departmental dependencies, vendors,
• Technology – infrastructure, applications and systems
9
TM MC
BIA Data for IT – Closer Look

BCO worked closely with IT to define requirements for BIA
data collection for 75 strategic IT systems and applications

Recovery Time Objectives – with standard time intervals
• 0-2hrs, 2 hrs-1day, 2-4 days, 5 days or more

Is the business unit able to adopt workarounds in the absence
of IT systems?

Recovery Point Objectives – with standard time intervals
• <4 hrs, <24 hrs, <3 days, <7 days, >7 days

10
Is the business able to reconstruct data on affected IT systems
when system is restored?
TM MC
RPO and RTO
11
TM MC
More BIA data - for IT

BIA also collects broader IT application dependency data
from all business processes.

Over 250 IT applications and systems across the company
• Adobe Acrobat ÆVPN Client Software

Allows IT to interlace a process layer into a CMDB (if desired)
• ProcessÆServiceÆIT Component mapping

Provides process-centric Desktop/Workstation requirements and
enables improved IT recovery strategies for desktop infrastructure
• Improved focus on most critical processes first
• Extensive list of IT requirements for each process.
12
TM MC
Risk Assessment

Risk Assessments conducted by department leaders
across the entire company annually

Numerous IT-related Risks considered:

Loss of Email, loss of LAN/WAN, loss of other key internal systems
Rating system used for each Risk

13
89 Departments across Enterprise Solutions Division (ESD)
Rate Probability of failure (based on past experience)
Rate Business Impacts on department
Identify and Rate effectiveness of controls and countermeasures

Overall Risk Weighting established

Departments document their Risk assumptions
TM MC
Risk Assessment data - for IT

Departmental data gathered on Controls and
countermeasures

IT able to assess and validate the controls identified

Review recommendation of future controls

Consider additional controls to reduce uncertainty
Allows IT to focus on largest Risks

Allows IT to validate assumptions made by the business

14
Prioritized Risk Register (Highest Risk Weighting ÆLowest Risk
Weighting)
Quality of Service, effectiveness of controls
TM MC
Exercising (Testing)

All departments exercise their own plans

Scenario and objectives
• Site Loss, Key IT system loss,

Document finding and incorporate lessons learned into business
continuity plans
• Gaps communicated to IT

Forms of Departmental Exercises

Table top exercise

Integrated table top exercise
• Departments encouraged to ‘bring IT to the table’

Simulation
• IT conducting DR test with Sungard for key IT systems
15
TM MC
Exercising (Testing)

Additional Corporate Exercises

Lifeboat 1 in ‘07
• 200 Wellington St W site loss simulation
• Key staff redirected to Sungard recovery site
• Recovery of desktop infrastructure

Pandemic Exercise in ‘07
• Test capability of each business unit (including IT) on business
resumption capabilities with 40-50% staff reductions

Currently planning for Lifeboat 2
• Another 200 Wellington St W site loss simulation
• Sungard NOT available
• IT coordinating alternate location across GTA
16
TM MC
ITSCM Crisis Management Structure
17

Multi-tiered support
structure during crisis

Primary Coordination
layer with Senior mgt

Operational level task
execution
TM MC
Our Crisis Management
Accountability Statement
Provide a framework for the collection and assessment of
information during “a crisis” in support of the
organizations efforts in response to logistical coordination
needed to:

Ensure employee health and safety
Protect assets, including infrastructure

Preserve service to our customers.

18
Minimize financial impacts
TM MC
Executive
ESD BCO
ECT
(Senior
Management)
Operational
Management
Department/
Business Unit
19
TM MC
Crisis Management

Corporate Emergency Coordination Team

Internal IT is a key member of the Crisis Management Team
• Representing their own interests (IT business processes)
• Representing all IT interests across the organization

Internal IT is a key stakeholder for Crisis Management:

During event assessment
• Assessing IT availability and resiliency

During plan execution
• Achieving required service standards of the business (RPO, RTO, IT
resource availability)
• Business may have changing needs on IT infrastructure during crisis
• Availability of IT staff to support special needs of the business
20
TM MC
Summary
21

ITSCM should be viewed as integral to Corporate BCM

Internal IT is a key consumer of data generated by
Corporate BCM

Internal IT can mitigate business risk through effective
implementation of technology

Increased involvement of internal IT during planning
improves resumption capabilities
TM MC
Questions?
22
TM MC
Full BCM Framework
ITIL BCM Framework
23
TM MC