Leveraging the IT Service Continuity Management framework
Transcription
Leveraging the IT Service Continuity Management framework
Leveraging the IT Service Continuity Management framework Gord Novoselnik Business Continuity Office Enterprise Solutions Division 1 MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. IT Service Continuity Management Goal of ITSCM Support the overall Business Continuity Management (BCM) process by ensuring that the required IT technical and services facilities can be recovered within required, and agreed, business timescales. Scope of ITSCM 2 ITSCM focuses on the IT Services required to support the critical business processes. The Impact of a loss of a business process are measured through a Business Impact analysis, which determines the minimum critical requirements. TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Key Considerations 3 ITSCM is a sub-set of the Business Continuity Management program, and it utilizes the Business Continuity Management framework Minimum business requirements must be well-defined before scope of ITSCM can be defined BCM should already exist to enable ITSCM to efficiently meet the needs of the business ITSCM uses the data generated by the BCM program IT is a key stakeholder of the Corporate BCM program TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. ITIL BCM Framework* *Mitigation and prevention only. Where is Crisis Management? 4 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Points of Leverage DRI / BCI Business Continuity Management OGC - ITIL Business Impact Analysis Risk Assessments Exercising IT Service Continuity Management Crisis Management Business focus but also serves IT 5 IT focus but also serves the business TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Our Business Continuity Office Accountability Statement Provide knowledge, guidance and planning methodologies needed to ensure that MTS Allstream remains an industry leader in the performance, reliability and recoverability of its business and services delivery, under any operating condition …….Considering a holistic management process (Business Continuity Management - BCM) that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities 6 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Business Continuity Objective Business Continuity Program objective is to ensure the Corporation is prepared to deal with infrastructure failures and process disruptions which impact how MTS Allstream does business and delivers services everyday Key elements that should be preserved Health and Safety of our workforce Infrastructure Integrity Customer Service 7 Revenue TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Adapted DRI BCM Planning Framework Delivery Infrastructure Business Continuity Planning Process Finance/ Corporate Customer Services Employees & Work Centers Product / Service Delivery Sales & Marketing -BUSINESSIMPACT IMPACTANALYSISANALYSIS-BUSINESS What processes are What processes are important to my department? important to my department? Applications -PLAN -PLANUPDATESUPDATESLearn Learnfrom fromexercise exercise and andupdate updatethe theplan plan -RISKASSESSMENTASSESSMENT-RISK Whatrisks riskscan canaffect affect What these critical these critical processes? processes? Data Network -STRATEGYDEVELOPMENTDEVELOPMENT-STRATEGY What can wedo dototo What can we protectthese theseprocesses? processes? protect -EXERCISING-EXERCISINGPut Putthe theplan plantoto totothe test! the test! Platforms 8 -PLAN -PLANDEVELOPMENTDEVELOPMENTDocument Documentthe therecovery recovery strategies and strategies andother other important importantinformation information TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Business Impact Analysis Issued Corporate BIA questionnaire Process-centric view with 250 unique processes, division-wide Centralized, web-based interface, centralized database BIA Data will be used to: Perform gap analysis on existing Business Continuity Plans Define priorities for Corporate Security policies nationally Assess business impacts during disaster situations Identify and asses dependencies on key resources • People – key staff members, incl IT staff members • Process – inter- and intra-departmental dependencies, vendors, • Technology – infrastructure, applications and systems 9 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. BIA Data for IT – Closer Look BCO worked closely with IT to define requirements for BIA data collection for 75 strategic IT systems and applications Recovery Time Objectives – with standard time intervals • 0-2hrs, 2 hrs-1day, 2-4 days, 5 days or more Is the business unit able to adopt workarounds in the absence of IT systems? Recovery Point Objectives – with standard time intervals • <4 hrs, <24 hrs, <3 days, <7 days, >7 days 10 Is the business able to reconstruct data on affected IT systems when system is restored? TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. RPO and RTO 11 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. More BIA data - for IT BIA also collects broader IT application dependency data from all business processes. Over 250 IT applications and systems across the company • Adobe Acrobat ÆVPN Client Software Allows IT to interlace a process layer into a CMDB (if desired) • ProcessÆServiceÆIT Component mapping Provides process-centric Desktop/Workstation requirements and enables improved IT recovery strategies for desktop infrastructure • Improved focus on most critical processes first • Extensive list of IT requirements for each process. 12 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Risk Assessment Risk Assessments conducted by department leaders across the entire company annually Numerous IT-related Risks considered: Loss of Email, loss of LAN/WAN, loss of other key internal systems Rating system used for each Risk 13 89 Departments across Enterprise Solutions Division (ESD) Rate Probability of failure (based on past experience) Rate Business Impacts on department Identify and Rate effectiveness of controls and countermeasures Overall Risk Weighting established Departments document their Risk assumptions TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Risk Assessment data - for IT Departmental data gathered on Controls and countermeasures IT able to assess and validate the controls identified Review recommendation of future controls Consider additional controls to reduce uncertainty Allows IT to focus on largest Risks Allows IT to validate assumptions made by the business 14 Prioritized Risk Register (Highest Risk Weighting ÆLowest Risk Weighting) Quality of Service, effectiveness of controls TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Exercising (Testing) All departments exercise their own plans Scenario and objectives • Site Loss, Key IT system loss, Document finding and incorporate lessons learned into business continuity plans • Gaps communicated to IT Forms of Departmental Exercises Table top exercise Integrated table top exercise • Departments encouraged to ‘bring IT to the table’ Simulation • IT conducting DR test with Sungard for key IT systems 15 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Exercising (Testing) Additional Corporate Exercises Lifeboat 1 in ‘07 • 200 Wellington St W site loss simulation • Key staff redirected to Sungard recovery site • Recovery of desktop infrastructure Pandemic Exercise in ‘07 • Test capability of each business unit (including IT) on business resumption capabilities with 40-50% staff reductions Currently planning for Lifeboat 2 • Another 200 Wellington St W site loss simulation • Sungard NOT available • IT coordinating alternate location across GTA 16 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. ITSCM Crisis Management Structure 17 Multi-tiered support structure during crisis Primary Coordination layer with Senior mgt Operational level task execution TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Our Crisis Management Accountability Statement Provide a framework for the collection and assessment of information during “a crisis” in support of the organizations efforts in response to logistical coordination needed to: Ensure employee health and safety Protect assets, including infrastructure Preserve service to our customers. 18 Minimize financial impacts TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Executive ESD BCO ECT (Senior Management) Operational Management Department/ Business Unit 19 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Crisis Management Corporate Emergency Coordination Team Internal IT is a key member of the Crisis Management Team • Representing their own interests (IT business processes) • Representing all IT interests across the organization Internal IT is a key stakeholder for Crisis Management: During event assessment • Assessing IT availability and resiliency During plan execution • Achieving required service standards of the business (RPO, RTO, IT resource availability) • Business may have changing needs on IT infrastructure during crisis • Availability of IT staff to support special needs of the business 20 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Summary 21 ITSCM should be viewed as integral to Corporate BCM Internal IT is a key consumer of data generated by Corporate BCM Internal IT can mitigate business risk through effective implementation of technology Increased involvement of internal IT during planning improves resumption capabilities TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Questions? 22 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société. Full BCM Framework ITIL BCM Framework 23 TM MC MTS Allstream Inc. MTS Allstream Inc. proprietary. Use pursuant to company instructions./ Information exclusive à MTS Allstream Inc. Utiliser conformément aux directives de la société.