Securing your IT continuity

Many organisations are dangerously unaware of the risks of not having an IT continuity plan in the event of disaster


Many organisations are operating under the dangerous illusion that they will never suffer a major loss of IT systems, or that such a loss will have a relatively low impact, research from the British Standards Institute has warned.

BSI's Publicly Available Specification (PAS) advisory paper, IT Service Continuity Management Code of Practice (reference 77:2006), paints a grim picture of the potential disaster facing ill-prepared organisations. It cautions that while many firms believe that they have invested in adequate systems resilience, in reality most do not have adequate plans to protect themselves from natural disasters or human error.

Financial directors may be forgiven for believing that the risks posed by inadequate IT disaster recovery have been overstated recently. For some time now they have been subjected to a steady stream of doom-laden reports initiated by technology vendors, but this report takes the form of guidance and recommendations.

BSI stresses that the tome should not be regarded as a British standard, nor should it be viewed as a step-by-step guide to implementing IT service continuity management (ITSCM). What it does offer is comprehensive advice on the aspects of ITSCM that organisations should consider when investing in this area. The report points out that, while major events such as bombs, fires and floods make headline news, the majority of IT-related incidents fall into the category of 'quiet calamities' that affect only an individual or a small subset of an organisation.

Examples of such common incidents include the theft of a mobile worker's laptop, the failure of a business application and the corruption of important or confidential data. These incidents have the potential to damage an organisation's brand and reputation, as well as its revenues and customer service.

BSI advises enterprises to ensure that they link their IT strategy and IT architectures with IT service continuity (ITSC) plans and ITSC strategies. IT strategy should define an organisation's key policies and direction regarding information technology, systems and services. From this, the ITSC strategy can be defined to ensure that the policies and standards for ITSC directly and explicitly support the objectives set out in the IT strategy. This then enables the organisation to define its IT architecture based upon the requirements and objectives set out in the IT strategy and ITSC strategy.

Once the architecture is defined, an organisation can define viable ITSC plans for each element of the architecture. ITSC is not just a technical issue, though, and must be defined as a collection of policies, standards, processes and tools through which organisations can improve their ability to respond when major system failures occur, as well as their resilience to major incidents. It should be undertaken with a complete and thorough understanding of the organisation's policies, standards, processes and supporting services for: business continuity management (BCM); major incident and crisis management; corporate governance and risk management; IT governance; and information security and data protection. ITSC management should also have a significant influence on IT strategy, to identify information systems and services that require high levels of resilience, availability and capacity.

Before commencing any ITSC programme there should be an understanding of potential risks and impacts. It is necessary to conduct a business criticality and risk assessment to identify critical activities and the degree to which these depend on IT.

BSI advises that BCM must be able to manage these risks to ensure that an organisation can continue operating to a pre-determined minimum level at all times. The BCM process involves reducing the risk to an acceptable level and planning for the recovery of business processes should a risk materialise and a disruption to the business occur.

ITSC management should be a part of the overall business continuity plan and not dealt with in isolation. An ITSC strategy should define the direction and high-level methods that should meet IT service-level objectives. It should ensure a business is never compromised by a lack of IT availability, beyond acceptable, predefined and regularly reviewed levels of uptime and performance. This ITSC strategy should be agreed at board level and be fully endorsed by the CEO. A board member should be accountable for the strategy and be referred to when deciding on new business initiatives including mergers and acquisitions, directional change and any decision that could have an impact on ITSC. When formulating ITSC plans, organisations are advised to aim for a simple, clear, unambiguous and all-encompassing set of documents that define the actions required to restore IT services in the event of an incident.

To complicate matters further, BSI advises that ITSC plans must be constantly rehearsed, updated, modified and improved. The advisory cautions that even organisations that address all elements of its service continuity code of practice can expect no respite. BSI notes that business is, by its very nature, dynamic and ever-changing. With these changes come dangers: not only the risk of failure, but the risk of destabilising existing policies and strategies. Therefore, effective ITSC strategies and plans must be resilient to change, pragmatic and adaptable.
