AdSlot 1 (Leaderboard)

Securing your IT continuity

Many organisations are operating under the dangerous illusion that they will
never suffer a major loss of IT systems, or that such a loss will have a
relatively low impact, research from the British Standards Institute has warned.

BSI’s Publicly Available Specification (PAS) advisory paper, IT Service
Continuity Management Code of Practice
(reference 77:2006), paints a grim
picture of the potential disaster facing ill-prepared organisations. It cautions
that while many firms believe that they have invested in adequate systems
resilience, in reality most do not have adequate plans to protect themselves
from natural disasters or human error.

Financial directors may be forgiven for believing that the risks posed by
inadequate IT disaster recovery have been overstated recently. For some time now
they have been subjected to a steady stream of doom-laden reports initiated by
technology vendors. It is also fair to point out that the BSI’s code of practice
has been produced in partnership with Adam Continuity, Dell Corporation, Unisys
and SunGard.

Guidance and advice
But this is no vendor hard-sell. The report takes the form of guidance and
recommendations. BSI stresses that the tome should not be regarded as a British
standard, nor should it be viewed as a step-by-step guide to implementing IT
service continuity management (ITSCM). What it does offer is comprehensive
advice on the aspects of ITSCM that organisations should consider when investing
in this area.

Disaster recovery
The report points out that, while major events such as bombs, fires and floods
make headline news, the majority of IT related incidents fall into the category
of ‘quiet calamities’ that only affect an individual or a small subset of an
organisation. Examples of such common incidents include the theft of a mobile
worker’s laptop, the failure of a business application and corruption of impo
rtant or confidential data. These incidents have the potential to damage an
organisation’s brand and reputation, as well as its revenues and customer

BSI advises enterprises to ensure that they link their IT strategy and IT
architectures with IT service continuity (ITSC) plans and ITSC strategies. IT
strategy should define an organisation’s key policies and direction regarding
information technology, systems and services. From this, the ITSC strategy can
be defined to ensure that the policies and standards for ITSC directly and
explicitly support the objectives set out in the IT strategy. This then enables
the organisation to define its IT architecture based upon the requirements and
objectives set out in the IT strategy and ITSC strategy. Once the architecture
is defined, an organisation can define viable ITSC plans for each element of the

ITSC is not just a technical issue, though, and must be defined as a
collection of policies, standards, processes and tools through which
organisations can improve their ability to respond when major system failures
occur, as well as their resilience to major incidents. It should be undertaken
with a complete and thorough understanding of the organisation’s policies,
standards, processes and supporting services for: business continuity management
(BCM); major incident and crisis management; corporate governance and risk
management; IT governance; and information security and data protection.

ITSC management should also have a significant influence on IT strategy, to
identify information systems and services that require high levels of
resilience, availability and capacity. Before commencing any ITSC programme
there should be an understanding of potential risks and impacts.

Risk assessment
It is necessary to conduct a business criticality and risk assessment to
identify critical activities, with the degree these are dependent on IT.

BSI advises that BCM must be able to manage these risks to ensure that an
organisation can continue operating to a pre-determined minimum level at all
times. The BCM process involves reducing the risk to an acceptable level and
planning for the recovery of business processes should a risk materialise and a
disruption to the business occur. ITSC management should be a part of the
overall business continuity plan and not dealt with in isolation.

An ITSC strategy should define the direction and high-level methods that
should meet IT service-level objectives. It should ensure a business is never
compromised by a lack of IT availability, beyond acceptable, predefined and
regularly reviewed levels of uptime and performance. This ITSC strategy should
be agreed at board level and be fully endorsed by the CEO. A board member should
be accountable for the strategy and be referred to when deciding on new business
initiatives including mergers and acquisitions, directional change and any
decision that could have an impact on ITSC.

When formulating ITSC plans, organisations are advised to aim for a simple,
clear, unambiguous and all-encompassing set of documents that define the actions
required to restore IT services in the event of an incident. To complicate
matters further, BSI advises that ITSC plans must be constantly rehearsed,
updated, modified and improved.

The advisory cautions that even organisations that address all elements of
its service continuity code of practice can expect no respite. BSI notes that
business is, by its very nature, dynamic and ever-changing. With these changes
come dangers; not only risk of failure, but the risk of destabilising existing
policies and strategies. Therefore, effective ITSC strategies and plans must be
resilient to change, pragmatic and adaptable.

Related reading