
Tuesday, August 28, 2012

IT Continuity Framework


Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organisational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans.
The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.

Value Drivers
    Continuous service across IT
    Consistent, documented IT continuity plans
    Governed services for business needs
    Achieved short- and long-range objectives supporting the organisation’s objectives

Risk Drivers
    Insufficient continuity practices
    IT continuity services not managed properly
    Increased dependency on key individuals

Control Practice

· Assign responsibility for and establish an enterprise-wide business continuity management process. This process should include an IT continuity framework to ensure that a business impact analysis (BIA) is completed and IT continuity plans support business strategy, a prioritised recovery strategy, necessary operational support based on these strategies and any compliance requirements.
· Ensure that the continuity framework includes:
    o The conditions and responsibilities for activating and/or escalating the plan
    o Prioritised recovery strategy, including the necessary sequence of activities
    o Minimum recovery requirements to maintain adequate business operations and service levels with diminished resources
    o Emergency procedures
    o Fallback procedures
    o Temporary operational procedures
    o IT processing resumption procedures
    o Maintenance and test schedule
    o Awareness, education and training activities
    o Responsibilities of individuals
    o Regulatory
    o Critical assets and resources and up-to-date personnel contact information needed to perform emergency, fallback and resumption procedures
    o Alternative processing facilities as determined within the plan
    o Alternative suppliers for critical resources
    o Chain of communications plan
    o Key resources identified

· Ensure that the IT continuity framework addresses:
    o Organisational structure for IT continuity management as a liaison to organisational continuity management
    o Roles, tasks and responsibilities defined by SLAs and/or contracts for internal and external service providers
    o Documentation standards and change management procedures for all IT continuity-related procedures and tests
    o Policies for conducting regular tests
    o The frequency and conditions (triggers) for updating the IT continuity plans
    o The results of the risk assessment process (PO9)

