Develop a framework for IT continuity to support enterprise-wide
business continuity management using a consistent process. The objective of the
framework should be to assist in determining the required resilience of the
infrastructure and to drive the development of disaster recovery and IT
contingency plans. The framework should address the organisational structure
for continuity management, covering the roles, tasks and responsibilities of
internal and external service providers, their management and their customers,
and the planning processes that create the rules and structures to document,
test and execute the disaster recovery and IT contingency plans.
The plan should also address items such as the identification of
critical resources, noting key dependencies, the monitoring and reporting of
the availability of critical resources, alternative processing, and the
principles of backup and recovery.
Value Drivers
• Continuous service across IT
• Consistent, documented IT continuity plans
• Governed services for business needs
• Achieved short- and long-range objectives supporting the organisation’s objectives
Risk Drivers
• Insufficient continuity practices
• IT continuity services not managed properly
• Increased dependency on key individuals
Control Practice
· Assign responsibility for and establish an enterprise-wide business
continuity management process. This process should include an IT continuity
framework to ensure that a business impact analysis (BIA) is completed and IT
continuity plans support business strategy, a prioritised recovery strategy,
necessary operational support based on these strategies and any compliance
requirements.
· Ensure that the continuity framework includes:
  o The conditions and responsibilities for activating and/or escalating the plan
  o Prioritised recovery strategy, including the necessary sequence of activities
  o Minimum recovery requirements to maintain adequate business operations and service levels with diminished resources
  o Emergency procedures
  o Fallback procedures
  o Temporary operational procedures
  o IT processing resumption procedures
  o Maintenance and test schedule
  o Awareness, education and training activities
  o Responsibilities of individuals
  o Regulatory
  o Critical assets and resources and up-to-date personnel contact information needed to perform emergency, fallback and resumption procedures
  o Alternative processing facilities as determined within the plan
  o Alternative suppliers for critical resources
  o Chain of communications plan
  o Key resources identified
· Ensure that the IT continuity framework addresses:
  o Organisational structure for IT continuity management as a liaison to organisational continuity management
  o Roles, tasks and responsibilities defined by SLAs and/or contracts for internal and external service providers
  o Documentation standards and change management procedures for all IT continuity-related procedures and tests
  o Policies for conducting regular tests
  o The frequency and conditions (triggers) for updating the IT continuity plans
  o The results of the risk assessment process (PO9)