Prepared for Emergencies With ITSCM (IT Service Continuity Management)

Preparing for a critical IT incident by means of IT Service Continuity Management (ITSCM) is only mandatory for banks, insurance companies, and operators of critical infrastructures. But it should be standard in all industries because it ensures that time-critical business processes continue to function in the event of an IT emergency or can be restored in an acceptable amount of time.

IT Service Continuity Management (ITSCM) makes a significant contribution to the resilience, continuity, and stability of companies. ITSCM is a subfield of Business Continuity Management (BCM) focusing on the availability of IT infrastructures, IT systems, and applications in the event of critical IT incidents.

While BCM proactively addresses the potential impact on time-critical business processes of building, personnel, and service provider failures, it “only” plans manual bridging measures for IT failures. ITSCM takes over the planning of availability and the coordinated restart of data centers, IT infrastructures, or IT systems, if necessary, within the parameters specified by BCM.

ITSCM as an integral part of an organization thus provides it with the ability to deliver the required IT services at a minimum level predefined by BCM or to restore them in an acceptable time despite a critical IT incident. This requires ensuring that existing risks to IT infrastructures and IT systems are managed so that the company or the contracted IT service provider can always provide at least the agreed service targets.

In coordination with the BCM process, the ITSCM uses formal techniques for risk assessment. In this way, risks are reduced and the restart of IT services is planned and prepared.

Timely prevention

When setting up the system, specialists coordinate the ITSCM organization and the BCM organization and ensure that IT normal operations and IT emergency operations match. To this end, rules must be defined in the ITSCM policy and the establishment of the ITSCM organization must be coordinated before the emergency occurs.

A manual with tactical guidelines for the process should be prepared. It should describe the methodology and contain work instructions for the ITSC manager and the ITSC coordinators.

Build competencies

The ITSCM policy is the statement and approval of IT/corporate management for the implementation of an ITSCMS and forms the basis for the process, describing medium- and long-term goals. It also defines the interfaces and expectations for other processes and makes the ITSCM measurable to a certain degree.

For success, it is important that all employees with ITSCM tasks have appropriate competence, gained through education and training but also through hands-on practice.

Confronting target requirements with facts

Once the basic prerequisites are in place and there is an awareness of the importance of an ITSCMS, the gap analysis is a fundamental step – the selection of ITSC solution options builds on this. The gap analysis, which must be performed annually, compares the target and actual values of the applications' continuity goals: RTO / RTA and RPO / RPA.

It also answers the question of which IT infrastructures, IT systems and applications are required for the identified time-critical business processes. The RTO / RPO values (target) are then compared with the RTA / RPA values (actual). Identified target / actual deviations can be closed by adjustments in IT or by extending the bridging measures in BCM.
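The target / actual comparison described above, as an added example that is not part of the original article. All process names, application names and hour values are constructed, and the rule that an application inherits the strictest RTO and RPO of the processes depending on it is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed BIA output (hours): time-critical processes, their targets and required applications.
PROCESSES = {
    "payment-processing": {"rto": 4, "rpo": 1, "apps": ["core-banking", "db-cluster"]},
    "customer-service": {"rto": 24, "rpo": 8, "apps": ["crm", "db-cluster"]},
}
# Constructed restart-test results (hours) per application; None means never tested.
ACTUALS = {
    "core-banking": {"rta": 6, "rpa": 0.5},
    "db-cluster": {"rta": 3, "rpa": 2},
    "crm": None,
}

@dataclass
class Gap:
    app: str
    metric: str               # "RTO/RTA" or "RPO/RPA"
    target: float             # strictest target inherited from the BIA
    actual: Optional[float]   # None = no measured value, treated as a gap
    driver: str               # process that imposes the strictest target

def app_targets(processes):
    """Assumption: an application inherits the strictest RTO/RPO of its dependent processes."""
    targets = {}
    for name, p in processes.items():
        for app in p["apps"]:
            t = targets.setdefault(app, {})
            for m in ("rto", "rpo"):
                if m not in t or p[m] < t[m][0]:
                    t[m] = (p[m], name)
    return targets

def gap_analysis(processes, actuals):
    """Return every application metric whose actual value misses (or lacks) its target."""
    gaps = []
    for app, t in sorted(app_targets(processes).items()):
        measured = actuals.get(app)
        for tm, am, label in (("rto", "rta", "RTO/RTA"), ("rpo", "rpa", "RPO/RPA")):
            target, driver = t[tm]
            actual = measured[am] if measured else None
            if actual is None or actual > target:
                gaps.append(Gap(app, label, target, actual, driver))
    return gaps

if __name__ == "__main__":
    for g in gap_analysis(PROCESSES, ACTUALS):
        print(g)
```

The shared `db-cluster` passes the customer-service targets but fails the RPO inherited from payment processing, which is the kind of deviation that is then closed in IT or bridged in BCM.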

What happens to identified risks?

To get an overall picture, it helps to form so-called “risk clusters”, each of which in turn comprises extensive groups of questions. For each worst-case scenario – such as the failure of a data center (DC), the inaccessibility of a data center or the failure of a WAN – a definition must be made in the ITSC solution concept.

Specifically, for example, it must be clarified what the “failure of a data center” means for the organization. Sensible and feasible solutions must be defined for each scenario.

Step by step to the solution concept

The gap analysis compares the results of the business impact analysis (BIA) with the current situation and identifies the gaps in terms of required recovery times, minimum level of IT emergency operation, or maximum acceptable data loss. Based on the results of the gap analysis, the optimal ITSC solution options can be determined by analyzing “consequential losses versus investments”. The decision results in the ITSC solution concept, in which all solutions are summarized in one document. The concept documents the continuity strategies employed at the level of the technology used in each case and in coordination with continuity management.

IT – Two letters, but a high level of complexity

In practice, there is often talk of an IT contingency plan or an ITSC plan. This could lead to the conclusion that there is only one plan. In fact, there is a multitude of plans: their entirety is called an ITSC plan.

1. Response plan

A compact summary of basic procedures: The response plan is intended to support the crisis team during a critical IT incident. It does not consist of long texts about the “why”, it is rather a collection of methodological tools. Among other things, it contains the answer to how the critical IT incident is declared, immediate actions, and assistance with initial assessment and communication.

2. Coordination plans

The emphasis is on the plural: there is one cause-independent plan per failure scenario. These plans accompany the restart in a structured manner until the end of the IT emergency operation and provide an overview of the interaction of the plans during the restart.

The content includes, among other things, the graphical representation of the restart (plans, blocks) and a checklist of the tasks for restarting in the event of a critical IT incident. The procedures should be divided into plans with blocks and individual tasks.

3. Recovery plans

Recovery plans refer to the restart of the respective IT infrastructures, IT systems, and IT applications. All recovery plans should be based on the same template. The content is filled by IT specialists who are supported by the ITSC coordinators and the ITSC manager. IT recovery planning requires the cooperation and coordination of all IT functional groups.

4. Recovery plan

This plan roughly describes, for the prioritized recovery option, the tasks that need to be performed to recover a data center. It is often sufficient to write a plan that describes the basic procedure and can therefore be transferred to other sites.

Activation in case of emergency

The ITSC plan is activated by calling out the “critical IT incident”. Interfaces to BCM and CM procedures must be observed, as well as the de-escalation procedure for withdrawing the alert. Maintenance and testing of the plans are essential for adequate action.

As a management process, the entire ITSCM system is subject to the principle of continuous improvement. Checks must be made to ensure that internal work instructions are implemented and adhered to and that all BCM requirements are met.

Avoiding pitfalls

To ensure that companies are adequately prepared, external experts provide support in developing and implementing ITSCM systems, creating ITSCM strategies and ITSCM plans, and setting up crisis management. The work is difficult and requires appropriate expertise to avoid mistakes. The goal must be to sustainably integrate ITSCM into everyday IT processes and the culture of the IT organization. The optimum benefit of the ITSCM program unfolds when ITSCM is viewed as an integral part of normal day-to-day operations and not as a separate activity.