Случайная страница | ТОМ-1 | ТОМ-2 | ТОМ-3 Архитектура Биология География Другое Иностранные языки Информатика История Культура Литература Математика Медицина Механика Образование Охрана труда Педагогика Политика Право Программирование Психология Религия Социология Спорт Строительство Физика Философия Финансы Химия Экология Экономика Электроника

IT Service Continuity Management

This section provides practical usage and details about how each IT Service Continuity Management (ITSCM) method can be used in various activities of CSI.

Business Continuity Management, ITSCM and CSI

Any CSI initiative to improve services needs to also have integration with ITSCM as any changes to the service requirement s, infrastructure etc. need to be taken into account for any changes that may be required for the Continuity Plan. That is why it is important for all service improvement plan s to go through Change Management.

Business Continuity Management (BCM) is concerned with managing risks to ensure that an organization can continue operating to a predetermined minimum level. The BCM process involves reducing the risk to an acceptable level and planning for the recovery of business process es should a risk materialize and a disruption to the business occur.

ITSCM allows an IT organization to identify, assess and take responsibility for managing its risks, thus enabling it to better understand the environment in which it operates, decide which risks it wishes to counteract, and act positively to protect the interests of all stakeholder s (including staff, customer s, shareholders, third parties and creditors). CSI can complement this activity and help to deliver business benefit.

Risk Management

Every organization manages its risk, but not always in a way that is visible, repeatable and consistently applied to support decision making. The task of Risk Management is to ensure that the organization makes cost-effective use of a risk process that has a series of well-defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.

There are two distinct phases: risk analysis and risk management. Risk analysis is concerned with gathering information about exposure to risk so that the organization can make appropriate decisions and manage risk appropriately. Risk analysis involves the identification and assessment of the level (measure) of the risks calculated from the assessed values of asset s and the assessed levels of threat s to, and vulnerabilities of, those assets.

Risk Management involves having processes in place to monitor risks, access to reliable and up-to-date information about risks, the right balance of control in place to deal with those risks, and decision-making processes supported by a framework of risk analysis and evaluation. Risk Management also involves the identification, selection and adoption of countermeasure s justified by the identified risks to assets in terms of their potential impact upon services if failure occurs, and the reduction of those risks to an acceptable level.

Risk Management covers a wide range of topics, including business continuity management, security, programme/ project risk management and operational service management. These topics need to be placed in the context of an organizational framework for the management of risk. Some risk-related topics, such as security, are highly specialized and this guidance provides only an overview of such aspects.

A certain amount of risk taking is inevitable if an organization is to achieve its objective s. Effective management of risk helps to improve performance by contributing to:

• Increased certainty and fewer surprises
• Better service delivery
• More effective management of change
• More efficient use of resources
• Better management at all levels through improved decision making
• Reduced waste and fraud, and better value for money
• Innovation
• Management of contingent and maintenance activities.

Relating management of risk to safety, security and business continuity

Management of risk should be carried out in the wider context of safety concerns, security and business continuity:

• Health and safety policy and practice is concerned with ensuring that the workplace is a safe environment.
• Security is concerned with protecting the organization’s asset s, including information, buildings and so on.
• Business continuity is concerned with ensuring that the organization could continue to operate in the event of a disaster, such as loss of a service, flood or fire damage.

Figure 5.13 Reasons for a Risk Management process

Business perspective on Risk Management

Risk Management from the business perspective, in the context of working with supplier s, centres on assessing vulnerabilities in supplier arrangements which pose threats to any aspect of the business including:

• Customer satisfaction
• Brand image
• Market share
• Share price
• Profitability
• Regulatory impacts or penalties (in some industries).

The nature of the relationship affects the degree of risk to the business.

Risks associated with an outsourced supplier are likely to be greater in number, and more complex to manage, than with an internal supply. It is rarely possible to outsource risk. Blaming a supplier does not impress customers or internal user s affected by a security incident or a lengthy system failure. New risks arising from the relationship need to be identified and managed, with communication and escalation as appropriate.

A substantial risk assessment should have been undertaken pre-contract, but this needs to be maintained in the light of changing business needs, changes to the contract scope or changes in the operational environment.

Risk profiles and responsibilities

The organization and the supplier must consider the threat s posed by the relationship to their own asset s, and have their own risk profile. Each must identify their respective risk owners. In a well-functioning relationship it is possible for much or all of the assessment to be openly shared with the other party. By involving supplier experts in risk assessments, the organization may gain valuable insights into how best to mitigate risks, as well as improving the coverage of the assessment.

Risk assessments typically consider threats which may exploit vulnerabilities to impact the confidentiality, integrity or availability of one or more assets.

Scope of risk assessments:

• Identification of risks (threats and vulnerabilities)
• Target, i.e. the assets under threat
• Impact of risks, qualitative and quantitative
• Probability of occurrence
• Possible mitigating actions or control s
• Identification of stakeholder s who are accountable for the risk, and responsible for selecting an appropriate action (including possibly accepting the risk with no control)
• Responsibility for implementing selected actions or controls
• Choice of actions or controls, based on evaluation of impact vs. cost of action or control.

For outsourced operation s, particular care needs to be taken when considering the ownership of the assets at risk. These will be different for each party.

Risk Management processes need to be considered as cyclical, review ing the suitability of previous actions, and reassessing risks in the light of changing circumstances. Risks are likely to be managed through a Risk Register such as the example provided in Table 5.8.

Table 5.8 Risk register

For further information on risk management, consult the ITIL Service Design and Service Transition publications.

While Risk Management is primarily conducted during design and transition stages of the service lifecycle, a good CSI programme will assess the results of Risk Management activities to identify service improvements through risk mitigation, elimination and management.

Дата добавления: 2015-10-02; просмотров: 74 | Нарушение авторских прав