IT Governance, Risk, and Compliance


July 22, 2011  5:35 PM

Business Continuity and IT Availability – Part VII



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Information Security Governance, Information Security Service Management, Information Technology Service Management, ISG, ISSM, ITSM, Service Delivery, Service Disruption, Threat Management

Through establishment and deployment of an emergency management program, top-level personnel can send a clear message to everyone in the entity that business continuity and disaster recovery control responsibilities are taken seriously. If properly institutionalized, lower-level personnel will endeavor to understand germane aspects of the entity’s continuity systems, and how they operate, as well as their own roles and responsibilities within the control program.

Within the confidentiality, integrity, and availability (C-I-A) triad, pertinent financial and non-financial information relating to external or internal events, as well as to daily activities, should be identified, captured, and communicated properly and in a timely manner to decision makers. When required, established entity communication channels should permit authorized information flows throughout the organizational structure, with all relevant internal and external data reliably conveyed to the intended recipients.


July 19, 2011  8:04 PM

Business Continuity and IT Availability – Part VI



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Information Security Governance, Information Security Service Management, Information Technology Service Management, ISG, ISSM, ITSM, Service Delivery, Service Disruption, Threat Management

Considering the interconnectivity of national economies through computer networks, entities are more vulnerable than ever to the possibility of technical difficulties disrupting business at any point in the communication chain. From flood or fire to computer virus or denial-of-service attack, disasters can affect information assets crucial to conducting business locally, regionally, and globally.

To enable beneficial IT and information security service delivery and support, appropriate objectives, goals, policies, procedures, standards and rules are required (as with all processes). Specifically, adopting ITSM standards usually generates benefits the moment an entity decides to rely on a business continuity service provider. For example, using a publicly available, generally accepted standard as the basis for an SLA between the entity and its disaster recovery service partners will normally generate fewer disputes and lower costs.



July 15, 2011  2:44 AM

Business Continuity and IT Availability – Part V



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Information Security Governance, Information Security Service Management, Information Technology Service Management, ISG, ISSM, ITSM, Service Delivery, Service Disruption, Threat Management

Managerial concerns normally include excessive business costs, forgone business opportunities, and potential revenue losses. When a business interruption occurs, the condition of restored information assets may affect operational effectiveness and efficiency. Potentially, the IT function’s costs could escalate beyond tolerable limits, while user departments experience a general loss of productivity and/or critical resources that prevents them from pursuing business opportunities and generating revenue economically. Specifically, errors in data backup, storage, maintenance, retention and restoration may interfere with fulfilling organizational continuity and availability objectives. For example, many entities rely on available information to provide feedback on divisional and departmental performance. Errors in restored information could reduce management’s ability to evaluate performance and take appropriate corrective action, thus diminishing the effectiveness of program, system and process monitoring.



July 12, 2011  9:32 PM

Business Continuity and IT Availability – Part IV



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Information Security Governance, Information Security Service Management, Information Technology Service Management, ISG, ISSM, ITSM, Service Delivery, Service Disruption, Threat Management

Where accepted as a managerial responsibility, an adequate ISG program should have security professionals participating in the system life cycle’s design, acquisition, testing, and maintenance phases to ensure that business continuity and availability requirements are appropriately incorporated, that selected contingency configuration items function as intended, and that deployed service restoration features are not compromised during maintenance.

As synthesized sub-frameworks, Information Technology Service Management (ITSM) and Information Security Service Management (ISSM) promote entity information technology and information security units actively identifying the services customers need, then focusing on planning and delivering the defined services to meet availability as well as continuity requirements. Internally and externally, IT and/or information security units should manage accepted service-level agreements (SLAs) to meet agreed-upon service restoration targets.



July 8, 2011  10:25 PM

Business Continuity and IT Availability – Part III



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Information Security Governance, ISG, Service Delivery, Service Disruption, Threat Management

Governance usually occurs at different organizational strata, with activities flowing from processes, processes linking up to systems, and programs receiving objectives from the entity’s oversight committee through established reporting lines. Alternatively or simultaneously, designated technological resources may provide information directly to the entity’s oversight committee for critical programs, systems, or processes. Nevertheless, IT availability is generally accepted as an information security governance (ISG) domain. Therefore, the ISG program should provide guidelines that aid management in understanding the importance of, and promote the development of, an entity-wide BCP. Proactively, an ISG program should address the integration of business continuity and availability requirements during system development projects.



July 5, 2011  8:24 PM

Business Continuity and IT Availability – Part II



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, Disaster Recovery, DRP, Service Delivery, Service Disruption, Threat Management

Minimally, an entity’s IT governance program should address business continuity and IT availability requirements within the context of ensuring continuous service. As suggested by ISACA, a business continuity plan (BCP) assumes the role of the advance planning and preparation necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. Disaster recovery planning is a key BCP component, referring to the technological aspects of a BCP and encompassing consistent actions to be undertaken before, during and after a catastrophe. Sound disaster recovery preparation is forged through a comprehensive planning system involving all of the entity’s business processes.



July 1, 2011  10:07 PM

Business Continuity and IT Availability – Part I



Posted by: Robert Davis
Backup, BCM, BCP, Business Continuity, Crisis Management, DRP, Service Delivery, Service Disruption, Threat Management

Organizational units exist for various reasons. Governance focusing on business perpetuity and reliability should address strategic to operational transformations enabling adequate continuity management. Threading from the first-tier ‘Governance Tree’ level, linked leaves are inextricably affected by external forces. Consequently, an organizational formation’s continuity depends on relevant, accurate and timely external environment information assessments to drive appropriate governance. Management, especially information security management, cannot establish an adequate safeguarding posture unless root expectations are understood and potential threats, weaknesses as well as opportunities are appropriately addressed. Towards this end, entity oversight committee members — particularly non-executive directors — should ensure they are satisfied that effective, efficient, as well as compliant processes are deployed for business continuity and IT availability.


June 28, 2011  8:26 PM

Governance and Managing IT Projects – Part VIII



Posted by: Robert Davis
Application Portfolio Management, Infrastructure Portfolio Management, IT Portfolio Management, IT Project Governance, Project Communications Management, Project Portfolio Management

In group situations, decisions on what should be included in the portfolio of active IT investments may be fragmented between the chief information officer (CIO) and business executives, who may each make assumptions regarding how, and by whom, decisions should be made. However, both IT and business leaders should vet project proposals by matching them against the entity’s strategic objectives. Directly, SILCM has a significant effect on the viability of an IT project governance program. Indirectly, IT project governance may affect the entity value assessed by stakeholders. Therefore, management should ensure ‘best practices’ IT project governance is deployed within the IT governance framework to enable increased valuation by stakeholders.



June 25, 2011  12:10 AM

Governance and Managing IT Projects – Part VII



Posted by: Robert Davis
Application Portfolio Management, Infrastructure Portfolio Management, IT Portfolio Management, IT Project Governance, Project Communications Management, Project Portfolio Management

Technological development and deployment is inextricably connected to the economic, social, political, and informational factors that prevail in the entity’s control environment. The system and infrastructure development life cycle is the process involving multiple stages utilized to convert a managerial need into an operational IT asset — which may be custom-developed, acquired, or a combination of both. To effectively and efficiently accomplish the conversion, project membership cohesion for achieving stated objectives and goals is imperative. Within this context, through aligned policies and procedures, an entity’s control environment can provide discipline and structure to processes ensuring operational, financial, and compliance requirements are adequately addressed for IT projects.



June 21, 2011  8:54 PM

Governance and Managing IT Projects – Part VI



Posted by: Robert Davis
Application Portfolio Management, Infrastructure Portfolio Management, IT Portfolio Management, IT Project Governance, Project Communications Management, Project Portfolio Management

Planning system and infrastructure deployments generally resides with upper-level management. In particular, the chief information officer (CIO), or a manager possessing overall responsibility for IT, commonly plans system and infrastructure deployments for the entity. Lower-level IT management, in turn, has an obligation to implement the entity’s strategic plan based on the entity’s long-term objectives.

Typical project constraints that must be managed are scope, time and budget; the secondary, and more ambitious, challenge is optimizing the allocation and integration of the resources necessary to meet pre-defined objectives and goals. Thus, considering this stated premise, the central dilemma of IT project management is achieving all project objectives while honoring established project constraints.
