ITSCM | The Centauri Step, Governance and IT Security
The continuity of IT services is a key part of the security issue!
To be able to continue working
ITSCM stands for IT Service Continuity Management. For this, the ISO 22301 standard for business continuity management and the ISO 27001 standard for information security management are utterly complementary. By anticipating crises which could disrupt the activities of an organization, you can develop a pragmatic approach to IT security management.
The aim of managing continuity is to prevent serious and unplanned disruptions in service from resulting in a major disaster for your organization – such as the loss of critical data. Such interruptions can be caused by IT infrastructure flaws (e.g. viruses, denial-of-service attacks etc.), but also by natural disasters like floods, fires, earthquakes, and so on.
Although continuity might seem like a parallel topic to security, it is in fact important to address these two topics together to protect the future existence of the organization.
Those British again…
It is also worth mentioning the British ITIL framework of best practices which closely resembles the ITSCM framework. I can already hear you thinking: “with acronyms like those, here comes another series of stringent rules and cumbersome processes…” But it’snot the case! Both the ITIL and ITSCM aim to provide adaptable guidelines.
You and your team need to assess the framework, best practices and guidelines and then implement what works for you. And most importantly, try to stay flexible and avoid the silos that tend to occur within (almost) all organizations!
The key steps :
Developing an ITSCM will bring the organization’s management a great deal of insight as to the rules it needs, particularly for suppliers. How to proceed:
- Firstly, identify all of the organization’s assets (see the ISO 27001 chapter on Asset Management).
- Identify risks and threats.
- Prepare Disaster Recovery Plans (the type of emergency plan to implement depends on the level of risk that the organization is willing to take! These plans consist in establishing an order of priority for the restoration of services).
One small tip which might seem obvious, but which is useful to remember: a copy of this plan should of course be stored off site so that it can be accessed in an emergency!
Given that business continuity management encompasses IT risk management, as well as other risk management processes, IT teams should logically work closely with the business continuity team. This will allow them to prepare the business continuity plan (BCP), which includes IT incident prevention and recovery plans for disasters, as well as business impact assessments (BIA) which formally establish the cost of service interruption – and help identify which services are vital to the ongoing existence of the organization.
But, concretely, what does this entail?
For a better understanding of the issues at stake, approach the task by noting the questions you need to ask within your organization the answers will be useful to every member of staff, in every department.
Here are a few examples:
- How do we respond to incidents?
- What risks and threats does our business face?
- Which are our most critical activities? (this is the purpose of the BIA – see above).
- How will we react in the event of a disaster?
- Where is the information we will need to restore our most critical systems?
MY ADVICE = Once you have answered these questions, it is time to establish:
- The scope of IT responsibilities.
- The extent to which the business is impacted by each risk,
- Plans and processes for each risk scenario.
- The staff and reference documentation requirements.
NOTE: These elements will also help you in negotiations with your suppliers, to ensure that they are able to apply your own standards of continuity and security of your data.