ITIL and DRP

[Joanne]

Hello @ll,

I'm about to start a Disaster Recovery Planning project with a new client that has implemented ITIL.
Are there any particular areas I should be looking at with respect to ITIL?
Any help/hints will be greatly appreciated!

Thanks

Joanne

[ITILGUY]

Hello Joanne

Couple links between ITIL and BC/DR :-

1- The overall ITIL framework has a "security management" component and this can be based on BS7799 (ISO17799)

2- One of the two ITIL pillars which is "IT Service Delivery" which covers 5 processes (functions) including a "IT Service Continuity Management" process (function) which includes risk assessment, business impact analysism disaster recovery plans, ....

Hope this helps

[Joanne]

Thanks for the tips ITILGUY. My next question would then be:

Is it mandatory to use these guidelines (are they guidelines?)when developing the DRP?
The reason I'm asking is that my client will be under an IT audit towards the middle of the DRP project. The audit will be performed by their HQ which I assume may then be subject to ITIL.
My confusion comes from the fact that I'm more CISA inclined and perhaps have more difficulty "picturing" the ITIL framework.

Thanks.

Joanne

[ranjithraghunathan]

Strictly and only in line with ITIL, the Disaster Recovery Plan is part of IT Service Continuity Management.

Your project should cover the following:
1. Initiation
2. Requirements and Strategy
3. Organization and implementation planning
4. Education and Awareness, Review, Testing, Change Control, Training, Assurance

1. Initiation - Initiate Business Contuinity Management
2. Requirements & Strategy - Business Impact Analysis, Risk Assessment, Business Continuity Strategy.
3. Organization and implementation planning - Implement Standby Arragements, Develop Recovery Plans, Implement Risk Reduction Measures, Develop Procedures, Initiate Testing

In the business impact analysis - have the purpose areas as follows
1. Identify key IT services
Determine the effect of unavailability
2. Determine the effect of unavailability
3. Investigate the time before the effects are felt
4. Assess minimum recovery requirements
5. Document with the business impact scenarios

Risk Analysis & Management

Guage - Assets, Threasts, Vulnerabilities under Risks.
Take Counter measures for tackling the risks.

Business continuity strategy - What services will be plan for?, What recovery and preventive options are available? , What are the costs of each?, What services take priority in recovery?

Standby arrangements - Do nothing, manual workarounds, reciprocal arrangements, Immediate Recovery, Intermidiate Recovery, Gradual Recovery, Fortress approach, dormant contracts, insurance.

Do you want more?
_________________
Ranjith Raghunathan
ITIL Foundation Certified

P.S - Most of my posts are to understand the ITIL fundamentals clearly. So please excuse if not genuine answers to questions.

[ranjithraghunathan]

I would suggest that you have your entire Disaster Recovery Plan charted down in a flowchart using Swimlane (MS Visio 2003 is sufficient).

This will help you very well in simplifying your course of action.
_________________
Ranjith Raghunathan
ITIL Foundation Certified

P.S - Most of my posts are to understand the ITIL fundamentals clearly. So please excuse if not genuine answers to questions.

[jpgilles]

Although ITIL's Continuity Management is pretty accurate for that matter, I would recommend to refer to BCI's guides of Best Practices.

(BCI stands for Business Continuity Institute, see their web site)
_________________
JP Gilles

[itsm5]

Or better still... there is an emerging standard for business continuity management: BS25999

See the website: 25999.info for information on the current state of play, or perhaps pas56.com (bs25999 was previously known as PAS56).

This shouldn't be confused with PAS77, which is another option. This is specifically related to IT Service Continuity Management. See the source from BSI here: standardsdirect.org/pas77.htm

[stef]

Hello ,

My question is about the response from Ranjith Raghunathan

I have read ITIL book, so i agree with you, but can you help me understand:

- BIA is for the business so i have understood that the goal was to determine impact when business processes stop (if the pay service stop ...). But in my compagny, we started with application so i would determine impact when application stop (if the application stop ...). When i read your message i understand that i have to determine impact when a IT componant (server, motherboard, hard disk, switch) stop (if this component stop ...). What is the good practice ? Have tou an exemple of "key IT service", an exemple of "effect of unavailability" ? What is the granularity of the study : server, hard disk, cpu ...

- Risk : risk on a specific hard disk or on a specific server or on all the IT system (mehari ...)

An other question : how much month for implementing ITIL Continuity on 700 servers.

Thank you

[jpgilles]

Stef,

ITIL as BCI recommend to start with BIA as a DRP should be part of a larger plan to recover business activities in case of a disaster (what's the value of being able to restart application X in 24 H on a backup site if there are no users to use it, because the biz managers did not organize to relocate the users as part of their continuity plan?).
However, it happens quite often that the IT department starts working on continuity and DRP issues before the business really starts considering the issue.
In any case, the recommendation is the same: you have to start form the business side:
* which business processes are the most critical for the company?
* How long can teh company survive without them?
* What IT services do support these business processes?
* What IT systems do participate in this services?
* What CI do contribute to these systems?

Please take care that although the work will focus on restoring the most critical services first, preferably in a controlled and fully planned procedure, you probably have to make sure, you wil be able to restore all services at the end, even the least critical (e.g. development activities may not be critical nor need to be restarted in the next 48 hours, however the company may not be able to survice to the loss of all development data & work that was done over the past year nor the unabality to restart its development in a certain period of time after the disaster....

Ansewering the questions above will merely allow to classify IT services and systems in several categories (I would recommend a minimum of 3) based on different criteria (max unavailability, data loss,...) that will help shape your recorvery plan in different phases...

Hope it can help clarify your mind

Best regards
JP
_________________
JP Gilles

[m_croon]

[carischila]

What is the best Motherboard out there that can take the most upgrades?
I am looking at building a computer but I need to know the best motherboard that can handle the most upgrades. Can anyone let me know what some of the best are and how much they cost? Feel free to just add links if you'd like.

[UKVIKING]

Oblique topic change... I love it

Clueless as well
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter

[Diarmid]

I don't fancy using a computer put together with that level of compatibility.
_________________
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718

[asrilrm]

[Diarmid]