Control over the IT process of Ensure Continuous Service that satisfies the business requirement for IT of
- ensuring minimal business impact in the event of an IT service interruption
- building resilience into automated solutions and developing, maintaining and testing IT continuity plans
- Developing and maintaining (improving) IT contingency
- Training on and testing IT contingency plans
- Storing copies of contingency plans and data at off-site locations
- Number of hours lost per user per month due to unplanned outages
- Number of business-critical processes relying on IT not covered by the IT continuity plan
1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized
Benchmarks/Guidelines for Scoring
1 Non-existent when
There is no understanding of the risks, vulnerabilities and threats to IT operations or the impact of loss of IT services to the business. Service continuity is not considered to need management attention.
2 Initial/Ad Hoc when
Responsibilities for continuous service are informal, and the authority to execute responsibilities is limited. Management is becoming aware of the risks related to and the need for continuous service. The focus of management attention on continuous service is on infrastructure resources, rather than on the IT services. Users implement workarounds in response to disruptions of services. The response of IT to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs but do not consider business requirements.
3 Repeatable but Intuitive when
Responsibility for ensuring continuous service is assigned. The approaches to ensuring continuous service are fragmented. Reporting on system availability is sporadic, may be incomplete and does not take business impact into account. There is no documented IT continuity plan, although there is commitment to continuous service availability and its major principles are known. An inventory of critical systems and components exists, but it may not be reliable. Continuous service practices are emerging, but success relies on individuals.
4 Defined when
Accountability for the management of continuous service is unambiguous. Responsibilities for continuous service planning and testing are clearly defined and assigned. The IT continuity plan is documented and based on system criticality and business impact. There is periodic reporting of continuous service testing. Individuals take the initiative for following standards and receiving training to deal with major incidents or a disaster. Management communicates consistently the need to plan for ensuring continuous service. High-availability components and system redundancy are being applied. An inventory of critical systems and components is maintained.
5 Managed and Measurable when
Responsibilities and standards for continuous service are enforced. The responsibility to maintain the continuous service plan is assigned. Maintenance activities are based on the results of continuous service testing, internal good practices, and the changing IT and business environment. Structured data about continuous service are being gathered, analysed, reported and acted upon. Formal and mandatory training is provided on continuous service processes. System availability good practices are being consistently deployed. Availability practices and continuous service planning influence each other. Discontinuity incidents are classified, and the increasing escalation path for each is well known to all involved. Goals and metrics for continuous service have been developed and agreed upon but may be inconsistently measured.
6 Optimized when
Integrated continuous service processes take into account benchmarking and best external practices. The IT continuity plan is integrated with the business continuity plans and is routinely maintained. The requirement for ensuring continuous service is secured from vendors and major suppliers. Global testing of the IT continuity plan occurs, and test results are input for updating the plan. The gathering and analysis of data are used for continuous improvement of the process. Availability practices and continuous service planning are fully aligned. Management ensures that a disaster or major incident will not occur as a result of a single point of failure. Escalation practices are understood and thoroughly enforced. Goals and metrics on continuous service achievement are measured in a systematic fashion. Management adjusts the planning for continuous service in response to the measures.