Service Continuity Management

In the DSM.itil framework, the Service Continuity Management domain consists of two disciplines, Business Continuity Management and Security Continuity Management.

Business Continuity Management

Business Continuity Management is the process by which plans are put in place and managed to ensure that IT and Business Services can recover and continue should a serious incident occur. It is not just about reactive measures, but also about proactive measures - reducing the risk of a disaster in the first instance.

Business Continuity management is regarded as the recovery of the infrastructure used to deliver IT and Businesses services to ensure that the whole end-to-end business process can continue should a serious incident occur (at primary support level).

Continuity management involves the following basic steps:

• Prioritizing the businesses to be recovered by conducting a Business Impact Analysis (BIA)
• Performing a Risk Assessment (or Risk Analysis) for each of the Services to identify the assets, threats, vulnerabilities and countermeasures for each service
• Evaluating the options for recovery
• Producing the Contingency Plan
• Testing, reviewing and revising the plan on a regular basis

Security Continuity Management

The DSM.itil security management process describes the structured fitting of security within the IT Operations Framework. DSM.itil security management is based on the Code of Practice for Information Security Management defined by ISO/IEC 27002.

A basic concept of security management is the information security. The primary goal of information security is to the availability of information. When protecting information it is the value of the information that has to be protected. These values are stipulated by the confidentiality, integrity and availability of the data itself. Inferred aspects are privacy, anonymity and verifiability.

The goal of the Security Management is split up in two parts:

• The realization of the security requirements defined in a service level agreement (SLA) and other external requirements which are specified in underpinning contracts, legislation and possible internal or external imposed policies.
• The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. This is also necessary in order to reach a simplified service-level management for the information security, as it happens to be easier to manage a limited number of SLAs as it is to manage a large number of SLAs.

The input of the security management process is formed by the SLAs with the specified security requirements, legislation documents (if applicable) and other (external) underpinning contracts. These requirements can also act as key performance indicators (KPIs) which can be used for the process management and for the justification of the results of the security management process.

The output gives justification information to the realization of the SLAs and a report with deviations from the requirements.

The security management process has relations with almost all other DSM.itil-processes. However, the most obvious relations will be the relations to the service level management process, the incident management process and the Change Management process.