Our client is an established research led university with over 20,000 students in the UK.
An internal audit identified a requirement to undertake an IT focused business impact analysis (BIA) to ascertain the level of need for the recovery of IT systems and services by the University’s departments and schools in the event of a disruptive incident. 90% of the buildings are based on a single campus.
A business continuity aim was defined to provide focus for the analysis which stated that if an incident causes the loss of IT, communications or data services, recovery plans and associated solutions will be in place to ensure that IT services can be recovered at a level and speed that will allow the University to continue to deliver teaching and other business critical activities, thus ensuring income streams and reputation are protected.
Prior to Teed’s involvement, previous disaster recovery (DR) planning had been geared towards the internal resilience of key data centres to avoid incidents causing disruption to IT services. However, there was not sufficient focus on dealing with a worst case scenario event at the level of a complete loss of data centre facilities. The BIA study carried out by Teed sought to change this philosophy and address this type of scenario.
Previously there had been difficulty in obtaining commitment from user departments and schools in terms of the real priority of systems and services. It was recognised that an independent specialist approach would help identify the real needs as opposed to perceived needs. At the same time, requirements would be mapped against what was currently achievable within a range of incident scenarios and clarify where there were gaps.
Teed was engaged to take the client through the business impact analysis to identify gaps and help define solutions and strategies to improve the current level of preparedness.
Our consultant’s first action was to gain an understanding of the current set up of IT infrastructure and the ability to recover from a range of disruptive scenarios. Taking account of this information, an impact analysis method was devised to ensure appropriate and useful information was obtained from BIA participants.
Next, representatives of 28 departments and schools were taken through the BIA interview process during which 57 respective business functions were identified with 106 associated critical activities. For each critical activity, the Recovery Time Objective (RTO) was defined before asking if there were potential workarounds and contingencies which would buy more time before access to IT services and data was required.
A series of other questions were asked to gain a good understanding of all resource dependencies and potential areas of concern to be addressed. A shopping list of all IT & Communications services requirements were mapped against each department or school, with RTOs and Recovery Point Objectives (RPOs) delivered to the IS team.
The information was validated through discussions held to determine if requirements could be satisfied, with the emphasis on known gaps and vulnerabilities.
The University now has a clear understanding of IT related risks and user requirements. This information has been fed into a two-year programme of scheduled disaster recovery activity nearing fruition at the time of writing. This included producing an IT Statement of Recovery clearly allocating tiers to IT services to ensure prioritisation at the time of recovery.
12 priority activities were outlined by Teed’s consultant in the Recommendations Report submitted to the University, for changing existing infrastructure, processes and data management to take account of available technology.
The opportunity was also used to ensure expectations were managed and not all responsibilities lie with the IS department. Departments and schools were encouraged to implement workarounds to address recovery capability and residual risk.
Teed’s consultant was able to draw upon experience gained from helping similar institutions enabling the client to define IT & Comms priorities and manage expectations in the event of a worst case scenario. Teed has been asked to undertake review and exercising activity upon completion of the DR implementation to ensure it is effective.