Was only going to do one blog today but decided that this was a bit too relevant for it to wait.
I recently met with a manager of a local service provider. The senior manager was quite concerned about two things their previous IT Manager had not addressed:
- Compliance (HIPAA/HITECH)
- Business Continuity
As a result of that conversation I put together the following for her (modified for this audience) to help her address her concerns and brief her future IT Manager.
BC Plan Requirements
- Must be compliant (HITECH, HIPAA, et al):
  - The organization needs to be compliant with, at a minimum, HITECH and HIPAA. There are probably others that have not surfaced as of yet.
- Must be maintainable and maintained.
  - As requirements, processes and personnel change, the plan must be maintained.
- It must work.
  - You need to be able to, at any time, demonstrate the efficacy of the plan.
Compliance
Almost every IT compliance regime addresses the following issues:
- Availability
- Applications
- Reporting
- Disaster Recovery
- Business Continuity
- Access - as-needed basis only - should require signoff by appropriate department management
- Security:
  - User
    - Internal
    - External
    - Partners
    - Providers
    - Customers/Clients/Members
  - Network
    - Between Applications and Resources
    - Between Applications and Users
    - Between Departments
    - Between Internal users, external users and the public (Internet)
    - Between sites (WAN)
  - Application
    - Need to know
- Auditing:
  - Internal
  - Periodic
  - Legal Search
  - Organizational, Professional, Business, Government Audits
- Documentation:
  - Systems
  - Services
  - Procedures/Workflows
  - Remediation
  - Verification
  - Structure
  - Procedures
  - Functionality
- Required as part of BC Implementation:
  - Hot Site - IT and Office
In order to implement the plan, it will be necessary to set up a hot site capability.
Electronic Document Library
In order to ensure that all requisite documentation is available, it will be necessary to establish an electronic document library which has appropriate security and redundancy. A possible viable solution is already in place, but research needs to be done to ensure that appropriate access control and redundancy measures are in place to address BC/DR issues.
As a byproduct of establishing the document library, it might be appropriate to create a position for a dedicated librarian to manage metadata maintenance and assist with search and audit requirements.
Recovery Time Limit (to be determined)
Recommendations to Address Business Continuity Requirements
- Workflows
  - Workflows are already established for business processes.
  - A regular review of existing and new processes needs to be implemented.
- Provider contact info
  - All service and material providers will need to be notified in the event the primary location is unavailable for any length of time.
- Partner contact info
  - All partners will need to be notified in the event the primary location is unavailable for any length of time.
- Staff Redundancy
  - All departments should be staffed with trained personnel able to cover any short- or long-term loss of employees in all job functions that are critical or sensitive or require specific skills, including management.
- Full Systems and Process Documentation – maintainable
  - Complete, maintainable documentation of all systems, processes and procedures must be kept current, which will require a regular, periodic review.
  - For IT, it would be desirable if ITILv3 compliance were followed, as this would bring the organization into alignment with most major financial institutions and simplify any changeover in personnel.