
ITIL— Information Technology Infrastructure Library is a set of
best-practice standards for Information Technology (IT) service
management. The United Kingdom's Central Computer and
Telecommunications Agency (CCTA) created ITIL in response to
the growing dependence on Information Technology to meet
business needs and goals. ITIL provides businesses with a
customizable framework of best practices to achieve quality
service and overcome difficulties associated with the growth of IT
systems.

COBIT—Published by ITGI and positioned as a high-level
governance and control framework

ISO/IEC 17799: 2000—Published by the International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) and derived from the UK
government's BS 7799 to provide a standard framework for
information security management

FFIEC Business Continuity Planning Booklet - This Federal
Financial Institutions Examination Council (FFIEC) Business
Continuity Planning booklet provides guidance and examination
procedures to assist examiners in evaluating financial institution
and service provider risk management processes to ensure
the availability of critical financial services.

SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service
Organizations, is an internationally recognized auditing standard
developed by the American Institute of Certified Public
Accountants (AICPA). A SAS 70 audit or service auditor's
examination is widely recognized, because it represents that a
service organization has been through an in-depth audit of their
control activities, which generally include controls over
information technology and related processes. In today's global
economy, service organizations or service providers must
demonstrate that they have adequate controls and safeguards when
they host or process data belonging to their customers. In addition,
the requirements of Section 404 of the Sarbanes-Oxley Act of 2002
make SAS 70 audit reports even more important to the process of
reporting on effective internal controls at service organizations.

ITIL
The Service Management section of ITIL is made up of eleven different disciplines, split
into two sections, Service Support and Service Delivery:

Service Support

Configuration Management
Change Management
Release Management
Incident Management
Problem Management
Service Desk

Service Delivery

Service Level Management
Capacity Management
Financial Management for IT Services
Availability Management
IT Service Continuity Management

Service Level Management

The objective of SLM is to maintain and gradually improve business-aligned IT service quality,
through a constant cycle of agreeing, monitoring, reporting and reviewing IT service
achievements, and through instigating actions to eradicate unacceptable levels of service.

SLM is responsible for ensuring that the service targets are documented and agreed in SLAs, and it
monitors and reviews the actual service levels achieved against their SLA targets. SLM should
also try to proactively improve all service levels within the imposed cost constraints. SLM is
the process that manages and improves the agreed level of service between two parties, the provider
and the receiver of a service.

SLM is responsible for negotiating and agreeing service requirements and expected service
characteristics with the Customer, and for measuring and reporting the Service Levels actually being
achieved against target, the resources required and the cost of service provision. SLM is also responsible
for continuously improving service levels in line with business processes through a Service Improvement
Programme (SIP), co-ordinating other Service Management and support functions, including third-party
suppliers, reviewing SLAs to meet changed business needs or to resolve major service issues, and
producing, reviewing and maintaining the Service Catalogue.

IT Service Continuity Management

The object of IT Service Continuity Management is to support the overall Business Continuity
Management process by ensuring that the required IT technical and services facilities can be
recovered within required and agreed business time-scales.

IT Service Continuity Management is concerned with managing an organisation's ability to
continue to provide a pre-determined and agreed level of IT services to support the minimum
business requirements following an interruption to the business. This includes ensuring
business survival by reducing the impact of a disaster or major failure, reducing the vulnerability
and risk to the business through effective risk analysis and risk management, preventing the loss of
Customer and User confidence, and producing IT recovery plans that are integrated with and fully
support the organisation's overall Business Continuity plan.

IT Service Continuity Management is responsible for ensuring that the available IT Service Continuity
options are understood and the most appropriate solution is chosen in support of the business
requirements. It is also responsible for identifying roles and responsibilities and making sure
these are endorsed and communicated from a senior level to ensure respect and commitment for
the process. Finally, IT Service Continuity Management is responsible for ensuring that the IT recovery
plans and the Business Continuity Plans are aligned, and are regularly reviewed, revised and
tested.
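The two responsibilities described above, SLM measuring achieved service levels against SLA targets and ITSCM checking that recovery happens within the agreed time-scales, come down to a small piece of reporting logic once incident records exist. The following Python sketch is an added example for these notes, not material from ITIL itself or from the original page; the service names, availability targets, RTO values and incident records are all hypothetical and constructed here. It excludes agreed maintenance windows from downtime, clips incidents to the reporting period, and merges overlapping tickets so one outage logged twice is not counted twice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    service: str
    start: datetime
    restored: datetime      # when the agreed service level was restored
    planned: bool = False   # agreed maintenance window: excluded from downtime


# Hypothetical SLA targets for two made-up services (assumption, not from the page).
SLA_TARGETS = {
    "payments": {"availability_pct": 99.9, "rto": timedelta(hours=2)},
    "intranet": {"availability_pct": 99.0, "rto": timedelta(hours=8)},
}


def _merged_downtime(incidents, period_start, period_end):
    """Total unplanned downtime inside the period. Overlapping incidents are
    merged so two tickets for the same outage are not counted twice."""
    intervals = sorted(
        (max(i.start, period_start), min(i.restored, period_end))
        for i in incidents if not i.planned
    )
    total = timedelta(0)
    cur_start = cur_end = None
    for s, e in intervals:
        if e <= s:                       # lies entirely outside the period
            continue
        if cur_end is None or s > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = s, e
        else:                            # overlaps the current run: extend it
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def achieved_availability(incidents, service, period_start, period_end):
    """Availability actually achieved, in percent, for one service over the period."""
    period = period_end - period_start
    down = _merged_downtime([i for i in incidents if i.service == service],
                            period_start, period_end)
    return 100.0 * (period - down) / period


def rto_breaches(incidents, service):
    """Unplanned incidents whose time-to-restore exceeded the agreed RTO
    (the full incident duration counts, even if it straddles the period)."""
    rto = SLA_TARGETS[service]["rto"]
    return [i for i in incidents
            if i.service == service and not i.planned and i.restored - i.start > rto]


def sla_report(incidents, period_start, period_end):
    """Per-service achievement against SLA targets: the input to an SLM review."""
    report = {}
    for service, target in SLA_TARGETS.items():
        achieved = achieved_availability(incidents, service, period_start, period_end)
        report[service] = {
            "target_pct": target["availability_pct"],
            "achieved_pct": round(achieved, 3),
            "met": achieved >= target["availability_pct"],
            "rto_breaches": len(rto_breaches(incidents, service)),
        }
    return report


# Constructed incident records for January 2024 (sample data, not real outages).
D = datetime
INCIDENTS = [
    Incident("payments", D(2024, 1, 5, 10, 0), D(2024, 1, 5, 10, 30)),
    Incident("payments", D(2024, 1, 5, 10, 15), D(2024, 1, 5, 10, 45)),  # overlaps the previous ticket
    Incident("payments", D(2024, 1, 14, 0, 0), D(2024, 1, 14, 4, 0), planned=True),
    Incident("payments", D(2024, 1, 20, 2, 0), D(2024, 1, 20, 5, 0)),    # 3 h restore > 2 h RTO
    Incident("intranet", D(2023, 12, 31, 22, 0), D(2024, 1, 1, 1, 0)),   # straddles the period start
    Incident("intranet", D(2024, 1, 10, 9, 0), D(2024, 1, 10, 11, 0)),
]
PERIOD = (D(2024, 1, 1), D(2024, 2, 1))

if __name__ == "__main__":
    for service, row in sla_report(INCIDENTS, *PERIOD).items():
        print(service, row)
```

On this data the payments service misses its 99.9% target (45 minutes of merged downtime on 5 January plus 3 hours on 20 January, with the maintenance window excluded) and records one RTO breach, while the intranet service meets its target with only the in-period hour of the boundary-straddling incident counted.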

COBIT

Control Objectives for Information and related Technology (COBIT) is a framework for
IT governance and control created by ISACA, the Information Systems Audit and Control
Association, and the ITGI (IT Governance Institute). COBIT provides managers, auditors, and
IT users with a set of generally accepted information technology control objectives to assist them
in maximizing the benefits derived through the use of information technology and in developing
the appropriate IT governance and control in a company. In its 3rd edition, COBIT has 34 high-level
control objectives that cover 318 detailed control objectives, categorized in four domains:

Planning and Organization, Acquisition and Implementation, Delivery and Support, and
Monitoring.
HIGH LEVEL CONTROL OBJECTIVES
Planning and Organization
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
HIGH LEVEL CONTROL OBJECTIVES
Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations

ISO 17799

ISO/IEC 17799:2005 contains best practices of control objectives and controls in the
following areas of information security management:
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.

The business continuity management section is broken down into the sub-sections below. (The
11.1.x numbering follows the 2000 edition, in which business continuity management is section 11;
the 2005 edition moved the same material to section 14.)

THE PROCESS
Sub-section 11.1.1 focuses upon the management process for developing and maintaining
continuity.

IMPACT ANALYSIS
Sub-section 11.1.2 states the requirement for impact analysis and risk assessment.

PLANNING
Sub-section 11.1.3 covers the development and implementation of the plan itself.

FRAMEWORK
Sub-section 11.1.4 describes the framework in which the plans exist.

DRII Ten Professional Practice Areas

• Subject Area 1: Project Initiation and Management
• Subject Area 2: Risk Evaluation and Control
• Subject Area 3: Business Impact Analysis
• Subject Area 4: Developing Business Continuity Strategies
• Subject Area 5: Emergency Response and Operations
• Subject Area 6: Developing and Implementing Business Continuity Plans
• Subject Area 7: Awareness and Training Programs
• Subject Area 8: Exercising and Maintaining Business Continuity Plans
• Subject Area 9: Public Relations and Crisis Coordination
• Subject Area 10: Coordination With External Agencies
