Purpose:

Co-ordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

Objective:

Deliver IT operational service outcomes as planned.

Description:

<?>

Inputs:

  • Operation and use plan
  • OLAs
  • SLAs
  • Service definitions

Outputs:

  • Operational schedule
  • Backup log
  • Independent assurance plans
  • Asset monitoring rules and event conditions
  • Event logs
  • Incident tickets
  • Environmental policies
  • Insurance policy reports
  • Facilities assessment reports
  • Health and safety awareness

Controls:

<?>

Task Instructions:

Perform Operational Procedures

    1. Develop and maintain operational procedures and related activities to support all delivered services.

    2. Maintain a schedule of operational activities, perform the activities, and manage the performance and throughput of the scheduled activities.

    3. Verify that all data expected for processing are received and processed completely, accurately, and in a timely manner. Deliver output in accordance with enterprise requirements. Support restart and reprocessing needs. Ensure that users are receiving the right outputs in a secure and timely manner.

    4. Ensure that applicable security standards are met for the receipt, processing, storage, and output of data in a way that meets enterprise objectives, the enterprise’s security policy, and regulatory requirements.

    5. Schedule, take, and log backups in accordance with established policies and procedures.

Manage Outsourced IT Services

    1. Ensure that the enterprise’s requirements for the security of information processes are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.

    2. Ensure that the enterprise’s operational business and IT processing requirements and priorities for service delivery are adhered to in accordance with contracts and SLAs with third parties hosting or providing services.

    3. Integrate critical internal IT management processes with those of outsourced service providers, covering, e.g., performance and capacity planning, change management, configuration management, service request and incident management, problem management, security management, business continuity, and the monitoring of process performance and reporting.

    4. Plan for independent audit and assurance of the operational environments of outsourced providers to confirm that agreed-on requirements are being adequately addressed.

Monitor IT Infrastructure

    1. Log events, identifying the level of information to be recorded based on a consideration of risk and performance.

    2. Identify and maintain a list of infrastructure assets that need to be monitored based on service criticality and the relationship between configuration items and services that depend on them.

    3. Define and implement rules that identify and record threshold breaches and event conditions. Find a balance between generating spurious minor events and significant events, so event logs are not overloaded with unnecessary information.

    4. Produce event logs and retain them for an appropriate period to assist in future investigations.

    5. Establish procedures for monitoring event logs and conduct regular reviews.

    6. Ensure that incident tickets are created in a timely manner when monitoring identifies deviations from defined thresholds.

Manage the Environment

    1. Identify natural and man-made disasters that might occur in the area within which the IT facilities are located. Assess the potential effect on IT facilities.

    2. Identify how IT equipment, including mobile and off-site equipment, is protected against environmental threats. Ensure that the policy limits or excludes eating, drinking, and smoking in sensitive areas, and prohibits the storage of stationery and other supplies posing a fire hazard within computer rooms.

    3. Situate and construct IT facilities to minimize and mitigate susceptibility to environmental threats.

    4. Regularly monitor and maintain devices that proactively detect environmental threats (e.g., fire, water, smoke, humidity).

    5. Respond to environmental alarms and other notifications. Document and test procedures, which should include prioritization of alarms and contact with local emergency response authorities, and train personnel in these procedures.

    6. Compare measures and contingency plans against insurance policy requirements and report results. Address points of non-compliance in a timely manner.

    7. Ensure that IT sites are built and designed to minimize the impact of environmental risk (e.g., theft, air, fire, smoke, water, vibration, terror, vandalism, chemicals, explosives). Consider specific security zones and/or fireproof cells (e.g., locating production and development environments/servers away from each other).

    8. Keep the IT sites and server rooms clean and in a safe condition at all times (i.e., no mess, no paper or cardboard boxes, no filled dustbins, no flammable chemicals or materials).

Manage Facilities

    1. Examine the IT facilities’ requirement for protection against power fluctuations and outages, in conjunction with other business continuity planning requirements. Procure suitable uninterruptible supply equipment (e.g., batteries, generators) to support business continuity planning.

    2. Regularly test the uninterruptible power supply’s mechanisms, and ensure that power can be switched to the supply without any significant effect on business operations.

    3. Ensure that the facilities housing the IT systems have more than one source for dependent utilities (e.g., power, telecommunications, water, gas). Separate the physical entrance of each utility.

    4. Confirm that cabling external to the IT site is located underground or has suitable alternative protection. Determine that cabling within the IT site is contained within secured conduits, and wiring cabinets have access restricted to authorized personnel. Properly protect cabling against damage caused by fire, smoke, water, interception, and interference.

    5. Ensure that cabling and physical patching (data and phone) are structured and organized. Cabling and conduit structures should be documented (e.g., blueprint building plan and wiring diagrams).

    6. Analyze the facilities housing high-availability systems for redundancy and fail-over cabling requirements (external and internal).

    7. Ensure that IT sites and facilities are in ongoing compliance with relevant health and safety laws, regulations, guidelines, and vendor specifications.

    8. Educate personnel on a regular basis on health and safety laws, regulations, and relevant guidelines. Educate personnel on fire and rescue drills to ensure knowledge and actions taken in case of fire or similar incidents.

    9. Record, monitor, manage, and resolve facility incidents in line with the IT incident management process. Make available reports on facilities incidents where disclosure is required in terms of laws and regulations.

    10. Ensure that IT sites and equipment are maintained according to the supplier’s recommended service intervals and specifications. The maintenance must be carried out only by authorized personnel.

    11. Analyze physical alterations to IT sites or premises to reassess the environmental risk (e.g., fire or water damage). Report results of this analysis to business continuity and facilities management.