Risico’s van een gevirtualiseerde IT-omgeving

More documents

Recommendations

Info

Risico’s van een gevirtualiseerde IT-omgeving Possen & Ulrich----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ProcessnumberPO09PO09PO09PO09ProcessAssess and manageIT risksAssess and manageIT risksAssess and manageIT risksAssess and manageIT risksControlobjectivenumberControl objectiveControl objective descriptionPO9.3 Event Identification Identify events (an important realistic threat that exploits a significantapplicable vulnerability) with a potential negative impact on the goals oroperations of the enterprise, including business, regulatory, legal, technology,trading partner, human resources and operational aspects. Determine thenature of the impact and maintain this information. Record and maintainrelevant risks in a risk registry.PO9.4 Risk Assessment Assess on a recurrent basis the likelihood and impact of all identified risks,using qualitative and quantitative methods. The likelihood and impactassociated with inherent and residual risk should be determined individually,by category and on a portfolio basis.PO9.5 Risk Response Develop and maintain a risk response process designed to ensure that costeffectivecontrols mitigate exposure to risks on a continuing basis. The riskresponse process should identify risk strategies such as avoidance, reduction,sharing or acceptance; determine associated responsibilities; and consider riskPO9.6Maintenance and Monitoringof a Risk Action PlanAI06 Manage changes AI6.1 Change Standards andProceduresAI06 Manage changes AI6.2 Impact Assessment,Prioritization andAuthorizationtolerance levels.Prioritise and plan the control activities at all levels to implement the riskresponses identified as necessary, including identification of costs, benefitsand responsibility for execution. Obtain approval for recommended actionsand acceptance of any residual risks, and ensure that committed actions areowned by the affected process owner(s). Monitor execution of the plans, andreport on any deviations to senior management.Set up formal change management procedures to handle in a standardisedmanner all requests (including maintenance and patches) for changes toapplications, procedures, processes, system and service parameters, and theunderlying platforms.Assess all requests for change in a structured way to determine the impact onthe operational system and its functionality. Ensure that changes arecategorised, prioritised and authorised.AI06 Manage changes AI6.3 Emergency Changes Establish a process for defining, raising, testing, documenting, assessing andauthorising emergency changes that do not follow the established changeprocess.----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Pagina 114
Risico’s van een gevirtualiseerde IT-omgeving Possen & Ulrich----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ProcessnumberProcessControlobjectivenumberControl objectiveAI06 Manage changes AI6.4 Change Status Tracking andReportingAI06 Manage changes AI6.5 Change Closure andDocumentationDS03DS03DS03DS03DS03Manage performanceand capacityManage performanceand capacityManage performanceand capacityManage performanceand capacityManage performanceand capacityDS3.1DS3.2DS3.3Performance and CapacityPlanningCurrent Performance andCapacityFuture Performance andCapacityControl objective descriptionEstablish a tracking and reporting system to document rejected changes,communicate the status of approved and in-process changes, and completechanges. Make certain that approved changes are implemented as planned.Whenever changes are implemented, update the associated system and userdocumentation and procedures accordingly.Establish a planning process for the review of performance and capacity of ITresources to ensure that cost-justifiable capacity and performance areavailable to process the agreed-upon workloads as determined by the SLAs.Capacity and performance plans should leverage appropriate modellingtechniques to produce a model of the current and forecasted performance,capacity and throughput of the IT resources.Assess current performance and capacity of IT resources to determine ifsufficient capacity and performance exist to deliver against agreed-uponservice levels.Conduct performance and capacity forecasting of IT resources at regularintervals to minimise the risk of service disruptions due to insufficientcapacity or performance degradation, and identify excess capacity forpossible redeployment. Identify workload trends and determine forecasts tobe input to performance and capacity plans.DS3.4 IT Resources Availability Provide the required capacity and performance, taking into account aspectssuch as normal workloads, contingencies, storage requirements and ITresource life cycles. Provisions such as prioritising tasks, fault-tolerancemechanisms and resource allocation practices should be made. Managementshould ensure that contingency plans properly address availability, capacityand performance of individual IT resources.DS3.5 Monitoring and Reporting Continuously monitor the performance and capacity of IT resources. Datagathered should serve two purposes:• To maintain and tune current performance within IT and address such issuesas resilience, contingency, current and projected workloads, storage plans,and resource acquisition• To report delivered service availability to the business, as required by the----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Pagina 115
Page 1:
Risico’s van een gevirtualiseerde
Page 4 and 5:
Possen & UlrichRisico’s van een g
Page 6 and 7:
Page 8 and 9:
Page 10 and 11:
Page 12 and 13:
Page 14 and 15:
Page 16 and 17:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67: Possen & UlrichRisico’s van een g
Page 84 and 85: Risico’s van een gevirtualiseerde
Page 128: Possen & UlrichRisico’s van een g
show all

Risico’s van een gevirtualiseerde IT-omgeving

Create successful ePaper yourself

Delete template?

Save as template?