| Action Lists |
A specific IS Service Continuity Management term referring
to defined actions, allocated to recovery teams & individuals,
within a phase of a plan. These are supported by reference
data.
|
| Activation |
The implementation of business continuity procedures, activities
& plans in response to a Business Continuity Emergency,
Event, Incident and/or Crisis (E / I / C).
|
| Agreed Service Time |
The time during which a particular IS service is agreed
to be fully available, ideally as defined in the Service
Level Agreement. Different levels of service might
apply within the agreed service time, for instance the Service
Desk might not be available for all the hours that users
can access their services.
|
| Alert |
A formal notification that an E-I-C has occurred which
may develop into a Business Continuity Management or Crisis
Management invocation.
|
| Alert Phase |
The first phase of a Business Continuity Plan in which
the initial emergency procedures & damage assessments
are activated.
|
| Alternate Site |
A site held in readiness for use during a Business Continuity
E-I-C to maintain the business continuity of an organisation’s
Mission Critical Activities. The term applies equally to
office or technology requirements. Alternate sites may be
‘cold’, ‘warm’ or ‘hot’. This type of site is also known
as a Recovery Site.
|
| Alternative Routing |
The routing of information via an alternative cable routing
medium (i.e. using different networks should the normal
network be rendered unavailable).
|
| Assembly Area |
The designated area at which employees, visitors &
contractors assemble if evacuated from their building/site.
|
| Assurance |
The activity & method whereby an organisation can verify
& validate its BCM capability.
|
| Audit |
The method by which procedures and/or documentation are
measured against pre-agreed standards.
|
| Availability |
An umbrella term that includes reliability (including resilience),
maintainability, serviceability & security. A
common definition of availability is 'the ability of a component
or IS service (under combined aspects of its reliability,
maintainability & security) to perform its required
function at a stated instant or over a stated period of
time'. Service availability is sometimes expressed
as an availability percentage, i.e. the proportion of time
that the service is actually available for use by the customers
within the agreed service time.
|
| Backlog |
The effect on the business of a build-up of work that occurs
as the result of a system or method being unavailable for
an unacceptable period. A situation whereby a backlog of
work requires more time to action than is available through
normal working patterns. In extreme circumstances, the backlog
may become so marked that the backlog cannot be cleared.
|
| Back-out plan |
A plan that documents all actions to be taken to restore
the service if the associated Change or Release fails or
partially fails. Back-out plans may provide for a
full or partial reversal. In extreme circumstances
they may simply call for the IS Service Continuity Plan
to be invoked.
|
| Backup |
A method by which data, electronic or paper based, is copied
in some form so as to be available & used if the original
data from which it originated is lost, destroyed or corrupted.
|
| Benchmarking |
A form of comparison usually between the activities of
one organisation & those of one or more comparable external
organisations. Also used to describe a form of simulation
modelling where the entire operational environment is replicated
or simulated.
|
| Brainstorming |
A Problem Management technique used to quickly generate,
clarify & evaluate a sizeable list of ideas, Problems,
issues, themes, etc. by documenting 'what we know' as a
team, tapping the creative thinking of the team & getting
everyone involved. The technique is particularly useful
in identifying possible causes when constructing a Cause
/ Effect Diagram.
|
| BS 7799 |
A UK BSI Standard for information security management.
Section 9 deals with Business Continuity Management. The
corresponding international standard is known as ISO 17799.
|
| BS 7799-1:2000 |
The British Standards Institution 'Code of practice for
information security management'. Also referred to
as ISO/IEC 17799-2000
|
| BS15000 |
The British Standards Institution 'Specification for IS
service management'.
|
| Business Activity |
A group of activities/processes undertaken by an organisation
to produce a product and/or service and/or in pursuit of
a common goal.
|
| Business Activity Levels |
The predicted or historic levels of business method activity
that are to be or have been supported by the IS infrastructure.
Measured in business terms (e.g. number of account holders).
|
| Business Continuity Institute (BCI) |
The Institute of professional Business Continuity Managers.
Website www.thebci.org
|
| Business Continuity Management |
The complete set of activities & processes divided
into various stages that are necessary to manage business
continuity. Anticipating Incidents which may affect critical
business functions & processes & ensuring that the
organisation is capable of responding to such Incidents
in a planned & rehearsed manner.
|
| Business Continuity Management Activity |
An action or series of actions that form a part of a BCM
process.
|
| Business Continuity Management Policy |
A BCM policy sets out an organisation’s aims, principles
& approach to BCM, what & how it will be delivered,
key roles & responsibilities & how BCM will be governed
& reported upon.
|
| Business Continuity Management Process |
A set of activities/processes with defined outcomes, deliverables
& evaluation criteria that form a distinct part of the
BCM lifecycle.
|
| Business Continuity Management Programme |
An ongoing management & governance method supported
by senior management & resourced to ensure that the
necessary steps are taken to identify the impact of potential
losses, maintain viable recovery strategies & plans,
& ensure continuity of products/services through exercising,
rehearsal, testing, training, maintenance & assurance.
|
| Business Continuity Management Team |
A defined number of roles & responsibilities for implementing
the Business Continuity Management Plan.
|
| Business Continuity Objective |
The desired time within which business method should be
recovered, & the minimum staff, assets & services
required within this time.
|
| Business Continuity Plan |
Documents describing the roles, responsibilities &
actions necessary to resume business processes following
a disruption. The Business Continuity Plan will provide
a defining structure for & exert a major influence upon
the development of IS continuity plans. Its scope
both encompasses & exceeds IS Service Continuity Management
& is normally a business responsibility.
|
| Business Continuity Team |
One of a number of groups of people with defined, agreed
& documented roles within the business recovery process.
|
| Business Critical Functions |
Critical operational or support activities.
|
| Business Critical Point |
The latest moment at which the business can afford to be
without a Mission Critical Activity or dependency.
|
| Business Function |
A business unit within an organisation e.g. a department,
division, branch.
|
| Business Impact Analysis |
A formal analysis of the effect on the business if a specific
set of IS services are not available. It will also
identify the minimum set of services that an organisation
will require to continue operating.
|
| Business Impact Resource Recovery Analysis |
An assessment of the minimum level of resources e.g. personnel,
workstations, technology, telephony required, over time,
after a Business Continuity E-I-C to maintain the continuity
of the organisation’s Mission Critical Activities at a minimum
level of service / production. Generally considered to be
part of a BIA it is an integral part of any subsequent resource
Gap Analysis.
|
| Business Objectives |
The measurable targets designed to help an organisation
achieve its overall business strategy.
|
| Business Operations |
Activities & procedures carried out by the User community
in performing the business role of an organisation.
A Service Desk is concerned with supporting & dealing
with the comments & requests arising from those business
operations.
|
| Business Process |
A series of related business activities aimed at achieving
one or more business objectives in a measurable manner.
Typical business processes include receiving orders, marketing
services, selling products, delivering services, distributing
products, invoicing for services, accounting for money received.
A business process will usually depend upon several business
functions for support e.g. IT, personnel, accommodation.
A business process will rarely operate in isolation, i.e.
other business processes will depend on it & it will
depend on other processes. See also Process.
|
| Business Risk |
The risk that external factors, such as a fall in demand
for an organisation’s products or services, will result in
unexpected loss. Business risk, if managed well, can also
result in a competitive advantage being gained.
|
| Call Tree |
A structured cascade method (system) that enables a list
of persons, roles and/or organisations to be contacted as
a part of an information or plan invocation procedure.
|
| Call Tree Cascade Test |
A test designed to validate the currency of contact lists
& the processes by which they are maintained.
|
| CCTA Risk Analysis & Management Method |
CRAMM® is a tool for analysis & management of IS security
risks, suitable for use by the IS Service Continuity &
Availability Management processes. It provides an
insight into the risks to which an organisation is exposed
& its use is often considered an essential first step
towards attaining ISO 17799, the international standard
for information security management.
|
| Central Computer and Telecommunications Agency |
The CCTA was the UK Government Centre for Information Systems
responsible for producing & maintaining ITIL.
Now subsumed within the OGC.
|
| Certification |
The formal evaluation of an organisation's processes by
an independent & accredited body against a defined standard
& the issuing of a certificate indicating conformance.
|
| Change |
Any deliberate action that alters the form, fit or function
of CIs - typically, an addition, modification, movement
or deletion that impacts on the IS infrastructure.
|
| Change Control |
The procedures to ensure that all Changes are controlled,
including the submission, recording, analysis, decision
making, approval, implementation & post-implementation
review of the change.
|
| Clerical Backup |
In case of contingency, delivering some part of the required
services without the IS infrastructure. Nowadays,
as well as some manual processes, this is likely to be via
standalone PCs & commercial office systems software.
|
| Cold Stand-by/Start/Site (portable or fixed) |
An empty computer room, either in portable accommodation
or on a fixed site, with power, environmental control &
telecommunications, but no IS equipment or software for
use in an emergency. See also Gradual Recovery.
|
| Command Centre (CC) |
The facility used by a Crisis Management Team after the
first phase of a Business Continuity E-I-C. An organisation
must have a primary & secondary location for a command
centre in the event of one being unavailable. It may also
serve as a reporting point for deliveries, services, press
& all external contacts.
|
| Consequence |
The end result following a Business Continuity E-I-C that
can be defined as loss, injury, disadvantage or gain.
|
| Contingency Fund |
A budget for meeting & managing operating expense at
the time of a Business Continuity (E / I / C).
|
| Continuous Availability |
A characteristic of an IS service that masks from the users
the effects of losses of service, planned or unplanned.
See also Continuous Operation.
|
| Control |
Any action which reduces the probability of a risk occurring
or reduces its impact if it does occur.
|
| Control Culture |
Sets the tone for an organisation, influencing the control
consciousness of its people. Control culture factors include
the integrity, ethical values & competence of the entity’s
people; management’s philosophy & operating style; the
way management assigns authority & responsibility, &
organises & develops its people; & the attention
& direction provided by a Board.
|
| Control Environment |
The whole system of controls, financial & otherwise,
established by a Board & management in order to carry
on an organisation’s business in an effective & efficient
manner, in line with the organisation’s established objectives
& goals. Also there to ensure compliance with laws &
regulations, to safeguard an organisation’s assets &
to ensure the reliability of management & financial
information. Also referred to as Internal Control.
|
| Control Framework |
A model or recognised system of control categories that
covers all internal controls expected within an organisation.
|
| Control Review / Monitoring |
Involves selecting a control & establishing whether
it has been working effectively & as described &
expected during the period under review.
|
| Control Self Assessment (CSA) |
A class of techniques used in an audit or in place of an
audit to assess risk & control strength & weaknesses
against a control framework. The ‘self’ assessment refers
to the involvement of management & staff in the assessment
process, often facilitated by internal auditors. CSA techniques
can include workshop/seminars, focus groups, structured
interviews & survey questionnaires.
|
| Corporate Governance |
The system/process by which the directors & officers
of an organisation are required to carry out & discharge
their legal, moral & regulatory accountabilities &
responsibilities.
|
| Cost Benefit Analysis |
A method (after a BIA & risk assessment) that facilitates
the financial assessment of different strategic BCM options
& balances the cost of each option against the perceived
savings.
|
| Countermeasure |
An action taken to reduce risk. It may reduce the
'value' of the asset, the threats facing the asset or the
vulnerability of that asset to those threats.
|
| Crisis |
An occurrence and/or perception that threatens the operations,
staff, shareholder value, stakeholders, brand, reputation,
trust and/or strategic/business goals of an organisation.
|
| Crisis Management |
The method concerned with managing the whole range of impacts
following a disaster, including elements such as adverse
media coverage & loss of customer confidence.
|
| Crisis Management Plan |
A clearly defined & documented plan of action for use
at the time of a crisis. Typically a plan will cover all
the key personnel, resources, services & actions required
to implement & manage the Crisis Management process.
|
| Crisis Management Team(s) (CMT) |
A defined number of roles & responsibilities for implementing
the organisation’s Crisis Management Plan.
|
| Critical Success Factors |
The certain factors that will be critical to the success
of the organisation, in the sense that if the objectives
associated with those factors are not achieved, the organisation
will fail - perhaps catastrophically so. Identification
of CSFs should help determine the strategic objectives of
the organisation.
|
| Customer Relationship Management |
All of the activities necessary to ensure that IS Service
Managers have a true understanding of their customers' needs
& that the customers also understand their responsibilities.
Use of the term in an IS Service Management sense should
not be confused with the specific CRM term which is generally
focused on helping a business 'sell' more to its customers
rather than deliver better services.
|
| Damage Assessment |
The method of assessing the financial/non-financial damage
following a Business Continuity E-I-C. It usually refers
to the assessment of damage to physical assets e.g. vital
records, buildings, sites, technology to determine what
can be salvaged or restored & what must be replaced.
|
| Data Mirroring |
A method whereby critical data is copied instantaneously
to another location so that it is not lost in the event
of a Business Continuity E-I-C.
|
| Data Protection |
Statutory requirements to manage personal data in a manner
that does not threaten or disadvantage the person to whom
it refers.
|
| Denial of Access |
The inability of an organisation to access and/or occupy
its normal working environment. Usually imposed & controlled
by the Emergency and/or Statutory Services.
|
| Dependency |
The reliance, directly or indirectly, of one activity or
method upon another.
|
| Disaster Recovery Planning |
The processes within Business Continuity Management that
focus upon recovery from, principally, physical disasters.
|
| Downtime |
The total period that a service or component is not operational
within an agreed service time. Measured from when
a service or component fails to when normal operations recommence.
|
| Emergency |
An actual or impending situation that may cause injury,
loss of life, destruction of property or cause the interference,
loss or disruption of an organisation’s normal business
operations to such an extent that it poses a threat.
|
| Emergency Co-ordinator |
The person assigned the role of co-ordinating the activities
of the evacuation of a site and/or building with the statutory
and/or emergency services.
|
| Emergency Change |
A Change planned, scheduled & implemented at very short
notice in order to protect a service from an unacceptable
risk of failure or degradation, lack or loss of functionality.
|
| Emergency Services |
Usually refers to the civil services of Police, Fire &
Ambulance.
|
| Escalation |
Passing information and/or requesting action on an Incident,
Problem or Change to more senior staff (hierarchical escalation)
or other specialists (functional escalation). The
circumstances in which either vertical escalation for information/authority
to apply further resources or horizontal escalation for
greater functional involvement need to be precisely described,
so that the purpose of the escalation & the nature of
the required response is absolutely clear to all parties
as the escalation occurs. Escalation rules will be
geared to priority targets. Functional Escalation
is sometimes called Referral.
|
| Essential Service |
A service without which a building would be ‘disabled’.
Often applied to the utilities (water, gas, electricity,
etc.) it may also include standby power systems, environmental
control systems or communication networks.
|
| Event |
Any occurrence that may lead to a business continuity incident.
|
| Exception Reporting |
Reducing the Management Information produced to that which
most demands or deserves attention. The 'Top Ten'
style of list is an example.
|
| Exercise |
An announced or unannounced execution of business continuity
plans intended to implement existing plans and/or highlight
the need for additional plan development. A way of testing
part of a Business Continuity Plan. An exercise may involve
invoking Business Continuity procedures but is more likely
to involve the simulation of a Business Continuity E-I-C
in which participants role-play in order to assess what
issues may arise, prior to a real invocation.
|
| Extreme or Catastrophic Emergency, Event, Incident and/or Crisis |
A Business Continuity E-I-C of immense proportions that
has severe consequences, often damaging a large proportion
of the organisation’s assets that results in a loss greater
than an expected loss.
|
| Facilities Management (FM) |
The function that manages all aspects of an organisation’s
real estate assets & infrastructure.
|
| Failure |
A failure occurs when a functional unit is no longer fit
for purpose.
|
| Fallback |
Another term for alternative e.g. a fallback facility is
another site/building that can be used when the original
site/building is unusable or unavailable.
|
| Fault |
A condition that causes a functional unit to fail to perform
the required function.
|
| Fault Tolerance |
The ability of a service to continue when a failure occurs.
See also Resilience.
|
| First Level Support |
The technical & managerial resources within the Service
Desk available at the initial point of contact with the
Customer/User.
|
| Fortress Approach |
An approach to IS Service Continuity where the entire site
is made as disaster-proof as possible.
|
| Full Rehearsal |
A simulation exercise involving a Business Continuity E-I-C
where the organisation or some of its component parts are
suspended until the exercise is completed.
|
| Full Release |
A release that tests, distributes & implements all
components of a release unit, regardless of whether or not
they have changed since the last release of the software.
|
| Function |
The actions or intended purpose of a person, team or thing
in a specific role. Service Management functions may
be considered as high-level business activities, often with
a broad scope & associated with a particular job, consisting
of a collection of lower level activities. The characteristics
of a function are that it is continuous & represents
a defining aspect of the business enterprise. It is
usually associated with more than one method & contributes
to the execution of those processes. Rarely do (or
should) functions mirror the organisational structure.
|
| Gap Analysis |
A survey whose aim is to identify the differences between
BCM/Crisis Management requirements (what the business says
it needs at time of an (E / I / C)) & what is in place
and/or available.
|
| Hazard |
A source of potential harm or a situation with a potential
to cause loss.
|
| Hot Site |
A site (data centre, work area) that provides a BCM facility
with the relevant work area recovery, telecommunications
& IS interfaces & environmentally controlled space
capable of providing relatively immediate backup data processing
support to maintain the organisation’s Mission Critical
Activities.
|
| Hot Standby |
A term that is normally reserved for Technology Recovery.
An alternate means of processing that minimises downtime
so that no loss of processing occurs. Usually involves the
use of a standby system or site that is permanently connected
to business users & is often used to record transactions
in tandem with the primary system.
|
| Hot Stand-by / Start / Site (internal, external or mobile) |
An IT Service Continuity option - either provided from
within the organisation or by a 3rd party, possibly in a
fixed place or mobile, consisting of a computer room with
full environmental & telecommunications facilities plus
the necessary hardware & software to enable the site
to take over processing from the normal infrastructure with
minimal disruption to services. See also Immediate
Recovery, Intermediate Recovery.
|
| Housekeeping |
The method of maintaining procedures, systems, people &
plans in a state of readiness.
|
| Immediate Recovery |
In liberal terms, this IS Service Continuity option provides
for the immediate recovery of services in a contingency
situation. The instant availability of services distinguishes
this option from what may be referred to as 'Hot Stand-by/Start',
which typically will permit services to be recovered within
2 to 24 hours depending on the criticality of the business
method they support. Depending on that business criticality,
'immediate' recovery may then vary from zero to 24 hours.
See also Gradual Recovery, Intermediate Recovery.
|
| Impact |
A measure of the effect that an Incident, Problem or Change
is having or might have on the business being provided with
IS services. Often equal to the extent to which agreed
or expected levels of service may be distorted. Together
with urgency, & perhaps technical security, it is the
major means of assigning priority for dealing with Incidents,
Problems or Changes.
|
| Impact Analysis |
The identification of critical business processes &
the potential damage or loss that may be caused to the organisation
resulting from a disruption to those processes, or perhaps
from a proposed change. Business impact analysis identifies
the form the loss or damage will take; how that degree of
damage or loss is likely to escalate with time following
an Incident; the minimum staffing, facilities & services
needed to enable business processes to continue to operate
at a minimum acceptable level; & the time within which
they should be recovered. The time within which full
recovery of the business processes is to be achieved is
also identified.
|
| Incident |
An event which is not part of the standard operation of
a service & which causes or may cause disruption to,
or a reduction in, the quality of services & Customer
productivity.
|
| Incident Categorisation |
A sub-division of Classification, which provides a means
of identifying, using a series of structured codes, firstly,
what appears to have gone wrong with the IS Service (the
symptoms), secondly why (the cause of that failure) &
thirdly identification of the component likely to be at
fault. The category codes are elements within the
classification data string & are essential for fault
analysis purposes.
|
| Infrastructure |
A building & all of its supporting services. Infrastructure
is usually divided into technology infrastructure (e.g.
computers, cabling, telephony, etc.) & real estate infrastructure
(e.g. buildings, utility supplies, air-conditioning, etc.).
|
| Inherent Risk |
The possibility that some human activity or natural event
will have an adverse effect on the asset(s) of an organisation
& which cannot be managed or transferred away.
|
| Interface |
Physical or functional interaction at the boundary between
CIs.
|
| Internal Audit |
An organisation’s own in-house team of auditors. Responsible
primarily for evaluating the effectiveness of internal control
systems & contributing to their ongoing effectiveness
by providing advice & support to management.
|
| Invocation |
The act by which a Business Continuity Management or Crisis
Management method is formally started. The term is often
used to refer to the act of using a service such as work
area recovery as offered by a commercial or third party
provider.
|
| ISO 9000 |
Guidelines & assurances of method & procedure standards
for quality assurance systems. The current version
of ISO 9000 is ISO 9000:2000
|
| Key Performance Indicator |
A measure (quantitative or qualitative) that enables the
overall delivery of a service to be assessed by both business
& IS representatives. KPIs should be few in number
& focus on the service's potential contribution to business
success. To be effective in improving business performance,
they must be linked to a strategic plan which details how
the business intends to accomplish its vision & mission.
The metrics selected must address all aspects of performance
results, describe the targeted performance in measurable
terms & be deployed to the organisational level that
has the authority, resources & knowledge to take the
necessary action.
|
| Key Task(s) |
Tasks identified within a Business Continuity Plan as a
priority action typically to be carried out within the first
few minutes/hours of the plan invocation.
|
| Knowledge Base |
Data repository holding information on Incidents, Problems
& Known Errors, enabling an organisation to match new
Incidents against previous ones & thus to reuse established
solutions & approaches.
|
| Lead Time |
The time it takes for a supplier – either equipment or
a service – to make that equipment or service available.
Business continuity plans should try to minimise this by
agreeing Service Levels (Service Level Agreement) with the
supplier in advance of a Business Continuity E-I-C rather
than relying on the supplier’s best efforts.
|
| Major Incident |
An Emergency Services definition. Any emergency that requires
the implementation of special arrangements by one or more
of the Emergency Services, National Health Service or a
Local Authority.
|
| Major Incident |
An Incident where the impact on the business is extreme.
|
| Management System |
The framework of processes & procedures used to ensure
that the organisation can fulfil all tasks required to achieve
its objectives.
|
| Manual Procedures |
An alternative process of working following a loss of IS
systems. As working practices rely more & more on computerised
activities, the ability of an organisation to fallback to
manual alternatives lessens. However, temporary measures
& methods of working can help mitigate the impact of
a Business Continuity E / I / C & give staff a
feeling of doing something.
|
| Maximum Acceptable Outage (MAO) |
This is the timeframe during which a recovery must become
effective before an outage compromises the ability of an
organisation to achieve its business objectives and/or
survival.
|
| Metric |
Measurable element of a service, method or function.
The real value of metrics is seen in their change over time.
Reliance on a single metric is not advised, especially if
it has the potential to affect User behaviour in an undesirable
way.
|
| Offsite Location |
A site at a safe distance from the primary site where critical
data (computerised or paper) and/ or equipment is stored
from where it can be recovered & used at the time of
a Business Continuity E-I-C if original data, material or
equipment is lost or unavailable.
|
| Operational Risk |
The risk that deficiencies in information systems or internal
controls will result in unexpected loss. The risk is associated
with human error, system failures & inadequate procedures
& controls.
|
| Organisation |
An enterprise, a corporate entity; a firm, an establishment,
a public or government body, department or agency; a business
or a charity.
|
| Outage |
Period of time that a service, system, method or business
function is expected to be unusable or inaccessible which
has a high impact on the organisation, compromising the
achievement of the organisation’s business objectives. An
outage is different to ‘downtime’ where method or system
failures happen as a part of normal operations, & where
the impact merely reduces the short-term effectiveness of
processes.
|
| Period of Tolerance |
The period of time in which a Business Continuity E-I-C
can escalate to a potential disaster without undue impact
to the organisation.
|
| Plan Currency |
Business Continuity Plans must be maintained (housekeeping)
to an adequate state. The measure of how up-to-date BC &
CMT plans are kept. A good (recent) plan currency is vital
if plans are to be reliable.
|
| Plan Maintenance |
The management method of keeping an organisation’s BCM
competence & capability up-to-date, fit-for-purpose
& effective.
|
| Post Implementation Review |
One or more reviews held after the implementation of a
Change to determine initially, if the Change has been implemented
successfully & subsequently, if the expected benefits
have been obtained.
|
| Preventative |
Measures put in place to lessen the likelihood of a Business
Continuity E / I / C.
|
| Prioritisation |
The order in which Mission Critical Activities & their
dependencies are addressed following invocation of the BCM
process.
|
| Program |
An organised list of instructions that, when executed,
causes a computer to behave in a predetermined manner.
Programs contain variables representing numeric data, text
or graphical images & statements that instruct the computer
what to do with variables.
|
| Programme |
A portfolio of projects & other activities that are
planned, initiated & managed in a co-ordinated way in
order to achieve a set of defined business objectives.
|
| Project |
A temporary organisation created for the purpose of delivering
one or more business products according to a specified business
case.
|
| Project Management |
The techniques & tools used to describe, control &
deliver a series of activities with given deliverables,
timeframes & budgets.
|
| Qualitative Assessment |
A form of assessment that analyses the general structures
& systems currently in place. A descriptive methodology,
which typically involves risk mapping & risk matrices.
These assessments do not involve detailed measurements.
|
| Quality |
The totality of features & characteristics of a product
or service which bear on its ability to satisfy stated &
implied needs.
|
| Quality Assurance |
Confirming the degree of excellence of a product or service,
measured against its defined purpose. This might involve
a number of techniques. For documentation it might
involve inviting informed comment; for software, a method
of formal testing, trialling or inviting public feedback
on a beta version; for hardware, performance against specified
test; for management process, comparison with a standard
such as BSI5000. |
| Quantification |
The objective measure of the seriousness of risk or impact,
often measured in financial or regulatory terms.
|
| Quantitative Assessment |
A form of assessment that analyses the actual numbers &
values involved. This type of methodology typically applies
mathematical & statistical techniques & modelling.
|
| Reciprocal Agreement |
An IS Service Continuity Planning option that depends on
two organisations being willing & able to share their
resources, prior to, or in the event of, an emergency.
Capacity & technical compatibility are particular issues.
|
| Recovery |
Following failure & repair, the failed CIs are recovered
into the live infrastructure. This may include recovering
data to the last known recoverable state. There may
remain further steps before the service is restored to the
Users, e.g. testing, transaction re-runs & notifying
Users. Recovery is the penultimate stage of the Incident
life-cycle.
|
| Recovery Centre |
Where an IS unit analyses its full expenditure & investments
so that they may be recovered from Customers, usually by
formal charging but without profit.
|
| Recovery Plan |
See: BCM Plan.
|
| Redundancy |
Where a system has been designed to eliminate single points
of failure, redundant CIs are those which can fail without
affecting the delivery of service. However, generally,
once a CI has failed, the inherent redundancy will be gone
& repair/replacement is required before further failures
which would affect the service.
|
| Residual Risk |
The level of uncontrolled risk remaining after all cost-effective
actions have been taken to lessen the impact & probability
of a specific risk or group of risks, subject to the organisation’s
risk appetite.
|
| Resilience |
The ability of an organisation, staff, system, network,
activity or method to absorb the impact of a business interruption,
disruption and/or loss & continue to provide a minimum
acceptable level of service.
|
| Resolution |
An action that will resolve an Incident, i.e. allow the
users to carry out their business functions. This
may be a temporary work-around or the permanent repair or
replacement of a faulty CI.
|
| Restoration of Service |
The service is said to be restored when the users are able
to process new work, i.e. the system & available data
have been recovered, appropriate tests performed, users informed,
& any lost work repeated. Restoration, following
Recovery, is the final stage of the Incident life-cycle.
|
| Resumption |
The implementation of steps to enable the recovery &
continuity of an organisation’s Mission Critical Activities
and/or their dependencies immediately following a Business
Continuity E / I / C.
|
| Risk |
A measure of the exposure to which an organisation may
be subject. This is a combination of the likelihood
of a business disruption occurring & the possible loss
that may result from such business disruption.
|
| Risk Analysis |
The systematic method of identifying the nature & causes
of risks to which an organisation could be exposed &
assessing the likely impact & probability of those risks
occurring.
|
| Risk Assessment |
The overall method of risk identification, analysis &
evaluation.
|
| Risk Avoidance |
An informed decision not to become involved in a risk situation.
|
| Risk Based Auditing |
Audits that focus on risk & risk management as the
audit objective. |
| Risk Control |
That part of risk management which involves the implementation
of policies, standards, procedures & physical changes
to eliminate or minimise adverse risks.
|
| Risk Management |
The culture, processes & structures that are put in
place to effectively manage potential opportunities &
adverse effects. As it is not possible or desirable to eliminate
all risk, the objective is to implement cost effective processes
that reduce risks to an acceptable level, reject unacceptable
risks & treat risk by financial interventions i.e. transfer
other risks through insurance or other means, or by organisational
intervention i.e. BCM.
|
| Risk Reduction Measure |
Measure taken to reduce the likelihood or consequences
of a business disruption occurring (as opposed to planning
to recover after a disruption).
|
| Scope |
Generally, the extent to which a method or procedure applies.
The scope of Configuration Management may not, for example,
extend to Customer information (other than on an 'as informed'
basis) & the scope of a Change Management procedure
may not apply to 'Urgent Changes'. Also a key concept
in outsourcing, defining which activities are covered by
the base contract & which are separately chargeable.
|
| Second Level / Line Support |
Technical resources (sometimes based within the Service
Desk) called upon by Incident & Problem Management to
assist in the resolution of an Incident, restoration of
service, the identification of a Problem or Known Error,
the provision of a work-around or the generation of a Change.
|
| Service |
An integrated composite that consists of a number of components,
such as management process, hardware, software, facilities
& people, that provides a capability to satisfy a stated
management need or objective.
|
| Service Level Agreement |
A formal negotiated document that defines (or attempts
to define) in quantitative (and perhaps qualitative) terms
the service being offered to a Customer. Confusion
must be avoided over whether the quantitative definitions
constitute thresholds for an acceptable service, targets
to which the supplier should aspire or expectations that
the supplier would strive to exceed. Any metrics included
in a SLA should be capable of being measured on a regular
basis & the SLA should record by whom. Typically
it will cover: service hours, service availability, Customer
support levels, throughputs & responsiveness, restrictions,
functionality & the service levels to be provided in
a contingency. It may also include information on
security, charges & terminology.
|
| Service Manager |
A senior manager, normally reporting to the IS director,
who has overall responsibility for ensuring services are
delivered in accordance with agreed business requirements.
The Service Manager is also responsible for negotiating
requirements with senior business representatives.
The Service Manager is responsible for the Service Management
Team & is usually a member of the high level CAB.
The Service Manager should have a major say in the allocation
of resources between services.
|
| Single Point of Failure (SPOF) |
The only (single) source of a service, activity and/or
method i.e. there is no alternative, whose failure would
lead to the total failure of a Mission Critical Activity
and/or dependency. |
| Stakeholders |
All those who have an interest in an organisation, its
activities & its achievements. These may include
Customers, partners, employees, shareholders, owners, government
& regulations.
|
| Statutory Services |
Those services whose responsibilities are laid down by
law e.g. Fire & Rescue Service, Coast Guard Service.
|
| Task |
Generically, an activity or set of activities that might
be defined as part of a process. When used within
a phrase such as 'Standard Operational Task' it defines
a well documented, controlled, proceduralised, & usually
low risk, activity. The procedure controlling the
manner in which the task is carried out would be subject
to formal Change Control.
|
| Terms of Reference |
A document that usually describes the purpose & scope
of an activity or requirement.
|
| Unexpected Loss |
The worst case financial loss or impact that a business
could incur due to a particular loss E / I / C or
risk. The unexpected loss is calculated as the expected
loss plus the potential adverse volatility in this value.
It can be thought of as the worst financial loss that could
occur in a year over the next 20 years.
|
| Uninterrupted Power Supply (UPS) |
Equipment (usually a bank of batteries) that offers short-term
protection against power surges & outages. Note that
UPS usually only allows enough time for vital systems to
be correctly powered down.
|
| Virus |
An unauthorised program that inserts itself into a computer
system & then propagates itself to other computers via
networks or disks. When activated, it interferes with the
operation of the computer systems.
|
| Warm Site |
A site (data centre/ work area) which is partially equipped
with hardware, communications interfaces, electricity &
environmental conditioning capable of providing backup operating
support.
|
| Work-around |
A process of avoiding an Incident or Problem, either by
employing a temporary fix or technique that means a Customer
is not reliant on a CI that is known to cause failure.
|