S 6.14 Replacement procurement plan

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator; staff responsible for the individual IT applications

In the event of failure of individual parts of the IT system, in addition to repair, replacement is initially likely to be the most effective way of restoring availability. To speed up the replacement process, it is useful to draw up a replacement procurement plan. For each major IT component, this plan must provide information on:

• designation of the IT component (name, device number, date purchased)

• manufacturer

• supplier

• availability

• time required for re-installation.

If a given IT component can be obtained from several manufacturers or suppliers, they should be listed as alternatives. It may also be possible to include references to other products. In the replacement procurement process, such information is needed to keep costs down.

In addition to restoring the availability of the IT system, advances in information technology must also be taken account of in the context of replacement measures. If parts of the IT system in use are no longer technologically up-to-date, then replacement oriented exclusively at restoring the status ante quo is inappropriate. The replacement procurement plan must therefore be regularly revised (see also S 2.2 Resource management).

It should also be specified in a replacement procurement plan for which types of IT system it is critical to obtain replacements as soon as possible, which ones require replacing only in the medium term and which ones may not require replacement at all. An expensive new purchase is not necessary every time an IT system or IT component fails. If, for example, a PC in a LAN which contains the number of identical clients fails, it is usually possible in the short-term to resort to other, similar terminal devices. In the medium term, if necessary, any existing spare parts can be installed. On the other hand if a central router fails, a replacement must be obtained as quickly as possible as in this case the entire organisation will probably be affected.

There may be business processes which are regarded as so critical for the organisation that substitute systems are held on-site for all the IT systems employed. These should not be kept in the same part of the building, i.e. in the server room or computer centre, but at least in a different fire zone.

Additional controls:

• At what intervals is the replacement procurement plan reviewed?

• Is the replacement procurement plan reviewed following equipment changes?