SIP Study Group - CISA Domain 4: Mastering Information Systems Operations and Business Resilience - 18th June 2025

Meeting summary for SIP Study Group - 18th June 2025

Quick recap

The meeting covered essential IT management topics including asset management, automation, and system interfaces, with emphasis on maintaining accurate inventories and protecting sensitive information during data transfers. The discussion then focused on incident management, problem resolution, and change control processes, highlighting the importance of proper approval procedures and documentation. The session concluded with detailed coverage of business continuity and disaster recovery planning, including backup strategies and the importance of testing recovery plans through various exercises.

Summary

IT Asset Management Best Practices

Winton emphasizes the importance of IT asset management, comparing it to car insurance, where knowing the details of the insured asset is essential. He highlights the challenges of maintaining an accurate inventory, especially in remote settings or when joining an established organization. Winton warns about the risks of shadow IT and unpatched software, stressing the need to balance patch management with operational continuity. He concludes by reminding participants that asset management should include both tangible hardware and intangible software components, because any asset left out of the inventory leads to an underestimated threat surface.

Job Scheduling and Automation Best Practices

Winton discusses job scheduling and automation, highlighting the importance of reducing human error through tools like cron, Jenkins, and Azure Automation. He emphasizes the need for auditors to check job logs, confirm that errors are detected and handled rather than silently ignored, and review the access permissions of the accounts that automated processes run under. Winton also touches on system interfaces, mentioning APIs and EDI, and stresses the importance of encryption to protect sensitive information during data transfer between systems. He concludes by noting the potential risks associated with these technologies, including data corruption and insecure APIs.
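The auditor's checks on scheduled automation (who the job runs as, whether errors are discarded, whether each run leaves a log trail, and how often jobs actually fail) can be scripted against a crontab snapshot and a job log. The block below is an added illustration written for this summary, not code from the study group; the crontab entries, the job log lines and the heuristics are constructed assumptions about what a reviewer would look for.

```python
"""Audit a crontab snapshot and its job log the way an IS auditor would
review scheduled automation: the account each job runs as, whether
errors are silently discarded, whether runs are logged, and the failure
rate per job.

Added illustration for this summary, not code from the study group.
The crontab lines, log lines and review heuristics are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: /etc/crontab-style entries (a user field is present).
CRONTAB = """\
# m h dom mon dow user  command
0 2 * * * root   /opt/backup/nightly.sh >> /var/log/jobs/nightly.log 2>&1
*/5 * * * * svc_etl  /opt/etl/load.py > /dev/null 2>&1
30 6 * * 1 root   /tmp/cleanup.sh
0 * * * * svc_api /opt/api/rotate_keys.sh >> /var/log/jobs/rotate.log 2>&1
"""

# Constructed sample: one line per job run, written by a scheduler wrapper.
JOB_LOG = """\
2025-06-17T02:00:01Z job=/opt/backup/nightly.sh status=0
2025-06-17T02:05:00Z job=/opt/etl/load.py status=1
2025-06-17T02:10:00Z job=/opt/etl/load.py status=1
2025-06-17T02:15:00Z job=/opt/etl/load.py status=0
2025-06-17T06:30:00Z job=/tmp/cleanup.sh status=0
2025-06-17T07:00:00Z job=/opt/api/rotate_keys.sh status=0
2025-06-18T02:00:01Z job=/opt/backup/nightly.sh status=0
"""

# Five schedule fields, the user field, then the rest of the line as the command.
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
LOG_RE = re.compile(r"job=(\S+)\s+status=(\d+)")


def parse_crontab(text):
    """Return [(user, command)] for every non-comment crontab entry."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m or not m.group(7).strip():
            continue
        jobs.append((m.group(6), m.group(7).strip()))
    return jobs


def audit_crontab(text):
    """Map script path -> list of control weaknesses found for that job.
    The heuristics are the author's assumptions, not an audit standard."""
    findings = defaultdict(list)
    for user, command in parse_crontab(text):
        script = command.split()[0]
        if user == "root":
            findings[script].append("runs as root: confirm least privilege")
        if re.search(r"2>\s*/dev/null|>\s*/dev/null\s+2>&1", command):
            findings[script].append("stderr discarded: failures are invisible")
        if not re.search(r">>?\s*/var/log/", command):
            findings[script].append("no log destination: no audit trail")
        if script.startswith("/tmp/"):
            findings[script].append("script in world-writable /tmp: tamperable")
    return dict(findings)


def failure_rates(log_text):
    """Map job path -> (runs, failed_runs) from the job log."""
    runs = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        job, status = m.group(1), int(m.group(2))
        runs[job][0] += 1
        if status != 0:
            runs[job][1] += 1
    return {job: tuple(counts) for job, counts in runs.items()}


if __name__ == "__main__":
    for job, issues in audit_crontab(CRONTAB).items():
        print(job, "->", "; ".join(issues))
    for job, (n, failed) in failure_rates(JOB_LOG).items():
        print(f"{job}: {failed}/{n} runs failed")
```

On the constructed input the ETL job is the one to chase: it fails two runs out of three while sending its output to /dev/null, so nobody would see the failures, and the /tmp cleanup script runs as root from a directory any local user can write to.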

Partner Security and Incident Management

Winton discusses partner-to-partner interfacing and the importance of problem and incident management. He emphasizes the need for due diligence when multiple external partners interact, highlighting the potential for exposing confidential data and creating vulnerabilities at each interface. Winton recommends using SOC 2 reports as independent evidence of a partner's security controls. He then explains the incident management process, stressing the importance of detecting, logging, resolving, and learning from incidents to improve future responses and organizational resilience.

IT Service Management Best Practices

Winton discusses the importance of Mean Time to Repair (MTTR) as a key metric in IT service management, emphasizing that a lower MTTR is better. He explains that Service Level Agreements (SLAs) play a crucial role in defining acceptable response and resolution times for incidents. Winton then moves on to change management, highlighting the risks of unauthorized changes and the need for a proper approval process, including emergency change procedures. He stresses the importance of having logs for auditing purposes and a rollback plan for deployments. Finally, Winton briefly touches on business resilience, emphasizing the need for contingency plans in case of system failures.
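MTTR and SLA compliance are both derived from the timestamps in the incident records, so an auditor can recompute them rather than take the reported figures on trust. The block below is an added illustration written for this summary, not code from the study group; the incident records and the per-priority SLA table are constructed sample data, not any real contract.

```python
"""Recompute Mean Time to Repair (MTTR) from incident records and check
each incident's response and resolution times against the SLA for its
priority.

Added illustration for this summary, not code from the study group. The
SLA table and incident records are constructed sample data.
"""
from datetime import datetime, timedelta
from statistics import mean

# Constructed SLA table: priority -> (max time to respond, max time to resolve).
SLA = {
    "P1": (timedelta(minutes=15), timedelta(hours=4)),
    "P2": (timedelta(hours=1), timedelta(hours=24)),
    "P3": (timedelta(hours=8), timedelta(days=5)),
}

# Constructed incident records: (id, priority, detected, responded, resolved).
INCIDENTS = [
    ("INC-1001", "P1", "2025-06-10T08:00", "2025-06-10T08:10", "2025-06-10T11:30"),
    ("INC-1002", "P1", "2025-06-11T14:00", "2025-06-11T14:40", "2025-06-11T20:15"),
    ("INC-1003", "P2", "2025-06-12T09:00", "2025-06-12T09:30", "2025-06-12T18:00"),
    ("INC-1004", "P3", "2025-06-13T10:00", "2025-06-13T12:00", "2025-06-20T10:00"),
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def mttr(incidents, priority=None):
    """Mean of (resolved - detected) in hours, optionally for one priority."""
    durations = [
        (_t(resolved) - _t(detected)).total_seconds() / 3600
        for _, pri, detected, _, resolved in incidents
        if priority is None or pri == priority
    ]
    return mean(durations) if durations else 0.0


def sla_breaches(incidents, sla=SLA):
    """Return {incident_id: [missed targets]} for incidents outside their SLA."""
    breaches = {}
    for inc_id, pri, detected, responded, resolved in incidents:
        max_response, max_resolution = sla[pri]
        missed = []
        if _t(responded) - _t(detected) > max_response:
            missed.append("response")
        if _t(resolved) - _t(detected) > max_resolution:
            missed.append("resolution")
        if missed:
            breaches[inc_id] = missed
    return breaches


if __name__ == "__main__":
    print(f"MTTR (all): {mttr(INCIDENTS):.2f} h")
    for pri in SLA:
        print(f"MTTR ({pri}): {mttr(INCIDENTS, pri):.2f} h")
    for inc_id, missed in sla_breaches(INCIDENTS).items():
        print(inc_id, "breached:", ", ".join(missed))
```

Note that the overall MTTR is dominated by the single week-long P3 incident, which is why MTTR is more useful per priority than as one blended number, and why the SLA check looks at each incident rather than the average.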

Business Continuity Planning Fundamentals

Winton discusses key concepts in business continuity and disaster recovery planning, including Recovery Time Objective (RTO) and Recovery Point Objective (RPO). He emphasizes the importance of conducting a Business Impact Analysis to identify critical systems and set appropriate RTOs and RPOs. Winton also explains different backup strategies, including full, incremental, and differential backups, and recommends following the 3-2-1 rule for data backup to ensure data availability and survival in case of emergencies.

Disaster Recovery Planning and Testing

Winton emphasizes the importance of having a disaster recovery plan and testing it thoroughly. He stresses the need for rehearsals, tabletop exercises, and walkthroughs to identify gaps and ensure everyone knows their roles. Winton also highlights the significance of communication plans, alternate sites, and defining recovery time and point objectives. He concludes by underlining the critical nature of business operations and resilience, including asset inventory, classification, change controls, monitoring, and incident management.

Understanding MTD, Risks, and Backups

Winton discusses three questions to wrap up the meeting. He explains that MTD (Maximum Tolerable Downtime) measures the longest period an organization can accept a disruption before penalties occur. Winton then identifies data breaches as the primary risk of unmanaged shadow IT, emphasizing that it bypasses security controls. Finally, he clarifies that incremental backups save changes since the last backup of any type, while differential backups save changes since the last full backup.
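The backup strategies from the business continuity section and the incremental-versus-differential distinction above are easiest to see by simulating a week of backups and then a failure: which sets must be restored (which drives the RTO), how much data was lost (the achieved RPO, to compare with the BIA target), and whether the copies satisfy the 3-2-1 rule. The block below is an added illustration written for this summary, not code from the study group; the schedule, change volumes, failure time, RPO target and copy inventory are all constructed assumptions.

```python
"""Simulate full, incremental and differential backup chains over a week,
then work out what a restore after a failure needs, the data-loss window it
leaves, and whether the copies satisfy the 3-2-1 rule.

Added illustration for this summary, not code from the study group. The
schedule, sizes, failure time and RPO target below are constructed.
"""
from datetime import datetime, timedelta

FULL_AT = datetime(2025, 6, 15, 1, 0)        # constructed: Sunday 01:00 full backup
CHANGES_GB = [4, 6, 3, 5, 2, 7]               # constructed: data changed on days 1..6
FULL_SIZE_GB = 100                            # constructed size of the full backup
FAILURE_AT = datetime(2025, 6, 19, 14, 0)     # constructed: Thursday 14:00 failure
RPO_TARGET_HOURS = 24                         # constructed BIA target for this system


def build_sets(strategy, full_at=FULL_AT, changes=CHANGES_GB):
    """Return the week's backup sets as [(time, kind, size_gb)].
    One backup runs each night at 01:00 after the Sunday full."""
    sets = [(full_at, "full", FULL_SIZE_GB)]
    for day, delta in enumerate(changes, start=1):
        t = full_at + timedelta(days=day)
        if strategy == "full":
            sets.append((t, "full", FULL_SIZE_GB + sum(changes[:day])))
        elif strategy == "incremental":
            sets.append((t, "incremental", delta))            # since last backup of any kind
        elif strategy == "differential":
            sets.append((t, "differential", sum(changes[:day])))  # since last full
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(sets, failure_at):
    """Sets that must be restored, in order, after a failure at `failure_at`."""
    usable = [s for s in sets if s[0] <= failure_at]
    if not usable:
        raise ValueError("no backup exists before the failure")
    last = usable[-1]
    if last[1] == "full":
        return [last]
    last_full = max(i for i, s in enumerate(usable) if s[1] == "full")
    if last[1] == "differential":
        return [usable[last_full], last]          # full plus the newest differential
    return usable[last_full:]                     # full plus every incremental since


def data_loss_hours(sets, failure_at):
    """Hours between the newest usable backup and the failure: the achieved RPO."""
    newest = max(s[0] for s in sets if s[0] <= failure_at)
    return (failure_at - newest).total_seconds() / 3600


def rpo_met(sets, failure_at, rpo_hours):
    return data_loss_hours(sets, failure_at) <= rpo_hours


def three_two_one_ok(copies):
    """copies: [(medium, offsite)] for every copy, primary included.
    3-2-1: at least 3 copies, on at least 2 media, at least 1 offsite."""
    media = {medium for medium, _ in copies}
    return len(copies) >= 3 and len(media) >= 2 and any(off for _, off in copies)


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        chain = restore_chain(build_sets(strategy), FAILURE_AT)
        print(f"{strategy:12s} restore needs {len(chain)} set(s), "
              f"{sum(s[2] for s in chain)} GB")
    hours = data_loss_hours(build_sets("incremental"), FAILURE_AT)
    print(f"data loss {hours:.0f} h, RPO {RPO_TARGET_HOURS} h met: "
          f"{rpo_met(build_sets('incremental'), FAILURE_AT, RPO_TARGET_HOURS)}")
    print("3-2-1 ok:", three_two_one_ok([("disk", False), ("disk", False), ("tape", True)]))
```

With the constructed numbers all three strategies restore the same 118 GB, but the incremental chain needs five sets in order (and breaks if any one of them is missing or corrupt), the differential chain needs two, and a nightly full needs one; that is the RTO trade-off against the much larger nightly backup windows of the full and differential strategies. The 13-hour data-loss window meets a 24-hour RPO but would fail a 4-hour one, which is the kind of gap a BIA should surface before the failure does.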

BIA and Change Management Review

Winton concludes the session by reviewing a few more questions about business impact analysis (BIA) and change management. He explains that a BIA identifies critical business functions and emphasizes the importance of focusing on the most critical functions first. Winton encourages participants to connect with him on LinkedIn and announces that next week's session will cover domain 5. He thanks everyone for joining and looks forward to seeing them in the next meeting.
