ICT Incident Management Procedures

University of Lincoln
ICT Incident Management

Procedures
Author
Approved
Current Version
Issue Date
Review Date
Mark N R Smith, ICT Services

12/09/11
2.1
12/09/11
12/03/12
ICT Incident Management Procedures
13/09/2011 13:22:00
Document Control
Revision History
Version
Date
Author(s)
Notes on Revisions
2.1
12.09.11
Mark N R Smith
Extracted from Critical Incident (DR) Plan.
2.2
13.09.11
Mark N R Smith
Corrected typos
Approval
This document has been approved by:
Head of ICT
Signed:
Date:
12.09.11
I.Marshall
Page 2 of 7
File: ICT Incident Management Procedures - v2_2.docx
13/09/2011 13:22:00
Contents
1
2
3
Introduction ............................................................................................................ 4
Purpose ................................................................................................................... 4
Incident Procedure ................................................................................................. 4
3.1 ICT Procedure Checklist ................................................................................. 5
3.2 Incident Procedure Details .............................................................................. 5
3.2.1
Within the First 30 Minutes ..................................................................... 5
3.2.2
Within the First Hour ............................................................................... 6
3.2.3
Each Subsequent Hour ............................................................................. 6
Page 3 of 7
13/09/2011 13:22:00
1 Introduction
This procedure details the steps to be taken in the event of a situation that is
affecting staff or student access to IT systems within ICT.
2 Purpose
All sections within ICT should use these procedures when a system (A system
could be an Operating System, Application, web service or hardware) is
unavailable, unresponsive or its security is compromised and a solution is not
identified within the first 30 minutes. This document details the steps that have to
be taken and provides guidelines on how to manage the incident.
3 Incident Procedure
Incident Identified
Initial diagnosis and fix if possible

(30 minutes maximum)
Triage
Within 30 minutes ICT IMT formed
Form Incident
Management Team
Formulate and record action plan

Formulate communications plan
Assess Impact
Initial phone call and email to:
VCO
Head of Service
Deans
SU
Call in ALL support Provision:

Call-out ICT technical
specialists
Invoke support contracts
Invoke Support
Plan Comms
Work on fix/alternatives
Communicate
Stakeholders
Fig. 1 - Incident Management Procedure
Page 4 of 7
13/09/2011 13:22:00
3.1 ICT Procedure Checklist

During an incident the following checklist should be completed as a minimum log
of the events that take place. This checklist can be found as a single sheet at the
end of this document.
Elapsed Time
Within 30 mins.
Action
Perform initial diagnosis
Attempt initial fix
Assess impact of fault
Plan Comms. based on impact
Action initial Comms. plan step(s) (Service
Desk)
Form ICT Incident Management Team
(IIMT)
Within first hour
IIMT Re-evaluate impact assessment

IIMT formulate action plan
IIMT invoke ICT Service Desk supplier
support escalation options if no fix option.
IIMT refine Comms. plan in light of impact
assessment
Action Comms. Plan steps depending on
impact phone depts., faculty heads & SU
(Service Desk)
ICT specialists work with support providers
IIMT begin to investigate alternative service
provision
Each hour
IIMT revisit action plan

Continue Comms. Plan (Service Desk)
IIMT continue investigation/implementation
alternative service provision
3.2
3.2.1
Done By
When
Incident Procedure Details

Within the First 30 Minutes
During the first 30 minutes the initial problem diagnosis will take place to gather
information, assess the impact of the problem and to attempt to establish a
recovery time to bring the service back into operation. This process will be
managed by the most senior member of staff available in the ICT business unit.
Based on diagnostic information and in conjunction with the service owners,
where applicable, fixes may be applied to restore the service.
Within 30 minutes of the problem if the service is not restored or judged
sufficiently serious, an ICT Incident Management Team (IIMT) will be formed.
An incident could be categorised as serious if:
Page 5 of 7
13/09/2011 13:22:00
It affects a major university system;

It impacts teaching or learning;
It affects a business critical system;
It affects a significant number of individuals;
There is no workaround or alternative to allow the service to continue;
Feedback from affected individuals indicates a serious issue.
3.2.2
Within the First Hour
The IIMT will re-visit the impact assessment and formulate a communications
plan. For a serious incident this means the Service Desk (or member of the IIMT
if Service Desk not available) will telephone the VCO, the Heads of Service and
Faculties and the Students Union. A less serious incident will email affected
individuals. The communications will provide details of how to obtain more
information and how to get support for urgent business requirements. Also
feedback from affected individuals will inform the planning for communications,
the workaround situation.
The IIMT will produce an action plan to restore the service. The first item in the
action plan, done immediately, will be to invoke all the relevant third-party
support arrangements to work with ICT specialists. The existing system will not
then be changed except under the direction of third-party support except in a
limited easily-reversible way.
Also the IIMT will begin to consider alternative methods to provide the service
taking into account user feedback. During this time the IIMT will consider if the
issue requires greater resources than those available within ICT then the incident
should be escalated to the university IMT.
3.2.3
Each Subsequent Hour
Each subsequent hour the IIMT will revisit the action plan on the basis of
additional information acquired. ICT specialists will continue to work with support
providers to diagnose and fix the problem. The Comms. plan will continue and be
refined in the light of further information, particularly about recovery times. The
IIMT will continue to consider if implementation of alternative service provision or
escalation to the University IMT is appropriate.
Page 6 of 7
Elapsed
Time
Within 30
mins.
13/09/2011 13:22:00
Action
Done
By
Perform initial diagnosis

Attempt initial fix
Assess impact of fault
Plan Comms. based on impact
Action initial Comms. plan step(s) (Service
Desk)
Form ICT Incident Management Team (IIMT)
Within
first hour
IIMT Re-evaluate impact assessment

IIMT formulate action plan
IIMT invoke ICT Service Desk supplier support
escalation options if no fix option.
IIMT refine Comms. plan in light of impact
assessment
Action Comms. Plan steps depending on
impact phone depts., faculty heads & SU
(Service Desk)
IIMT begin to investigate alternative service
provision
Each hour
IIMT revisit action plan

Continue Comms. Plan (Service Desk)
IIMT continue investigation/implementation
alternative service provision
Page 7 of 7
When
(Date&Time)

ICT Incident Management Procedures - V2 - 2

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ICT Incident Management Procedures - V2 - 2

Încărcat de

Drepturi de autor:

Formate disponibile

University of Lincoln