Sample Availability Protection Standard:: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== | ==Objectives== | ||
# '''General''' | |||
## Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations. | |||
## System and network failures should be reported immediately to the Information Technology Director or designated IT operations manager. | |||
## Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time. | |||
## An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the [[Sample_System_Development_Life_Cycle_Standard:|'''System Development Life Cycle Standard''']], to aid in the event of system failure, recovery, or reconfiguration. | |||
## Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis. | |||
## Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures. | |||
# '''Data Backup''' | |||
## All sensitive information shall be stored on network servers. | |||
## Full backups of Mission Critical Resources must be performed on at least a weekly basis. | |||
## Incremental backups for Mission Critical Resources must be performed on at least a daily basis. | |||
## Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements. | |||
## Backup media shall be stored and protected in accordance with the [[Sample_Physical_Access_Standard:|'''Physical Access Standard''']] and [[Sample_Information_Handling_Standard:|'''Information Handling Standard''']]. | |||
# '''Redundancy and Fail-over''' | |||
## The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours. | |||
## Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours. | |||
## Servers that have been classified as High availability should use disk mirroring. | |||
# '''Business Continuity Plans''' | |||
## Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table: | |||
## Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits. | |||
## Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations. | |||
## Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations. | |||
## Business Continuity Plans must adhere to all applicable legal and regulatory requirements. | |||
## Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the [[Sample_Information_Handling_Standard:|'''Information Handling Standard''']]. | |||
## Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis. | |||
## Business Continuity Plans must be tested semi-annually for reliable and reproducible results. | |||
''' | |||
''' | |||
''' | |||
<br> | <br> | ||
== | ==Document Examples== | ||
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br> | |||
<br> | <br> | ||
<gallery> | |||
Image:Availability Protection Standard.png|Availability Protection Standard page one of eight. | |||
Image:Availability Protection Standard(1).png|Availability Protection Standard page two of eight. | |||
Image:Availability Protection Standard(2).png|Availability Protection Standard page three of eight. | |||
Image:Availability Protection Standard(3).png|Availability Protection Standard page four of eight. | |||
Image:Availability Protection Standard(4).png|Availability Protection Standard page five of eight. | |||
Image:Availability Protection Standard(5).png|Availability Protection Standard page six of eight. | |||
Image:Availability Protection Standard(6).png|Availability Protection Standard page seven of eight. | |||
Image:Availability Protection Standard(7).png|Availability Protection Standard page eight of eight. | |||
</gallery> |
Latest revision as of 21:03, 15 January 2014
Objectives
- General
- Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.
- System and network failures should be reported immediately to the Information Technology Director or designated IT operations manager.
- Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
- An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the System Development Life Cycle Standard, to aid in the event of system failure, recovery, or reconfiguration.
- Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.
- Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.
- Data Backup
- All sensitive information shall be stored on network servers.
- Full backups of Mission Critical Resources must be performed on at least a weekly basis.
- Incremental backups for Mission Critical Resources must be performed on at least a daily basis.
- Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.
- Backup media shall be stored and protected in accordance with the Physical Access Standard and Information Handling Standard.
- Redundancy and Fail-over
- The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- Servers that have been classified as High availability should use disk mirroring.
- Business Continuity Plans
- Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:
- Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.
- Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.
- Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.
- Business Continuity Plans must adhere to all applicable legal and regulatory requirements.
- Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the Information Handling Standard.
- Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.
- Business Continuity Plans must be tested semi-annually for reliable and reproducible results.
Document Examples
Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.
-
Availability Protection Standard page one of eight.
-
Availability Protection Standard page two of eight.
-
Availability Protection Standard page three of eight.
-
Availability Protection Standard page four of eight.
-
Availability Protection Standard page five of eight.
-
Availability Protection Standard page six of eight.
-
Availability Protection Standard page seven of eight.
-
Availability Protection Standard page eight of eight.