Business Continuity Management:: Difference between revisions
Revision as of 13:06, 10 April 2007
Business Continuity Management Considerations
Events that trigger the implementation of a business continuity plan may have significant security implications. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at different physical locations, using similar but not identical machines and software, which may communicate over different communications lines. Different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for back-up sites and communications networks. These security considerations should be integrated with the testing of business continuity plan implementations.
Business Continuity Management
ISO 27001 defines Business Continuity Management objectives to counteract interruptions to business and protect critical business processes from the effects of major failures or disasters. This section provides templates for Information Security standards that are required to comply with ISO Business Continuity Management objectives and support the objectives established in the Asset Protection Policy, and Threat Assessment and Monitoring Policy.
1. Sample ISO Availability Protection Standard
   The Availability Protection Standard is required to comply with ISO Business Continuity Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the availability of information assets.
2. Sample ISO Threat Monitoring Standard
   The Threat Monitoring Standard is required to comply with ISO Business Continuity Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for periodically identifying, analyzing, and prioritizing threats to sensitive information such as health information pertaining to individuals. The Threat Monitoring Standard provides specific requirements for performing real-time intrusion detection monitoring and periodic intrusion detection analysis to detect threat and intrusion activity.
3. Sample ISO Incident Response Standard
   The Incident Response Standard is required to comply with ISO Business Continuity Management and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.
IT Service Continuity Management
IT Service Continuity Management helps to ensure the availability and rapid restoration of IT services in the event of a disaster. The high-level activities are Risk Analysis, Manage Plan Management, Contingency Plan Testing, and Risk Management.
References
See: Continuity Management
See the “Business Continuity Planning” booklet of the FFIEC IT Examination Handbook.