Sample Availability Protection Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
Line 11: Line 11:
'''Availability classifications''' are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
'''Availability classifications''' are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
<br>
<br>
'''Information assets''' are defined in the A[[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
<br>
'''Mission Critical Resources''' refers to systems, applications, and networks that have been classified as High or Medium availability.<br>
'''Mission Critical Resources''' refers to systems, applications, and networks that have been classified as High or Medium availability.<br>
Line 17: Line 17:
'''Sensitive information''' refers to information that is classified as Restricted or Confidential. Refer to the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']] for confidentiality classification categories.<br>
'''Sensitive information''' refers to information that is classified as Restricted or Confidential. Refer to the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']] for confidentiality classification categories.<br>
<br>
<br>
=='''II. Requirements'''==
=='''II. Requirements'''==
<br>
<br>

Revision as of 18:47, 25 April 2007

Availability Protection Standard


The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.

This Availability Protection Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for proper controls to protect the availability of Company information assets.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Availability classifications are defined in the Sample Information Classification Standard.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Mission Critical Resources refers to systems, applications, and networks that have been classified as High or Medium availability.

Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

II. Requirements


A. General


1. Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.


2. System and network failures should be reported immediately to <SPECIFY CONTACT>.


3. Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.


4. An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the Life Cycle Management Standard, to aid in the event of system failure, recovery, or reconfiguration.


5. Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.


6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.


B.Data Backup


1. All sensitive information shall be stored on network servers.


2. Full backups of Mission Critical Resources must be performed on at least a weekly basis.


3. Incremental backups for Mission Critical Resources must be performed on at least a daily basis.


4. Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.


5. Backup media shall be stored and protected in accordance with the Sample Physical Access Standard and Sample Information Handling Standard.


C. Redundancy and Fail-over


1. The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.


2. Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.


3. Servers that have been classified as High availability should use disk mirroring.


D. Business Continuity Plans


1. Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:


Availability ClassificationAvailability RequirementsScheduled Outage RequirementsRecovery Time RequirementsData Loss or Impact Limits
HighHigh to Continuous Availability Required
MediumStandard Availability Required
LowLimited Availability Required


2. Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.


3. Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.


4. Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.


5. Business Continuity Plans must adhere to all applicable legal and regulatory requirements.


6. Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the Sample Information Handling Standard.


7. Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.


8. Business Continuity Plans must be tested semi-annually for reliable and reproducible results.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Availability Protection Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Availability Protection Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Availability Protection Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Availability Protection Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Availability Protection Standard and associated guidelines; ensuring the availability of information assets; determining the business impact if an information asset is unavailable, data integrity is compromised or unauthorized access is gained; defining Business Continuity Plans for critical information assets to mitigate risks to an acceptable level; ensuring Business Continuity Plans are reviewed and tested; and participating with periodic corporate recovery exercises.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; and implementing procedural safeguards and cost-effective controls that are consistent with the Availability Protection Standard.

Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for familiarizing and complying with the Availability Protection Standard and associated guidelines; reporting system and network outages immediately; as well as storing sensitive and critical information on network servers to ensure data is backed up.

IV. Enforcement and Exception Handling


Failure to comply with the Availability Protection Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Availability Protection Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Availability Protection Standard.

V. Review and Revision


The Availability Protection Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer