Sample Availability Protection Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
=='''Availability Protection Standard'''==
==Objectives==
<br>
# '''General'''
The '''<Your Company Name>''' (the "Company") [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']] defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.<br>
## Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.
<br>
## System and network failures should be reported immediately to the Information Technology Director or designated IT operations manager.
This Availability Protection Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], and provides specific instructions and requirements for proper controls to protect the availability of Company information assets.<br>
## Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
<br>
## An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the [[Sample_System_Development_Life_Cycle_Standard:|'''System Development Life Cycle Standard''']], to aid in the event of system failure, recovery, or reconfiguration.
=='''I. Scope'''==
## Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.
<br>
## Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
# '''Data Backup'''
<br>
## All sensitive information shall be stored on network servers.
'''Availability classifications''' are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
## Full backups of Mission Critical Resources must be performed on at least a weekly basis.
<br>
## Incremental backups for Mission Critical Resources must be performed on at least a daily basis.
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
## Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.
<br>
## Backup media shall be stored and protected in accordance with the [[Sample_Physical_Access_Standard:|'''Physical Access Standard''']] and [[Sample_Information_Handling_Standard:|'''Information Handling Standard''']].
'''Mission Critical Resources''' refers to systems, applications, and networks that have been classified as High or Medium availability.<br>
# '''Redundancy and Fail-over'''
<br>
## The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.
'''Sensitive information''' refers to information that is classified as Restricted or Confidential. Refer to the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']] for confidentiality classification categories.<br>
## Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.
<br>
## Servers that have been classified as High availability should use disk mirroring.
 
# '''Business Continuity Plans'''
=='''II. Requirements'''==
## Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:
<br>
## Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.
:'''A. General'''<br>
## Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.
<br>
## Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.
::1. Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.<br>
## Business Continuity Plans must adhere to all applicable legal and regulatory requirements.
<br>
## Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the [[Sample_Information_Handling_Standard:|'''Information Handling Standard''']].
::2. System and network failures should be reported immediately to <SPECIFY CONTACT>.<br>
## Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.
<br>
## Business Continuity Plans must be tested semi-annually for reliable and reproducible results.
::3. Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.<br>
<br>
::4. An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the Life Cycle Management Standard, to aid in the event of system failure, recovery, or reconfiguration.<br>
<br>
::5. Prior to production use, each new or significantly modified business application must include a Security Impact Statement and [[Business_Impact_Analysis | Business Impact Analysis]].<br>
<br>
::6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.<br>
<br>
:'''B. Data Backup'''<br>
<br>
::1. All sensitive information shall be stored on network servers.<br>
<br>
::2. Full backups of Mission Critical Resources must be performed on at least a weekly basis.<br>
<br>
::3. Incremental backups for Mission Critical Resources must be performed on at least a daily basis.<br>
<br>
::4. Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.<br>
<br>
::5. Backup media shall be stored and protected in accordance with the [[Sample Physical Access Standard:|'''Sample Physical Access Standard''']] and [[Sample Information Handling Standard:|'''Sample Information Handling Standard''']]. <br>
<br>
:'''C. Redundancy and Fail-over'''<br>
<br>
::1. The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.<br>
<br>
::2. Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.<br>
<br>
::3. Servers that have been classified as High availability should use disk mirroring.<br>
<br>
:'''D. Business Continuity Plans'''<br>
<br>
::1. Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:<br>
<br>
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><table border="1">
<tr><td>'''Availability Classification'''</td><td>'''Availability Requirements'''</td><td>'''Scheduled Outage Requirements'''</td><td>'''Recovery Time Requirements'''</td><td>'''Data Loss or Impact Limits'''</td></tr>
<tr><td>High</td><td>High to Continuous Availability Required</td><td></td><td></td><td></td></tr>
<tr><td>Medium</td><td>Standard Availability Required</td><td></td><td></td><td></td></tr>
<tr><td>Low</td><td>Limited Availability Required</td><td></td><td></td><td></td></tr>
</table>
</blockquote>
<br> 
::2. Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.<br>
<br>
::3. Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.<br>
<br>
::4. Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.<br>
<br>
::5. Business Continuity Plans must adhere to all applicable legal and regulatory requirements.<br>
<br>
::6. Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the [[Sample Information Handling Standard:|'''Sample Information Handling Standard''']].<br>
<br>
::7. Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.<br>
<br>
::8. Business Continuity Plans must be tested semi-annually for reliable and reproducible results.<br>
<br>
<br>


=='''III. Responsibilities'''==
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
The Chief Information Security Officer (CISO) approves the Availability Protection Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Availability Protection Standard.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Availability Protection Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Availability Protection Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Availability Protection Standard and associated guidelines; ensuring the availability of information assets; determining the business impact if an information asset is unavailable, data integrity is compromised or unauthorized access is gained; defining Business Continuity Plans for critical information assets to mitigate risks to an acceptable level; ensuring Business Continuity Plans are reviewed and tested; and participating with periodic corporate recovery exercises.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; and implementing procedural safeguards and cost-effective controls that are consistent with the Availability Protection Standard.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for familiarizing and complying with the Availability Protection Standard and associated guidelines; reporting system and network outages immediately; as well as storing sensitive and critical information on network servers to ensure data is backed up.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Availability Protection Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Availability Protection Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Availability Protection Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Availability Protection Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
<gallery>
Image:Availability Protection Standard.png|Availability Protection Standard page one of eight.
Image:Availability Protection Standard(1).png|Availability Protection Standard page two of eight.
Image:Availability Protection Standard(2).png|Availability Protection Standard page three of eight.
Image:Availability Protection Standard(3).png|Availability Protection Standard page four of eight.
Image:Availability Protection Standard(4).png|Availability Protection Standard page five of eight.
Image:Availability Protection Standard(5).png|Availability Protection Standard page six of eight.
Image:Availability Protection Standard(6).png|Availability Protection Standard page seven of eight.
Image:Availability Protection Standard(7).png|Availability Protection Standard page eight of eight.
</gallery>

Latest revision as of 21:03, 15 January 2014

Objectives

  1. General
    1. Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.
    2. System and network failures should be reported immediately to the Information Technology Director or designated IT operations manager.
    3. Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
    4. An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the System Development Life Cycle Standard, to aid in the event of system failure, recovery, or reconfiguration.
    5. Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.
    6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.
  2. Data Backup
    1. All sensitive information shall be stored on network servers.
    2. Full backups of Mission Critical Resources must be performed on at least a weekly basis.
    3. Incremental backups for Mission Critical Resources must be performed on at least a daily basis.
    4. Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.
    5. Backup media shall be stored and protected in accordance with the Physical Access Standard and Information Handling Standard.
  3. Redundancy and Fail-over
    1. The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.
    2. Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.
    3. Servers that have been classified as High availability should use disk mirroring.
  4. Business Continuity Plans
    1. Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:
    2. Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.
    3. Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.
    4. Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.
    5. Business Continuity Plans must adhere to all applicable legal and regulatory requirements.
    6. Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the Information Handling Standard.
    7. Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.
    8. Business Continuity Plans must be tested semi-annually for reliable and reproducible results.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.