Sample Availability Protection Standard:: Difference between revisions
No edit summary |
|||
| Line 34: | Line 34: | ||
::6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.<br> | ::6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.<br> | ||
<br> | <br> | ||
:'''B.Data Backup'''<br> | :'''B. Data Backup'''<br> | ||
<br> | <br> | ||
::1. All sensitive information shall be stored on network servers.<br> | ::1. All sensitive information shall be stored on network servers.<br> | ||
Revision as of 12:54, 16 July 2007
Availability Protection Standard
The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.
This Availability Protection Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for proper controls to protect the availability of Company information assets.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.
Availability classifications are defined in the Sample Information Classification Standard.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Mission Critical Resources refers to systems, applications, and networks that have been classified as High or Medium availability.
Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.
II. Requirements
- A. General
- 1. Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.
- 1. Appropriate controls based on the availability classification of the information must be defined and incorporated into development and production processes and procedures to ensure that information assets are consistently available to conduct business and support business operations.
- 2. System and network failures should be reported immediately to <SPECIFY CONTACT>.
- 2. System and network failures should be reported immediately to <SPECIFY CONTACT>.
- 3. Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
- 3. Users shall be notified of scheduled outages (for example, for system maintenance) that require any period of downtime. This notification should specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
- 4. An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the Life Cycle Management Standard, to aid in the event of system failure, recovery, or reconfiguration.
- 4. An inventory of Mission Critical Resources and list of administrative items should be maintained, in accordance with the Life Cycle Management Standard, to aid in the event of system failure, recovery, or reconfiguration.
- 5. Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.
- 5. Prior to production use, each new or significantly modified business application must include a Security Impact Statement and Business Impact Analysis.
- 6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.
- 6. Capacity management and load balancing techniques should be used, as deemed necessary, to help minimize the risk and impact of system failures.
- B. Data Backup
- 1. All sensitive information shall be stored on network servers.
- 1. All sensitive information shall be stored on network servers.
- 2. Full backups of Mission Critical Resources must be performed on at least a weekly basis.
- 2. Full backups of Mission Critical Resources must be performed on at least a weekly basis.
- 3. Incremental backups for Mission Critical Resources must be performed on at least a daily basis.
- 3. Incremental backups for Mission Critical Resources must be performed on at least a daily basis.
- 4. Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.
- 4. Backups and associated media shall be maintained online for a minimum of thirty (30) days and retained for at least one (1) year and in accordance with legal and regulatory requirements.
- 5. Backup media shall be stored and protected in accordance with the Sample Physical Access Standard and Sample Information Handling Standard.
- 5. Backup media shall be stored and protected in accordance with the Sample Physical Access Standard and Sample Information Handling Standard.
- C. Redundancy and Fail-over
- 1. The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- 1. The network infrastructure that supports Mission Critical Resources should have system-level redundancy such as redundant power supplies and system fail-over. Spares should be maintained for critical core components such as routers and switches and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- 2. Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- 2. Servers that support Mission Critical Resources should have redundant power supplies and network interface cards. Spares should be maintained and service level arrangements should allow for parts replacement within twenty-four (24) hours.
- 3. Servers that have been classified as High availability should use disk mirroring.
- 3. Servers that have been classified as High availability should use disk mirroring.
- D. Business Continuity Plans
- 1. Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:
- 1. Recovery Time and Data Loss Limits for each Availability Classification category are defined in the following table:
Availability Classification Availability Requirements Scheduled Outage Requirements Recovery Time Requirements Data Loss or Impact Limits High High to Continuous Availability Required Medium Standard Availability Required Low Limited Availability Required
- 2. Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.
- 2. Business Continuity Plans must be developed to support the Recovery Time Requirements and Data Loss Limits.
- 3. Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.
- 3. Business Continuity Plans should specifically identify the Company and/or external Mission Critical Resources, personnel, resources, and necessary corrective actions required for continued availability in the event of an unexpected interruption to normal business operations.
- 4. Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.
- 4. Business Continuity Plans must be written to detail specific responsibilities and tasks for use in responding to emergencies and resuming business operations.
- 5. Business Continuity Plans must adhere to all applicable legal and regulatory requirements.
- 5. Business Continuity Plans must adhere to all applicable legal and regulatory requirements.
- 6. Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the Sample Information Handling Standard.
- 6. Business Continuity Plans are considered "Restricted" information and must be stored and protected in accordance with the Sample Information Handling Standard.
- 7. Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.
- 7. Business Continuity Plans must be reviewed and revised, as necessary, on a quarterly basis.
- 8. Business Continuity Plans must be tested semi-annually for reliable and reproducible results.
- 8. Business Continuity Plans must be tested semi-annually for reliable and reproducible results.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Availability Protection Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Availability Protection Standard.
Company management, including senior management and department managers, is accountable for ensuring that the Availability Protection Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Availability Protection Standard.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Availability Protection Standard and associated guidelines; ensuring the availability of information assets; determining the business impact if an information asset is unavailable, data integrity is compromised or unauthorized access is gained; defining Business Continuity Plans for critical information assets to mitigate risks to an acceptable level; ensuring Business Continuity Plans are reviewed and tested; and participating with periodic corporate recovery exercises.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information; and implementing procedural safeguards and cost-effective controls that are consistent with the Availability Protection Standard.
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for familiarizing and complying with the Availability Protection Standard and associated guidelines; reporting system and network outages immediately; as well as storing sensitive and critical information on network servers to ensure data is backed up.
IV. Enforcement and Exception Handling
Failure to comply with the Availability Protection Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Availability Protection Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Availability Protection Standard.
V. Review and Revision
The Availability Protection Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer