{"id":122,"date":"2022-04-12T03:02:01","date_gmt":"2022-04-12T03:02:01","guid":{"rendered":"http:\/\/tcm.gov.to\/?page_id=122"},"modified":"2022-04-29T01:57:05","modified_gmt":"2022-04-29T01:57:05","slug":"information-security-aspects-of-business-continuity-management","status":"publish","type":"page","link":"https:\/\/tcm.gov.to\/?page_id=122","title":{"rendered":"Information Security Aspects of Business Continuity management"},"content":{"rendered":"<div id=\"themify_builder_content-122\" data-postid=\"122\" class=\"themify_builder_content themify_builder_content-122 themify_builder\">\n    \t<!-- module_row -->\n\t<div  class=\"themify_builder_row module_row clearfix module_row_0 themify_builder_122_row module_row_122-0 tb_muvv53\">\n\t    \t    <div class=\"row_inner col_align_top\" >\n\t\t\t<div  class=\"module_column tb-column col3-1 first tb_122_column module_column_0 module_column_122-0-0 tb_uya154\" style=\"width: 18.4%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_b8iy275    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-1\"><b>12. 
Information security aspects of business continuity management<\/b><\/h4>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 middle tb_122_column module_column_1 module_column_122-0-1 tb_sgqs56\" style=\"width: 22%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_ibl3737    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-2\"><b>12.1 Information security continuity and redundancy<\/b><br \/><br \/><\/h4>\n<p class=\"u-text u-text-3\">Objective: Information security continuity should be embedded in the organization\u2019s business continuity management systems to ensure availability of information processing facilities.<\/p>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 last tb_122_column module_column_2 module_column_122-0-2 tb_h7fj56\" style=\"width: 53.2%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_p7np473    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-black u-text-4\"><b>12.1.1 Planning information security continuity<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">The organization should determine its requirements for continuity of information security management in adverse situations, e.g. during a crisis or disaster.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-5\">\n<li>Determine and formulate explicitly the information security requirements during the business continuity management or disaster recovery management processes. 
Involve information security specialists when establishing business continuity or disaster recovery processes and define the predetermined level of information security of main information systems.\u00a0<\/li>\n<li>In the absence of formal business continuity and disaster recovery planning, assume that information security requirements remain the same in adverse situations, compared to normal operational conditions.\u00a0<\/li>\n<li>Alternatively, perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.<\/li>\n<\/ul>\n<p class=\"u-text u-text-6\">Read more:\u00a0<\/p>\n<ul class=\"u-text u-text-7\">\n<li><span class=\"u-text-palette-1-base\">Control 11 \u2013 Data Recovery, CIS Critical Security Controls Version 8,\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-1\" href=\"https:\/\/www.cisecurity.org\/controls\/v8\">https:\/\/www.cisecurity.org\/controls\/v8<\/a><\/span><\/li>\n<\/ul>\n<h4 class=\"u-text u-text-8\"><b>12.1.2 Implementing information security continuity<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-9\">\n<li>Enact business continuity and disaster recovery plans of main information systems and data. 
Realistic recovery efforts require a thorough evaluation of the resources required to resume business processes as quickly as possible.\u00a0<\/li>\n<li>Establish, document, implement and maintain:<br \/>a) information security controls within business continuity or disaster recovery processes;<br \/>b)\u00a0processes, procedures and implementation changes to maintain existing information security controls during an adverse situation. Information security controls that have been implemented should continue to operate during an adverse situation;<br \/>c) compensating controls for information security that cannot be maintained during an adverse situation. If security controls are not able to continue to secure information, other controls should be established, implemented and maintained to maintain an acceptable level of information security.\n<p>When implementing continuity procedures:\u00a0<\/p>\n<\/li>\n<li>develop an adequate management structure to prepare for, mitigate and respond to a disruptive event or incident;\u00a0<\/li>\n<li>nominate the incident response personnel with the necessary responsibility, authority and competence to manage a disruptive event or incident;\u00a0<\/li>\n<li>ensure that documented response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level (see 12.1.1 Planning information security continuity).<\/li>\n<\/ul>\n<p class=\"u-text u-text-10\">Read more:<\/p>\n<ul class=\"u-text u-text-11\">\n<li><span class=\"u-text-palette-1-base\">Template for IT Service Continuity Plan,\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-2\" 
href=\"https:\/\/www.smartsheet.com\/business-continuity-templates#it-service-continuity-plan-template\">https:\/\/www.smartsheet.com\/business-continuity-templates#it-service-continuity-plan-template<\/a><\/span><\/li>\n<li><span class=\"u-text-palette-1-base\">Chapter 3. Information System Contingency Planning Process, NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems,\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-3\" href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-34r1.pdf\">https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-34r1.pdf<\/a><\/span><\/li>\n<\/ul>\n<h4 class=\"u-text u-text-12\"><b>12.1.3 Verify, review and evaluate information security continuity<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-13\">\n<li>Verify the information security management continuity by:<br \/>a) exercising and testing the information security continuity processes and controls to ensure that they are consistent with the information security continuity objectives;<br \/>b) exercising and testing the knowledge and routine to operate information security continuity processes and controls;<br \/>c) reviewing the validity and effectiveness of information security continuity measures when there are organizational, technical, procedural and process changes in the organization.<\/li>\n<li>For testing purposes, integrate verification of information security continuity controls with the organization\u2019s business continuity or disaster recovery tests.<\/li>\n<\/ul>\n<h4 class=\"u-text u-text-14\"><b>12.1.4 Redundancies and 
availability of information processing facilities<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-15\">\n<li>When planning information security continuity (see 12.1.1), identify business requirements for the availability of information systems.\u00a0<\/li>\n<li>Consider redundant components or architectures to guarantee continuous availability. High-availability options such as fully redundant load balanced systems at alternate sites, data mirroring, and offsite database replication are normally expensive to set up, operate, and maintain and should be considered only for those high-impact information systems categorized with a high-availability security objective.\u00a0<\/li>\n<li>The implementation of redundancies can introduce risks to the integrity or confidentiality of information and information systems, which need to be considered when designing redundant systems.\u00a0<\/li>\n<li>Test redundant information systems to ensure the failover from one component to another component works as intended.<\/li>\n<\/ul>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t    <\/div>\n\t    <!-- \/row_inner -->\n\t<\/div>\n\t<!-- \/module_row -->\n\t<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"<p>12. Information security aspects of business continuity management 12.1 Information security continuity and redundancy Objective: Information security continuity should be embedded in the organization\u2019s business continuity management systems to ensure availability of information processing facilities. 
12.1.1 Planning information security continuity The organization should determine its requirements for continuity of information security management in adverse situations, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-122","page","type-page","status-publish","hentry","has-post-title","has-post-date","has-post-category","has-post-tag","has-post-comment","has-post-author",""],"builder_content":"<h4><b>12. Information security aspects of business continuity management<\/b><\/h4>\n<h4><b>12.1 Information security continuity and redundancy<\/b><br \/><br \/><\/h4> <p>Objective: Information security continuity should be embedded in the organization\u2019s business continuity management systems to ensure availability of information processing facilities.<\/p>\n<h4><b>12.1.1 Planning information security continuity<\/b><\/h4> <p><strong><em>The organization should determine its requirements for continuity of information security management in adverse situations, e.g. during a crisis or disaster.<\/em><\/strong><\/p> <ul> <li>Determine and formulate explicitly the information security requirements during the business continuity management or disaster recovery management processes. 
Involve information security specialists when establishing business continuity or disaster recovery processes and define the predetermined level of information security of main information systems.\u00a0<\/li> <li>In the absence of formal business continuity and disaster recovery planning, assume that information security requirements remain the same in adverse situations, compared to normal operational conditions.\u00a0<\/li> <li>Alternatively, perform a business impact analysis for information security aspects to determine the information security requirements applicable to adverse situations.<\/li> <\/ul> <p>Read more:\u00a0<\/p> <ul> <li>Control 11 \u2013 Data Recovery, CIS Critical Security Controls Version 8,\u00a0<a href=\"https:\/\/www.cisecurity.org\/controls\/v8\">https:\/\/www.cisecurity.org\/controls\/v8<\/a><\/li> <\/ul> <h4><b>12.1.2 Implementing information security continuity<\/b><\/h4> <p><strong><em>The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.<\/em><\/strong><\/p> <ul> <li>Enact business continuity and disaster recovery plans of main information systems and data. Realistic recovery efforts require a thorough evaluation of the resources required to resume business processes as quickly as possible.\u00a0<\/li> <li>Establish, document, implement and maintain:<br \/>a) information security controls within business continuity or disaster recovery processes;<br \/>b)\u00a0processes, procedures and implementation changes to maintain existing information security controls during an adverse situation. Information security controls that have been implemented should continue to operate during an adverse situation;<br \/>c) compensating controls for information security that cannot be maintained during an adverse situation. 
If security controls are not able to continue to secure information, other controls should be established, implemented and maintained to maintain an acceptable level of information security. <p>When implementing continuity procedures:\u00a0<\/p> <\/li> <li>develop an adequate management structure to prepare for, mitigate and respond to a disruptive event or incident;\u00a0<\/li> <li>nominate the incident response personnel with the necessary responsibility, authority and competence to manage a disruptive event or incident;\u00a0<\/li> <li>ensure that documented response and recovery procedures are developed and approved, detailing how the organization will manage a disruptive event and will maintain its information security to a predetermined level (see 12.1.1 Planning information security continuity).<\/li> <\/ul> <p>Read more:<\/p> <ul> <li>Template for IT Service Continuity Plan,\u00a0<a href=\"https:\/\/www.smartsheet.com\/business-continuity-templates#it-service-continuity-plan-template\">https:\/\/www.smartsheet.com\/business-continuity-templates#it-service-continuity-plan-template<\/a><\/li> <li>Chapter 3. Information System Contingency Planning Process, NIST Special Publication 800-34 Rev. 
1, Contingency Planning Guide for Federal Information Systems,\u00a0<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-34r1.pdf\">https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-34r1.pdf<\/a><\/li> <\/ul> <h4><b>12.1.3 Verify, review and evaluate information security continuity<\/b><\/h4> <p><strong><em>The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.<\/em><\/strong><\/p> <ul> <li>Verify the information security management continuity by:<br \/>a) exercising and testing the information security continuity processes and controls to ensure that they are consistent with the information security continuity objectives;<br \/>b) exercising and testing the knowledge and routine to operate information security continuity processes and controls;<br \/>c) reviewing the validity and effectiveness of information security continuity measures when there are organizational, technical, procedural and process changes in the organization.<\/li> <li>For testing purposes, integrate verification of information security continuity controls with the organization\u2019s business continuity or disaster recovery tests.<\/li> <\/ul> <h4><b>12.1.4 Redundancies and availability of information processing facilities<\/b><\/h4> <p><strong><em>Information processing facilities should be implemented with redundancy sufficient to meet availability requirements.<\/em><\/strong><\/p> <ul> <li>When planning information security continuity (see 12.1.1), identify business requirements for the availability of information systems.\u00a0<\/li> <li>Consider redundant components or architectures to guarantee continuous availability. 
High-availability options such as fully redundant load balanced systems at alternate sites, data mirroring, and offsite database replication are normally expensive to set up, operate, and maintain and should be considered only for those high-impact information systems categorized with a high-availability security objective.\u00a0<\/li> <li>The implementation of redundancies can introduce risks to the integrity or confidentiality of information and information systems, which need to be considered when designing redundant systems.\u00a0<\/li> <li>Test redundant information systems to ensure the failover from one component to another component works as intended.<\/li> <\/ul>","_links":{"self":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=122"}],"version-history":[{"count":4,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/122\/revisions"}],"predecessor-version":[{"id":271,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/122\/revisions\/271"}],"wp:attachment":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}