- Develop, deploy, and enforce security policies that satisfy business objectives.
- Create policies that address key security topic issues such as:
  - Security risk management
  - Critical asset identification
  - Physical security
  - System and network management
  - Authentication and authorization
  - Access control
  - Vulnerability management
  - Incident management
  - Awareness and training
- Ensure that the intent of each policy is reflected in the standards, procedures, practices, training, and security architectures that implement it.
10. CONTINUITY PLANNING & DISASTER RECOVERY:
Develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.
- Elements of a BC plan, at a minimum, should include, but are not limited to, the following:
a. Procedures for response and recovery that contain predetermined prioritized actions on how to:
i. Respond to a disruptive event
ii. Activate the plan
iii. Recover critical business processes
iv. Restore the business back to its state before the incident or disaster occurred
b. Alternate work locations and work procedures (if necessary) must be identified in case the primary site is unavailable. The plan should also include procedures to equip the alternate work site (telecommunication systems, PCs, and other devices), and contracts with third parties.
c. Procedures to safeguard and reconstruct the home site.
d. Procedures to safeguard the alternate site.
e. Reconstruction plans for the recovery of all systems resources at the original location.
f. Critical information (such as current names, telephone/pager numbers of key personnel, etc.) on continuity teams, affected staff, customers and suppliers.
g. Major upstream/downstream applications and the information system groups that may be affected, together with their critical contact information, must be identified.
h. Time frames for restoring systems to ensure required transaction processing times are met and disruption time is minimized.
- Elements of a DR plan, at a minimum, should include, but are not limited to, the following:
a. The identification of possible disasters that could interrupt access to systems for long periods of time.
b. Directions to Off-Site Storage locations
c. Business recovery location
d. Disaster recovery organization chart/list – action team call tree for internal contacts and their locations
e. Hardware and other required inventory needed in the event of a disaster
f. Application and other required inventory needed in the event of a disaster
g. Operating system and other required inventory needed in the event of a disaster
h. Vendor name(s) and contact information
i. Media, records, and documentation needed for restoration
j. Recovery procedures and priority of servers, applications, and other dependent systems
k. Time frames for restoring systems to ensure required transaction processing
l. Critical file and work in process assessment report
m. Recovery status report
Read the rest of the list at http://internalaudit.wayne.edu/security-practices.php