Wayne State Univ: Top 10 Recommended Information Security Practices

2. POLICY:

  • Develop, deploy, and enforce security policies that satisfy business objectives.
  • Create policies that address key security topic issues such as:
    • Security risk management
    • Critical asset identification
    • Physical security
    • System and network management
    • Authentication and authorization
    • Access control
    • Vulnerability management
    • Incident management
    • Awareness and training
    • Privacy
  • Ensure that the intent of each policy is reflected in the standards, procedures, practices, training, and security architectures that implement it.

10. CONTINUITY PLANNING & DISASTER RECOVERY:

Develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.

  • Elements of a BC plan, at a minimum, should include, but are not limited to, the following:

    a. Procedures for response and recovery that contain predetermined prioritized actions on how to:
       i.   Respond to a disruptive event
       ii.  Activate the plan
       iii. Recover critical business processes
       iv.  Restore the business back to its state before the incident or disaster occurred
    b. Alternate work locations and work procedures (if necessary) must be identified in case the primary site is unavailable. The plan should also include procedures to equip the alternate work site (telecommunication systems, PCs, and other devices), and contracts with third parties.
    c. Procedures to safeguard and reconstruct the home site.
    d. Procedures to safeguard the alternate site.
    e. Reconstruction plans for the recovery of all systems resources at the original location.
    f. Critical information (such as current names, telephone/pager number of key personnel, etc.) on continuity teams, affected staff, customers and suppliers.
    g. Major upstream / downstream applications that contain information system groups that may be affected and critical contact information must be identified.
    h. Time frames for restoring systems to ensure required transaction processing times are met and disruption time is minimized.

  • Elements of a DR plan, at a minimum, should include, but are not limited to, the following:

    a. The identification of possible disasters that could interrupt access to systems for long periods of time.
    b. Directions to off-site storage locations.
    c. Business recovery location.
    d. Disaster recovery organization chart/list: action team call tree for internal contacts and their locations.
    e. Hardware and other required inventory needed in the event of a disaster.
    f. Application and other required inventory needed in the event of a disaster.
    g. Operating system and other required inventory needed in the event of a disaster.
    h. Vendor name(s) and contact information.
    i. Media, records, and documentation needed for restoration.
    j. Recovery procedures and priority of servers, applications, and other dependent systems.
    k. Time frames for restoring systems to ensure required transaction processing.
    l. Critical file and work-in-process assessment report.
    m. Recovery status report.


Read the rest of the list at http://internalaudit.wayne.edu/security-practices.php
