Response and Recovery Time Objectives Policies Based on the BIA
by Robert Johnson,
Chuck Easttom
Security Policies and Implementation Issues, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Information Systems Security Policy Management
- What Is Information Systems Security?
- What Is Information Assurance?
- What Is Governance?
- Why Is Governance Important?
- What Are Information Systems Security Policies?
- Creating Policies
- Where Do Information Systems Security Policies Fit Within an Organization?
- Why Information Systems Security Policies Are Important
- When Do You Need Information Systems Security Policies?
- Why Enforcing and Winning Acceptance for Policies Is Challenging
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTES
- CHAPTER 2 Business Drivers for Information Security Policies
- CHAPTER 3 Compliance Laws and Information Security Policy Requirements
- U.S. Compliance Laws
- Whom Do the Laws Protect?
- Which Laws Require Proper Security Controls to Be Included in Policies?
- Which Laws Require Proper Security Controls for Handling Privacy Data?
- Aligning Security Policies and Controls with Regulations
- Industry Leading Practices and Self-Regulation
- Some Important Industry Standards
- International Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
- CHAPTER 5 Information Security Policy Implementation Issues
- Human Nature in the Workplace
- Organizational Structures
- The Challenge of User Apathy
- The Importance of Executive Management Support
- The Role of Human Resources Policies
- Policy Roles, Responsibilities, and Accountability
- When Policy Fulfillment Is Not Part of Job Descriptions
- Impact on Entrepreneurial Productivity and Efficiency
- Tying Security Policy to Performance and Accountability
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- ENDNOTES
- CHAPTER 6 IT Security Policy Frameworks
- What Is an IT Policy Framework?
- What Is a Program Framework Policy or Charter?
- Business Considerations for the Framework
- Information Assurance Considerations
- Information Systems Security Considerations
- Best Practices for IT Security Policy Framework Creation
- Case Studies in Policy Framework Development
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- ENDNOTES
- CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
- Policies and Standards Design Considerations
- Document Organization Considerations
- Considerations for Implementing Policies and Standards
- Maintaining Your Policy and Standards Library
- Best Practices for Policies and Standards Maintenance
- Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- ENDNOTES
- CHAPTER 8 IT Security Policy Framework Approaches
- IT Security Policy Framework Approaches
- Roles, Responsibilities, and Accountability for Personnel
- Separation of Duties
- Governance and Compliance
- Best Practices for IT Security Policy Framework Approaches
- Case Studies and Examples of IT Security Policy Framework Approaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- ENDNOTES
- CHAPTER 9 User Domain Policies
- The Weakest Link in the Information Security Chain
- Seven Types of Users
- Why Govern Users with Policies?
- Acceptable Use Policy (AUP)
- The Privileged-Level Access Agreement (PAA)
- Security Awareness Policy (SAP)
- Best Practices for User Domain Policies
- Understanding Least Access Privileges and Best Fit Access Privileges
- Case Studies and Examples of User Domain Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 IT Infrastructure Security Policies
- Anatomy of an Infrastructure Policy
- Workstation Domain Policies
- Mobile Device Domain Policies
- LAN Domain Policies
- LAN-to-WAN Domain Policies
- WAN Domain Policies
- Remote Access Domain Policies
- System/Application Domain Policies
- Telecommunications Policies
- Best Practices for IT Infrastructure Security Policies
- Cloud Security Policies
- Case Studies and Examples of IT Infrastructure Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
- Data Classification Policies
- Data Handling Policies
- Identifying Business Risks Related to Information Systems
- Risk and Control Self-Assessment
- Risk Assessment Policies
- Quality Assurance Versus Quality Control
- Best Practices for Data Classification and Risk Management Policies
- Case Studies and Examples of Data Classification and Risk Management Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Incident Response Team (IRT) Policies
- Incident Response Policy
- Incident Classification
- The Response Team Charter
- Incident Response Team Members
- Responsibilities During an Incident
- Business Impact Analysis (BIA) Policies
- Procedures for Incident Response
- Discovering an Incident
- Reporting an Incident
- Containing and Minimizing the Damage
- Cleaning Up After the Incident
- Documenting the Incident and Actions
- Analyzing the Incident and Response
- Creating Mitigation to Prevent Future Incidents
- Handling the Media and Deciding What to Disclose
- Business Continuity Planning Policies
- Dealing with Loss of Systems, Applications, or Data Availability
- Response and Recovery Time Objectives Policies Based on the BIA
- Best Practices for Incident Response Policies
- Disaster Recovery Plan Policies
- Case Studies and Examples of Incident Response Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 IT Security Policy Implementations
- Simplified Implementation Process
- Target State
- Executive Buy-in, Cost, and Impact
- Policy Language
- Employee Awareness and Training
- Information Dissemination—How to Educate Employees
- Policy Implementation Issues
- Governance and Monitoring
- Best Practices for IT Security Policy Implementations
- Case Studies and Examples of IT Security Policy Implementations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- ENDNOTES
- CHAPTER 14 IT Security Policy Enforcement
- Organizational Support for IT Security Policy Enforcement
- An Organization’s Right to Monitor User Actions and Traffic
- Compliance Law: Requirement or Risk Management?
- What Is Law and What Is Policy?
- What Automated Security Controls Can Be Implemented Through Policy?
- Legal Implications of IT Security Policy Enforcement
- Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
- Best Practices for IT Security Policy Enforcement
- Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 IT Policy Compliance and Compliance Technologies
- Creating a Baseline Definition for Information Systems Security
- Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
- Automating IT Security Policy Compliance
- Compliance Technologies and Solutions
- Best Practices for IT Security Policy Compliance Monitoring
- Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
Response and Recovery Time Objectives Policies Based on the BIA
The recovery time objective (RTO) is the length of time within which a business process should be recovered after an outage or downtime. Put another way, how soon will you have a given system back online? This should be set with the previously discussed maximum tolerable downtime (MTD) in mind.
It’s important to understand that the RTO relates to the business process. It does not relate to the dependent components, such as the technology. The RTO is the measurement of how quickly individual business processes should be recovered. The RTO is a natural extension of the BIA. It identifies the maximum allowed downtime for a business process. The maximum allowed downtime is based on the business tolerance for loss. This, in turn, becomes the RTO. That is why the business continuity planner is part of the BIA process.
The continuity planner understands the capabilities of the organization to recover from a disaster. The planner should be able to catch an unrealistic RTO set by the business during the BIA process. For example, the business may state that it requires near real-time recovery of its applications in the event of a disaster. Few organizations can achieve that goal. The BCP planner facilitates a candid discussion on the cost of recovery and the organization’s capabilities. The continuity planner can also push requirements that increase costs.
RTO policies often include a discussion of recovery point objectives (RPOs). The RPO is the maximum acceptable level of data loss from the point of the disaster. Consider an example wherein the company backs up a server every hour. In the event of a hard drive crash, the company could lose up to 59 minutes’ worth of data. The organization must ask whether this is acceptable. If it is not, then backup strategies must be re-examined.
The RPO can be shorter than the RTO. In that case, the business is saying the business process can be down longer. However, when business operations resume, the business needs the data from an earlier point, such as the point of outage. It’s important to understand that the RPO relates to the data, not to a single RTO. When you look at the RTO and RPO, the requirements to recover a business successfully emerge. These requirements drive the selection of recovery technology and design of the BCP.
NOTE
The BIA becomes the requirements document for the BCP and RTO. You rarely change the BIA requirements during the BCP process unless new data is discovered.
-
No Comment