Chapter 7 Business Continuity and Risk Management

Section 01 Business Continuity Management

070101 Initiating the Business Continuity Plan (BCP)

Purpose: To establish the appropriate level of business continuity management to sustain the operation of critical business services following a disaster or adverse event.

1. Agencies must maintain a business and disaster recovery plan with respect to information technology. Business and disaster recovery plans shall be provided to the Office of the State CIO.
2. Agencies, through their management, must implement and support an appropriate information technology business continuity program to ensure the timely delivery of critical automated business services to the State's citizens.
3. A management team composed of representatives from all the agency organizational areas has primary leadership responsibility to identify information technology risks and to determine what impact these risks have on business operations.
4. Management must also plan for business continuity, including disaster recovery, based on these risks and document continuity and recovery strategies and procedures in a defined business continuity plan that is reviewed, approved, tested and updated on an annual basis.

14.1.04 Business continuity planning framework

070102 Assessing the BCP Risk

Purpose: To require that State agencies manage information technology risks appropriately as required in GS 147-33.89.

1. Agencies shall identify the potential risks that may adversely impact their business in order to develop continuity and recovery strategies and justify the financial and human resources required to provide the appropriate level of continuity initiatives and programs.
2. Agencies shall conduct business risk impact analysis activities that include the following:
   - Define the agency's critical functions and services.
   - Define the resources (technology, staff and facilities) that support each critical function or service.
   - Identify key relationships and interdependencies among the agency's critical resources, functions and services.
   - Estimate the maximum elapsed time that a critical function or service can be inoperable without a catastrophic impact. (See also Statewide Glossary for Recovery Time Objective.)
   - Estimate the maximum amount of information or data that can be lost without a catastrophic impact to a critical function or service. (See also Statewide Glossary for Recovery Point Objective.)
   - Document any critical events or services that are time-sensitive or predictable and require a higher-than-normal priority (for example, tax filing dates, reporting deadlines, etc.).
   - Identify any critical non-electronic media required to support the agency's critical functions or services.
   - Identify any interim or workaround procedures that exist for the agency's critical functions or services.

GUIDELINES

The following items should be considered:
- Estimate the decline in effectiveness over time of each critical function or service.
- Estimate financial losses over time resulting from the inoperability of each critical function or service.
- Estimate tangible (non-financial) impacts over time resulting from the inoperability of each critical function or service.
- Estimate intangible impacts over time resulting from the inoperability of each critical function or service.

14.1.02 Business continuity and risk assessment
14.1.04 Business continuity planning framework

070103 Developing the BCP

Purpose: To require that the appropriate level of information technology business continuity management is in place to sustain the operation of critical information technology services to support the continuity of vital business functions.

1. Management shall develop a business continuity plan (BCP) that covers all of the agency's essential and critical business activities and that includes references to procedures to be used for the recovery of systems that perform the agency's essential and critical business activities.
2. At a minimum, an agency's business continuity plan must:
   - Help protect the health and safety of the employees of the State of North Carolina.
   - Protect the assets of the State and minimize financial, legal and/or regulatory exposure.
   - Minimize the impact and reduce the likelihood of business disruptions.
   - Create crisis teams and response plans for threats and incidents.
   - Include communication tools and processes.
   - Require that employees are aware of their roles and responsibilities in the BCP and in plan execution.
   - Include training and awareness programs.
   - Require simulations and tabletop exercises.
   - Have a documented policy statement outlining:
     - Framework and requirements for developing, documenting, and maintaining the plans.
     - Requirements for testing and exercising.
     - Review, sign-off and update cycles.
   - Require senior management oversight and approval.
   - Assess the professional capability of third parties and ensure that they provide adequate contact with the agencies.
   - Review dependence on third parties and take actions to mitigate risk associated with dealing with third parties.
   - Provide direction on synchronization between any manual work data and the automated systems that occur during a recovery period.
   - Set forth procedures to be followed for restoring critical systems to production.
3. Training and awareness programs shall be undertaken to ensure that the entire agency is confident, competent and capable and understands the roles each individual within the agency must perform in a disaster or adverse situation.
4. The person(s) designated as the agency business continuity plan (BCP) coordinator(s) has the responsibility of overseeing the individual plans and files that constitute the BCP and ensuring that they are current, meet these standards and are consistent with the agency's overall plan. At the direction of the State Chief Information Officer, an agency's BCP shall be reviewed annually by the Office of Information Technology Services and recommendations shall be made for improvement, if necessary.
5. The agency business continuity plan shall be tested annually, at a minimum. All critical applications shall be tested annually.

GUIDELINES

The following methods are recommended:
- Tabletop testing (walk-through of business recovery arrangements using example interruptions).
- Simulations (especially for post-incident / post-crisis management roles).
- Technical recovery testing.
- Testing recovery at an alternate site.
- Testing of hot-site arrangements, complete rehearsal (testing organization, personnel, equipment, facilities and processes).
- Updating of plan as necessary.

Additional steps that may be taken include the repetition of the test to validate any updated procedure(s) and the addition or removal of application backup procedures. Agency management should define, document, and approve what type of testing methodology to use.

14.1.03 Developing and implementing continuity plans including information security
14.1.04 Business continuity planning framework
14.1.05 Testing, maintaining and re-assessing business continuity plans

070104 Disaster Recovery and/or Restoration

Purpose: To restore the operability of the systems supporting critical business processes and return to normal agency operations as soon as possible.

The agency is responsible for maintaining its ability to recover in the event of an outage. Agencies must ensure that business continuity and/or disaster recovery plans are developed, maintained, tested on a prescribed basis and subjected to a continual update and improvement process. Agencies shall conduct the following disaster recovery and/or restoration activities:

1. Define the agency's critical operating facilities and mission essential service(s) or function(s).
2. Define the resources (facilities, infrastructure, and essential systems) that support each mission critical service or function.
3. Define explicit test objectives and success criteria to enable an adequate assessment of the Disaster Recovery and/or Restoration.

14.1.3 Developing and implementing continuity plans including information security

Section 02 Information Technology Risk Management Program

070101 Implementing a Risk Management Program

Purpose: To ensure that state agencies manage risks appropriately. Risk management includes the identification, analysis, and management of risks associated with an agency's business, information technology infrastructure, the information itself, and physical security to protect the state's information technology assets and vital business functions.

1. The State of North Carolina recognizes that each agency, through its management, must implement an appropriate Information Technology (IT) Risk Management Program to ensure the timely delivery of critical automated business services to the state's citizens.
2. The risk management program must identify and classify risks and implement risk mitigation as appropriate.
3. The program must include the identification, classification, prioritization and mitigation processes necessary to sustain the operational continuity of mission critical information technology systems and resources.
4. In general, risk is defined as a condition or action that may adversely affect the outcome of a planned activity. Some types of risk are as follows:
   - Business Risk - The cost and/or lost revenue associated with an interruption to normal business operations.
   - Organizational Risk - The direct or indirect loss resulting from one or more of the following:
     - Inadequate or failed internal processes
     - People
     - Systems
     - External events
   - Information Technology Risk - The loss of an automated system, network or other critical information technology resource that would adversely affect business processes.
   - Legal - Parameters established by legislative mandates, federal and state regulations, policy directives and executive orders that impact delivery of program services.
   - Reputation - General estimation, by the public, on how state services are delivered (integrity, credibility, trust, customer satisfaction, image, media relations, political involvement).
   - Citizen Services - Program services mandated by charter, legislation, or policy that provide for the delivery of the state's business (education, human services, highways, law enforcement, health and safety, unemployment benefits, vital records, etc.).

GUIDELINES

Agencies are encouraged to select and use guidelines that support industry best practices for risk management relative to business continuity planning and security as appropriate. Some suggested guidelines are listed below.

Risk Management Program Activities: Agency risk management programs at a minimum should focus on the following four types of activities:
- Identification of Risks: A continuous effort to identify which risks are likely to affect business continuity and security functions and documenting their characteristics.
- Analysis of Risks: An estimation of the probability, impact, and timeframe of the risks, classification into sets of related risks, and prioritization of risks relative to each other.
- Mitigation Planning: Decisions and actions that will reduce the impact of risks, limit the probability of their occurrence, or improve the response to a risk occurrence. For moderate or high rated risks, mitigation plans should be developed, documented and assigned to managers. Plans should include the assigned manager's signature.
- Tracking and Controlling Risks: Collection and reporting of status information about risks and their mitigation plans, response to changes in risks over time, and management oversight of corrective measures taken in accordance with the mitigation plan.

Business Continuity Risk Management Processes: For business continuity risk management, the focus of risk management is an impact analysis for those risk outcomes that disrupt agency business. Agencies should identify the potential impacts in order to develop the strategies and justify the resources required to provide the appropriate level of continuity initiatives and programs. Agencies should conduct business risk impact analysis activities that include the following:
- Define the agency's critical functions and services.
- Define the resources (technology, staff, and facilities) that support each critical function or service.
- Identify key relationships and interdependencies among the agency's critical resources, functions, and services.
- Estimate the decline in effectiveness over time of each critical function or service.
- Estimate the maximum elapsed time that a critical function or service can be inoperable without a catastrophic impact.
- Estimate the maximum amount of information or data that can be lost without a catastrophic impact to a critical function or service.
- Estimate financial losses over time of each critical function or service.
- Estimate tangible (non-financial) impacts over time of each critical function or service.
- Estimate intangible impacts over time of each critical function or service.
- Document any critical events or services that are time-sensitive or predictable and require a higher-than-normal priority (for example, tax filing dates, reporting deadlines, etc.).
- Identify any critical non-electronic media required to support the agency's critical functions or services.
- Identify any interim or workaround procedures that exist for the agency's critical functions or services.

Security Risk Process: The focus of security risk management is an assessment of those security risk outcomes that may jeopardize agency assets and vital business functions or services. Agencies should identify those impacts in order to develop the strategies and justify the resources required to provide the appropriate level of prevention and response. It is important to use the results of risk assessment to protect critical agency functions and services in the event of a security incident. The lack of appropriate security measures would jeopardize agency critical functions and services. Security risk impact analysis activities include the following:
- Identification of the Federal, State, and Local regulatory or legal requirements that address the security, confidentiality, and privacy requirements for agency functions or services.
- Identification of confidential information stored in the agency's files and the potential for fraud, misuse, or other illegal activity.
- Identification of essential access control mechanisms used for requests, authorization, and access approval in support of critical agency functions and services.
- Identification of the processes used to monitor and report to management on whatever applications, tools and technologies the agency has implemented to adequately manage the risk as defined by the agency (i.e., baseline security reviews, review of logs, use of IDs, logging events for forensics, etc.).
- Identification of the agency's IT Change Management and Vulnerability Assessment processes.
- Identification of what security mechanisms are in place to conceal agency data (Encryption, PKI, etc.).

For more information on implementing a risk management program, including the Risk Management Guide and the Risk Assessment Questionnaire, please refer to the Risk Management Services page found on the Enterprise Security and Risk Management Office (ESRMO) web site: http://www.esrmo.scio.nc.gov/riskmanagement/default.aspx

4.1 Assessing security risks
4.2 Treating security risks