II.C.21 Business Continuity Considerations
Management should do the following:
- Identify personnel who will have critical information security roles during a disaster, and train personnel in those roles.
- Define information security needs for backup sites and alternate communication networks.
- Establish and maintain policies that address the concepts of information security incident response and resilience, and test information security incident scenarios.
Business continuity plans should be reviewed as an integral part of the security process. Strategies should consider the different risk environments and the degree of risk mitigation necessary to protect the institution if continuity plans must be implemented. Management should train personnel regarding their security roles during a disaster. Additionally, management should update technologies and plans for backup sites and communications networks. These security considerations should be integrated with the testing of the business continuity plan.
Information security events may trigger activation of the business continuity plan. Therefore, the institution's plan should include steps that explicitly address information security incident response and resilience. Resilience testing should incorporate information security event scenarios identified by the institution.
Refer to the IT Handbook's "Business Continuity Planning" booklet for more information.
II.C.20(b) Managed Security Service Providers
II.C.22 Log Management