1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-21375-6 SANS 24762:2008Edition 1ISO/IEC 24762:2008Edition 1SOUTH AFRICAN NATIONAL STANDARD Information technology Security techniques Guid
4、elines for information and communications technology disaster recovery services This national standard is the identical implementation of ISO/IEC 24762:2008 and is adopted with the permission of the International Organization for Standardization and the International Electrotechnical Commission. Pub
5、lished by Standards South Africa 1 dr lategan road groenkloof private bag x191 pretoria 0001 tel: 012 428 7911 fax: 012 344 1568 international code + 27 12 www.stansa.co.za Standards South Africa SANS 24762:2008 Edition 1 ISO/IEC 24762:2008 Edition 1 Table of changes Change No. Date Scope National f
6、oreword This South African standard was approved by National Committee StanSA SC 71F, Information technology Information security, in accordance with procedures of Standards South Africa, in compliance with annex 3 of the WTO/TBT agreement. This standard was published in May 2008. Reference numberIS
7、O/IEC 24762:2008(E)ISO/IEC 2008INTERNATIONAL STANDARD ISO/IEC24762First edition2008-02-01Information technology Security techniques Guidelines for information and communications technology disaster recovery services Technologies de linformation Techniques de scurit Lignes directrices pour les servic
8、es de secours en cas de catastrophe dans les technologies de linformation et des communications SANS 24762:2008This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762:2008(E) PDF disclaimer This PDF file may contain embedded typefaces.
9、In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing A
10、dobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized f
11、or printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2008 All rights reserved. Unle
12、ss otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO c
13、opyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2008 All rights reservedSANS 24762:2008This s tandard may only be used and printed by approved subscription and freemailing clien
14、ts of the SABS .ISO/IEC 24762:2008(E) ISO/IEC 2008 All rights reserved iiiContents Page Foreword. v 0 Introduction vi 0.1 General vi 0.2 Structure . vi 0.3 Framework. vii 0.4 Interpretation of clauses . viii 1 Scope . 1 1.1 General. 1 1.2 Exclusions . 1 1.3 Audience 1 2 Normative references . 2 3 Te
15、rms and definitions. 2 4 Abbreviated terms 3 5 ICT disaster recovery . 3 5.1 General. 3 5.2 Environmental stability 4 5.3 Asset management. 4 5.4 Proximity of site 5 5.5 Vendor management 5 5.6 Outsourcing arrangements 7 5.7 Information security . 8 5.8 Activation and deactivation of disaster recove
16、ry plan . 9 5.9 Training and education 11 5.10 Testing on ICT systems 12 5.11 Business continuity planning for ICT DR service providers 12 5.12 Documentation and periodic review. 14 6 ICT disaster recovery facilities 14 6.1 General. 14 6.2 Location of recovery sites . 14 6.3 Physical access controls
17、 . 16 6.4 Physical facility security 19 6.5 Dedicated areas 24 6.6 Environmental controls 25 6.7 Telecommunications 26 6.8 Power supply. 27 6.9 Cable management. 29 6.10 Fire protection. 30 6.11 Emergency operations center (EOC) 32 6.12 Restricted facilities. 34 6.13 Non-recovery amenities . 37 6.14
18、 Physical facilities and support equipment life cycle 38 6.15 Testing . 40 7 Outsourced service providers capability 41 7.1 General. 41 7.2 Review organization disaster recovery status 41 7.3 Facilities requirements. 43 7.4 Expertise 43 7.5 Logical access control . 45 SANS 24762:2008This s tandard m
19、ay only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762:2008(E) iv ISO/IEC 2008 All rights reserved7.6 ICT equipment and operation readiness 47 7.7 Simultaneous recovery support 49 7.8 Levels of service . 50 7.9 Types of service 50 7.10 Proximity of se
20、rvices 51 7.11 Subscription ratio for shared services . 52 7.12 Activation of subscribed services. 52 7.13 Organization testing . 53 7.14 Changes in capability . 53 7.15 Emergency response plan . 54 7.16 Self assessment 57 8 Selection of recovery sites. 58 8.1 General . 58 8.2 Infrastructure. 59 8.3
21、 Skilled manpower and support 59 8.4 Critical mass of vendors and suppliers 59 8.5 Local service providers track records . 59 8.6 Proactive local support 60 9 Continuous Improvement. 60 9.1 General . 60 9.2 ICT DR trends 60 9.3 Performance measurement 61 9.4 Scalability. 62 9.5 Risk mitigation. 62 A
22、nnex A (informative) Correspondence between ISO/IEC 27002:2005 and this International Standard. 64 Bibliography . 67 SANS 24762:2008This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762:2008(E) ISO/IEC 2008 All rights reserved vForewo
23、rd ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical co
24、mmittees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in th
25、e work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare Internationa
26、l Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the
27、elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24762 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. SANS 2476
28、2:2008This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762:2008(E) vi ISO/IEC 2008 All rights reserved0 Introduction 0.1 General This International Standard is aimed at aiding the operation of an Information Security Management Syste
29、m (ISMS) by providing guidance on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management. Information security management is the process by which management aims to achieve effective confidentiality, integrity and avai
30、lability of information and service. When an organization implements an ISMS the risks of interruptions to business activities for any reason should always be identified. ISO/IEC 27001 and ISO/IEC 27002 include a control objective for information security aspects of business continuity management (r
31、efer to Control Objective 14.1 in ISO/IEC 27002:2005), the implementation of which will reduce those risks. That control objective is supported by controls to be selected and implemented as part of the ISMS process. Business continuity management is an integral part of a holistic risk management pro
32、cess that safeguards the interests of an organizations key stakeholders, reputation, brand and value creating activities through: identifying potential threats that may cause adverse impacts on an organizations business operations, and associated risks; providing a framework for building resilience
33、for business operations; providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures. In planning for business continuity, the fallback arrangements for information processing and communication facilities become beneficial during periods
34、of minor outages and essential for ensuring information and service availability during a disaster or failure for the (complete) recovery of activities over a period of time. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or commercial su
35、bscription services. 0.2 Structure This International Standard provides guidelines for the ICT DR services, which include both those provided in-house and outsourced. It covers facilities and services capability and provides fallback and recovery support to an organizations ICT systems. It includes
36、the implementation, testing and execution aspects of disaster recovery. It does not include other aspects of business continuity management. The guidelines are applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services in varying degrees. ICT DR servi
37、ce providers should interpret the intent of these guidelines within the context of the services they offer. These guidelines include the requirements for implementing, operating, monitoring and maintaining ICT DR services, divided into two areas: a) ICT disaster recovery (Clause 5); and b) ICT disas
38、ter recovery facilities (Clause 6). SANS 24762:2008This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762:2008(E) ISO/IEC 2008 All rights reserved viiClause 7, “outsourced service providers capability”, specifies the capabilities which
39、 outsourced ICT DR service providers should possess, and the practices they should follow, for them to be able to provide basic secure operating environments and facilitate organizations recovery efforts. The capabilities required are specified in terms of the infrastructure and services needed to e
40、nable organizations to implement and execute their ICT DR plans. (It should be noted that although this clause is targeted at outsourced service providers, the guidelines it contains are also recommended for adoption by service providers in general.) Clause 8, “selection of recovery sites”, provides
41、 guidance for: a) organizations that are in the process of selecting an external recovery site as part of their ICT DR practices; b) ICT DR service providers who are in the process of building (additional) recovery sites to expand their operations. Factors such as environmental stability, good infra
42、structure and availability of skilled manpower locally, may provide a favourable environment for the operation of ICT DR recovery sites. Further, the presence of other ICT DR service providers and their suppliers may create a critical mass for a vibrant local industry. The track record of key player
43、s is another indicator of the maturity and vibrancy of the local ICT DR industry. Where applicable, proactive support of the local authority may also contribute to the growth and expansion of this industry. Clause 9, “continuous improvement”, provides guidance for ICT DR service providers on ensurin
44、g continuous improvement to their ICT DR services through a set of practices. These practices can enable service providers to continuously maintain and improve the level of their services and thus provide an additional level of assurance to organizations engaging these services. 0.3 Framework 0.3.1
45、ICT DR service provision framework This International Standard is based on a multi-tier framework comprising different elements in the ICT DR services provision, as illustrated in Figure 1. The “foundation” layer comprises the important aspects of ICT DR services, namely Policies, Performance Measur
46、ement, Processes and People. This layer helps to define the supporting infrastructure and services capability. The “continuous improvement” layer highlights practices that help to improve ICT DR activities in specific areas, and represents an added level of provision to the services provided. Thus t
47、he guidelines in this International Standard are drawn from a composite view of these layers, and with a balance between cost effectiveness and standard rigor considerations. PoliciesPeoplePerformanceMeasurementProcessesServicesCapabilityInfrastructureContinuous ImprovementICT DR FrameworkEffective
48、Provision of ICT DR Services in Support of Organizations Business Continuity Management Organizations ICT DR Requirements Figure 1 ICT DR service provision framework SANS 24762:2008This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO/IEC 24762
49、:2008(E) viii ISO/IEC 2008 All rights reserved0.3.2 Policies “Policies” enable ICT DR service providers to set the direction on the other, related, areas of their ICT DR services, and also enable clear communication to the relevant parties on the requirements that can be met by ICT DR service provider facilities. The “Policies” aspect is elaborated on in clauses 5 to 9 of this International Standard. An established policy is usually expressed as “the system should include the following policies ” or “there should be documen
