1、INCITS/ISO/IEC 24762:20082009 Information Technology Security Techniquies Guidelines for information and communications technology disaster recovery servicesINCITS/ISO/IEC 24762:20082009 INCITS/ISO/IEC 24762:2008 2009 ii ITIC 2010 All rights reserved PDF disclaimer This PDF file may contain embedded
2、 typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not
3、infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were
4、 optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Informat
5、ion Technology Standards) as an American National Standard. Date of ANSI Approval: 11/11/2009 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2010 by Information Technology Industry Council (ITI). All rights reserved. These materials are su
6、bject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form,
7、including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/IEC 24762:2008(E) 2009 ITIC 2010 All rights reserve
8、d iiiContents Page Foreword v 0 Introductionvi 0.1 General .vi 0.2 Structure.vi 0.3 Framework.vii 0.4 Interpretation of clauses .viii 1 Scope.1 1.1 General 1 1.2 Exclusions.1 1.3 Audience1 2 Normative references .2 3 Terms and definitions.2 4 Abbreviated terms 3 5 ICT disaster recovery3 5.1 General
9、3 5.2 Environmental stability.4 5.3 Asset management .4 5.4 Proximity of site 5 5.5 Vendor management.5 5.6 Outsourcing arrangements 7 5.7 Information security8 5.8 Activation and deactivation of disaster recovery plan.9 5.9 Training and education.11 5.10 Testing on ICT systems12 5.11 Business conti
10、nuity planning for ICT DR service providers .12 5.12 Documentation and periodic review14 6 ICT disaster recovery facilities 14 6.1 General 14 6.2 Location of recovery sites14 6.3 Physical access controls .16 6.4 Physical facility security 19 6.5 Dedicated areas 24 6.6 Environmental controls25 6.7 Te
11、lecommunications 26 6.8 Power supply.27 6.9 Cable management .29 6.10 Fire protection.30 6.11 Emergency operations center (EOC).32 6.12 Restricted facilities .34 6.13 Non-recovery amenities .37 6.14 Physical facilities and support equipment life cycle38 6.15 Testing.40 7 Outsourced service providers
12、 capability.41 7.1 General 41 7.2 Review organization disaster recovery status41 7.3 Facilities requirements.43 7.4 Expertise43 7.5 Logical access control .45 INCITS/ISO/IEC 24762:2008(E) 2009 iv ITIC 2010 All rights reserved7.6 ICT equipment and operation readiness .47 7.7 Simultaneous recovery sup
13、port 49 7.8 Levels of service .50 7.9 Types of service50 7.10 Proximity of services 51 7.11 Subscription ratio for shared services52 7.12 Activation of subscribed services .52 7.13 Organization testing .53 7.14 Changes in capability .53 7.15 Emergency response plan54 7.16 Self assessment57 8 Selecti
14、on of recovery sites.58 8.1 General 58 8.2 Infrastructure.59 8.3 Skilled manpower and support 59 8.4 Critical mass of vendors and suppliers 59 8.5 Local service providers track records59 8.6 Proactive local support 60 9 Continuous Improvement.60 9.1 General 60 9.2 ICT DR trends 60 9.3 Performance me
15、asurement61 9.4 Scalability 62 9.5 Risk mitigation 62 Annex A (informative) Correspondence between ISO/IEC 27002:2005 and this International Standard 64 Bibliography.67 INCITS/ISO/IEC 24762:2008(E) 2009 ITIC 2010 All rights reserved vForeword ISO (the International Organization for Standardization)
16、and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal
17、with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC
18、have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the jo
19、int technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent right
20、s. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24762 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. INCITS/ISO/IEC 24762:2008(E) 2009 vi ITIC 2010 All rights reserved0 I
21、ntroduction 0.1 General This International Standard is aimed at aiding the operation of an Information Security Management System (ISMS) by providing guidance on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management.
22、Information security management is the process by which management aims to achieve effective confidentiality, integrity and availability of information and service. When an organization implements an ISMS the risks of interruptions to business activities for any reason should always be identified. I
23、SO/IEC 27001 and ISO/IEC 27002 include a control objective for information security aspects of business continuity management (refer to Control Objective 14.1 in ISO/IEC 27002:2005), the implementation of which will reduce those risks. That control objective is supported by controls to be selected a
24、nd implemented as part of the ISMS process. Business continuity management is an integral part of a holistic risk management process that safeguards the interests of an organizations key stakeholders, reputation, brand and value creating activities through: identifying potential threats that may cau
25、se adverse impacts on an organizations business operations, and associated risks; providing a framework for building resilience for business operations; providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures. In planning for business
26、 continuity, the fallback arrangements for information processing and communication facilities become beneficial during periods of minor outages and essential for ensuring information and service availability during a disaster or failure for the (complete) recovery of activities over a period of tim
27、e. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or commercial subscription services. 0.2 Structure This International Standard provides guidelines for the ICT DR services, which include both those provided in-house and outsourced. It co
28、vers facilities and services capability and provides fallback and recovery support to an organizations ICT systems. It includes the implementation, testing and execution aspects of disaster recovery. It does not include other aspects of business continuity management. The guidelines are applicable t
29、o both “in-house” and “outsourced” ICT DR service providers of physical facilities and services in varying degrees. ICT DR service providers should interpret the intent of these guidelines within the context of the services they offer. These guidelines include the requirements for implementing, oper
30、ating, monitoring and maintaining ICT DR services, divided into two areas: a) ICT disaster recovery (Clause 5); and b) ICT disaster recovery facilities (Clause 6). INCITS/ISO/IEC 24762:2008(E) 2009 ITIC 2010 All rights reserved viiClause 7, “outsourced service providers capability”, specifies the ca
31、pabilities which outsourced ICT DR service providers should possess, and the practices they should follow, for them to be able to provide basic secure operating environments and facilitate organizations recovery efforts. The capabilities required are specified in terms of the infrastructure and serv
32、ices needed to enable organizations to implement and execute their ICT DR plans. (It should be noted that although this clause is targeted at outsourced service providers, the guidelines it contains are also recommended for adoption by service providers in general.) Clause 8, “selection of recovery
33、sites”, provides guidance for: a) organizations that are in the process of selecting an external recovery site as part of their ICT DR practices; b) ICT DR service providers who are in the process of building (additional) recovery sites to expand their operations. Factors such as environmental stabi
34、lity, good infrastructure and availability of skilled manpower locally, may provide a favourable environment for the operation of ICT DR recovery sites. Further, the presence of other ICT DR service providers and their suppliers may create a critical mass for a vibrant local industry. The track reco
35、rd of key players is another indicator of the maturity and vibrancy of the local ICT DR industry. Where applicable, proactive support of the local authority may also contribute to the growth and expansion of this industry. Clause 9, “continuous improvement”, provides guidance for ICT DR service prov
36、iders on ensuring continuous improvement to their ICT DR services through a set of practices. These practices can enable service providers to continuously maintain and improve the level of their services and thus provide an additional level of assurance to organizations engaging these services. 0.3
37、Framework 0.3.1 ICT DR service provision framework This International Standard is based on a multi-tier framework comprising different elements in the ICT DR services provision, as illustrated in Figure 1. The “foundation” layer comprises the important aspects of ICT DR services, namely Policies, Pe
38、rformance Measurement, Processes and People. This layer helps to define the supporting infrastructure and services capability. The “continuous improvement” layer highlights practices that help to improve ICT DR activities in specific areas, and represents an added level of provision to the services
39、provided. Thus the guidelines in this International Standard are drawn from a composite view of these layers, and with a balance between cost effectiveness and standard rigor considerations. PoliciesPeoplePerformanceMeasurementProcessesServicesCapabilityInfrastructureContinuousImprovementICT DR Fram
40、eworkEffective Provision of ICT DR Services in Support of Organizations Business Continuity Management Organizations ICT DR Requirements Figure 1 ICT DR service provision framework INCITS/ISO/IEC 24762:2008(E) 2009 viii ITIC 2010 All rights reserved0.3.2 Policies “Policies” enable ICT DR service pro
41、viders to set the direction on the other, related, areas of their ICT DR services, and also enable clear communication to the relevant parties on the requirements that can be met by ICT DR service provider facilities. The “Policies” aspect is elaborated on in clauses 5 to 9 of this International Sta
42、ndard. An established policy is usually expressed as “the system should include the following policies ” or “there should be documented policies and procedures ”. 0.3.3 Performance measurement “Performance Measurement” enables ICT DR service providers to review and improve their services, and at the
43、 same time provides a means for service providers to demonstrate that their services meet organization requirements. This will in turn help to promote the ICT DR industry service level as a whole. The “Performance Measurement” aspect is elaborated on in clause 9.3 of this International Standard, whi
44、ch explains the need for measuring the performance of ICT DR services and illustrates some examples of measurement metrics that service providers can select.” 0.3.4 Processes “Processes” ensures that a consistent approach will be adopted in the other areas of ICT DR services, making possible the con
45、tinuous maintenance of service levels and the ease of training of ICT DR personnel. The “Processes” aspect is elaborated on in clauses 5 to 9 of this International Standard. An established process is usually expressed as “ according to appropriate established procedures”, “establish a set of procedu
46、res to ensure ”, or “there should be documented policies and procedures ”. 0.3.5 People “People”, relates to the pool of skilled and knowledgeable service provider, organization and as relevant, third party personnel needed to help operate, uphold and maintain ICT DR practices. Further, the safety a
47、nd welfare of personnel is also one of the aspects ICT DR service providers will need to take care of. The “People” aspect is elaborated in various clauses of this International Standard. Clause 5.9 covers the general training and education guidelines, and clause 7.4 elaborates on the need for servi
48、ce provider management expertise. Clauses 6.10 and part of 6.12 cover personnel health and safety, and clause 6.13 provides guidance on personnel welfare aspects. 0.4 Interpretation of clauses 0.4.1 Statements on capability expectations Statements on capability expectations typically contain the phr
49、ase “ service providers should be capable of providing organizations with “ meaning that service providers should possess certain capabilities. Such capabilities could be a latent potential that can be swiftly activated by service providers if there is organization demand. For example, additional resources could be readily channelled from another unit (e.g. from elsewhere in the region or country, or from overseas) in response to an organization requirement. Obviously the actual provision of a particular stated capabil
