1、INCITS/ISO/IEC 24762:20082009 Information Technology Security Techniquies Guidelines for information and communications technology disaster recovery servicesINCITS/ISO/IEC 24762:20082009 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduc
2、tion or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762:2008 2009 ii ITIC 2010 All rights reserved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typ
3、efaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe
4、Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlik
5、ely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 11/11/2009 Published by American National Stan
6、dards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2010 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), A
7、merican National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard s
8、hould be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762
9、:2008(E) 2009 ITIC 2010 All rights reserved iiiContents Page Foreword v 0 Introductionvi 0.1 General .vi 0.2 Structure.vi 0.3 Framework.vii 0.4 Interpretation of clauses .viii 1 Scope.1 1.1 General 1 1.2 Exclusions.1 1.3 Audience1 2 Normative references .2 3 Terms and definitions.2 4 Abbreviated ter
10、ms 3 5 ICT disaster recovery3 5.1 General 3 5.2 Environmental stability.4 5.3 Asset management .4 5.4 Proximity of site 5 5.5 Vendor management.5 5.6 Outsourcing arrangements 7 5.7 Information security8 5.8 Activation and deactivation of disaster recovery plan.9 5.9 Training and education.11 5.10 Te
11、sting on ICT systems12 5.11 Business continuity planning for ICT DR service providers .12 5.12 Documentation and periodic review14 6 ICT disaster recovery facilities 14 6.1 General 14 6.2 Location of recovery sites14 6.3 Physical access controls .16 6.4 Physical facility security 19 6.5 Dedicated ar
12、eas 24 6.6 Environmental controls25 6.7 Telecommunications 26 6.8 Power supply.27 6.9 Cable management .29 6.10 Fire protection.30 6.11 Emergency operations center (EOC).32 6.12 Restricted facilities .34 6.13 Non-recovery amenities .37 6.14 Physical facilities and support equipment life cycle38 6.15
13、 Testing.40 7 Outsourced service providers capability.41 7.1 General 41 7.2 Review organization disaster recovery status41 7.3 Facilities requirements.43 7.4 Expertise43 7.5 Logical access control .45 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for Res
14、aleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762:2008(E) 2009 iv ITIC 2010 All rights reserved7.6 ICT equipment and operation readiness .47 7.7 Simultaneous recovery support 49 7.8 Levels of service .50 7.9 Types of service50 7.10 Proximity of services 51
15、7.11 Subscription ratio for shared services52 7.12 Activation of subscribed services .52 7.13 Organization testing .53 7.14 Changes in capability .53 7.15 Emergency response plan54 7.16 Self assessment57 8 Selection of recovery sites.58 8.1 General 58 8.2 Infrastructure.59 8.3 Skilled manpower and s
16、upport 59 8.4 Critical mass of vendors and suppliers 59 8.5 Local service providers track records59 8.6 Proactive local support 60 9 Continuous Improvement.60 9.1 General 60 9.2 ICT DR trends 60 9.3 Performance measurement61 9.4 Scalability 62 9.5 Risk mitigation 62 Annex A (informative) Corresponde
17、nce between ISO/IEC 27002:2005 and this International Standard 64 Bibliography.67 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762:2008(E) 2009 ITIC 2010 All
18、 rights reserved vForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standa
19、rds through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and I
20、EC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is
21、 to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possi
22、bility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24762 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Securi
23、ty techniques. Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762:2008(E) 2009 vi ITIC 2010 All rights reserved0 Introduction 0.1 General This International St
24、andard is aimed at aiding the operation of an Information Security Management System (ISMS) by providing guidance on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management. Information security management is the proces
25、s by which management aims to achieve effective confidentiality, integrity and availability of information and service. When an organization implements an ISMS the risks of interruptions to business activities for any reason should always be identified. ISO/IEC 27001 and ISO/IEC 27002 include a cont
26、rol objective for information security aspects of business continuity management (refer to Control Objective 14.1 in ISO/IEC 27002:2005), the implementation of which will reduce those risks. That control objective is supported by controls to be selected and implemented as part of the ISMS process. B
27、usiness continuity management is an integral part of a holistic risk management process that safeguards the interests of an organizations key stakeholders, reputation, brand and value creating activities through: identifying potential threats that may cause adverse impacts on an organizations busine
28、ss operations, and associated risks; providing a framework for building resilience for business operations; providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures. In planning for business continuity, the fallback arrangements for in
29、formation processing and communication facilities become beneficial during periods of minor outages and essential for ensuring information and service availability during a disaster or failure for the (complete) recovery of activities over a period of time. Such fallback arrangements may include arr
30、angements with third parties in the form of reciprocal agreements, or commercial subscription services. 0.2 Structure This International Standard provides guidelines for the ICT DR services, which include both those provided in-house and outsourced. It covers facilities and services capability and p
31、rovides fallback and recovery support to an organizations ICT systems. It includes the implementation, testing and execution aspects of disaster recovery. It does not include other aspects of business continuity management. The guidelines are applicable to both “in-house” and “outsourced” ICT DR ser
32、vice providers of physical facilities and services in varying degrees. ICT DR service providers should interpret the intent of these guidelines within the context of the services they offer. These guidelines include the requirements for implementing, operating, monitoring and maintaining ICT DR serv
33、ices, divided into two areas: a) ICT disaster recovery (Clause 5); and b) ICT disaster recovery facilities (Clause 6). Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO
34、/IEC 24762:2008(E) 2009 ITIC 2010 All rights reserved viiClause 7, “outsourced service providers capability”, specifies the capabilities which outsourced ICT DR service providers should possess, and the practices they should follow, for them to be able to provide basic secure operating environments
35、and facilitate organizations recovery efforts. The capabilities required are specified in terms of the infrastructure and services needed to enable organizations to implement and execute their ICT DR plans. (It should be noted that although this clause is targeted at outsourced service providers, th
36、e guidelines it contains are also recommended for adoption by service providers in general.) Clause 8, “selection of recovery sites”, provides guidance for: a) organizations that are in the process of selecting an external recovery site as part of their ICT DR practices; b) ICT DR service providers
37、who are in the process of building (additional) recovery sites to expand their operations. Factors such as environmental stability, good infrastructure and availability of skilled manpower locally, may provide a favourable environment for the operation of ICT DR recovery sites. Further, the presence
38、 of other ICT DR service providers and their suppliers may create a critical mass for a vibrant local industry. The track record of key players is another indicator of the maturity and vibrancy of the local ICT DR industry. Where applicable, proactive support of the local authority may also contribu
39、te to the growth and expansion of this industry. Clause 9, “continuous improvement”, provides guidance for ICT DR service providers on ensuring continuous improvement to their ICT DR services through a set of practices. These practices can enable service providers to continuously maintain and improv
40、e the level of their services and thus provide an additional level of assurance to organizations engaging these services. 0.3 Framework 0.3.1 ICT DR service provision framework This International Standard is based on a multi-tier framework comprising different elements in the ICT DR services provisi
41、on, as illustrated in Figure 1. The “foundation” layer comprises the important aspects of ICT DR services, namely Policies, Performance Measurement, Processes and People. This layer helps to define the supporting infrastructure and services capability. The “continuous improvement” layer highlights p
42、ractices that help to improve ICT DR activities in specific areas, and represents an added level of provision to the services provided. Thus the guidelines in this International Standard are drawn from a composite view of these layers, and with a balance between cost effectiveness and standard rigor
43、 considerations. PoliciesPeoplePerformanceMeasurementProcessesServicesCapabilityInfrastructureContinuousImprovementICT DR FrameworkEffective Provision of ICT DR Services in Support of Organizations Business Continuity Management Organizations ICT DR Requirements Figure 1 ICT DR service provision fra
44、mework Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 24762:2008(E) 2009 viii ITIC 2010 All rights reserved0.3.2 Policies “Policies” enable ICT DR service provid
45、ers to set the direction on the other, related, areas of their ICT DR services, and also enable clear communication to the relevant parties on the requirements that can be met by ICT DR service provider facilities. The “Policies” aspect is elaborated on in clauses 5 to 9 of this International Standa
46、rd. An established policy is usually expressed as “the system should include the following policies ” or “there should be documented policies and procedures ”. 0.3.3 Performance measurement “Performance Measurement” enables ICT DR service providers to review and improve their services, and at the sa
47、me time provides a means for service providers to demonstrate that their services meet organization requirements. This will in turn help to promote the ICT DR industry service level as a whole. The “Performance Measurement” aspect is elaborated on in clause 9.3 of this International Standard, which
48、explains the need for measuring the performance of ICT DR services and illustrates some examples of measurement metrics that service providers can select.” 0.3.4 Processes “Processes” ensures that a consistent approach will be adopted in the other areas of ICT DR services, making possible the contin
49、uous maintenance of service levels and the ease of training of ICT DR personnel. The “Processes” aspect is elaborated on in clauses 5 to 9 of this International Standard. An established process is usually expressed as “ according to appropriate established procedures”, “establish a set of procedures to ensure ”, or “there should
