Information Security Aspects of Business Continuity Management Standard
- Information security continuity
- The scope of this standard is limited to the IT infrastructure, and the data and applications of the local Winston-Salem State University (WSSU) environment. To ensure interruptions to normal WSSU business operations are minimized, and critical University business applications and processes are protected from the effects of major failures or disasters, each WSSU business unit, in cooperation with the Office of Information Technology (OIT) organization, must develop, implement and periodically test a local business continuity plan that can meet the recovery requirements of all critical business processes and applications. These interruptions could be caused by natural disasters, accidents, equipment failures, or deliberate actions.
- The consequences of an extended interruption due to a disaster or security failure must be analyzed to determine the impact on WSSU’s business, and to determine the recovery time necessary to restore normal business operations. Business continuity management must include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.
- Business continuity management begins with a business impact analysis and a threat analysis that identifies events that could cause an interruption of business operations and processes. Following the threat identification, a risk assessment must be performed to determine the impact of the threat on the business, likelihood of occurrence, and recovery time necessary for essential WSSU business applications and processes. This assessment will consider only those business processes that are information technology related. These activities must be performed with the full involvement of the owners of the business data and business processes.
- A business continuity plan must be developed by each WSSU business unit that addresses each of the following key elements:
- Understanding the risks WSSU is facing in terms of their likelihood and impact on the business, including identification and prioritization of business processes and supporting applications
- Understanding the impact the interruptions are likely to have on WSSU, and establishing the business objectives of information processing facilities
- Formulating and documenting a business continuity strategy and plans that are consistent with business objectives and priorities
- Regular testing and updating of the business continuity plans and processes that have been put in place
- Ensuring that the management of business continuity is built into WSSU’s processes and structure. Responsibility for coordinating the business continuity management process should be assigned to appropriate individuals.
- The disaster recovery requirements for the Office of Information Technology (OIT) components are based on the business impact analysis performed by WSSU business units and academic departments.
- Redundancies
- For all instances where WSSU is reliant upon the services of a third party for providing information services, WSSU will define the requirements for information availability and recovery. These requirements must be made part of the agreement with the party providing services.
- Although information security roles and responsibilities may be outsourced to third parties, it is the overall responsibility of each WSSU business unit to maintain control of the security of the information assets that it owns.