08-30166965-DC.pdf


Date: 15 August 2008
Origin: National
Latest date for receipt of comments: 17 OCTOBER 2008
Project no.: 2007/01423
Responsible committee: BCM/1/-/1 BCM for ICT
Interested committees: BCM/1 Business continuity management

Title: Draft BS 25777, Code of practice for information and communications technology continuity

Supersession information: If this document is published as a standard, the UK implementation of it will supersede NONE and partially supersede NONE. If you are aware of a current national standard which may be affected, please notify the secretary (contact details below).

WARNING: THIS IS A DRAFT AND MUST NOT BE REGARDED OR USED AS A BRITISH STANDARD. THIS DRAFT IS NOT CURRENT BEYOND 17 OCTOBER 2008.

This draft is issued to allow comments from interested parties; all comments will be given consideration prior to publication. No acknowledgement will normally be sent. See overleaf for information on commenting.

No copying is allowed, in any form, without prior written permission from BSI except as permitted under the Copyright, Designs and Patent Act 1988 or for circulation within a nominating organization for briefing purposes. Electronic circulation is limited to dissemination by e-mail within such an organization by committee members.

Further copies of this draft may be purchased from BSI Customer Services, Tel: +44(0) 20 8996 9001 or email . British, International and foreign standards are also available from BSI Customer Services.

Information on the co-operating organizations represented on the committees referenced above may be obtained from the responsible committee secretary.

Cross-references

The British Standards which implement International or European publications referred to in this draft may be found via the British Standards Online Service on the BSI web site http:/.

Direct tel: 0208 996 7492
Responsible Committee Secretary: Mr K Laverty (BSI)
E-mail:

Draft for Public Comment

Head Office: 389 Chiswick High Road, London W4 4AL
Telephone: +44(0)20 8996 9000
Fax: +44(0)20 8996 7001

Form 36 Version 8.0
DPC: 08/30166965 DC

Licensed Copy: Chinese University of Hong Kong, 21/10/2008 07:31, Uncontrolled Copy, (c) BSI

Introduction

Your comments on this draft are welcome and will assist in the preparation of the consequent British Standard. If no comments are received to the contrary, this draft may be implemented unchanged as a British Standard.

Submission

The guidance given below is intended to ensure that all comments receive efficient and appropriate attention by the responsible BSI committee. Annotated drafts are not acceptable and will be rejected.

All comments must be submitted, preferably electronically, to the Responsible Committee Secretary at the address given on the front cover. Comments should be compatible with Version 6.0 or Version 97 of Microsoft Word for Windows, if possible; otherwise comments in ASCII text format are acceptable. Any comments not submitted electronically should still adhere to these format requirements.

All comments submitted should be presented as given in the example below. Further information on submitting comments and how to obtain a blank electronic version of a comment form are available from the BSI web site at: http:/

Template for comments and secretariat observations

Date: xx/xx/200x
Document: ISO/DIS xxxxx

Columns:
1: MB
2: Clause No./Subclause No./Annex (e.g. 3.1)
(3): Paragraph/Figure/Table/Note (e.g. Table 1)
4: Type of comment
5: Comment (justification for change) by the MB
(6): Proposed change by the MB
(7): Secretariat observations on each comment submitted

Example entries:

Clause: 3.1
Paragraph/Figure/Table/Note: Definition 1
Type of comment: ed
Comment: Definition is ambiguous and needs clarifying.
Proposed change: Amend to read . so that the mains connector to which no connection .

Clause: 6.4
Paragraph/Figure/Table/Note: Paragraph 2
Type of comment: te
Comment: The use of the UV photometer as an alternative cannot be supported as serious problems have been encountered in its use in the UK.
Proposed change: Delete reference to UV photometer.

Microsoft and MS-DOS are registered trademarks, and Windows is a trademark of Microsoft Corporation.

BS 25777, Code of practice for information and communications technology continuity

Version 7

Contents

Introduction
1 Scope
2 Terms and definitions
3 ICT continuity programme management
4 Understanding the ICT requirements for business continuity
5 Determining ICT continuity strategies
6 Developing and implementing ICT responses
7 Exercising and testing
8 Maintenance, review and improvement

Annexes
Annex A (informative) Continuity milestones
Bibliography

List of figures
Figure 1 Relationship between ICT continuity and business continuity management
Figure 2 Elements of ICT service recovery
Figure A.1 Key continuity milestones

Publishing information

This Part of BS 25777-1 is published by BSI and came into effect on XX Month 200X. It was prepared by BSI panel BCM/1/-/1, under the authority of Technical Committee BCM/1, Business continuity management. A list of organizations represented on this committee can be obtained on request to its secretary.

Presentational conventions

As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification and particular care should be taken to ensure that claims of compliance are not misleading.

Any user claiming compliance with this British Standard is expected to be able to justify any course of action that deviates from its recommendations.

Contractual and legal considerations

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Introduction

ICT continuity and its relationship with business continuity management

In most organizations, the processes that deliver products and services depend on information and communication technology (ICT). Disruption to ICT can therefore constitute a strategic risk, damaging the organization's ability to operate and undermining its reputation. The consequences of a disruptive incident vary and can be far-reaching, and might not be immediately obvious at the time.

ICT continuity supports the overall business continuity management (BCM) process of an organization. BCM seeks to ensure that the organization's processes are protected from disruption and that the organization is able to respond positively and effectively when disruption occurs. The organization sets out its BCM priorities, and it is within this context that ICT continuity activities take place. ICT continuity ensures that the required information and communications technology and services [1] are resilient and can be recovered to pre-determined levels within timescales required by and agreed with the top management. Thus, effective BCM depends on ICT continuity to ensure that the organization can meet its objectives at all times (see Figure 1), particularly during times of disruption.

BCM and ICT continuity form an important element of good management, sound governance and organizational prudence. Top management is responsible for maintaining the ability of the organization to continue to function in the face of disruption. Many organizations also have a statutory or regulatory duty to maintain effective risk-based controls including BCM.

Figure 1: Relationship between ICT continuity and business continuity management

[1] Including computer systems, networks, applications, telecommunications, technical support and service desk.

ICT continuity and organizational strategy

ICT continuity is integral to both ICT strategy and ICT service management, which align to organizational strategy. It is the element of ICT strategy and service management that enables an organization to continue to meet its goals and deliver its products and services when adverse conditions occur.

Benefits of effective ICT continuity

All activity is susceptible to disruption from internal and external events, such as technology failure, fire, flood, utility failure, illness and malicious attack. ICT continuity provides the capability to react before a disruption occurs or on detection of one or a series of related events that become incidents, and to respond and recover when those incidents result in disruption.

The benefits of effective ICT continuity are that the organization:

- identifies the potential impacts of disruption to ICT services;
- understands the threats to ICT services and their vulnerabilities;
- encourages improved collaboration between its business managers and its ICT service providers (internal and external);
- develops and enhances competence in its ICT staff by demonstrating credible responses through exercising ICT continuity plans and testing ICT continuity arrangements;
- provides assurance to top management that it can depend upon predetermined levels of ICT services and receive adequate support and communications in the event of a disruption;
- provides additional confidence in the business continuity strategy through linking investment in IT solutions to business needs and ensuring that ICT services are protected at an appropriate level given their importance to the organization;
- has ICT services that are cost-effective and not under- or over-invested through an understanding of:
  - the level of its dependence on those ICT services; and
  - the nature, location, interdependence and usage of components that make up the ICT services;
- can enhance its reputation for prudence and efficiency;
- potentially gains competitive advantage through the demonstrated ability to deliver business continuity and maintain product and service delivery in times of disruption; and
- understands and documents stakeholders' expectations and their relationships with, and use of, ICT services.

ICT continuity is not a costly overhead when designed and built into ICT services from their inception as part of ICT strategy. Instead, it ensures that ICT services are better built, better understood, cheaper and easier to maintain. Retrofitting ICT continuity is complex, disruptive and expensive.

Focus of ICT continuity

ICT continuity focuses not only on the likelihood and impact of disruptive incidents, but also on the ability of the organization to detect and respond to the occurrences of such incidents. This requires the organization to monitor its ICT services to ensure that:

- they are resilient and recoverable at the appropriate level;
- any unexpected event within a service is detected, addressed and investigated in a timely manner;
- the dependencies between ICT services and external factors [2] are known and used in assessing risk and the impact of change; and
- dependencies on the technical components [3] are known and used in assessing risk and the impact of change.

ICT continuity processes and solutions are also intended to ensure that legal obligations (such as to protect personal and otherwise sensitive data) are not breached.

Principles of ICT continuity

ICT continuity is based around six key principles:

a) Protect: Protecting the ICT environment from environmental failures, hardware failures, operational errors, malicious attack, and natural disasters is critical to maintaining the desired levels of systems availability for an organization.

b) Detect: Detecting incidents at the earliest opportunity will minimize the impact to services, reduce the recovery effort, and preserve the quality of service.

c) React: Reacting to an incident in the most appropriate manner will lead to a more efficient recovery and minimize any downtime. Reacting poorly can result in a minor incident escalating into something more serious.

d) Recover: Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less critical nature may be reinstated at a later time or, in some circumstances, not at all.

e) Operate: Running in disaster recovery mode until return to normal is possible. This might require some time and necessitate "scaling up" disaster recovery operations to support increasing business volumes needing to be serviced over time.

f) Return: Devising a strategy for every IT continuity plan that allows an organization to migrate back from disaster recovery mode to a position where it can support normal business.

[2] Such as vendors, customers, supply chain partners and outsourced service providers.

[3] Examples are given in "Elements of an ICT service".

Elements of an ICT service

The key elements of an ICT service can be summarized as follows (see also Annex A).

a) People: the specialists with appropriate deputies and knowledge;

b) Premises: the physical environment in which ICT resources are located;

c) Technology:
   i) the racking, servers, storage arrays, tape devices, other hardware and other permanent fixtures;
   ii) network, including data connectivity and voice services, including switches and routers;
   iii) software, including operating system software and application software, links or interfaces between applications and batch processing routines;

d) Data: application data, voice data
