The purpose of this standard is to establish the University’s obligation to ensure information continuity within its business continuity management systems and processes.
It is the responsibility of any college or departmental representative developing or contributing to business continuity plans for their area to ensure that the continuity of information security is embedded within those plans.
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliancefirstname.lastname@example.org.
Planning information security continuity
Information security management should remain the same in adverse situations as in normal operational conditions and these requirements should be considered when planning for business continuity and disaster recovery.
Implementing information security continuity
Business continuity and disaster recovery plans should contain processes and procedures to ensure the continuity of information security. Recommendations include:
- Having an adequate management structure in place to prepare for, mitigate and respond to a disruptive event using personnel with necessary authority, experience and competence;
- Establishing incident response personnel with necessary responsibility, authority and competence to manage an incident and maintain information security;
- Documenting and obtaining approval for a plan, response and recovery procedures that detail how the department, college or other entity will manage a disruptive event and will maintain its information security;
- Developing mitigation steps for information security controls that cannot be maintained during an adverse situation.
Verify, review and evaluate information security continuity
The University as a whole and colleges and departments individually should verify information security continuity controls at regular intervals to ensure that they are valid and effective during adverse situations.Information security continuity should be verified by conducting exercises and testing.
Information redundancy can help ensure that availability requirements meet the needs of the University. Redundancies should be tested to ensure the failover from one component to another works as intended. Because redundancies can introduce additional risks to the integrity and confidentiality of information systems, appropriate controls should be considered in the design of these systems.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initially approved by Information Assurance Committee 5/15/15