IT Baseline Protection Manual S 6.1 Development of a survey of availability requirements

-->

S 6.1 Development of a survey of availability requirements

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Staff responsible for the individual IT applications

The availability requirements are to be identified for the IT applications run on an IT system and for their data. Since an IT application does not necessarily require each element of the IT system, the availability requirements of IT applications are to be mapped onto the essential components of the given IT system. The result of this activity can be represented in the form of a survey covering the following:

(Reading: The IT component "host" in the IT system "central system" has a maximum tolerable down-time of "3 hours" due to the "accounting".)

A practicable approach is to ask the procedures officer about the tolerable down-times of the used IT components with regard to the various IT applications, in order to list the results by IT system and component in the table.

Such a survey makes it easier to extract those components of the IT system which are particularly time-critical and for which contingency planning is indispensable. In addition, this survey provides information about the affected IT applications and their availability requirements in case of the failure of any one of the components.

The users and/or customer departments/specialised divisions must provide the rationale for such availability requirements. This must be done at this stage unless it has already been done elsewhere. The availability requirements must be confirmed by the agency/company management.

In case of failure of a component of the IT system, this survey makes it possible to establish quickly from when an emergency exists. The fact than an emergency need not necessarily occur even in the case of the failure of a particularly time-critical component, can be established on the basis of the replacement procurement plan (S 6.14 Replacement procurement plan) and of the study of internally and externally available alternatives (S 6.6 Study of internally and externally available alternatives).

Additional controls:

Do availability requirements, provided with a rationale, exist for each IT application?

Do these availability requirements tally with the actual status regarding procedures? When was the last up-dating of the table?

July 1999

home