S 6.5 Definition of "restricted IT operation"

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section; staff responsible for the individual IT applications

To provide against possible failure of parts of the IT system, it should be examined whether restricted IT operations are required or feasible. In order to allow as many IT applications as possible in case of restricted IT operations, the capacity requirements of each IT application must be confined to the necessary level (cf. S 6.4 Documentation on the capacity requirements of IT applications).

For restricted IT operations, it must be determined which IT application will be operated with what priority. This is to be laid down in writing.

Manual substitute techniques can be a suitable means of reducing the availability requirements of an IT procedure. However, the resources required for the use of a manual alternative technique (forms, paper lists, microfiches) must be kept on hand for this purpose.

Additional controls:

• Have provisions been laid down as to which IT application, with which priority, will have to be carried out during restricted IT operations?

• Have the qualitative and quantitative predefined conditions for restricted IT operations been agreed upon with the respective specialised units?