S 6.6 Study of internally and externally available alternatives

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Staff responsible for the individual IT applications

In order to avoid capacity shortfalls during restricted IT operations, internally and externally available alternatives must be explored.

When studying such alternatives, particular consideration must be given to the technical specifications of the alternative IT system. The compatibility and sufficient capacity (cf. S 6.4 Documentation on the capacity requirements of IT applications) of the alternative IT system are the basic prerequisites for its use.

The primary objective is the internal transfer of IT applications from one IT system to another (e.g. recourse to the development computer in case of failure of the production computer). External alternatives will have to be relied on when it is no longer possible to meet the availability requirements in an economically feasible way.

Alternatives for non IT-specific components should also be considered. In the infrastructure domain, for instance, consideration is to be given to alternatives regarding IT rooms.

Additional controls:

• Have internally and externally available alternatives been checked for their effectiveness?

• Are the configuration, capacity and compatibility of internal and external alternatives being adapted to the current status of procedures?

• Are the integrity and confidentiality of IT application and data moved to external resources ensured in the case of recourse to external alternatives?