17.1 Information security continuity
Objective: Information security continuity should be embedded in the organization’s business continuity management systems.
17.1.1 Planning information security continuity
Control
The organization should determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
Implementation guidance
An organization should determine whether the continuity of information security is captured within
the business continuity management process or within the disaster recovery management process.
Information security requirements should be determined when planning for business continuity and
disaster recovery.
In the absence of formal business continuity and disaster recovery planning, information security
management should assume that information security requirements remain the same in adverse
situations, compared to normal operational conditions. Alternatively, an organization could perform a
business impact analysis for information security aspects to determine the information security
requirements applicable to adverse situations.
Other information
In order to reduce the time and effort of an ‘additional’ business impact analysis for information security,
it is recommended to capture information security aspects within the normal business continuity
management or disaster recovery management business impact analysis. This implies that the
information security continuity requirements are explicitly formulated in the business continuity
management or disaster recovery management processes.
Information on business continuity management can be found in ISO/IEC 27031, ISO/IEC 22313 and
ISO/IEC 22301.
17.1.2 Implementing information security continuity
Control
The organization should establish, document, implement and maintain processes, procedures,
controls, and contingency plans to ensure the required level of continuity for information security
during an adverse situation and ensure that availability of the IACS for business processes is at the
required level and in the required time scales following interruption to, or failure of, critical business
processes. The organization shall develop and implement a contingency plan for the IACS
addressing contingency roles, responsibilities, assigned individuals with contact information, and
activities associated with restoring the system after a disruption or failure. Designated officials
within the organization review and approve the contingency plan and distribute copies of the plan
to key contingency personnel. The contingency plan shall include training, testing, and updates to
the contingency plan as required by the organization.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
In order to assure business continuity, the organization shall identify an alternate storage site and
implement the necessary agreements as required by the organization and all contractual parties
to permit the storage of IACS backup information.
The organization shall develop and implement a contingency plan for the IACS addressing
contingency roles, responsibilities, assigned individuals with contact information, and activities
associated with restoring the system after a disruption or failure. Designated officials within the
organization review and approve the contingency plan and distribute copies of the plan to key
contingency personnel.
(1) The organization coordinates contingency plan development with organizational elements
responsible for related plans.
Foundational Requirement:
Rationale/Supplemental Guidance: Examples of related plans include Business Continuity
Plan, Disaster Recovery Plan, Continuity of Operations Plan, Business Recovery Plan,
Incident Response Plan, and Emergency Action Plan.
(2) The organization conducts capacity planning so that necessary capacity for information
processing, telecommunications, and environmental support exists during crisis situations.
(1) The organization shall include a full recovery and reconstitution of the IACS as part of
contingency plan testing.
Implementation guidance
An organization should ensure that:
a) an adequate management structure is in place to prepare for, mitigate and respond to a
disruptive event using personnel with the necessary authority, experience and competence;
b) incident response personnel with the necessary responsibility, authority and competence to
manage an incident and maintain information security are nominated;
c) documented plans, response and recovery procedures are developed and approved, detailing
how the organization will manage a disruptive event and will maintain its information security to
a predetermined level and determine the priority of critical business and IACS in order to
re-establish operations based on management-approved information security continuity objectives
(see 17.1.1).
According to the information security continuity requirements, the organization should establish,
document, implement and maintain:
a) information security controls within business continuity or disaster recovery processes,
procedures and supporting systems and tools;
b) processes, procedures and implementation changes to maintain existing information security
controls during an adverse situation;
c) compensating controls for information security controls that cannot be maintained during an
adverse situation. In the event of a significant disruption, the organization should determine
the priority of critical business and IACS to re-establish operations.
Other information
Within the context of business continuity or disaster recovery, specific processes and procedures may
have been defined. Information that is handled within these processes and procedures or within
dedicated information systems to support them should be protected. Therefore an organization should
involve information security specialists when establishing, implementing and maintaining business
continuity or disaster recovery processes and procedures.
Information security controls that have been implemented should continue to operate during an
adverse situation. If security controls are not able to continue to secure information, other controls
should be established, implemented and maintained to maintain an acceptable level of information
security.
The contingency planning policy and procedures are consistent with applicable laws, directives,
policies, regulations, standards, and guidance. The contingency planning policy can be included
as part of the general information security policy for the organization. Contingency planning
procedures can be developed for the security program in general, and for a particular IACS, when
required.
The organization defines contingency plans for categories of disruptions or failures. In the event
of a loss of processing within the IACS or communication with operational facilities, the IACS
executes predetermined procedures (e.g., alert the operator of the failure and then do nothing,
alert the operator and then safely shut down the industrial process, alert the operator and then
maintain the last operational setting prior to failure). These examples are not exhaustive.
IACS recovery and reconstitution to a known secure state means that all system parameters (either
default or organization-established) are set to secure values, security-critical patches are
reinstalled, security-related configuration settings are reestablished, system documentation and
operating procedures are available, application and system software is reinstalled and configured
with secure settings, information from the most recent, known secure backups is loaded, and the
system is fully tested and functional.
17.1.3 Verify, review and evaluate information security continuity
Control
The organization should verify the established and implemented information security continuity
controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
The organization shall: (i) test and/or exercise the contingency plan for the IACS [Assignment:
organization-defined frequency, at least annually] using [Assignment: organization-defined tests
and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute
the plan; and (ii) review the contingency plan test/exercise results and initiate corrective actions.
(1) The organization coordinates contingency plan testing and/or exercises with
organizational elements responsible for related plans.
(2) The organization tests/exercises the contingency plan at the alternate processing site
to familiarize contingency personnel with the facility and available resources and to
evaluate the site’s capabilities to support contingency operations.
(3) The organization employs automated mechanisms to more thoroughly and effectively
test/exercise the contingency plan by providing more complete coverage of contingency
issues, selecting more realistic test/exercise scenarios and environments, and more
effectively stressing the IACS and supported missions.
The organization shall review the contingency plan for the IACS [Assignment: organization-defined
frequency, at least annually] and revise the plan to address system/organizational changes or
problems encountered during plan implementation, execution, or testing.
Implementation guidance
Organizational, technical, procedural and process changes, whether in an operational or continuity
context, can lead to changes in information security continuity requirements. In such cases, the
continuity of processes, procedures and controls for information security should be reviewed against
these changed requirements.
Organizations should verify their information security management continuity by:
a) exercising and testing the functionality of information security continuity processes, procedures
and controls to ensure that they are consistent with the information security continuity
objectives;
b) exercising and testing the knowledge and routine to operate information security continuity
processes, procedures and controls to ensure that their performance is consistent with the
information security continuity objectives;
c) reviewing the validity and effectiveness of information security continuity measures when
information systems, information security processes, procedures and controls or business
continuity management/disaster recovery management processes and solutions change.
There are several methods for testing and/or exercising contingency plans to identify potential
weaknesses (e.g., full-scale contingency plan testing, functional/tabletop exercises). The depth
and rigor of contingency plan testing and/or exercises increases with the 𝑆𝑠𝑦𝑠𝑡𝑒𝑚𝑡𝑎𝑟𝑔𝑒𝑡 level of the IACS.
Contingency plan testing and/or exercises also include a determination of the effects on
organizational operations and assets (e.g., reduction in mission capability) and individuals arising
due to contingency operations in accordance with the plan.
Organizational changes include changes in mission, functions, or business processes supported
by the IACS. The organization communicates changes to appropriate organizational elements
responsible for related plans (e.g., Business Continuity Plan, Disaster Recovery Plan, Continuity
of Operations Plan, Business Recovery Plan, Incident Response Plan, Emergency Action Plan).
Other information
The verification of information security continuity controls is different from general information security
testing and verification and should be performed outside the testing of changes. If possible, it is
preferable to integrate verification of information security continuity controls with the organization’s
business continuity or disaster recovery tests.
Examples of related plans include Business Continuity Plan, Disaster Recovery Plan, Continuity
of Operations Plan, Business Recovery Plan, Incident Response Plan, and Emergency Action Plan.
17.2 Redundancies and Availability
Objective: To ensure availability of information processing facilities and the IACS
17.2.1 Availability of information processing facilities and the IACS
Control
Information processing facilities and the IACS shall be implemented with redundancy and proper
safety systems and equipment sufficient to meet availability requirements required by the
organization for business continuity.
In order to assure information processing facilities and the IACS have sufficient availability and
meet the organization’s safety objectives, emergency lighting shall be properly implemented that
activates in the event of a power outage or disruption and that covers emergency exits and
evacuation. Additionally, the organization shall employ and maintain fire suppression and detection
devices/systems that can be activated in the event of a fire.
In order to assure IACS availability, the IACS shall include the following within its software and/or
hardware configuration:
a) Assure software backup and an alternate site for the IACS per the organization’s needs;
b) Adequate power to the IACS;
c) Proper networking and network redundancy for the IACS and the organization;
d) Emergency shutoff for all IACS components that assures safe shutdown;
e) Emergency short-term uninterruptible power supply to facilitate an orderly shutdown of the IACS
in the event of a primary power source loss;
f) Maintain, within acceptable levels, and monitor the required environmental requirements
and water damage possibilities within the facility where the IACS resides.
The organization shall identify an alternate control site and initiate necessary agreements to
permit the resumption of IACS operations for critical mission/business functions within
[Assignment: organization-defined time period] when the primary processing capabilities are
unavailable.
(1) The organization identifies an alternate processing site that is geographically separated
from the primary processing site so as not to be susceptible to the same hazards.
(2) The organization identifies potential accessibility problems to the alternate processing site
in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) The organization develops alternate processing site agreements that contain
priority-of-service provisions in accordance with the organization’s availability requirements.
(4) The organization fully configures the alternate processing site so that it is ready to be used
as the operational site supporting a minimum required operational capability.
Implementation guidance
Organizations should identify business requirements for the availability of information systems. Where
the availability cannot be guaranteed using the existing systems architecture, redundant components
or architectures should be considered.
Where applicable, redundant information systems and IACS should be tested to ensure the failover
from one component to another component works as intended.
Equipment and supplies required to resume operations within the organization-defined time period
are either available at the alternate site or contracts are in place to support delivery to the site.
Timeframes to resume IACS operations are consistent with organization-established recovery time
objectives.
Other information
The implementation of redundancies can introduce risks to the integrity or confidentiality of information
and information systems, which need to be considered when designing information systems.
18 Compliance