Policy for information security aspects of business continuity management (A.17)

On this page you will find the current emergency response policy. The policy helps ensure that appropriate security measures are taken in critical situations.


Objective

The objective of Aarhus University's policies and rules regarding information security aspects of business continuity management is:

  • to embed information security continuity in the organisation’s business continuity management
  • to ensure availability of information processing facilities

Information security continuity (A.17.1)

The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. (A.17.1.1)

One aspect of this is the individual unit’s risk management and disaster planning, the purpose of which is to reduce the risk and impact of unforeseen events. Contingency plans will help to maintain operations and minimise damage.

System owners in the individual units are responsible for ensuring that employees are sufficiently trained in the agreed contingency procedures, including crisis management.

In all units, it must be clearly defined who is responsible for activating contingency plans.

Employees who form part of contingency plans must be informed of this responsibility.

All employees must be informed about the existence of the contingency plans.

The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. (A.17.1.2)

Aarhus University has several types of contingency plan:

  • Procedure for crisis management in connection with acute physical threats, e.g. fire
  • Procedures for IT system failures
  • Unit-specific contingency plans

The university director is responsible for the emergency management team’s overall contingency plan. Responsibility for managing IT system failures in services offered by AU IT lies with AU IT. Responsibility for handling IT system failures in services offered by other units lies with the management of the unit in question. The unit management is responsible for ensuring that the unit is sufficiently covered by contingency plans to achieve the objective.

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. (A.17.1.3)

As a minimum, contingency plans must be revised annually to ensure that they are up to date and effective.

Units must test contingency plans for critical information assets. As a minimum, the test must include a desk test of relevant crisis scenarios and, at regular intervals, a simulation.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.17.1.2 Implementation of information security continuity:

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Redundancies (A.17.2)

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. (A.17.2.1)

For critical information assets, the contingency plans should reflect the possibility that the physical locations may be inaccessible or destroyed, and should therefore make it possible to establish emergency operations at other locations.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.17.2.1 Availability of information processing facilities:
    • For equipment in the secure areas administered by AU IT, accessibility is secured through redundancy.

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Question guide

Consider the question guide as a tool to navigate the requirements of the policy:

  • What is the procedure if a system becomes inaccessible? (business continuity plan)
  • How is the system restored? (response)
  • What are people’s roles in an emergency response situation? Do they know what they have to do?
  • Who needs to be informed in an emergency situation?
  • How often are contingency plans reviewed?
  • How is sufficient redundancy ensured in order to meet requirements for accessibility?
  • Are critical solutions procured or developed by the unit subject to appropriate technical and/or business continuity procedures?