The objective of Aarhus University's policies and rules regarding information security aspects of business continuity management is:
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. (A.17.1.1)
One aspect of this is the individual unit’s risk management and disaster planning, the purpose of which is to reduce the risk and impact of unforeseen events. Contingency plans will help to maintain operations and minimise damage.
System owners in the individual units are responsible for ensuring that employees are sufficiently trained in the agreed contingency procedures, including crisis management.
In all units, it must be clearly defined who is responsible for activating contingency plans.
Employees who form part of contingency plans must be informed of this responsibility.
All employees must be informed about the existence of the contingency plans.
The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. (A.17.1.2)
Aarhus University has several types of contingency plan:
- Procedure for crisis management in connection with acute physical threats, e.g. fire
- Procedures for IT system failures
- Unit-specific contingency plans
The university director is responsible for the emergency management team’s overall contingency plan. Responsibility for managing IT system failures in services offered by AU IT lies with AU IT. Responsibility for handling IT system failures in services offered by other units lies with the management of the unit in question. The unit management is responsible for ensuring that the unit is sufficiently covered by contingency plans to achieve the objective.
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. (A.17.1.3)
As a minimum, contingency plans must be revised annually to ensure that they are up-to-date and effective.
Units must test contingency plans for critical information assets. As a minimum, the test must include a desk test of relevant crisis scenarios and, at regular intervals, a simulation.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally. |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. (A.17.2.1)
For critical information assets, the contingency plans should reflect the possibility that the physical locations may be inaccessible or may be destroyed, and that it should therefore be possible to establish emergency operations at other locations.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally. |
QUESTION GUIDE
Consider the question guide as a tool to navigate the requirements of the policy: