Availability

From The Secure Arc Wiki

Jump to: navigation, search

Contents

Assertion

The systems and security controls providing access to information transactions should be available when required.

Rationale

The best way to put the Availability principle into a Security context is to think about it's antonym, the Denial of Service Attack (DSA). The unavailability of a system or part of a system can be as costly as a direct security breach. Both the availability of the system is equally dependent on the middleware delivering the systems and the security solutions granting access to the systems. A failure of either one should result in the the unavailability of the entire system.

The kind of Value at Risk associated with Availability can include Service Level Agreements, online sales and transactions to customers, partners and suppliers. For organisations such as banks and other financial institutions, this can reach billions of dollars a day.

Further detailed information is available on Wikipedia.

Related References

Policies & Standards

ISO 17799:2005

  • Section 11.5.4 - Use of System Utilities
    • There should be a limitation on some system availability. (ie for the duration of a change)
    • Not making systems available to certain users, in order to enforce [Segregation of Duties].
  • Section 14.1 - Business Continuity
    • The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis.
    • Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

Standard of Good Practice for Information Security

  • Section CB1.3 - Availability Requirements
    • The business impact of business information stored in or processed by the application being unavailable for any length of time should be assessed.
  • Section NW1.3 - Network Resilience
    • The network should be run on robust, reliable hardware and software, supported by alternative or duplicate facilities.

COBIT Security Baseline

  • Section - Framework
    • relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Design Patterns

Navigation

Personal tools