Availability Policy
Purpose and Scope
a. The purpose of this policy is to define requirements for proper controls to protect the availability of the organization’s information systems.
b. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
Background
a. The intent of this policy is to minimize the amount of unexpected or unplanned downtime (also known as outages) of information systems under the organization’s control. This policy prescribes specific measures for the organization that will increase system redundancy, introduce failover mechanisms, and implement monitoring such that outages are prevented as much as possible. Where they cannot be prevented, outages will be quickly detected and remediated.
b. Within this policy, availability is defined as a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
Policy
a. Information systems must be consistently available to conduct and support business operations.
b. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification.
c. System and network failures must be reported promptly to the organization’s lead for Information Technology (IT) or designated IT operations manager.
d. Users must be notified of scheduled outages (e.g., system maintenance) that require periods of downtime. This notification must specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
e. Prior to production use, each new or significantly modified application must have a completed risk assessment that includes availability risks. Risk assessments must be completed in accordance with the Risk Assessment Policy (reference (a)).
f. Capacity management and load balancing techniques must be used, as deemed necessary, to help minimize the risk and impact of system failures.
g. Information systems must have an appropriate data backup plan that ensures:
h. Information systems must have an appropriate redundancy and failover plan that meets the following criteria:
i. Information systems must have an appropriate business continuity plan that meets the following criteria:
| Availability Classification | Availability Requirements | Scheduled Outage | Recovery Time Requirements | Data Loss or Impact Loss |
|---|---|---|---|---|
| High | High to Continuous | 30 minutes | 1 hour | Minimal |
| Medium | Standard Availability | 2 hours | 4 hours | Some data loss is tolerated if it results in quicker restoration |
| Low | Limited Availability | 4 hours | Next business day | Some data loss is tolerated if it results in quicker restoration |
Table 1: Recovery Time and Data Loss Limits