Title:

Reference Directions for Information Operation Resilience of Service Providers in Securities and Futures Markets

Announced Date: 2025.02.13 (Articles 2, 8, 12, 14 amended; English version coming soon)
Current English version amended on 2022.08.10
Categories: Information Operations
Article 12     An organization shall perform exercises designed for a range of scenarios and business conditions so that its exercise and test procedures operate effectively.
  1. An organization shall design exercise scenarios based on the identified risk scenarios that could interrupt core business (including natural disasters, man-made disasters, and information and communication security incidents).
  2. An organization shall conduct exercises based on disaster or accident scenarios and consider including the operating staff needed for the core system, the personnel who perform the core business, and the suppliers required for recovery. It shall plan the quantity, size and tiers of systems (dedicated servers, virtual hosts, middleware, etc.) needed for the exercise.
  3. Before an exercise, an organization shall identify the risks the exercise itself may introduce (e.g. errors in or loss of production (live) data, a lowered level of information protection, or harm to client rights) and prepare protective measures in advance.
  4. Exercises shall cover verification of the standard operating procedures created for the various core systems (including but not limited to monitoring, tiered exercises, reporting, response and recovery).
  5. An organization shall hold regular exercises and verify the feasibility of its core systems every year. Based on its needs it shall plan on-site and remote system backup exercises, on-site and remote system reconstruction exercises (for systems without a backup), or on-site and remote data backup restore tests, to ensure staff familiarity and the effectiveness of the procedures, and shall retain the records of these exercises.
  6. During remote system backup exercises, Category 1 organizations shall include verification of actual business operations, to validate that internal resource arrangements and staff deployment, coordination with external partners, and the adjustment and interfacing of the information networks on which the minimum acceptable service level depends can all operate effectively at every critical point. Category 2 organizations are encouraged to do the same.
  7. An organization shall convene a review meeting after the exercise to confirm whether the recovery mechanism and the exercise results met the recovery time objective (RTO) and recovery point objective (RPO) the organization has established, and to examine whether the existing on-site and remote system backup mechanisms and on-site and remote data backup systems for the core system meet the needs of the core business.