One Article Review

Article:
Source NoticeBored
Identifier 3529756
Publication date 2021-10-19 16:00:00 (seen: 2021-10-19 04:05:15)
Title Topic-specific policy 7/11: backup
Text This is an interesting policy example to have been selected for inclusion in ISO/IEC 27002:2022, spanning the divide between 'cybersecurity' and 'the business'.
Why do data need to be backed up? What's the purpose? How should it be done? Questions like these immediately spring to mind (mine anyway!) when I read the recommendation for a topic-specific policy on backup ... but as usual, there's more to it than that.
Play along with me on this worked example. If you already have a backup policy (or something with a vaguely similar title), I urge you to dig it out at this point and study it (again!) before returning to read the remainder of this blog. Think about it. Does it address those three questions? What else does it cover? What is its scope? Is it readable, understandable, motivational - not just for you but for its intended audience/s? Does it state who those audiences are? Any spelling mistakes, grammatical errors or layout problems? Is it lengthy, officious, boring? Conversely, is it short, cryptic and puzzling? Is it more of a detailed plan for what backups to do, when and how, than a clear and unequivocal statement of management's overall expectations re backups? Is it consistent both internally (no contradictions or omissions) and externally (e.g. does it accord with other policies and adequately reflect any applicable compliance requirements)? All good so far? If not, hopefully this blog series has given you food for thought! Either way, what is it missing? What relevant matters does your backup policy not cover, either failing to mention them at all or perhaps glossing over them too superficially to have any impact?
That's a harder question to answer, even if you were the one who wrote the existing policy. We all (me included!) tend to focus on our areas of interest and expertise. Policies are often formulated and written with particular scenarios, situations or incidents in mind, typically forming part of the response that drives continuous improvement.
We don't always take the trouble to consult with colleagues, research the topic, explore the risks and controls, and think both broadly and deeply about the subject area - the topic of the policy. Frankly, we just don't think, failing to recognise and address our own biases and failings. Don't agree? OK, look again at the start of my second paragraph. I consciously slipped "data" in there, just as I deliberately mentioned "cyber" in the first one. Did you even notice the bias towards IT? Is your backup policy exclusively about backing up computer data, most likely digital data from corporate IT systems? Does it lay out the technologies, plus the frequencies and types of backup, in some detail?
Don't get me wrong, that's a very important topic, essential in fact for virtually all modern organisations and indeed individuals today. My concern is that it still only covers part of the problem space, a peak on the risk landscape you could say.
What about information in other forms and locations:
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.