ISO/IEC 27001 Control 5.30: ICT readiness for business continuity
Control
ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can be used to quickly prepare a replacement system in case of disruption. Pre-configured emergency access control can be used during incident response.
Implementation Details
MidPoint is designed to work with systems (identity resources) that are not constantly available. Operations are retried, a resource can be explicitly configured for maintenance mode, and the synchronization capability can be used to restore data consistency. The provisioning consistency capability of midPoint automatically corrects all inconsistencies it discovers, which can be used to gradually recover from a disruption. The auto-scaling capability can provide resilience to unexpected load peaks.

The policy-driven RBAC mechanism can be used to activate pre-configured emergency access control during a disruption, providing controlled and panic-free elevation of privileges for responders. Simulation can be used to validate such pre-configured privileges and policies and their effect on the system, to make sure they can be used to maintain critical business processes following an interruption or failure. Certification campaigns can be used to make sure emergency privileges are reviewed at regular intervals, covering both the assignment of emergency privileges to users and the content of the emergency roles.

The application inventory provides essential data on systems during a failure, e.g. determining the number of users affected by the disruption.

Should there be a need to create a replacement system during a disruption, midPoint RBAC mechanisms together with the efficient provisioning engine can be used to quickly and automatically grant access to the replacement system, maintaining appropriate access levels for individual users. E.g. midPoint can quickly provision access to a new application in case an existing cloud application is disrupted. The midPoint identity repository contains copies of identity data, which can be used to quickly restore the data to any application. This is further supplemented by the organizational structure, personas and the dynamic rules of policy-driven RBAC, which together form a flexible policy platform to quickly populate replacement systems.

A replacement system can be provisioned either automatically, using ConnId identity connectors, or manually/semi-manually using the midPoint built-in manual connector. Live synchronization can be used to keep replacement systems updated with the latest identity data, as a copy from other systems.
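As an added illustration (not from this page or from the midPoint project itself), the following midPoint XML object fragment shows the two mechanisms described above: the disrupted resource placed in maintenance mode, and an emergency role kept dormant in the draft lifecycle state until it is switched to active during an incident. Element names follow the midPoint common-3 schema as understood by the example's author; all OIDs and object names are placeholders.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Resource fragment (placeholder OID): the disrupted application is
         switched to maintenance mode. As the example assumes, midPoint then
         records operations against it as pending and retries them once the
         administrativeAvailabilityStatus is set back to "operational",
         instead of failing provisioning for every affected user. -->
    <resource oid="00000000-0000-0000-0000-PLACEHOLDER01">
        <name>Disrupted Cloud Application (placeholder)</name>
        <administrativeOperationalState>
            <administrativeAvailabilityStatus>maintenance</administrativeAvailabilityStatus>
        </administrativeOperationalState>
    </resource>

    <!-- Emergency role (placeholder OID): kept in the "draft" lifecycle
         state during normal operation, so it can be assigned to responders
         in advance without granting anything. Changing lifecycleState to
         "active" during the incident makes the inducement effective; setting
         it back to "draft" or "deprecated" afterwards revokes the access.
         The assignments to users and the role content are what a
         certification campaign should review at regular intervals. -->
    <role oid="00000000-0000-0000-0000-PLACEHOLDER02">
        <name>Emergency Responder - Replacement System (placeholder)</name>
        <description>
            Pre-configured emergency access to the replacement system.
            Activate only during a declared disruption; review in certification.
        </description>
        <lifecycleState>draft</lifecycleState>
        <inducement>
            <construction>
                <!-- replacement system resource; OID is a placeholder -->
                <resourceRef oid="00000000-0000-0000-0000-PLACEHOLDER03" type="ResourceType"/>
                <kind>account</kind>
                <intent>default</intent>
            </construction>
        </inducement>
    </role>

</objects>
```

Before relying on such a role in a real incident, run it through a simulation with the intended responder assignments so the resulting account changes on the replacement resource can be inspected without being executed.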
Implementation Notes
- MidPoint has built-in high-availability features.
- Unavailability of midPoint does not mean unavailability of identity and access management capabilities. MidPoint is designed to provision changes to identity resources, allowing resources to operate independently. Unavailability of midPoint means a limitation of identity management capabilities; however, it does not usually limit the operational capabilities of applications.
Rationale
MidPoint can be used as a supporting tool for business continuity.
Related Features
- Policy (concept) (planned)
Related Controls
- ISO/IEC 27001 5.24: Information security incident management planning and preparation
- ISO/IEC 27001 5.25: Assessment and decision on information security events
- ISO/IEC 27001 5.26: Response to information security incidents
- ISO/IEC 27001 5.27: Learning from information security incidents
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 8.14: Redundancy of information processing facilities