Generally Accepted System Security Principles

P-15 Continuity Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Information security professionals should identify their organization's needs for continuity of operations and should prepare the organization and its information systems accordingly.

Organizations' needs for continuity may reflect legal, regulatory, or financial obligations of the organization, organizational goodwill, or obligations to customers, board of directors, and owners. Understanding the organization's continuity requirements will guide information security professionals in developing the information security response to business interruption or disaster. The objectives(4) of this principle are to ensure the continued operation of the organization, to minimize recovery time in response to business interruption or disaster, and to fulfill relevant requirements.

The continuity principle may be applied through three basic concepts: organizational recovery, continuity of operations, and end user contingent operations. Organizational recovery is invoked whenever a primary operating site is no longer capable of sustaining operations. Continuity of operations is invoked when operations can continue at the primary site but must respond to less than desirable circumstances (such as resource limitations, environmental hazards, or hardware or software failures). End user contingent operations are invoked in both organizational recovery and continuity of operations.