2. Information Security
2
December/2021
Document change control

VERSION   DATE         MODIFICATIONS
0         15/12/2021   Initial document

ELABORATED                     REVISED                    APPROVED
Date: 25/10/2021               Date: 30/11/2021           Date: 15/12/2021
Name: María José Álvarez       Name: Sergio Rodríguez     Name: José Luis Moral
Table of Contents
1. OWNER
2. INTRODUCTION
3. OBJECTIVES
3.1. General objectives
3.2. Specific objectives
4. SCOPE
5. BASICS
6. BUSINESS CONTINUITY STAGES
7. Analysis of the organization
7.1. Asset inventory
7.2. Business Impact Analysis (AI)
7.3. Risk assessment
7.4. Risk identification
7.5. Running PCN
7.6. Identification of detected threats and vulnerabilities
7.7. Calculation of inherent risk
7.8. Calculation of residual risk
7.9. Treatment of residual risk
7.10. Incident reporting
8. Determination of the Continuity Strategy
9. Causes of interruption of services and processes
10. Contingency Response
11. TESTING, MAINTENANCE AND OVERHAUL
11.1. Maintenance and overhaul plan
11.2. Test plan
12. TRAINING OF STAFF ON BUSINESS CONTINUITY
13. BUSINESS CONTINUITY STRATEGIES
14. EVIDENCE
14.1. Periodic verification of action practices
15. REFERENCE DOCUMENTATION
ANNEX I: CONTINGENCY VERIFICATION AND DISASTER RECOVERY PLAN
16. ANNEX II: INCIDENT REPORT
1. OWNER
The staff responsible for activating the crisis plan.
2. INTRODUCTION
In recent years, the concept of service and of availability of services has changed considerably, since the irruption of technology in our society has caused substantial changes that have affected both the way in which services are offered and provided and the needs and expectations of customers and consumers regarding the availability of services.
This new way of providing services entails the appearance of new risks and threats that affect or may affect not only the business or activity of GOFLUENT, but also the business and activity of its customers.
The dependence of companies on the use of new technologies has been very significant for many years, but it is increasing with each passing day, and it must be taken into account that a failure in them can cause a significant interruption of the services of GOFLUENT, which can lead to significant financial and reputational costs.
At present, the level of risk of suffering serious incidents that can cause a decrease or even the interruption of services is increasing, because in the Internet of Things (IoT) society and within the framework of the so-called "digital transformation", many companies are experiencing significant interruptions in their services due to viruses, Trojans (such as ransomware), denial-of-service attacks, etc.
GOFLUENT is well aware of the existence of important threats that can materialize in incidents or disasters that can considerably affect our day to day, and is also aware of the need to recover in the shortest possible time, guaranteeing business continuity.
For this reason, GOFLUENT establishes as one of its priority objectives to ensure Business Continuity, emphasizing the availability requirements established by customers, in order to minimize the damages that a reduction or interruption of GOFLUENT's services.
With Business Continuity, it will be possible to quickly and efficiently recover essential operations at a pre-established minimum level in case of any disaster or incident, of any kind, serious enough to put at risk the continuity of GOFLUENT or part of its activities.
Ultimately, it is about providing strength to the business through the ability to provide an effective response that safeguards the interests of the owners, their reputation, their brand, and their value-added activities.
To ensure business continuity, risk mitigation and recovery of business activities in the event of a disaster or crisis are necessary.
The Business Continuity Plan is the policy that GOFLUENT implements to respond in an organized manner to events that interrupt the normal functioning of its processes and that may generate significant impacts on the achievement of the Company's objectives.
The Business Continuity Plan is a tool that mitigates the risk of non-availability of the resources necessary for the normal development of operations, and as such is part of the Operational Risk Management System, offering elements of prevention and control of emergency care, crisis management, contingency plans and the ability to return to normal operation.
3. OBJECTIVES
3.1. General objectives
The objective is to establish a business continuity plan that allows GOFLUENT to respond
optimally and effectively to any emergency, recovering from them in the times and conditions
established within the Company or agreed with our clients, and thus be able to mitigate the
impacts caused, allowing the continuity of the services provided.
Business Continuity Plans (PCNs) help:
• Maintain the level of service within the limits established, either internally by the Company itself or externally by the clients themselves.
• Establish a minimum amortization period for the business.
• Recover or return to the initial situation before any security incident occurs.
• Analyze the results and the reasons or causes of the security incidents that cause the implementation of the Continuity Plans.
• Prevent the company's activities from being interrupted.
The approach is based on a set of principles founded on business needs and on how the associated risks are understood. The Business Continuity Plan focuses on responding as soon as possible to any contingency, and is aimed at protecting people.
• Training: Every worker must have training in business continuity, knowing the role they play in any contingency.
• Communication: Communications have to be very coordinated, since they will be the beginning of any procedure in terms of continuity.
All personnel who play a leadership role must act in accordance with established procedures.
Regarding the prevention phase:
• Impact Analysis (IA): It will be reviewed according to the modifications of the project. Failing that, it will be reviewed every (1) year.
• Monitoring of continuity risks shall be carried out every six months.
• Testing should be done on all processes involved in the plan.
• Strategies will be reviewed annually and during business continuity plan testing.
3.2. Specific objectives
Note: The objectives of the ISMS are defined in the document "Objectives of the SI Management System".
1. Increase the level of maturity of the GOFLUENT Business Continuity Plan.
2. Improve the structuring of the PCN and of crisis management and administration.
3. Minimize service interruption times as much as possible.
4. Ensure prompt start-up of affected processes and reduce service restoration times.
5. Adapt and reinforce strategies aimed at maintaining Business Continuity in critical health situations caused by pandemics such as the recent coronavirus (COVID 19).
6. Reinforce the training and awareness of staff on business continuity to reduce the number of incidents that may arise from the business continuity plan.
4. SCOPE
The business continuity plan is a document that brings together all the phases prior to any contingency, defining the methodology to follow. It covers the business line of services provided by GOFLUENT and the office from which they are provided.
To define the scope of GOFLUENT's Business Continuity Plan, the following have been taken into account: the internal issues affecting business continuity, the needs and expectations of interested parties, the legal requirements applicable to this Plan, the contractual requirements that GOFLUENT has signed with its clients, the technological infrastructure, the personnel affected by the Continuity Plan, as well as the criticality of the processes and services identified within the Plan.
5. BASICS
Business Impact Analysis (AI): It is the stage that allows the urgency of recovery of each area to be identified, determining the impact in case of interruption.
Impact: The effect caused by the occurrence of an incident or loss. The implication of risk is measured in economic aspects, reputational image, decreased responsiveness and competitiveness, interruption of operations, legal consequences and physical harm to people. It measures the level of degradation of one of the following continuity elements: reliability, availability, and resilience.
Business Continuity Plan (PCN): Detailed set of actions that describe the procedures, systems and resources necessary to return to and continue operation in case of interruption.
ICT Continuity Plan (PCTIC) (or ICT Contingency Plan): It is one of the plans that make up the business continuity plan of our organization, but restricted to the ICT field. While a PCN serves as a trigger for different contingency plans, a PCTIC is limited to the technological field.
Disaster Recovery Plan (PRD): In this case, its analysis phase is less deep and focuses on the most technical field, so it is a reactive plan in case of a possible catastrophe. For example, if we have a disaster plan for a failure in our servers, the PRD will contain all the steps for the recovery of the application.
Recovery Time Objective (OTR): Period of time after an incident, within which:
• a product or service must be resumed; or
• an activity must be resumed; or
• resources must be recovered.
NOTE: For services and activities, the recovery time objective must be less than the time it would take for the unfavorable impacts that would result from the non-delivery of a product or service, or the non-performance of an activity, to be unacceptable.
Maximum Tolerable Time (TMT): The time needed for the unfavorable impacts that may arise as a result of not supplying a product/service or not carrying out an activity to become unacceptable.
Revised Operating Level (NOR): Minimum level of recovery that an activity must have for us to consider it as recovered, even if the level of service is not optimal.
Recovery Point Objective (OPR): Point from which it must be possible to retrieve the information used by an activity, so that it can function after an interruption. This value determines the impact of data loss on the activity. It is critical to determining your organization's backup (copy) policies and is not related to the OTR seen above.
Minimum Business Continuity Objective (OCMN): Minimum level of services and/or products that is acceptable for the organization to achieve its business objectives during an outage.
Work Recovery Time (TRT): This is the time spent searching for lost data and making repairs. It is calculated as the time between system recovery and process normalization.
6. BUSINESS CONTINUITY STAGES
It is divided into the following phases:
• Phase 0. Coping: The decision to conduct a process to improve continuity may involve the use of a number of resources and excessive time. Therefore, it is advisable to start with those departments or areas with the greatest importance and progressively extend continuity to the entire organization. For this, there is always the commitment and involvement of the Management.
In this Phase, GOFLUENT has decided to start with those services that have a higher degree of criticality in the field of its business.
During this Phase, the following tasks are carried out, among others:
- Definition of the context of the organization (internal and external issues, needs and expectations of stakeholders, etc.).
- Definition of the scope of the Continuity Plan.
• Phase 1. Analysis of the organization: During this phase we collect all the information necessary to establish the critical business processes, the assets that support them and what the needs of time and resources are.
During this Phase, the following tasks are carried out, among others:
- Definition of the Business Continuity Committee.
- Asset inventory.
- Risk analysis.
- The Impact Assessment (IA).
• Phase 2. Determination of the continuity strategy: Once the assets that support the critical processes are known, we must determine if, in the event of a disaster, we will be able to recover these assets in the necessary time. In those cases in which this is not possible, we must establish the different recovery strategies.
During this Phase, the following tasks are carried out, among others:
- The Risk Treatment Plan (PTR).
- Identification of scenarios.
- Determination of business continuity strategies.
• Phase 3. Contingency response: Based on the defined recovery strategies, the necessary initiatives are selected and implemented, and the Business Continuity Plan and the respective documents for the recovery of the environments are documented.
During this Phase, the following tasks are carried out, among others:
- Incident Management Plan.
- Technical procedures for work or incidents.
• Phase 4. Testing, maintenance and overhaul: Based on the technological infrastructure of our company, we will develop test and maintenance plans.
During this Phase, the following tasks are carried out, among others:
- Maintenance Plan of the Continuity Plan (revisions, measurements established in the indicators defined by GOFLUENT, audits, etc.).
- Verification plan.
- Execution of tests.
- Analysis of test results.
• Phase 5. Awareness and Training of Personnel: In addition to the analysis and implementation, it is necessary that both the technical staff and those responsible for GOFLUENT know what the Business Continuity Plan is and what it entails, as well as what is expected of them.
During this Phase, the following tasks are carried out, among others:
- Training plan and awareness of staff on business continuity.
- Execution of staff training actions and staff awareness talks.
- Other staff awareness actions (newsletters, awareness pills, etc.).
- Evaluation of the effectiveness of training and awareness actions on business continuity.
7. Organization analysis
The main objective of the business continuity manager is to face, in the best possible way, the creation of a business continuity plan and, subsequently, to monitor its implementation. Apart from the main objective, which consists of a correct implementation in a timely manner, other types of objectives, no less important, have been established:
• Annual monitoring of the implemented part.
• Annual control of operations and decision making.
• New annual goals.
• Discussion of the methodology to follow.
• New implementations / procedures.
• Training methodology.
On the other hand, the person responsible for Business Continuity is responsible for the decisions for the unified management of this type of situation, although in crisis situations the decisions are made jointly with the Management and the committee.
Their main function is to accelerate the decision-making process to resolve incidents and/or crises by defining priorities and establishing the strategy and tactics to follow.
In anticipation of what may happen, the main scenarios to take into account, and how to act in each of them, must be defined.
The person responsible for business continuity, in a critical situation, must have the teamwork and support of the Management, as well as of the other people necessary for the optimal coordination and execution of the Business Continuity Plan.
The Head of Business Continuity and management will participate in the annual review meetings of the Business Continuity Plan.
7.1. Asset inventory
In the asset inventory, the assets involved in GOFLUENT's critical services and processes that are within the scope of this Business Continuity Plan are taken into account.
The categories of assets that have been taken into account for the preparation of this Business Continuity Plan are those listed below:
• Services.
• Processes.
• Technological infrastructure (hardware, software, network electronics, etc.).
• Physical infrastructure (office, server room, etc.).
• Human resources (personnel involved in services that are within scope).
• Services provided by suppliers (these are the services provided by critical suppliers, such as, for example, services provided by those responsible for external servers, but also hosting services, electricity, internet connection, etc.).
The asset inventory is included in the document called "Asset Inventory".
7.2. Business Impact Analysis (AI)
In the asset inventory, the assets involved in GOFLUENT's critical services and processes that are within the scope of this Business Continuity Plan are taken into account.
a. Concept. Process of analyzing activities and the effect that a business interruption can have on them. It allows us to identify the risks and the urgency of recovery by procedure (assessing the critical and the non-critical), and to estimate the recovery time.
b. Objective. It is the guide that will determine what needs to be recovered and the time required for recovery.
c. Scope. Through the development of the AI, the following is obtained:
- Establishment of valuation and criticality processes.
- Impact of interruption and start-up.
- Prioritization of maximum recovery times for applications and system activity.
- Order of recovery.
- Establishment of the maximum recovery times and of the volume of data at risk of loss that the organization considers tolerable.
- Definition of the resources necessary for the correct development of procedures at the level of: technology, personnel, infrastructure and support from suppliers.
d. Approach. Three phases have been identified:
- Identification of processes and procedures: We obtain the list of processes and procedures in order to be able to do the AI.
- Evaluation of the impact of interruptions in business processes.
- Calculation of business recovery time parameters.
e. Methodology. All ANSWER procedures, as well as the technological resources on which these activities are based, are classified according to their recovery priority. To do this, the time during which such an activity can stop being performed without causing financial losses, customer complaints and/or legal or contractual sanctions is measured. In terms of continuity, everything revolves around the impact, seeking to sustain the critical functioning of GOFLUENT.
f. Impact assessment. Taking into account the operational elements of GOFLUENT, it is necessary to evaluate the level of impact of an interruption within the organization. The operational impact makes it possible to assess the negative level of an interruption in various aspects of business operations. Three levels of impact will be assessed:
- High impact on the operation/process: The operation is critical to the business. An operation is critical when, without it, the business function cannot be carried out.
- Medium impact on the operation/process: The operation is an integral part of the business; without it the business could not operate normally, but the function is not critical.
- Low impact on the operation/process: The operation is not an integral part of the business.
Process                                   Process type   Impact
Organization, context and risk analysis   Strategic      Low
System Planning                           Strategic      Low
Performance evaluation                    Strategic      Low
Business Processes                        Operational    Low
Purchasing processes                      Operational    Low
Training                                  Operational    High
Human Resources Processes                 Support        Medium
Management processes                      Support        Medium
Technological processes                   Support        High
Once the critical processes have been identified, recovery times are established for each one:
Process                                   OTR        OPR                    TMT        TRT
Organization, context and risk analysis   24 hours   12 hours               72 hours   7 days
System Planning                           24 hours   24 hours (local CPD)   72 hours   7 days
Performance evaluation                    24 hours   12 hours               72 hours   7 days
Business Processes                        4 hours    24 hours (local CPD)   72 hours   7 days
Purchasing processes                      4 hours    12 hours               72 hours   7 days
Training services                         4 hours    24 hours (local CPD)   24 hours   7 days
Communication processes                   24 hours   12 hours               72 hours   24 hours
Documented information management         4 hours    24 hours (local CPD)   72 hours   24 hours
Human resources management                4 hours    12 hours               72 hours   24 hours
Financial management                      4 hours    24 hours (local CPD)   72 hours   24 hours
Infrastructure management                 4 hours    12 hours               72 hours   24 hours
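The recovery parameters above are only useful if they are internally consistent: section 5 requires that the OTR of a service be shorter than its TMT, and it ties the OPR to the backup ("copy") policy, so a backup interval longer than a process's OPR would lose more data than the process can tolerate. The following Python script is an added example, not part of the GOFLUENT plan: it parses the table above into structured rows, checks both rules, and derives the recovery order that the BIA section says should come out of the analysis (shortest OTR first). The 12-hour backup interval is a constructed assumption used only to exercise the OPR check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Recovery-time parameters transcribed from the BIA table above (pipe-separated).
BIA_TABLE = """\
Organization, context and risk analysis | 24 hours | 12 hours | 72 hours | 7 days
System Planning | 24 hours | 24 hours (local CPD) | 72 hours | 7 days
Performance evaluation | 24 hours | 12 hours | 72 hours | 7 days
Business Processes | 4 hours | 24 hours (local CPD) | 72 hours | 7 days
Purchasing processes | 4 hours | 12 hours | 72 hours | 7 days
Training services | 4 hours | 24 hours (local CPD) | 24 hours | 7 days
Communication processes | 24 hours | 12 hours | 72 hours | 24 hours
Documented information management | 4 hours | 24 hours (local CPD) | 72 hours | 24 hours
Human resources management | 4 hours | 12 hours | 72 hours | 24 hours
Financial management | 4 hours | 24 hours (local CPD) | 72 hours | 24 hours
Infrastructure management | 4 hours | 12 hours | 72 hours | 24 hours
"""

_DURATION = re.compile(r"^\s*(\d+)\s*(hour|hours|day|days)\b(.*)$")


def parse_hours(text: str) -> Tuple[int, Optional[str]]:
    """Turn '24 hours', '7 days' or '24 hours (local CPD)' into (hours, note)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    value, unit, rest = int(m.group(1)), m.group(2), m.group(3)
    hours = value * 24 if unit.startswith("day") else value
    note = rest.strip("() ")
    return hours, (note or None)


@dataclass
class ProcessTimes:
    process: str
    otr_h: int   # Recovery Time Objective (OTR)
    opr_h: int   # Recovery Point Objective (OPR): tolerable data-loss window
    tmt_h: int   # Maximum Tolerable Time (TMT)
    trt_h: int   # Work Recovery Time (TRT)
    opr_note: Optional[str]  # e.g. "local CPD" from the table


def parse_bia(table: str) -> List[ProcessTimes]:
    """Parse the pipe-separated BIA table into one ProcessTimes per line."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5:
            raise ValueError(f"expected 5 columns, got {len(cells)}: {line!r}")
        name, otr, opr, tmt, trt = cells
        opr_h, note = parse_hours(opr)
        rows.append(ProcessTimes(name, parse_hours(otr)[0], opr_h,
                                 parse_hours(tmt)[0], parse_hours(trt)[0], note))
    return rows


def check_bia(rows: List[ProcessTimes], backup_interval_h: int) -> List[Tuple[str, str]]:
    """Return (process, finding) pairs for every rule violation.

    Rule 1 (note under the OTR definition): OTR must be strictly below TMT.
    Rule 2 (OPR definition): the backup interval must not exceed the OPR,
    otherwise an outage could lose more data than the process tolerates.
    """
    findings = []
    for r in rows:
        if r.otr_h >= r.tmt_h:
            findings.append((r.process, f"OTR {r.otr_h}h is not below TMT {r.tmt_h}h"))
        if backup_interval_h > r.opr_h:
            findings.append((r.process, f"backup interval {backup_interval_h}h exceeds OPR {r.opr_h}h"))
    return findings


def recovery_order(rows: List[ProcessTimes]) -> List[str]:
    """Processes sorted by urgency: shortest OTR first, ties broken by shortest TMT."""
    return [r.process for r in sorted(rows, key=lambda r: (r.otr_h, r.tmt_h))]


if __name__ == "__main__":
    rows = parse_bia(BIA_TABLE)
    # Constructed assumption: backups run every 12 hours.
    for process, finding in check_bia(rows, backup_interval_h=12):
        print(f"FINDING  {process}: {finding}")
    print("Recovery order:", *recovery_order(rows), sep="\n  ")
```

With the table as printed, every OTR is below its TMT and a 12-hour backup interval satisfies every OPR; raising the interval to 24 hours would flag the six processes whose OPR is 12 hours, which is the kind of mismatch between the plan and the actual backup schedule that a periodic review (section 11) should catch.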
7.3. Risk assessment
At this stage, possible threats and/or vulnerabilities of people, systems, infrastructure and processes that could cause continuity risks for the Entity are identified and analyzed, in order to measure the level of risk.
a) Objectives. Continuity risk management has a special function to reduce the
likelihood of a potential threat or vulnerability and to reduce the impact that a
disaster event or significant disruption to services can cause.
b) Methodology. The methodology to be followed covers the following aspects:
- Identification of continuity risk scenarios
- Calculation of the risk inherent in the assets, without security
measures.
- Evaluation of Controls and Mitigation Measures
7.4. Risk identification
The person responsible for the preparation of the Business Continuity Plan will determine the
critical processes and establish the necessary resources for the continuity of the critical
procedures, parameters identified in the Business Impact Analysis (AI) stage.
7.5. Running the Business Continuity Plan (PCN)
Situations that may lead to the invocation and execution of the Business Continuity Plan:
NATURAL ORIGIN
- Fire in the building
- Fire in the surrounding area
- Flooding/water damage in the building
- Flooding/water damage in the surrounding area
- Extreme weather conditions (strong winds, torrential rains, thunderstorms, frost, snowfall, etc.)
- Earthquake
- Epidemics / Pandemics
- Bacterial contamination (example: legionella, etc.)
- Pests

INDUSTRIAL ORIGIN
- Fire in the building
- Fire in the surrounding area
- Flooding/water damage in the building
- Flooding/water damage in the surrounding area
- High levels of pollution
- Dust / dryness
- Excess static electricity
- Strong vibrations produced by works in the building, etc.
- Collapse of the surrounding building or buildings
- Terrorist attack

TECHNOLOGICAL
- Electrical overload
- Power outage (blackouts)
- Hard drive corruption
- Poor management of systems and tools
- Use of unauthorized programs / 'pirated' software
- Lack of testing of new software with productive data
- Data loss
- Improper handling of critical data (encryption, deletion, etc.)
- Improper password handling (insecure, not changed, shared, centralized database)
- Sharing passwords or permissions with unauthorized third parties
- Transmission of passwords by phone
- Exposure or loss of equipment, storage units, etc.
- Lack of staff profile definition, privileges and restrictions
- Lack of physical maintenance (process, spare parts and supplies)
- Lack of software updates (process and resources)
- User permission errors (file access)
- Unauthorized electronic access to external systems
- Unauthorized electronic access to internal systems
- Wired network exposed to unauthorized access
- Wireless network exposed to unauthorized access
- Lack of mechanisms for verifying standards and rules / Inadequate analysis of Control data
- Lack of documentation
- Internal network downtime

HUMAN RESOURCES
- Epidemics / Pandemics
- Strikes
- Extortion
- Attack
- Sabotage
- Poisonings
- Holiday periods
- Absenteeism

SOCIAL
- Fraudulent use of passwords
- Improper payments
- Identity theft

FINANCIAL
- Bankruptcy
- Suspension of payments
- Judicial intervention

OPERATIONAL
- Absence of staff
- Unauthorized use, destruction and/or disclosure of information to which personnel have access
- Environmental damage, poisoning, injury and/or illness of people, epidemics/pandemics
- Introduction of false information
- Alteration of information
- Information corruption
- Destruction of information
- Interception of information (eavesdropping)
- Critical breaches of the supplier's contract
- Disruption of critical provider services
- Serious incidents suffered by critical providers that have a high impact on services
7.6. Identification of detected threats and vulnerabilities
1- Description of vulnerabilities. (see descriptive table below)
2- Description of the risk considering the variables of threat and
vulnerability.
3- Group vulnerabilities into 4 sets: People, General Infrastructure, IT
Infrastructure, Processes
PEOPLE
- Lack of training in how to respond to an incident
- Lack of a business continuity culture
- Lack of communication
- Lack of staff interest
- Lack of training, culture and awareness of workers to carry out their work from their private homes

PHYSICAL INFRASTRUCTURE
- Fire
- Floods
- Increased electrical energy
- Lack of restricted access to rooms specifically designated as safe areas
- Failure to define care and evacuation plans in the event of fire, terrorist threats, earthquakes or similar situations that put human lives at risk
- Control over critical supplies, such as water, essential to maintain hygienic conditions within buildings, as well as temperature and ambient control equipment

IT INFRASTRUCTURE
- Absence of alternative processing sites
- Lack of asset control
- Lack of recovery and return testing, restore from backup tapes
- High dependence on suppliers
- Lack of technological procedures
- Lack of the technology needed for staff to perform their work from other locations, such as their private homes

PROCESSES
- Lack of processes
- Alternative procedures are lacking
- Dependence on, and lack of control of, suppliers
- Insufficient definition of plans within the scope of the Business Continuity Plan
7.7. Calculation of inherent risk
Inherent risk is assessed through the product of two measurement variables: risk impact and
frequency/probability of occurrence.
- Frequency/Probability of occurrence: To establish the result of the
frequency and probability of occurrence, the ratings assigned in the
different vulnerabilities that make up the risk are averaged.
- Impact: The impact is measured by risk and analyzed taking into
account the level of impact on the following influencing factors
Having assessed both the asset's (or stakeholder's) value, impact, and probability of occurrence,
the three scores are multiplied together to give the inherent risk score. Since both the
probability of occurrence and the Impact are classified from 1 to 6, the maximum total or
inherent risk score is 36 and the minimum is 1.
CRITICALITY LEVEL
VALUE     LEVEL       CRITERIA
25 - 36   WORRISOME   The survival of the company or its services is threatened.
18 - 24   HIGH        Services with SLAs that may involve penalties for non-compliance, loss of customers or claims for damages. High penalties for the Company. Very high percentage of turnover. Business Continuity Plan as a contractual requirement of the service contract signed with the client.
10 - 16   MEDIUM      Services, with or without SLAs, that may involve high penalties for the Company or claims for damages. High percentage of turnover.
1 – 9     LOW         Services whose interruption may cause slight damage to the Client and the Company.
In order to enhance the importance (valuation) of an asset or an interested party, even
within the same typology, the risk factor is calculated by multiplying the previous value by
the corresponding valuation (asset, interested party). In this way, risk factors are
emphasized according to the importance of the asset or interested party for the
organization.
As for the impact assessment criteria, they are detailed in the following table:
IMPACT ASSESSMENT CRITERIA BY CRITICALITY LEVEL

VALUE 1 – 9: LOW
- Financial impact: During an interruption of normal operations lasting more than 7 days, the Company could lose profit or lose revenue below 30% of the expected annual turnover.
- Process impact: Suspends operation or generates delays of up to 1 hour.
- Reputational impact: Internally, among the people involved in the process.
- Legal impact: During an interruption of the normal operation of the procedure of more than 7 days, the penalties for non-compliance could reach 30,000 euros, and/or the period of time within which the breach would lead to sanctions, fines and/or an investigation against the Company is greater than 7 days.
- Impact on customer service: The maximum time in which the procedure must be recovered without causing a significant impact to the Firm or to the External Customer Service is greater than 7 days, or the number of external clients affected daily is equal to or less than 5.
- Human impact: No health and safety issues for employees.
- Impact on generic infrastructure: Does not affect physical facilities or information systems.

VALUE 10 – 16: MEDIUM
- Financial impact: During an interruption of normal operations lasting more than 48 hours and up to 7 days, the Company may lose profit or stop receiving income worth between 30 and 60% of the expected annual turnover.
- Process impact: Suspends the operation or generates delays of more than 1 hour and up to 4 hours.
- Reputational impact: At the level of the entity, with limited knowledge among customers.
- Legal impact: During an interruption of the normal operation of the procedure of more than 48 hours and up to 7 days, the penalties for non-compliance could range between 30,000 and 100,000 euros, and/or the period of time within which the breach would result in sanctions, fines and/or an investigation against the Company is greater than 48 hours and up to 7 days.
- Impact on customer service: The maximum time in which the procedure must be recovered without causing a significant impact to the Company or to the External Customer Service is more than 48 hours and up to 7 days, or the number of external clients affected daily is greater than 5 and up to 10.
- Human impact: Possibility of minor injuries.
- Impact on generic infrastructure: Restricted access to physical facilities (80% accessible) or 20% impact on information systems.

VALUE 18 – 24: HIGH
- Financial impact: During an interruption of normal operations lasting more than 24 hours and up to 48 hours, the Company could lose profit or stop receiving income worth between 60 and 89%.
- Process impact: Suspends the operation or generates delays of more than 4 hours and up to 1 day.
- Reputational impact: The problem is known to a considerable number of customers.
- Legal impact: During an interruption of the normal operation of the procedure of more than 24 hours and up to 48 hours, the penalties for non-compliance could range between 100,000 and 300,000 euros, and/or the period within which the non-compliance would give rise to sanctions, fines and/or an investigation against the Company is greater than 24 hours and up to 48 hours.
- Impact on customer service: The maximum time in which the procedure must be recovered without causing a significant impact to the Company or to the External Customer Service is greater than 24 hours and up to 48 hours, or the number of external clients affected daily is greater than 10 and up to 20.
- Human impact: Injury requiring hospital treatment of more than one staff member. Reduction of personnel at the local level.
- Impact on generic infrastructure: Restricted access to physical facilities (60% accessible) or 60% impact on information systems.

VALUE 25 – 36: WORRISOME
- Financial impact: During an interruption of normal operations lasting more than 4 hours and up to 24 hours, the Company may lose profit or stop receiving income worth between 90 and 100% of the expected annual turnover.
- Process impact: Suspends the operation or generates delays of more than one day and up to 2 days.
- Reputational impact: At the sectoral level / Control Entities.
- Legal impact: During an interruption of the normal operation of the procedure of more than 4 hours and up to 24 hours, the penalties for non-compliance could range
- Impact on customer service: The maximum time in which the procedure must be recovered without causing a significant impact to the Company or to the External Customer Service is more than 4 hours and up to 24 hours, or the number of external customers
- Human impact: Significant injuries. Potential death. Significant reduction of personnel.
- Impact on generic infrastructure: Impossibility of access to physical facilities (0% accessible) or impact on 90 to 100% of information systems. Total destruction of physical facilities.
7.8. Calculation of residual risk
After evaluating the Controls, the mitigation effect on the probability and impact of the risk
is identified, for which the Continuity Risk Matrix determines the residual risk, as follows:
Locate the Control value obtained on the frequency variable in the "Control Rating" Table,
establishing the mitigation effect indicated in the "Quadrants to decrease in frequency"
column. This value is subtracted from the frequency obtained in the inherent risk.
The Residual Risk is found in the following Risk Classification Scale:
VALUE     CLASSIFICATION
25 - 36   WORRISOME
18 - 24   HIGH
10 - 16   MEDIUM
1 – 9     LOW
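The scoring described in 7.7 (impact times averaged frequency, weighted by asset valuation) and 7.8 (control quadrants subtracted from the frequency, then reclassified) is small enough to put in a few functions, and doing so makes the edge cases visible: a frequency that drops below 1, a product that lands in the gap between bands, and the point at which 7.9's action-plan rule fires. The block below is an added illustration, not code from the GOFLUENT plan. Assumed, because the page does not give them: the contents of the "Control Rating" table (a placeholder mapping stands in for it), half-up rounding of the averaged vulnerability ratings, that "serious or critical" in 7.9 means the two top bands, and every rating in the sample register. The levels the source labels ALTO and ENVIRONMENT are rendered as HIGH and MEDIUM.

```python
"""Continuity-risk scoring as described in sections 7.7-7.9: inherent risk,
asset-weighted risk factor, residual risk after controls, and prioritisation.
Added illustration; not code from the GOFLUENT plan."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Criticality bands as given on the page. Thresholds are applied top-down, so a
# value in a gap between bands (e.g. 17) takes the band below it.
BANDS = ((25, "WORRISOME"), (18, "HIGH"), (10, "MEDIUM"), (1, "LOW"))

# ASSUMPTION: the plan's "Control Rating" table (control value -> quadrants
# subtracted from the frequency) is not reproduced on the page; this
# placeholder mapping stands in for it.
CONTROL_QUADRANTS: Dict[int, int] = {0: 0, 1: 1, 2: 2, 3: 3}


def classify(score: int) -> str:
    """Map a 1-36 score to its criticality level."""
    if not 1 <= score <= 36:
        raise ValueError(f"score {score} is outside the 1-36 scale")
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "LOW"  # unreachable because the scale starts at 1


@dataclass
class ContinuityRisk:
    name: str
    impact: int                       # 1-6, from the impact assessment table
    vulnerability_ratings: List[int]  # 1-6 each, one per vulnerability in the risk
    asset_valuation: int = 1          # importance of the asset / stakeholder
    control_value: int = 0            # rating of the controls that mitigate it

    def frequency(self) -> int:
        """7.7: frequency/probability = average of the vulnerability ratings.
        ASSUMPTION: rounded half-up and clamped to the 1-6 scale."""
        avg = int(mean(self.vulnerability_ratings) + 0.5)
        return max(1, min(6, avg))

    def inherent(self) -> int:
        """7.7: inherent risk = impact x frequency, so 1..36."""
        return self.impact * self.frequency()

    def risk_factor(self) -> int:
        """7.7: inherent risk weighted by the asset valuation; used for ordering only."""
        return self.inherent() * self.asset_valuation

    def residual(self) -> int:
        """7.8: subtract the control's quadrants from the frequency (never below 1),
        then multiply by the impact again."""
        quadrants = CONTROL_QUADRANTS.get(self.control_value, 0)
        return self.impact * max(1, self.frequency() - quadrants)


def needs_action_plan(residual_level: str) -> bool:
    """7.9: serious or critical residual risks get an action plan.
    ASSUMPTION: 'serious or critical' means the HIGH and WORRISOME bands."""
    return residual_level in ("HIGH", "WORRISOME")


def assess(risk: ContinuityRisk) -> Dict[str, object]:
    """Full scorecard for one risk."""
    residual = risk.residual()
    level = classify(residual)
    return {
        "name": risk.name,
        "inherent": risk.inherent(),
        "inherent_level": classify(risk.inherent()),
        "risk_factor": risk.risk_factor(),
        "residual": residual,
        "residual_level": level,
        "action_plan": needs_action_plan(level),
    }


def prioritise(risks: List[ContinuityRisk]) -> List[Dict[str, object]]:
    """7.9: order from highest to lowest criticality, by weighted risk factor."""
    return sorted((assess(r) for r in risks), key=lambda a: a["risk_factor"], reverse=True)


# Constructed sample register: scenario names come from the plan's own lists,
# the ratings, valuations and control values are invented for the illustration.
SAMPLE = [
    ContinuityRisk("Power outage (blackouts)", 5, [5, 4, 6], asset_valuation=3, control_value=2),
    ContinuityRisk("Ransomware", 6, [4, 4, 5], asset_valuation=3, control_value=1),
    ContinuityRisk("Improper password handling", 4, [3, 3], asset_valuation=2, control_value=1),
    ContinuityRisk("Holiday periods", 2, [2, 1, 1], asset_valuation=1),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

Two design points follow from the page's own rules. The weighted risk factor can exceed 36, so it is used only to order the register (7.9 prioritises by criticality), while the 1–36 bands are applied to the unweighted inherent and residual products. And because the residual frequency is clamped at 1, a control can never drive a risk below its impact value, which matches 7.8's description of mitigation acting on the frequency variable rather than on the impact.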
7.9. Treatment of residual risk
From the evaluation and analysis of risks, they are prioritized from highest to lowest
"criticality", in order to make decisions on how to act on them. This methodology aims to
act on risks that are outside the range of acceptability. Treatment of residual risk should be
directed towards any of the following options:
- Accept the risk, its impact and its responsibilities: We consider in good
judgment that this is the last option to adopt and, in any case, only as long as the
risks do not have a high impact on those affected and, on the contrary, the
implementation of risk corrective measures implies a disproportionate effort
for the organization in relation to the consequences that would arise in the
event that the risk occurred.
- Avoid risks: This can be done, for example, by avoiding the use of certain
technologies, processes, data or decision criteria, for example, by avoiding the
processing of sensitive data. If the perceived risk stems from the use of a
specific application or technology in data processing, the avoidance measure to
be recommended, as far as possible, should be to redesign the processing by
replacing that application or technology with another that carries a lower risk.
- Mitigate risk: The impact or probability of the risk is not totally avoided, but an
attempt is made to reduce it by adopting certain security measures.
For risks that, in their residual rating, are classified as serious or critical, action plans must
be established for their correction.
Acceptable or tolerable risks must be continuously evaluated, ensuring the effectiveness of
the Control.
The risks and effectiveness of the Controls and Action Plans are monitored to determine
that the Business Continuity plan is working. It will be monitored annually.
7.10. Incident Reporting
Incidents affecting Business Continuity must be reported to the Business Continuity Plan
Manager in the committee, within three (3) business days after the occurrence of the event.
8. Determination of the Continuity Strategy
To determine the Continuity Strategy, the following information is available:
• Critical business processes and services.
• The resources or assets involved in each of the processes or services.
• Recovery times for each of the resources that our technical staff can guarantee.
9. Causes of interruption of services and processes
The Business Continuity Plan has been designed according to the causes that can cause
possible interruptions, and based on these, reference is made to the actions to be followed
in the event that they arise. These can be unified in the following scenarios:
• Absence or unavailability of personnel - Occurs when staff are unable to go to work
to carry out their activity.
• Inability to access the usual workplace - Occurs when a case of force majeure
occurs, such as natural disaster, epidemics, strikes, transport problems, etc. In
this case and in order not to interrupt the critical process of the operation, an
alternative job site must be available.
• Crash of technological systems - Occurs when problems are generated in software
or hardware due to: application failure, telecommunications failure, downed
servers, etc.
• Unavailability of external suppliers - Occurs when we cannot count on critical
suppliers in critical processes. Given this casuistry, we must reflect in the contract
the importance of having a business continuity plan.
Once the specific causes and scenarios that would cause the activation and execution of
the Continuity Plan have been defined, the most appropriate recovery strategies for each
case will be determined, taking into account that some processes may require several
recovery strategies depending on their nature and characteristics.
These strategies are implemented in a later phase, and for each of them we must assess
the cost and viability of their implementation, maintenance, necessary resources, etc., so
that we obtain a set of initiatives to be implemented to improve the continuity of the
process.
10. Contingency response
In this phase, the recovery strategies previouslydefined by the Company,in the previous
step, are implemented. Within this phase of implementation, the following elements are
distinguished:
• Contingency/Crisis Plan (or Incident Plan): It is the central element in the management
of the crisis situation, whose objective is to prevent us from making improvised
decisions that may worsen the crisis, or decisions that are simply not taken. This Plan contains
the initial elements of crisis management:
- Identification of extreme situations that would lead to the declaration of
the crisis situation.
- The flow of decision-making.
- The means for the declaration of the crisis situation.
- Levels of prioritization in the recovery of the organization's infrastructure.
- Temporary start-up requirements.
• Technical work procedures (or incidents): This is all the documentation that
describes how we have to carry out the tasks necessary for the management and
recovery of an application, system, infrastructure or environment. Although they
are not intrinsically part of Business Continuity but of daily operation, it is in a crisis
situation that they become more important.
Therefore, these documents contain a large amount of information specific to each
of the environments: IP addresses, program version control, detailed list of
commands, routing tables, recovery of database copies, application start-up, etc.
11. TESTING, MAINTENANCE AND REVIEW
For this Phase, GOFLUENT will carry out tests for the different scenarios identified in this
Plan, so that the tests will be carried out every year, although the periodicity with which
they will be carried out will vary depending on the type of scenario on which the drill will
be carried out.
The tests will be planned in such a way that they have the least impact on the services that
GOFLUENT provides to its clients. To do this, some measures will be taken, such as
carefully scheduling the dates and times of the tests, which must be announced and agreed
with the clients, if necessary, to avoid losses in the services that GOFLUENT provides to its
clients.
It is important to establish a baseline for the configuration of services and technological
infrastructure in order to return to normal, that is, to the situation that existed before the
time of the incident that caused the crisis situation, or to simulate the materialization of a
security incident that leads to the implementation of the Plan.
For the planning of continuity tests, the following aspects shall be taken into account:
- Technical staff involved in the test.
- User of the application involved in the test.
- The external staff involved in the test: customers, suppliers, etc.
- The description of the test to be performed
- The description of the expected result after the execution of the test
- The time and date of completion; keep in mind that whenever the test may involve
a loss of service, whether successfully executed or not, it should be planned on a
schedule with minimal impact.
Once the tests have been carried out, a report will be drawn up that will reflect the results
of the tests and that will include a comparison between the expected results and the results
obtained. From these reports, relevant information will be obtained to analyze and
introduce improvements in continuity plans.
11.1. Maintenance and review plan
The purpose is to keep all documentation updated; therefore, whenever there is a
significant change in the organization, at the level of ICT infrastructures, personnel, or any
other aspect involved in critical processes, it will be necessary to review and update all the
documentation that describes the Business Continuity Management System, especially
the documentation related to the Business Continuity Plan (PCN) and the Disaster Recovery
Plans (PRD).
It is important to note that all the documents necessary to address a crisis situation must
faithfully reflect the information relating to the actors involved in the processes and
services: technical infrastructure, personnel, external suppliers and third parties that must
be taken into account in a contingency situation.
Annually, a review meeting will be convened by the MANAGEMENT of GOFLUENT, in which
the members of the Business Continuity Committee and the Crisis Committee will
participate and, among other matters, the changes made that affect the parties
involved in services and processes, and how these have been reflected in the documents of
the Business Continuity Management System, will be discussed. During this review meeting
by the Management, all the documentation that has been modified during that year will be
approved.
11.2. Test Plan
The Test Plan shows the different types of Teststhat GOFLUENT will carry out during the
current year.
Among the main objectives of the Test Plan are the following:
- Make sure your plan information is kept up to date.
- Ensure that, in a contingency situation, the organization can recover within the
established times, an aspect that can determine the continuity of the organization.
- Increase the cohesion of the personnel involved in a possible contingency.
- Improve users' knowledge of continuity testing.
- Increase user trust in the organization.
12. TRAINING OF STAFF ON BUSINESS CONTINUITY
For the Business Continuity Plans to be effective and meet the objectives set by the
Company, it is essential to have the participation and commitment of the staff.
It is for this reason that the business continuity team has the responsibility to ensure that
the staff has the most appropriate training to act correctly in any contingency, which allows
them to become aware of the importance of the Business Continuity Plan.
The training should address aspects of Business Continuity management for those
employees who have greater responsibility and more active participation in business
continuity management and assist in decision-making that must be carried out during
declared critical situations.
Staff should be trained on specific aspects of the Continuity Plan that must be addressed
with specific knowledge, such as training on evacuation plans, information security, etc.
The rest of the staff must receive training on compliance with the Contingency and Business
Continuity Plans that really affect them, and to the extent that they affect them, since they
must know how to act in this type of situation.
GOFLUENT sets itself the objective of achieving a high level of awareness among its staff
regarding business continuity, since the Management is very aware of its importance. If the
staff is aware of the advantages that Business Continuity has for GOFLUENT, it is very likely
that this will translate into their greater involvement in the Continuity Plans, which will
be reflected in:
• Better compliance with the continuity strategies defined by the Firm.
• Greater agility when identifying and analyzing crisis situations.
• Ease in preventing a crisis situation if an employee is able to identify vulnerabilities
that can lead to a situation of these characteristics.
• Staff will be able to contribute more efficiently to the improvement of Continuity
Plans.
13. BUSINESS CONTINUITY STRATEGIES
The business continuity plan has been designed in line with the causes that the
Management and the Head of Business Continuity have identified as incidents or causes
that may lead to possible interruptions, so that, based on them, the strategies and actions
to be followed in case they materialize are defined. These can be unified in the following scenarios:
STAGE CATEGORY: Absence or unavailability of personnel
Scenario type: Strikes, Inadequate temperature or humidity conditions, Unavailability of personnel, Extortion, Sabotage of facilities, Epidemic, Pandemic, Attack, Bad weather conditions that prevent staff from attending their work normally, Vacation periods, Absenteeism, Environmental damage, Poisoning, injury and/or illness of people.
Strategies:
- Operational staff, but not available in the office:
  1. Reincorporation of staff in teleworking mode.
- Non-operational staff, but partially available in a contingency situation:
  1. Reincorporation of staff in teleworking mode.
  2. Reinstatement in the available GOFLUENT Center.
- Non-operational, unavailable or contingency personnel:
  1. Activate the Plan with the available staff.
  2. Incorporate into the projects GOFLUENT staff dedicated to other projects, but trained to work on any of the projects managed by GOFLUENT.
  3. Open an urgent selection process to incorporate staff in serious situations of unavailability of personnel.

STAGE CATEGORY: Inability to access the usual workplace
Scenario type: Fire in the building or surroundings, Flood / Water damage in the building or surroundings, Extreme weather conditions (strong winds, torrential rain, thunderstorm, frost, snowfall, etc.), Epidemic / Pandemic, Earthquake, High levels of pollution, Dust / dryness, Bacteriological contamination of the office, Existence of pests in the building, Excess static electricity, Strong vibrations produced by works in the building, etc., Bankruptcy, Suspension of payments, Judicial intervention, Lack of financial foresight, Identity theft.
Strategies:
- Completely inoperative center:
  1. Relocation in telework mode.
  2. Relocation to a contingency office rented from a Networking Center.
- Partially inoperative center:
  1. Relocation in telework mode.
  2. Transfer to operating rooms of the affected headquarters.

STAGE CATEGORY: Failure of technological systems
Scenario type: Electrical overload, Power failure (blackouts), Hard drive damage, System failures caused by mishandling of systems and tools, Use of unauthorized programs / 'pirated' software, Failures caused by lack of testing of new software with productive data, Data loss, Errors caused by improper handling of critical data (code, delete, etc.), Failures caused by improper handling of passwords (insecure, not changed, shared, centralized database), Errors or intentional attacks caused by sharing passwords or permissions with unauthorized third parties, Errors or intentional attacks caused by transmission of passwords over the phone, Exposure or loss of equipment, storage drives, etc., Failures caused by lack of profile definition, personnel privileges and restrictions, Failures caused by lack of physical maintenance (process, spare parts and supplies), Failures caused by lack of software updates (process and resources), Failure of user permissions (access to files), Unauthorized electronic access to external systems, Unauthorized electronic access to internal systems, Wired network exposed to unauthorized access, Wireless network exposed to unauthorized access, Lack of rule and regulation verification mechanisms / Improper analysis of Control data, Lack of documentation, Internal network crash, Internet access crash, Outage of telephone providers, Viruses/Trojans, Phishing, Ransomware, Denial of service (DDoS) attacks, Other hacking attacks, Unauthorized use, destruction and/or disclosure of information to which personnel have access, Introduction of false information, Alteration of information, Corruption of information, Destruction of information, Interception of information (unauthorized eavesdropping), Fraudulent use of passwords.
Strategies: Technological means available in a situation of failure of the main infrastructure or part of the infrastructure:
  1. Backups that are made every 7 days.
  2. Servers of other Centers.
  3. Copies of the virtual machines to facilitate the restoration of information systems.
  4. Alternative suppliers.
  5. Availability of alternative portable equipment prepared for use in teleworking mode.

STAGE CATEGORY: Unavailability of external suppliers
Scenario type: Critical breaches of supplier contracts, Serious incidents suffered by critical suppliers that have a high impact on services, Improper payments.
Strategies:
  1. Relocation in telework mode.
  2. Alternative suppliers.

STAGE CATEGORY: Unavailability of the service for reasons attributable to the client
Scenario type: Any incident that causes the unavailability of the service for reasons attributable to the client and that causes the activation of the continuity plan by the client.
Strategies: In this case, the instructions provided by the customer will be followed.
14. TESTS
It consists of testing the effectiveness of the plan. This stage will give us information that
will help us identify and prevent problems in case of any contingency.
The objectives are:
- Put the established procedures into practice.
- Identify improvements.
- Allow the plan to remain active, up-to-date, understandable, and usable.
- See what capabilities we have when it comes to regaining business continuity.
The tests will be run in situations that affect the daily performance of workers as little as
possible, or outside working hours. The following tasks will be included:
- Verification of the plan, including procedures.
- Evaluation of the performance of the personnel involved.
- Identification of the ability to retrieve vital information, along with applications.
- Role of systems.
14.1. Periodic verification of performance practices
GOFLUENT must carry out periodic checks of the action practices defined in the
Contingency Plans, on those assets that are considered critical for Business Continuity.
To do this, the Business Continuity Manager must coordinate the preparation of a Periodic
Test Plan (Annex to this document), where the operations to be carried out on the assets
are planned, as well as the necessary resources, in order to evaluate the degree of
effectiveness and efficiency of the measures foreseen through the Contingency Plan.
The Business Continuity Manager must record, in the Results Report of the Continuity and
Availability Plan, the results obtained from the execution of the operations planned
through the Periodic Verification Plan for the situations foreseen in the Contingency Plan.
With the preparation of the corresponding report, it is intended to evaluate and analyze
the degree of effectiveness and efficiency of the contingency plan defined, assessing its
possible modification, based on the conclusions obtained.
If, after recording and analyzing the simulation of the event, possible actions that could be
improved are detected, the SGI Manager must update the PCN.
15. REFERENCE DOCUMENTATION
• ISO 27001: 2017 Information Security Management System (ISMS).
Type of test: Integrated
Technique used:
• Creating a scenario.
• Live monitoring of all recovery strategies.
• It will be done with prior notice.
• Support to providers involved in recovery.
Operation: Integrated testing with all the elements that are part of the plan.

Type of test: Components
Technique used:
• Creating the scenario.
• Strategy monitoring.
• It will be done with prior notice.
• Supporting providers involved in recovery.
Operation: Recovery strategies and procedures are executed for each of the components of the technological infrastructure.

Type of test: Desk
Technique used:
• With prior notice.
• Create a scenario.
Operation: An exercise is performed on the role of a disaster scenario that takes place anywhere in the office.
ANNEX I: CONTINGENCY VERIFICATION AND DISASTER RECOVERY PLAN
CONTINGENCY VERIFICATION AND DISASTER RECOVERY PLAN
POTENTIAL
EVENT:
CREATED BY:
DATE OF
PREPARATION:
1. RISK STATEMENT:
Definition of the risks associated with the potential event.
2. ASSETS INVOLVED IN THE EVENT OR INCIDENT:
Include adescription,asdetailedaspossible,of the assetsthatmaybe affectedby
the event.
3. PERSONNEL INVOLVED:
Describe the responsibilities of the staff at the event.
4. IMPACT CAUSED:
Description of the consequences that the potential event could generate.
5. PREVENTIVE PLAN:
Definitionof the plannedoperations,sothat, as far as possible,the occurrence of
the potential event could be avoided.
6. ACTION PLAN TO FORCE THE EVENT:
Description of the operations to be carried out to force the occurrence of the
potential event and to be able to evaluate the degree of effectiveness of the
response and recovery plan.
7. RESPONSE AND RECOVERY PLAN
Definition of the planned operations to be carried out, in case of detection of the
potential event, as well as the expected action times.
8. OTR - Recovery Time Objective:
Definition of the objective recovery times foreseen for the recovery of the normal
situation.
9. TMT - Maximum tolerable downtime:
Definition of the time after which the unfavorable impacts that may arise as a
result of not supplying a product/service or not carrying out an activity become
unacceptable.
10. OPR - Degree of dependence on current data (Recovery Point Objective):
Definition of the point from which it must be possible to retrieve the information
used by an activity, so that it can work after an interruption. This value determines
the impact of data loss on the activity. This value is critical to determining your
organization's backup policies.
11. TRT - Work Recovery Time:
Definition of the time spent searching for lost data and making repairs. It is calculated as
the time between system recovery and process normalization.
12. NOR - Minimum Service Recovery Levels (Revised Operational Level):
Definition of the minimum level of recovery that an activity must have for us to
consider it as recovered, even if the level of service is not optimal.
13. OCMN - Minimum Business Continuity Objective:
Definition of the minimum level of services and/or products that is acceptable for
the organization to achieve its business objectives during an outage.
16. ANNEX II: INCIDENT REPORT
REPORTING OF EVENTS OR INCIDENTS
EVENT IDENTIFICATION:
DETECTED BY:
EVENT DATE:
1. ACTION PLAN CARRIED OUT
Description of the actions that have been carried out to ensure Business Continuity when
an event occurs.
2. DEGREE OF EFFECTIVENESS OF THE PLANNED CONTINGENCY PLAN
Definition of the effectiveness of the actions foreseen in the contingency plan with respect to the
actions actually carried out when the event occurred.
3. DEFICIENCIES IDENTIFIED IN THE PLANNED CONTINGENCY PLAN
Possible unforeseen actions that had to be carried out before the event to ensure business
continuity.
4. PROPOSAL FOR AN IMPROVEMENT PLAN
Definition of possible actions that would improve the level of response on other occasions to the
same event, improving the level and response times.
5. OTR - Recovery Time Objective:
Indication of the recovery times of the normal situation during the event that occurred, and verification
against the theoretical times foreseen in the Contingency Plan and in the Results Report.
6. TMT - Maximum tolerable downtime:
Indication of whether the time necessary to consider the service stoppage unacceptable has
elapsed. Indicate whether the initially planned TMT time is in line with the actual situation of the
organization.
7. OPR - Degree of dependence on current data (Recovery Point Objective):
Indication of whether the OPR was sufficient or, on the contrary, it was necessary to manually
retrieve the information. Indicate whether the OPR time available to the organization is in line with
the actual needs of the organization.
8. TRT - Work Recovery Time:
Indication of the time spent searching for lost data and carrying out the necessary repairs. Indicate
if this time has been adjusted to the real needs of the organization.
9. NOR - Minimum Service Recovery Levels (Revised Operational Level):
Indication of whether the recovery levels of the services have remained within the Minimum
Recovery Level previously defined by the organization. Check if these minimum levels have been
adjusted to the real needs of the organization.
10. OCMN - Minimum Business Continuity Objective:
Indication of whether, during the interruption of the service, the minimum service objectives,
previously defined by the organization in the Contingency Plan, have been met. Check if the
minimum objectives of continuity have been adjusted to the real needs of the organization.
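As an added illustration of how the objectives defined in Annex I (OTR, TMT, OPR, TRT) are checked against a real or simulated event when filling in items 5 to 8 of Annex II, the following Python script derives the actual values from the timestamps recorded during an incident and flags the objectives that were not met. This is example code written for this page, not a form or tool from the document; the class and function names are my own, the timestamps in sample_timeline() are constructed, and the comparison of the total downtime (OTR + TRT) against the TMT follows the usual relation between these metrics rather than any rule stated in the document.

```python
"""Check an incident timeline against the recovery objectives of a
contingency plan, using the document's own acronyms:
OTR = Recovery Time Objective, TMT = maximum tolerable downtime,
OPR = Recovery Point Objective, TRT = Work Recovery Time.

Added example, not part of the policy document. Names are my own and
the timestamps in sample_timeline() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class PlannedObjectives:
    """Targets written into the contingency plan (Annex I, items 8-11)."""
    otr: timedelta  # time allowed to get the system back
    tmt: timedelta  # downtime after which the impact becomes unacceptable
    opr: timedelta  # maximum acceptable age of the data that is restored
    trt: timedelta  # time allowed from system recovery to process normalization


@dataclass(frozen=True)
class IncidentTimeline:
    """Timestamps recorded while handling a real (or forced) event."""
    last_good_copy: datetime      # last backup that could be restored
    outage_start: datetime        # service stopped being available
    system_recovered: datetime    # system available again
    process_normalised: datetime  # lost data recovered, repairs finished


@dataclass(frozen=True)
class MetricResult:
    name: str
    actual: timedelta
    planned: timedelta

    @property
    def met(self) -> bool:
        return self.actual <= self.planned


def evaluate(timeline: IncidentTimeline, plan: PlannedObjectives) -> List[MetricResult]:
    """Derive the actual OTR, OPR, TRT and total downtime from the timeline
    and compare each against the planned value (Annex II, items 5-8)."""
    if not (timeline.last_good_copy <= timeline.outage_start
            <= timeline.system_recovered <= timeline.process_normalised):
        raise ValueError("timeline timestamps are out of order")

    actual_otr = timeline.system_recovered - timeline.outage_start
    # Data loss is the age of the last usable copy at the moment of the outage.
    actual_opr = timeline.outage_start - timeline.last_good_copy
    # TRT as the document defines it: system recovery to process normalization.
    actual_trt = timeline.process_normalised - timeline.system_recovered
    # Assumption: the whole interruption (OTR + TRT) is what must stay within
    # the TMT; this is the common MTD >= RTO + WRT relation, not a rule of the document.
    total_downtime = actual_otr + actual_trt

    return [
        MetricResult("OTR", actual_otr, plan.otr),
        MetricResult("OPR", actual_opr, plan.opr),
        MetricResult("TRT", actual_trt, plan.trt),
        MetricResult("TMT", total_downtime, plan.tmt),
    ]


def deficiencies(results: List[MetricResult]) -> List[str]:
    """Objectives that were not met: input for the improvement plan (Annex II, items 3-4)."""
    return [r.name for r in results if not r.met]


def format_report(results: List[MetricResult]) -> List[str]:
    """One line per metric, in the shape of the incident report annex."""
    lines = []
    for r in results:
        status = "met" if r.met else "NOT met"
        lines.append(f"{r.name}: actual {r.actual}, planned {r.planned} -> {status}")
    return lines


def sample_timeline() -> IncidentTimeline:
    """Constructed timestamps for a fictional outage."""
    return IncidentTimeline(
        last_good_copy=datetime(2021, 11, 8, 2, 0),
        outage_start=datetime(2021, 11, 8, 9, 30),
        system_recovered=datetime(2021, 11, 8, 13, 0),
        process_normalised=datetime(2021, 11, 8, 16, 0),
    )


def sample_plan() -> PlannedObjectives:
    """Constructed objectives, as they would appear in Annex I."""
    return PlannedObjectives(
        otr=timedelta(hours=4), tmt=timedelta(hours=8),
        opr=timedelta(hours=12), trt=timedelta(hours=2),
    )


if __name__ == "__main__":
    for line in format_report(evaluate(sample_timeline(), sample_plan())):
        print(line)
```

With the constructed sample, the system was back in 3 h 30 min (within the 4 h OTR), the restored data was 7 h 30 min old (within the 12 h OPR) and the interruption as a whole lasted 6 h 30 min (within the 8 h TMT), but normalizing the process took 3 h against a 2 h TRT, so TRT is the deficiency that item 3 of Annex II would record and item 8 would mark as not adjusted to the real needs of the organization.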