S 6.1 Development of a survey of availability requirements
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Persons responsible for individual applications
The availability requirements for the IT applications running on an IT system and their data must be determined. Since an IT application does not necessarily require every component of the IT system, the availability requirements of the IT applications on the main components of the IT system must be analysed. The result of this analysis can be presented in the form of a survey containing the following:
| IT System | IT Component | IT Application | Tolerable downtime |
|---|---|---|---|
| Central system | Host | Travel expenses | 5 work days |
| Accounting | 3 hours | ||
| Data transmission | Via e-mail | 3 work days | |
| Accounting | 1 work day | ||
| Printer | Travel expenses | 10 work days | |
| Accounting | 2 work days | ||
| Project planning | 1 work day | ||
| LAN | Servers | Data acquisition | 1 work day |
| Control station | 4 hours | ||
| PC | Data acquisition | 10 work days | |
| PC | Control station | 4 hours |
(Interpretation: The "Host" IT component in the IT system "Central system" has a maximum tolerable downtime of 3 hours due to the "Accounting" IT application.)
A practical approach is to ask the staff responsible for the procedure for the IT applications with respect to the tolerable downtimes of the IT components used for each of the various IT applications and to subsequently list the results according to the IT systems and components in a table.
The overview provided by the survey makes it easier to determine which components of the IT system are particularly time-critical and which require contingency planning. In addition, this survey provides information on the affected IT applications and their availability requirements if one of the components should fail.
The users and the specialised departments must provide justification for the availability requirements they pose if this has not already been done elsewhere. The availability requirements must be confirmed by the company management or the management of government agency.
When a component of the IT system fails, this survey makes it possible to determine quickly when the emergency started. Whether or not an emergency exists when a particularly time-critical component fails can be determined based on the replacement procurement plan and on the study of the alternatives available internally and externally.
Review questions:
- Are the availability requirements defined for the applications operated in the IT systems and their data?
- Is documentation on the tolerable downtimes available?