
Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12  695


                      ■  An SLA may also be used to specify the services the organization expects
                         IT staff to provide, to support applications that are developed internally, or
                         to address other issues related to the computers and network making up
                         the organization’s electronic infrastructure.

                    An SLA often includes information on the amount of downtime that can be
                 expected from systems, where customers will be unable to use a Web site, server, or
                 other software and equipment. This information usually provides the expected
                 availability of the system in a percentage format, which is commonly called the
                 “Number of Nines.” As Table 12.1 shows, the Number of Nines can be translated
                 into the amount of time a system may be down in a year’s time. If this estimate is
                 longer than specified in the SLA, additional losses may be experienced, because
                 employees are unable to perform their jobs or customers are unable to purchase
                 items from an e-commerce site.

                 Table 12.1 Availability Expectations (“Number of Nines”)

                 Percentage Availability (%)             Allowed Downtime per Year

                 99.9999                                 32 seconds
                 99.999                                  5.3 minutes
                 99.99                                   53 minutes
                 99.9                                    8.7 hours
                 99.0                                    87 hours
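
Added example (not from the book): a short Python check that derives the yearly downtime budget behind Table 12.1 and compares it with a log of outage windows, counting overlapping windows only once. The function names and the outage log are constructed for illustration, and a 365-day year is assumed.

```python
from datetime import datetime, timedelta

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: non-leap year, as in Table 12.1

def allowed_downtime(availability_pct):
    """Yearly downtime budget for an availability percentage (e.g. 99.99)."""
    if not 0 <= availability_pct <= 100:
        raise ValueError("availability must be between 0 and 100")
    return timedelta(seconds=SECONDS_PER_YEAR * (1 - availability_pct / 100))

def observed_downtime(outages):
    """Total downtime from (start, end) pairs; overlapping windows count once."""
    total = timedelta()
    cur_start = cur_end = None
    for start, end in sorted(outages):
        if end < start:
            raise ValueError(f"outage ends before it starts: {start} .. {end}")
        if cur_end is None or start > cur_end:   # disjoint: close the open window
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:                                    # overlap: extend the open window
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total

def sla_report(availability_pct, outages):
    """Compare recorded downtime with the budget the SLA percentage allows."""
    budget = allowed_downtime(availability_pct)
    used = observed_downtime(outages)
    return {"budget": budget, "used": used, "breached": used > budget}

def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample outage log for one year (not real data).
SAMPLE_OUTAGES = [
    (_t("2023-03-02 01:00"), _t("2023-03-02 01:30")),  # 30 minutes
    (_t("2023-03-02 01:20"), _t("2023-03-02 01:45")),  # overlaps the first window
    (_t("2023-07-19 14:00"), _t("2023-07-19 14:10")),  # 10 minutes
]

if __name__ == "__main__":
    for pct in (99.99, 99.9):
        r = sla_report(pct, SAMPLE_OUTAGES)
        print(pct, r["budget"], r["used"], "BREACH" if r["breached"] else "ok")
```

With the sample log, the merged downtime is 55 minutes, which exceeds the 99.99% budget of about 53 minutes but is well inside the 99.9% budget of about 8.7 hours.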



                 Disposal/Destruction

                 Nothing lasts forever. After a while, equipment becomes outdated and data is no
                 longer needed. When this occurs, you need to determine what to do with it. You
                 do not want people recovering data on hard disks that are thrown away, reading
                 printed materials they find in the garbage, or acquiring other information that has
                 been removed from service. Due to the sensitive nature of some data, a policy
                 dealing with the safe disposal and destruction of data and equipment is necessary.
                    The first step regarding disposal and destruction is deciding what needs to be
                 disposed of and destroyed. Because data can become obsolete or is legally required
                 to be removed after a period of time, certain data needs to be removed from a
                 system. As we’ll see later in this chapter, the period of time when data and printed
                 records become obsolete may be outlined in a data retention policy.



                                                                              www.syngress.com