Sat Aug 30 13:01:55 PDT 2014

Redundancy: Interdependencies: How should redundancy be applied to interdependent mechanisms?


Options:

Option 1: Interdependencies should be ignored.
Option 2: All components and systems should be treated equally.
Option 3: Only internal dependency analysis should be undertaken.
Option 4: Interdependency analysis and proper planning for interdependencies should be done.

Decisions:

IF no business continuity or disaster planning is done, THEN Interdependencies should be ignored.
OTHERWISE IF there are a small number of systems and mechanisms or everything operates with the same risk profiles, THEN All components and systems should be treated equally.
OTHERWISE IF the enterprise is medium or smaller in size information technology is medium risk or below, THEN Only internal dependency analysis should be undertaken.
OTHERWISE Interdependency analysis and proper planning for interdependencies should be done.

Basis:

Interdependencies should be ignored.
If no business continuity or disaster planning is done, it is likely that no interdependency analysis will be required either because the time and effort spent in analysis will not be applied to provide for recovery or continuity, and this is typically the most important reason to apply it.

All components and systems should be treated equally.
In cases where risk levels are spread amongst all systems and capabilities relatively equally, there is no requirement to do specific analysis of different components or their interdependencies. Rather, everything can be treated uniformly, with redundancy for one component implying the need for redundancy for all. While this will give an imprecise solution, it is reasonable and saves time and effort that would be spent in analysis on redundancy.

Only internal dependency analysis should be undertaken.
For enterprises that are largely outsourced or have only external dependencies on larger or more reliable entities than themselves, contract mechanisms should be relied upon to provide the necessary level of assurance for external dependencies and only internal dependency analysis should be done.

Interdependency analysis and proper planning for interdependencies should be done.
Analysis of interdependencies should indicate risk aggregations, timeliness, and other requirements that apply to those resources, and the redundancy analysis for each of the interdependent items should be provided for according to their redundancy requirements.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved