IT/DR Standards, Regulations, Guidelines
COBIT 5 (2009) – COBIT provides an internationally accepted set of guidance materials used for IT governance, dealing specifically with the creation, testing and monitoring of IT-specific continuity plans.
ISO/IEC 24762 (2008) – provides guidelines on disaster recovery sites, with a focus on information and communications technology disaster recovery (ICT DR) services.
ISO/IEC 27001/17799 (2005) – an Information Security Management System (ISMS) standard aimed at providing structured management of information security within an organization.
ITIL 3.0 Service Management (2007) – the IT Infrastructure Library (ITIL), originally developed on behalf of the British government, is now the worldwide de-facto standard for service management and contains broad and publicly available professional documentation on how to plan, deliver and support IT service features.
AS/NZS ISO/IEC 38500:2010 – outlines the principles for evaluating, managing and monitoring the use of IT within an organization.
Information Technology Control Guidelines (1998) – published by the Canadian Institute of Chartered Accountants, the Guidelines aim to provide a practical means of identifying, understanding, assessing and implementing information technology controls in all types of enterprise.
IT Security Guidelines [PDF] – published by the Office of the Government Chief Information Officer of the Government of the Hong Kong Special Administrative Region, the Guidelines aim to introduce general concepts relating to Information Technology (IT) security, elaborate on relevant security concepts and best practices related to the usage of IT, and provide guidelines and considerations for defining security requirements in the system development process.
BS EN ISO 11354-1 (2009) – outlines automation technologies and their application, and includes a section on risk analysis.
BS ISO/IEC 27002 (2005) – the British Standard that establishes the guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
California SB 1386 – governs security of non-encrypted customer information.
The Computer Fraud and Abuse Act – governs criminal penalties for fraud and related activity in connection with computers.
FDA 21 CFR Part 11 (2010) – defines criteria related to electronic records and electronic signatures, including validation procedures and backup requirements.
NIST 800-30: Risk Management Guide for Information Technology Systems (2002) [PDF] – this set of guidelines developed by the National Institute of Standards and Technology (NIST) provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.
NIST 800-34: Contingency Planning Guide for Information Technology Systems (2010) [PDF] – addresses instructions and recommendations for government IT contingency planning.
NIST 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities [PDF] – provides guidance on designing, developing, conducting, and evaluating TT&E events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions.