8.6 Capacity management
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive #Detective | #Integrity #Availability | #Identify #Protect #Detect | #Continuity | #Governance_and_Ecosystem #Protection |
Control
The use of resources should be monitored and adjusted in line with current and expected capacity requirements.
Purpose
To ensure the required capacity of information processing facilities, human resources, offices and other facilities.
Guidance
Capacity requirements for information processing facilities, human resources, offices and other facilities should be identified, taking into account the business criticality of the concerned systems and processes.
System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
The organization should perform stress-tests of systems and services to confirm that sufficient system capacity is available to meet peak performance requirements.
Detective controls should be put in place to indicate problems in due time.
Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization’s information processing capabilities.
Particular attention should be paid to any resources with long procurement lead times or high costs; managers, service or product owners should therefore monitor the utilization of key system resources.
Managers should use capacity information to identify and avoid potential resource limitations, and dependency on key personnel, which can present a threat to system security or services, and plan appropriate action.
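The monitoring, projection and lead-time points above can be combined into a small detective control. The following is an added example, not text or code from the standard: it fits a linear trend to utilization samples for each monitored resource, projects when the fitted line reaches a threshold, and raises an alert when that date falls inside the procurement lead time (so that there is still time to add capacity or reduce demand). The resource names, thresholds, lead time and sample series are constructed for the demo and are not from any real system; the security interest is that a full log disk or exhausted collector silently drops the records detection depends on.

```python
"""
Added example (not from ISO/IEC 27002): a detective capacity control that
projects when a monitored resource will cross its utilization threshold and
alerts when the projected date lies within the procurement lead time.
All sample series below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Projection:
    resource: str
    latest_pct: float                   # most recent utilization sample
    slope_pct_per_day: float            # fitted growth rate
    days_to_threshold: Optional[float]  # None when utilization is not growing
    alert: bool                         # True when exhaustion is inside lead time


def least_squares(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Ordinary least-squares fit of y = slope * x + intercept."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span more than one point in time")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return slope, mean_y - slope * mean_x


def project_capacity(resource: str, samples, threshold_pct: float = 90.0,
                     lead_time_days: float = 30) -> Projection:
    """
    samples: chronological (timestamp, percent_used) pairs for one resource.
    Fits a linear trend and projects the days, counted from the last sample,
    until the fitted line reaches threshold_pct. Alerts when that is within
    lead_time_days, the assumed time needed to procure or provision capacity.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate a trend")
    t0 = samples[0][0]
    xs = [(t - t0).total_seconds() / 86400.0 for t, _ in samples]  # days
    ys = [float(u) for _, u in samples]
    slope, intercept = least_squares(xs, ys)
    latest = ys[-1]
    if latest >= threshold_pct:
        days = 0.0                      # already over threshold: act now
    elif slope <= 0:
        days = None                     # flat or shrinking: no exhaustion
    else:
        fitted_now = slope * xs[-1] + intercept
        days = max(0.0, (threshold_pct - fitted_now) / slope)
    alert = days is not None and days <= lead_time_days
    return Projection(resource, latest, slope, days, alert)


def make_series(start_pct: float, pct_per_day: float, days: int):
    """Constructed daily samples forming a straight line (demo data only)."""
    t0 = datetime(2024, 1, 1)
    return [(t0 + timedelta(days=d), start_pct + pct_per_day * d) for d in range(days)]


# Constructed sample telemetry for three hypothetical resources.
SAMPLES = {
    "log-collector:/var/log": make_series(60.0, 1.5, 14),   # fills in about a week
    "app-node:cpu":           make_series(20.0, 0.2, 14),   # slow growth
    "archive:/srv/old":       make_series(50.0, -0.5, 14),  # shrinking after cleanup
}


def run_checks(samples=SAMPLES, threshold_pct: float = 90.0,
               lead_time_days: float = 30) -> List[Projection]:
    """Evaluate every monitored resource and return its projection."""
    return [project_capacity(name, s, threshold_pct, lead_time_days)
            for name, s in samples.items()]


if __name__ == "__main__":
    for p in run_checks():
        eta = "n/a" if p.days_to_threshold is None else f"{p.days_to_threshold:.1f} d"
        flag = "ALERT" if p.alert else "ok"
        print(f"{flag:5} {p.resource:24} now {p.latest_pct:5.1f}%  "
              f"trend {p.slope_pct_per_day:+.2f}%/day  threshold in {eta}")
```

With the constructed data the log disk is projected to reach 90% seven days after the last sample, inside the 30-day lead time, so it alerts; the CPU series crosses the threshold only after roughly 337 days and the shrinking archive never does. A linear fit is a deliberate simplification: real utilization often has weekly cycles or step changes, so in practice the fit window and threshold would be tuned per resource, and the projection compared against the lead time actually observed for that resource's procurement.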
Providing sufficient capacity can be achieved by increasing capacity or by reducing demand. The following should be considered to increase capacity:
a) hiring new personnel;
b) obtaining new facilities or space;
c) acquiring more powerful processing systems, memory and storage;
d) making use of cloud computing, which has inherent characteristics that directly address issues of capacity. Cloud computing has elasticity and scalability which enable on-demand rapid expansion and reduction in resources available to particular applications and services.
The following should be considered to reduce demand on the organization’s resources:
a) deletion of obsolete data (disk space);
b) disposal of hardcopy records that have met their retention period (free up shelving space);
c) decommissioning of applications, systems, databases or environments;
d) optimizing batch processes and schedules;
e) optimizing application code or database queries;
f) denying or restricting bandwidth for resource-consuming services if these are not critical (e.g. video streaming).
A documented capacity management plan should be considered for mission critical systems.
Other information
For more detail on the elasticity and scalability of cloud computing, see ISO/IEC TS 23167.