During an audit, an IS auditor notes that an organization’s business continuity plan (BCP) does not
adequately address information confidentiality during a recovery process. The IS auditor should
recommend that the plan be modified to include:
the level of information security required when business recovery procedures are invoked.
information security roles and responsibilities in the crisis management structure.
information security resource requirements.
change management procedures for information security that could affect business continuity.
The business should consider whether information security levels required during recovery should be
the same, lower or higher than when business is operating normally. In particular, any special rules
for access to confidential data during a crisis need to be identified. The other choices do not directly
address the information confidentiality issue.