Best Practices for Security definitions

Just want to get some best practices on the following, plus what is the
source of the answer.
1. What is the review frequency of an IT information system?
2. Best practice for the maximum limit of invalid login.
3. How long will the limit in no. 2 be defined in the system?
4. How long will the session be inactive before it will be terminated?
5. What are the standard auditable events?
6. What is the common practice if there is a system audit failure or
audit storage capacity being reached?
7. How long should an audit log be retained?
8. How often should personnel be trained as a refresher for contingency
planning?
9. How often should a contingency plan be tested?
10. How often should a contingency plan be reviewed?
11. What is the generally acceptable up-time of the alternate
processing site if the primary site went down?
12. How about for the telecom services?
13. How often should a complete system back-up be made?
14. How long should a user be inactive in the USERID system
before all access is disabled?
15. How frequently should an incident response capability be tested?
16. How often should an authorized personnel list be updated?
I can't find any source on the internet for the list above.
Thanks in advance