Review the contingency planning control family

Reference no: EM131032366

Project #4: Prepare a Business Continuity IT Security Policy

Introduction

In Project 2, you developed an IT security policy for a specific facility - a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2). You should reuse applicable sections of your earlier projects for this project (e.g. your organization overview and/or a specific section of your outline).

If you wish to change to a different organization for project #4, you must first obtain your instructor's permission.

Background

Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can continue operations in the event of a disaster (whether natural or man-made). Sometimes, these events are so severe that it is impossible for the business to continue operating from its normal locations. This requires a business continuity plan which, when activated, will enable the business to restore critical operations at other locations and within an acceptable time frame.

Organizations use policies, plans, and procedures to implement an effective DR/BCP program and ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist which will guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy - guidance for DR/BCP planning for a particular data center.

DR/BCP policies for the enterprise (the entire organization) establish what must be done by the organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or covered in another document which the policy refers to. The required content for the DR/BCP plan may also be presented in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline for the plan is presented in Table 4-2.

Sometimes, it is necessary to create supplementary policies which address specific circumstances or needs which must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy - the Business Continuity IT Security Policy. The "Tasks" section of this assignment explains the content requirements for your policy.


Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from https://www.ready.gov/business/implementation/continuity)

Phase 1: Business Impact Analysis

• Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to survival of business
• Conduct follow-up interviews to validate responses to survey & obtain additional info

Phase 2: Develop Recovery Strategies

• Identify resource requirements based on BIAs
• Perform gap analysis (recovery requirements vs. current capabilities)
• Investigate recovery strategies (e.g. IaaS, PaaS, Alternate Sites)
• Document & Implement recovery strategies (acquire / contract for products & services)

Phase 3: Develop Business Continuity Plan

• Develop plan framework (follow policy)
• Identify personnel for DR/BCP teams
• Develop Recovery and/or Relocation Plans
• Write DR/BCP Procedures
• Obtain approvals for plans & procedures

Phase 4: Testing & Readiness Exercises

• Develop testing, exercise and maintenance requirements
• Conduct training for DR/BCP teams
• Conduct orientation exercises for staff
• Conduct testing and document test results
• Update BCP to incorporate lessons learned from testing and exercises

Table 4-2. Outline for a Business Continuity Plan

Purpose: to allow company personnel to quickly and effectively restore critical business operations after a disruption.

Objective: to identify the processes or steps involved in resuming normal business operations.

Scope: work locations or departments addressed.

Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of time, (c) temporary or extended loss of workforce, etc.

Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d) communications, (e) safety of life issues, etc.

Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if "loss of work area" is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.

Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on.

Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a "living" document that is updated as personnel/workforce changes are made.

Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.

Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.

Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.

Tasks

The Business Continuity Security Policy is being written by you as the data center facility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations. Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address required content (sections) for the DR/BCP plan (see Table 4-2) even if that means requiring modifications to standard sections of the document or even adding sections.

Your policy must also address the roles and responsibilities for data center recovery operations. During recovery operations, the data center manager and recovery team personnel (including system administrators and network engineers) must ensure that IT systems and services, including required IT security controls, are operational within the required Recovery Time Objectives and Recovery Point Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP plans. These metrics are used to determine the restoral order for systems and services and guide the selection and implementation of recovery strategies. The metrics also provide performance criteria for outside vendors and service providers from whom your organization purchases or will purchase IT services and products to implement its recovery strategies.

Recovery Time Objective: the maximum time allowed to restore critical operations and services after activation of the business continuity plan. Different RTOs may be set for different IT systems and services.

Recovery Point Objective: the point in time to which you must restore data during startup operations for DR/BCP (used to determine backup frequency for data during normal operating periods and the maximum allowable amount of "lost data" which can be tolerated).

Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO metrics for hardware and software which provide IT security controls. For example, if the data center relies upon an Active Directory server to implement role based access controls, that server should have both an RTO and an RPO and be listed in the business continuity plan.
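As an added illustration (not part of the assignment or of any NIST publication), the following Python checks a hypothetical data center inventory against the rules just described: every system that provides a security control must carry an RTO and RPO, the backup interval must not exceed the RPO, a system's RTO is unreachable if a dependency such as the directory server has a looser RTO, and the restoral order follows dependencies with the tightest RTO first. System names and hour values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class System:
    name: str
    rto_hours: Optional[float]      # Recovery Time Objective, hours
    rpo_hours: Optional[float]      # Recovery Point Objective, hours
    backup_interval_hours: float    # current backup frequency
    depends_on: list = field(default_factory=list)
    security_control: bool = False  # implements an IT security control (e.g. AD)

# Constructed inventory for a hypothetical data center (not from the assignment).
SYSTEMS = [
    System("active-directory", 2, 1, 1, [], True),
    System("firewall-mgmt", 1, 4, 24, [], True),                # backups too infrequent
    System("vpn-gateway", 1, 4, 4, ["active-directory"], True),  # RTO tighter than AD's
    System("badge-system", 4, None, 24, ["active-directory"], True),  # RPO never set
    System("erp-db", 8, 1, 0.5, ["active-directory"]),
    System("erp-app", 8, 8, 8, ["erp-db", "active-directory"]),
]

def validate(systems):
    """Policy findings: missing metrics, a backup schedule that cannot meet the RPO,
    and dependencies whose RTO is looser than the system that needs them."""
    by_name = {s.name: s for s in systems}
    findings = []
    for s in systems:
        kind = "security control" if s.security_control else "system"
        if s.rto_hours is None or s.rpo_hours is None:
            findings.append(f"{s.name}: {kind} has no RTO/RPO; it must be listed in the BCP")
            continue
        if s.backup_interval_hours > s.rpo_hours:
            findings.append(f"{s.name}: backup every {s.backup_interval_hours}h "
                            f"cannot meet an RPO of {s.rpo_hours}h")
        for dep in s.depends_on:
            d = by_name[dep]
            if d.rto_hours is None or d.rto_hours > s.rto_hours:
                findings.append(f"{s.name}: RTO of {s.rto_hours}h is unreachable because "
                                f"dependency {dep} has RTO {d.rto_hours}h")
    return findings

def restoral_order(systems):
    """Dependencies first (topological order); among ready systems, tightest RTO first."""
    by_name = {s.name: s for s in systems}
    remaining = {s.name: set(s.depends_on) for s in systems}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError("dependency cycle in system inventory")
        rto = lambda n: by_name[n].rto_hours if by_name[n].rto_hours is not None else float("inf")
        nxt = min(ready, key=lambda n: (rto(n), n))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order
```

Each finding corresponds to a policy statement the assignment asks for (metrics set, backup frequency derived from RPO, dependency-aware RTOs), and the order is what a recovery team would follow after plan activation.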

The primary audience for your policy will be the CIO and CISO staff members who are responsible for developing IT business continuity plans. Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include: CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO and CIO of the organization.

Tasks:

1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53 (see Table 4-3). Identify policy statements which can be used to ensure that the required controls are in place before, during, and after business continuity operations. (For example, for CP-6 your policy statement should require that IT security requirements be included in plans / contracts involving alternate storage sites for critical business data.) You must address at least 5 controls within the CP control family.

Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)

[Image not reproduced: table of the Contingency Planning (CP) control family from NIST SP 800-53]

2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy statements which can be used to ensure that IT security requirements are addressed during each phase. These statements should include ensuring that RTO/RPO objectives for security services will be addressed during the planning process. (You may wish to include these as part of your policies for implementing CP-1, CP-2, CP-3, and CP-4).

3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine specific policy statements required to ensure that the required CP controls and any additional or alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a business continuity plan. (Your policy statements will tell Business Continuity Planners where and how to "build security in.")

4. Write your Business Continuity Security Policy using the outline in Table 4-4. You must tailor your policy to the subject of IT Security Requirements for the Business Continuity program and address the required controls and actions identified during steps 1-3.

Table 4-4. Outline for an IT Security Policy


I. Identification

a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
h. Distribution List
i. Revision History

II. Purpose

a. Provide a high level summary statement as to the policy requirements which are set forth in this document.

III. Scope

a. Summarize the business continuity activities and operations that this policy will apply to.
b. Identify who is required to comply with this policy.

IV. Compliance

a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)

V. Terms and Definitions

VI. Risk Identification and Assessment

a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).

VII. Policy

a. Present policies which will ensure that IT security is addressed

i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g. controls from the CP family
iv. By specifying roles and responsibilities for IT security during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services and functions

b. Include an explanatory paragraph for each policy statement.

5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first level headings from the outline (I, II, III, etc.).

6. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography and place that at the end of your file. (See Item #3 under Formatting.) Double check your document to make sure that you have cited sources appropriately.

Formatting:

1. Submit your policy as an MS Word document using your assignment folder.

2. Format your policy such that it presents a professional appearance. Use headings and outline formatting to organize information for clarity.

3. Cite sources using a consistent and professional style. You may use APA formatting for citations and references. Or, you may use another citation style, including use of footnotes or end notes. (Citation requirements for policy documents are less stringent than those applied to research papers. But, you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.)

4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

Attachment: Project one and two.rar
