Complete the Final project template and fill the blanks using other 4task documents attached.

User Generated

nahivaah5

Writing

Description

I have sent the all files and in that task 1 to task 4 is reference documents and after review those documents you can fill the" Final Project Part 2 - BIA-BCP-DRP-CIRT template" and also you can see the attached screenshot "Project" for your understanding.


Unformatted Attachment Preview

ISOL 533 - Information Security and Risk Management University of the Cumberlands Task 1. Complete the BIA table below and use it for the remainder of the assignment. You may want to review your Lab #07 assignment where you developed a BIA table. Information needed to create the Business Functions and Processes below are in the “Project Management Plan” scenario and the “Project Health Network Visual”. Hint: look at the processes that go from the customers and into the systems/applications in the “Project Health Network Visual”. Business Function or Process Business Impact Factor Recovery Time Objective IT Systems/Apps Infrastructure Impacts ISOL 533 - Information Security and Risk Management University of the Cumberlands Task 1: Business Impact Analysis – extracts from the Boiler Plate 1. Overview This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was prepared for Health Network, Inc (Health Network). 2. System Description 3.1.1 Identify Outage Impacts and Estimated Downtime Estimated Downtime The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. Mission/Business Process For HNetExchange MTD RTO RPO Mission/Business Process For HNetConnect MTD RTO RPO Mission/Business Process For HNetPay MTD RTO RPO ISOL 533 - Information Security and Risk Management University of the Cumberlands Task 2: Business Continuity Plan – extracts from the Boiler Plate EMERGENCY MANAGEMENT STANDARDS Data backup policy Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards. Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization. IT follows these standards for its data backup and archiving: Tape retention policy Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system. Billing tapes • • • Tapes greater than three years old are destroyed every six months. Tapes less than three years old must be stored locally off-site. The system supervisor is responsible for the transition cycle of tapes. System image tapes • • • A copy of the most current image files must be made at least once per week. This backup must be stored offsite. The system supervisor is responsible for this activity. Off-site storage procedures • Tapes and disks, and other suitable media are stored in environmentally secure facilities. • Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor. Access to backup databases and other data is tested annually ISOL 533 - Information Security and Risk Management University of the Cumberlands ISOL 533 - Information Security and Risk Management University of the Cumberlands Task 3: Disaster Recovery Plan – extracts from the Boiler Plate DISASTER RECOVERY PLAN FOR OVERVIEW PRODUCTION SERVER IT INFRASTRUCTURE Location: Enter location Provide details on what systems, applications, databases and equipment are involved. BACKUP STRATEGY FOR SYSTEM ONE DAILY / MONTHLY / QUARTERLY Choose which strategy on the left is use. DISASTER RECOVERY PROCEDURE RISK #1: LOSS OF COMPANY DATA DUE TO HNETPAY HARDWARE REMOVED FROM PRODUCTION SYSTEMS. Provide details RISK #2: LOSS OF CUSTOMERS DUE TO PRODUCTION OUTAGES. Provide details ISOL 533 - Information Security and Risk Management University of the Cumberlands DISASTER RECOVERY PLAN FOR OVERVIEW PRODUCTION SERVER IT INFRASTRUCTURE Location: Enter location Provide details on what systems, applications, databases and equipment are involved. BACKUP STRATEGY FOR SYSTEM ONE DAILY / MONTHLY / QUARTERLY Choose which strategy on the left is use. DISASTER RECOVERY PROCEDURE RISK #1: LOSS OF COMPANY DATA DUE TO HNETCONNECT HARDWARE REMOVED FROM PRODUCTION SYSTEMS. Provide details RISK #2: LOSS OF CUSTOMERS DUE TO PRODUCTION OUTAGES. Provide details ISOL 533 - Information Security and Risk Management University of the Cumberlands DISASTER RECOVERY PLAN FOR OVERVIEW PRODUCTION SERVER IT INFRASTRUCTURE Location: Enter location Provide details on what systems, applications, databases and equipment are involved. BACKUP STRATEGY FOR SYSTEM ONE DAILY / MONTHLY / QUARTERLY Choose which strategy on the left is use. SYSTEM DISASTER RECOVERY PROCEDURE RISK #1: LOSS OF COMPANY DATA DUE TO HNETEXCHANGE HARDWARE REMOVED FROM PRODUCTION SYSTEMS. Provide details RISK #2: LOSS OF CUSTOMERS DUE TO PRODUCTION OUTAGES. Provide details ISOL 533 - Information Security and Risk Management University of the Cumberlands Task 4: Computer Incident Response Team Plan – extracts from the Boiler Plate Appendix A – Incident Response Worksheet Preparation: What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach? Identification: When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed: • Identify the nature of the incident o What Business Process was impacted o What threat was identified o What weakness was identified o What risk was identified o What was the Risk Factor/Impact of the incident o What was the RTO, MTD and RPO assigned to the business process o What hardware, software, database and other resource were impacted Containment: The immediate objective is to limit the scope and magnitude of the computer/securityrelated incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator. • What needs to be done to limit the scope of the incident Eradication: The next priority is to remove the computer/security-related incident or breach’s effects. • What needs to be done to mitigate the risk of the incident Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident. • What needs to be done to recover the IT systems o What procedures need to be used and are they covered in the Disaster Recovery Plan o Would the Business Continuity Plan be executed in response to this incident o Would any issues be identified that would lead to updates to the BIA, BCP or DR plans. ISOL 533 - Information Security and Risk Management University of the Cumberlands 1. BUSINESS IMPACT ANALYSIS Overview This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was prepared on Health Network, Inc (Health Network). 1.1 Purpose The purpose of the BIA is to identify and prioritize system components by correlating them to the mission/business process(es) the system supports, and using this information to characterize the impact on the process(es) if the system were unavailable. The BIA is composed of the following three steps: 1. Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum that an organization can tolerate while still maintaining the mission. 2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records. 3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can more clearly be linked to critical mission/business processes. Priority levels can be established for sequencing recovery activities and resources. This document is used to build the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system Business Contingency Plan (BCP) and is included as a key component of the BCP. It also may be used to support the development of other contingency plans associated with the system, including, but not limited to, the Disaster Recovery Plan (DRP). 2. System Description {Provide a general description of system architecture and functionality as provided in the scenario instructions. Indicate the operating environment, physical location, general location of users, and partnerships with external organizations/systems. Include information regarding any other technical considerations that are important for recovery purposes, such as backup procedures. Provide a diagram, as an appendix, of the architecture, including inputs and outputs and telecommunications connections.} BUSINESS IMPACT ANALYSIS ISOL 533 - Information Security and Risk Management University of the Cumberlands 3. BIA Data Collection {Normally data collection can be accomplished through individual/group interviews, workshops, email, questionnaires, or any combination of these. For this assignment, review the scenario and include information you would expect to obtain during the normal data collection process} 3.1 Determine Process and System Criticality Step one of the BIA process - Working with input from users, managers, mission/business process owners, and other internal or external points of contact (POC), identify the specific mission/business processes that depend on or support the information system. Mission/Business Process 3.1.1 Description Identify Outage Impacts and Estimated Downtime Outage Impacts The following impact categories represent important areas for consideration in the event of a disruption or impact. Values for assessing category Risk Factors/Impact:    Critical = “1” Major = “2” Minor = “3” Values for assessing category Recovery Time Objectives (RTO):  Critical-1 = 4 hours  Critical-2 = 8 hours  Critical-3 = 24 hours  Major-1 = 36 hours  Major-2 = 48 hours  Minor = 1 week The table(s) below summarizes the impact on each mission/business process if the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system were unavailable. ISOL 533 - Information Security and Risk Management University of the Cumberlands Mission/Business Process for HNetExchange Mission/Business Process for HNetConnect Mission/Business Process for HNetPay BUSINESS IMPACT ANALYSIS Impact Category Risk Factor RTO Describe the Impact if unavailable Impact Category Risk Factor RTO Describe the Impact if unavailable Impact Category Risk Factor RTO Describe the Impact if unavailable Estimated Downtime Working directly with mission/business process owners, departmental staff, managers, and other stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.  Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time leaders/managers are willing to accept for a mission/business process outage or disruption and includes all impact considerations. Determining MTD is important because it could leave continuity planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content.  Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information ISOL 533 - Information Security and Risk Management University of the Cumberlands BUSINESS IMPACT ANALYSIS system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD.  Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data must be recovered (given the most recent backup copy of the data) after an outage. The table below identifies the MTD, RTO, and RPO for the organizational mission/business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. 3.2 Mission/Business Process For HNetExchange MTD RTO RPO Mission/Business Process For HNetConnect MTD RTO RPO Mission/Business Process For HNetPay MTD RTO RPO Identify Resource Requirements The following table identifies the resources that compose the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system including hardware, software, and other resources such as data files. System Resource/Component Description It is assumed that all identified resources support the mission/business processes identified in Section 3.1 unless otherwise stated. ISOL 533 - Information Security and Risk Management University of the Cumberlands 3.3 BUSINESS IMPACT ANALYSIS Identify Recovery Priorities for System Resources The table below lists the order of recovery for resources. The table also identifies the expected time for recovering the resource following a “worst case” (complete rebuild/repair or replacement) disruption.  Recovery Time Objective (RTO) - RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting appropriate technologies that are best suited for meeting the MTD. Priority # System Resource/Component Recovery Time Objective ISOL 533 - Information Security and Risk Management University of the Cumberlands BUSINESS IMPACT ANALYSIS Table 1 – BIA worksheet Business Function or Process Business Impact Factor Recovery Time Objective IT Systems/Apps Infrastructure Impacts ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Purpose The purpose of this business continuity plan is to prepare Health Network, Inc. (Health Network) in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. All Health Network, Inc. (Health Network) sites are expected to implement preventive measures whenever possible to minimize operational disruptions and to recover as rapidly as possible when an incident occurs. The plan identifies vulnerabilities and recommends necessary measures to prevent extended voice communications service outages. It is a plan that encompasses all Health Network, Inc. (Health Network) system sites and operations facilities. Scope The scope of this plan is limited to the three major systems used by Health Network, Inc. (Health Network); the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. This is a business continuity plan, not a daily problem resolution procedures document. Plan objectives        Serves as a guide for the Health Network, Inc. (Health Network) recovery teams. References and points to the location of critical data. Provides procedures and resources needed to assist in recovery. Identifies vendors and customers that must be notified in the event of a disaster. Assists in avoiding confusion experienced during a crisis by documenting, testing and reviewing recovery procedures. Identifies alternate sources for supplies, resources and locations. Documents storage, safeguarding and retrieval procedures for vital records. Assumptions     Key people (team leaders or alternates) will be available following a disaster. A national disaster such as nuclear war is beyond the scope of this plan. This document and all vital records are stored in a secure off-site location and not only survive the disaster but are accessible immediately following the disaster. Each support organization will have its own plan consisting of unique recovery procedures, critical resource information and procedures. Disaster definition Any loss of utility service (power, water), connectivity (system sites), or catastrophic event (weather, natural disaster, vandalism) that causes an interruption in the service provided by Health Network, Inc. (Health Network) operations. The plan identifies vulnerabilities and recommends measures to prevent extended service outages. 1 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Recovery teams    Emergency management team (EMT) Disaster recovery team (DRT) IT technical services (IT) Team member responsibilities    Each team member will designate an alternate All of the members should keep an updated calling list of their work team members’ work, home, and cell phone numbers both at home and at work. All team members should keep this plan for reference at home in case the disaster happens after normal work hours. All team members should familiarize themselves with the contents of this plan. Instructions for using the business continuity plan Invoking the plan This plan becomes effective when a disaster occurs. Normal problem management procedures will initiate the plan, and remain in effect until operations are resumed at the original location or a replacement location and control is returned to the appropriate functional management. Disaster declaration The senior management team, with input from the EMT, DRT and IT, is responsible for declaring a disaster and activating the various recovery teams as outlined in this plan. In a major disaster situation affecting multiple business units, the decision to declare a disaster will be determined by senior management. The EMT and DRT will respond based on the directives specified by senior management. Notification Regardless of the disaster circumstances, or the identity of the person(s) first made aware of the disaster, the EMT and DRT must be activated immediately in the following cases:    Two or more critical systems and/or sites are down concurrently for three of more hours Any critical or major systems are down concurrently for eight or more hours Any problem at any system or network facility that would cause the above conditions to be present or there is certain indication that either of the conditions are about to occur 2 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands External communications Corporate public relations personnel are designated as the principal contacts with the media (radio, television, and print), regulatory agency, government agencies, and other external organizations following a formal disaster declaration. Emergency management standards Data backup policy Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards. Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization. IT follows these standards for its data backup and archiving: Tape retention policy Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system. Billing tapes  Tapes greater than three years old are destroyed every six months.  Tapes less than three years old must be stored locally off-site.  The system supervisor is responsible for the transition cycle of tapes. System image tapes  A copy of the most current image files must be made at least once per week.  This backup must be stored offsite.  The system supervisor is responsible for this activity. Off-site storage procedures  Tapes and disks, and other suitable media are stored in environmentally secure facilities.  Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.  Access to backup databases and other data is tested annually. Emergency management procedures 3 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands The following procedures are to be followed by system operations personnel and other designated organizational personnel in the event of an emergency. Where uncertainty exists, the more reactive action should be followed to provide maximum protection and personnel safety. Note: Anyone not recognized by the IT staff as normally having business in the area must be challenged by the staff who should then notify security personnel. These procedures are furnished to management personnel to take home for reference. Several pages have been included to supply emergency contacts. In the event of any situation where access to a building housing a system is denied, personnel should report to alternate locations. Primary and secondary locations are listed below. Alternate locations Workplace:  Attempt to contact your immediate supervisor or management via telephone. Home and cell phone numbers are included in this document Workplace:  Attempt to contact your immediate supervisor or management via telephone. Home and cell phone numbers are included in this document In the event of a natural disaster In the event of a major catastrophe affecting company facility, immediately notify the BCP Project Manager. Procedure STEP 1 ACTION Notify EMT and DRT of pending event, if time permits. 4 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands 2 3 If the impending natural disaster can be tracked, begin preparation of site within 48 hours as follows:  Deploy portable generators with fuel within 100 miles.  Deploy support personnel, tower crews, and engineering within 100 miles.  Deploy tractor trailers with replacement work space, antennas, power, computers and phones.  Facilities department on standby for replacement shelters  Basic necessities are acquired by support personnel when deployed:  Cash for one week  Food and water for one week  Gasoline and other fuels  Supplies, including chainsaws, batteries, rope, flashlights, medical supplies, etc. 24 hours prior to event:  Create an image of the system and files  Back up critical system elements  Verify backup generator fuel status and operation  Create backups of e-mail, file servers, etc.  Fuel vehicles and emergency trailers  Notify senior management 5 RESTRICTED BUSINESS CONTINUITY PLAN ISOL 533 - Information Security and Risk Management University of The Cumberlands In the event of a fire If fire or smoke is present in the facility, evaluate the situation, determine the severity, categorize the fire as major or minor and take the appropriate action as defined in this section. Call 9-1-1 as soon as possible if the situation warrants it.  Personnel are to attempt to extinguish minor fires (e.g., single hardware component or paper fires) using hand-held fire extinguishers located throughout the facility. Any other fire or smoke situation will be handled by qualified building personnel until the local fire department arrives.  In the event of a major fire, call 9-1-1 and immediately evacuate the area.  In the event of any emergency situation, system security, site security and personal safety are the major concerns. If possible, the operations supervisor should remain present at the facility until the fire department has arrived.  In the event of a major catastrophe affecting the facility, immediately notify senior management. Procedure STEP 1 2 3 ACTION Dial 9-1-1 to contact the fire department. Immediately notify all other personnel in the facility of the situation and evacuate the area. Alert emergency personnel on: Provide them with your name, extension where you can be reached, building and room number, and the nature of the emergency. Follow all instructions given. 4 Alert the EMT and DRT. Note: During non-staffed hours, security personnel will notify the Senior Executive responsible for the location directly. 5 6 Notify Building Security. Local security personnel will establish security at the location and not allow access to the site unless notified by the Senior Executive or his/her designated representative. Contact appropriate vendor personnel to aid in the decision regarding the protection of equipment if time and circumstance permit. 6 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands 7 All personnel evacuating the facilities will meet at their assigned outside location (assembly point) and follow instructions given by the designed authority. Under no circumstances may any personnel leave without the consent of supervision. In the event of a network services provider outage In the event of a network service provider outage to any location, the guidelines and procedures in this section are to be followed. Procedure STEP 1 ACTION Notify senior management of outage. Determine cause of outage and timeframe for its recovery. 2 If outage will be greater than one hour, route all calls via alternate services. If it is a major outage and all carriers are down and downtime will be greater than 12 hours, deploy satellite phones, if available. 7 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands In the event of a flood or water damage In the event of a flood or broken water pipe within any computing facilities, the guidelines and procedures in this section are to be followed. STEP ACTION Procedure 1 2 3 4 Assess the situation and determine if outside assistance is needed; if this is the case, dial 9-1-1 immediately. Immediately notify all other personnel in the facility of the situation and be prepared to cease voice operations accordingly. Immediately notify all other personnel in the facility of the situation and be prepared to cease operations accordingly. Water detected below the raised floor may have different causes:  If water is slowly dripping from an air conditioning unit and not endangering equipment, contact repair personnel immediately.  If water is of a major quantity and flooding beneath the floor (water main break), immediately implement power-down procedures. While power-down procedures are in progress, evacuate the area and follow management’s instructions. Plan review and maintenance This plan must be reviewed semiannually and exercised on an annual basis. The test may be in the form of a walk-through, mock disaster, or component testing. Additionally, with the dynamic environment present within the organization, it is important to review the listing of personnel and phone numbers contained within the plan regularly. The hard-copy version of the plan will be stored in a common location where it can be viewed by site personnel and the EMT and DRT. Electronic versions will be available via the organization’s network resources as provided by IT. Each recovery team will have its own directory with change management limited to the recovery plan coordinator. 8 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Notification of incident affecting the site On-duty personnel responsibilities If in-hours: Upon observation or notification of a potentially serious situation during working hours at a system/facility, ensure that personnel on site have enacted standard emergency and evacuation procedures if appropriate and notify the EMT and DRT. If outside hours: IT personnel should contact the EMT and DRT. Provide status to EMT and DRT Contact EMT and/or DRT and provide the following information when any of the following conditions exist: (See Appendix B for contact list.)   Two or more facilities are down concurrently for three or more hours. Any problem at any system or location that would cause the above condition to be present or there is certain indication that the above condition is about to occur. The EMT will provide the following information:      Location of disaster Type of disaster (e.g., fire, hurricane, flood) Summarize the damage (e.g., minimal, heavy, total destruction) Meeting location that is a safe distance from the disaster scene An estimated timeframe of when a damage assessment group can enter the facility (if possible)  The EMT will contact the respective market team leader and report that a disaster involving voice communications has taken place. The EMT and/or DRT will contact the respective team leader and report that a disaster has taken place. Decide course of action Based on the information obtained, the EMT and/or DRT need to decide how to respond to the event: mobilize IT, repair/rebuild existing site (s) with location staff, or relocate to a new facility. 9 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Inform team members of decision If a disaster is not declared, the location response team will continue to address and manage the situation through its resolution and provide periodic status updates to the EMT/DRT. If a disaster is declared, the EMT and/or DRT will notify IT Tech Services immediately for deployment. Declare a disaster if the situation is not likely to be resolved within predefined time frames. The person who is authorized to declare a disaster must also have at least one backup person who is also authorized to declare a disaster in the event the primary person is unavailable. Contact general vendors Disaster declared: Mobilize incident response/Technical services teams/Report to command center Once a disaster is declared, the DRT is mobilized. This team will initiate and coordinate the appropriate recovery actions. Members assemble at the designated location as quickly as possible. See Appendix E for emergency locations. Conduct detailed damage assessment (This may also be performed prior to declaring a disaster.) 1. Under the direction of local authorities and/or EMT/DRT, assess the damage to the affected location and/or assets. Include vendors/providers of installed equipment to ensure that their expert opinion regarding the condition of the equipment is determined ASAP. A. Participate in a briefing on assessment requirements, reviewing: (1) Assessment procedures (2) Gather requirements (3) Safety and security issues NOTE: Access to the facility following a fire or potential chemical contamination will likely be denied for 24 hours or longer. B. Document assessment results using assessment and evaluation forms contained in Appendix G. Building access permitting: 10 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands  2. 3. Conduct an on-site inspection of affected areas to assess damage to essential hardcopy records (files, manuals, contracts, documentation, etc.) and electronic data.  Obtain information regarding damage to the facility (s) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the DRT. Develop a restoration priority list, identifying facilities, vital records and equipment needed for resumption activities that could be operationally restored and retrieved quickly. Recommendations for required resources. Contact DRT: Decide whether to continue to business recovery phase The EMT and DRT gather information regarding the event; contacts senior management and provides them with detailed information on status. Based on the information obtained, senior management decides whether to continue to the business recovery phase of this plan. If the situation does not warrant this action, continue to address the situation at the affected site(s). Business recovery phase (xx hours - full recovery) This section documents the steps necessary to activate business recovery plans to support full restoration of systems or facility functionality at an alternate/recovery site that would be used for an extended period of time. Coordinate resources to reconstruct business operations at the temporary/permanent system location, and to deactivate recovery teams upon return to normal business operations. system and facility operation requirements The system and facility configurations for each location are important to re-establish normal operations. A list for each location will be included in Appendix F. 11 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Notify IT staff/Coordinate relocation to new facility See Appendix A for IT staff associated with a new location being set up as a permanent location (replacement for site). Secure funding for relocation Make arrangements in advance with suitable backup location resources. Make arrangements in advance with local banks, credit card companies, hotels, office suppliers, food suppliers and others for emergency support. Notify EMT and corporate business units of recovery startup Using the call list in Appendix B, notify the appropriate company personnel. Inform them of any changes to processes or procedures, contact information, hours of operation, etc. (This may be used for media information.) Operations recovered Assuming all relevant operations have been recovered to an alternate site, and employees are in place to support operations, the company can declare that it is functioning in a normal manner at the recovery location. 12 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Appendixes Appendix A: recovery teams Emergency management team (EMT) Note: See Appendix B for contact list. Suggested members to include: senior management, human resources, corporate public relations, legal, IT services, risk management and operations Charter: Responsible for overall coordination of the disaster recovery effort; evaluation and determining disaster declaration; and communications with senior management. Support activities: The EMT:  Evaluate which recovery actions should be invoked and activate the recovery teams  Evaluate damage assessment findings  Set restoration priority based on the damage assessment reports  Provide senior management with ongoing status information  Act as a communication channel to corporate teams and major customers  Work with vendors and IRT to develop a rebuild/repair schedule Disaster recovery team Note: See Appendix B for contact list Charter: Responsible for overall coordination of the disaster recovery effort; establishment of the emergency command area; and communications with senior management and the EMT. Support activities:  Coordinate with EMT and senior management  Determine recovery needs  Establish command center and assembly areas  Notify all company department heads and advise them to activate their plan(s) if applicable, based upon the disaster situation  If no disaster is declared, take appropriate action to return to normal operations using regular staff  Determine if vendors or other teams are needed to assist with detailed damage assessment  Prepare post-disaster debriefing report  Coordinate the development of site-specific recovery plans and ensure they are updated semiannually 13 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands IT technical services (IT) Charter IT will facilitate technology restoration activities. Support activities  Upon notification of disaster declaration, review and provide support as follows: 1. Facilitate technology recovery and restoration activities, providing guidance on replacement equipment and systems, as required 2. Coordinate removal of salvageable equipment at disaster site that may be used for alternate site operations Appendix B: Recovery team contact lists Emergency management team (EMT) Name Address Home Mobile/Cell Phone Address Home Mobile/Cell Phone Address Home Mobile/Cell Phone Disaster recovery team (DRT) Name IT technical services Name 14 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Appendix C: Emergency numbers First responders, public utility companies, others Name Contact Name Phone Appendix D: Contact list Name Address Home 15 RESTRICTED Mobile/Cell Phone ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Appendix E: Emergency command center (ECC) locations Emergency command center - Primary: Address Room XXXX City, State Contact: “coordinator of rooms/space - (xxx) xxx-xxxx Alternate: Address Room XXX City, State Contact: “coordinator of rooms/space - (xxx) xxx-xxxx Emergency command center - Primary: Address Room XXXX City, State Contact: “coordinator of rooms/space - (xxx) xxx-xxxx Alternate: Address Room XXX City, State Contact: “coordinator of rooms/space - (xxx) xxx-xxxx 16 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Appendix F: Forms Incident/disaster form Upon notification of an incident/disaster situation the on-duty personnel will make the initial entries into this form. It will then be forwarded to the ECC, where it will be continually updated. This document will be the running log until the incident/disaster has ended and “normal business” has resumed. TIME AND DATE ________________________________________________________________________ TYPE OF EVENT ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ LOCATION ________________________________________________________________________ ________________________________________________________________________ BUILDING ACCESS ISSUES ________________________________________________________________________ ________________________________________________________________________ 17 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands PROJECTED IMPACT TO OPERATIONS ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ RUNNING LOG (ongoing events) ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ 18 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Critical equipment status form CRITICAL EQUIPMENT STATUS ASSESSMENT AND EVALUATION FORM Recovery team: __________________________________________ Equipment [----------STATUS---------] Condition Salvage 1. ___________________ 2. ___________________ 3. ___________________ 4. ___________________ 5. ___________________ 6. ___________________ 7. ___________________ 8. ___________________ 9. ___________________ 10. __________________ 11. __________________ 12. __________________ 13. __________________ 14. __________________ 15. __________________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______________ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ ______ Comments _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ Legend Condition: OK - Undamaged DBU - Damaged, but usable DS - Damaged, requires salvage before use D - Destroyed, requires reconstruction 19 RESTRICTED ISOL 533 - Information Security and Risk Management BUSINESS CONTINUITY PLAN University of The Cumberlands Appendix G: Building evacuation information Provide evacuation procedures Appendix H: Inventory of primary equipment and network services Provide list of equipment and network services Appendix I: Inventory of backup equipment and systems Provide list of equipment Appendix J: Approved vendor list Server and computer equipment suppliers Company Name Contact Work Mobile phone Work Mobile phone Communications and network services suppliers Company Name Contact 20 RESTRICTED ISOL 533 - Information Security and Risk Management University of the Cumberlands DISASTER RECOVERY PLAN Information Technology Statement of Intent This document delineates Health Network, Inc. (Health Network) policies and procedures for technology disaster recovery, as well as our process-level plans for recovering critical technology platforms and the telecommunications infrastructure. This document summarizes our recommended procedures. In the event of an actual emergency situation, modifications to this document may be made to ensure physical safety of our people, our systems, and our data. Our mission is to ensure information system uptime, data integrity and availability, and business continuity. Policy Statement Corporate management has approved the following policy statement:       The company shall develop a comprehensive IT disaster recovery plan. A formal risk assessment shall be undertaken to determine the requirements for the disaster recovery plan. The disaster recovery plan should cover all essential and critical infrastructure elements, systems and networks, in accordance with key business activities. The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed. All staff must be made aware of the disaster recovery plan and their own respective roles. The disaster recovery plan is to be kept up to date to take into account changing circumstances. Objectives The principal objective of the disaster recovery program is to develop, test and document a wellstructured and easily understood plan which will help the company recover as quickly and effectively as possible from an unforeseen disaster or emergency which interrupts information systems and business operations. Additional objectives include the following: • • • • • The need to ensure that all employees fully understand their duties in implementing such a plan The need to ensure that operational policies are adhered to within all planned activities The need to ensure that proposed contingency arrangements are cost-effective The need to consider implications on other company sites Disaster recovery capabilities as applicable to key customers, vendors and others Key Personnel Contact Info Name, Title Contact Option Contact Number Work Alternate Mobile Home Email Address Alternate Email Work Alternate Mobile Home Email Address Alternate Email Work Alternate Mobile Home Email Address Alternate Email Work Alternate Mobile Home Email Address Alternate Email Work Alternate Mobile Home Email Address Alternate Email Work Alternate Mobile Home Email Address Alternate Email 2 Notification Calling Tree Person Identifying Incident 3 External Contacts Name, Title Contact Option Contact Number Landlord / Property Manager Account Number None Work Mobile Home Email Address Power Company Account Number Telecom Carrier 1 Account Number Telecom Carrier 2 Account Number Hardware Supplier 1 Account Number Server Supplier 1 Account Number. Workstation Supplier 1 Account Number Office Supplies 1 Account Number C3095783 Work Mobile Home Email Address Work Mobile Fax Home Email Address Work Mobile Home Email Address Work Mobile Emergency Reporting Email Address Work Mobile Fax Email Address Work Mobile Home Email Address Work Mobile Home Email Address Insurance – Name 4 Name, Title Account Number Site Security – Account Number Off-Site Storage 1 Account Number Off-Site Storage 2 Account Number HVAC – Account Number Power Generator – Account Number Other – Account Number Contact Option Contact Number Work Mobile Home Email Address Work Mobile Home Email Address Work Mobile Home Email Address User ID Password Home Email Address Work Mobile Home Email Address Work Mobile Home Email Address Work Mobile Home Email Address 5 External Contacts Calling Tree 6 1 Plan Overview 1.1 Plan Updating It is necessary for the DRP updating process to be properly structured and controlled. Whenever changes are made to the plan they are to be fully tested and appropriate amendments should be made to the training materials. This will involve the use of formalized change control procedures under the control of the IT Director. 1.2 Plan Documentation Storage Copies of this Plan, CD, and hard copies will be stored in secure locations to be defined by the company. Each member of senior management will be issued a CD and hard copy of this plan to be filed at home. Each member of the Disaster Recovery Team and the Business Recovery Team will be issued a CD and hard copy of this plan. A master protected copy will be stored on specific resources established for this purpose. 1.3 Backup Strategy Key business processes and the agreed backup strategy for each are listed below. The strategy chosen is for a fully mirrored recovery site at the company’s alternate sites. This strategy entails the maintenance of a fully mirrored duplicate site which will enable instantaneous switching between the live site (headquarters) and the backup site. KEY BUSINESS PROCESS IT Operations Tech Support - Hardware Tech Support – Software Facilities Management Email Purchasing Disaster Recovery Finance Contracts Admin Warehouse & Inventory Product Sales Maintenance Sales Human Resources Testing Fully Mirrored Recovery site Workshop Fully Mirrored Recovery site Call Center Web Site 1.4 BACKUP STRATEGY Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Off-site data storage facility Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Fully mirrored recovery site Risk Management There are many potential disruptive threats which can occur at any time and affect the normal business process. We have considered a wide range of potential threats and the results of our deliberations are included in this section. Each potential environmental disaster or emergency situation has been examined. The focus here is on the level of business disruption which could arise from each type of disaster. 7 Potential disasters have been assessed as follows: Potential Disaster Probability Rating Impact Rating Probability: 1=Very High, 5=Very Low Brief Description Of Potential Consequences & Remedial Actions Impact: 1=Total destruction, 5=Minor annoyance 2 Emergency Response 2.1 Alert, escalation and plan invocation 2.1.1 Plan Triggering Events Key trigger issues at headquarters that would lead to activation of the DRP are: • Total loss of all communications • Total loss of power • Flooding of the premises • Loss of the building 2.1.2 Assembly Points Where the premises need to be evacuated, the DRP invocation plan identifies two evacuation assembly points: • Primary – Far end of main parking lot; • Alternate – Parking lot of company across the street 2.1.3 Activation of Emergency Response Team When an incident occurs the Emergency Response Team (ERT) must be activated. The ERT will then decide the extent to which the DRP must be invoked. All employees must be issued a Quick Reference card containing ERT contact details to be used in the event of a disaster. Responsibilities of the ERT are to: • • • • • Respond immediately to a potential disaster and call emergency services; Assess the extent of the disaster and its impact on the business, data center, etc.; Decide which elements of the DR Plan should be activated; Establish and manage disaster recovery team to maintain vital services and return to normal operation; Ensure employees are notified and allocate responsibilities and activities as required. 2.2 Disaster Recovery Team The team will be contacted and assembled by the ERT. The team's responsibilities include: • Establish facilities for an emergency level of service within 2.0 business hours; • Restore key services within 4.0 business hours of the incident; • Recover to business as usual within 8.0 to 24.0 hours after the incident; 8 • • Coordinate activities with disaster recovery team, first responders, etc. Report to the emergency response team. 2.3 Emergency Alert, Escalation and DRP Activation This policy and procedure has been established to ensure that in the event of a disaster or crisis, personnel will have a clear understanding of who should be contacted. Procedures have been addressed to ensure that communications can be quickly established while activating disaster recovery. The DR plan will rely principally on key members of management and staff who will provide the technical and management skills necessary to achieve a smooth technology and business recovery. Suppliers of critical goods and services will continue to support recovery of business operations as the company returns to normal operating mode. 2.3.1 Emergency Alert The person discovering the incident calls a member of the Emergency Response Team in the order listed: Emergency Response Team • • • If not available try: • • The Emergency Response Team (ERT) is responsible for activating the DRP for disasters identified in this plan, as well as in the event of any other occurrence that affects the company’s capability to perform normally. One of the tasks during the early stages of the emergency is to notify the Disaster Recovery Team (DRT) that an emergency has occurred. The notification will request DRT members to assemble at the site of the problem and will involve sufficient information to have this request effectively communicated. The Business Recovery Team (BRT) will consist of senior representatives from the main business departments. The BRT Leader will be a senior member of the company's management team, and will be responsible for taking overall charge of the process and ensuring that the company returns to normal working operations as early as possible. 2.3.2 DR Procedures for Management Members of the management team will keep a hard copy of the names and contact numbers of each employee in their departments. In addition, management team members will have a hard copy of the company’s disaster recovery and business continuity plans on file in their homes in the event that the headquarters building is inaccessible, unusable, or destroyed. 2.3.3 Contact with Employees Managers will serve as the focal points for their departments, while designated employees will call other employees to discuss the crisis/disaster and the company’s immediate plans. Employees who cannot reach staff on their call list are advised to call the staff member’s emergency contact to relay information on the disaster. 9 2.3.4 Backup Staff If a manager or staff member designated to contact other staff members is unavailable or incapacitated, the designated backup staff member will perform notification duties. 2.3.5 Recorded Messages / Updates For the latest information on the disaster and the organization’s response, staff members can call a toll-free hotline listed in the DRP wallet card. Included in messages will be data on the nature of the disaster, assembly sites, and updates on work resumption. 2.3.7 Alternate Recovery Facilities / Hot Site If necessary, the hot site at SunGard will be activated and notification will be given via recorded messages or through communications with managers. Hot site staffing will consist of members of the disaster recovery team only for the first 24 hours, with other staff members joining at the hot site as necessary. 2.3.8 Personnel and Family Notification If the incident has resulted in a situation which would cause concern to an employee’s immediate family such as hospitalization of injured persons, it will be necessary to notify their immediate family members quickly. 3 Media 3.1 Media Contact Assigned staff will coordinate with the media, working according to guidelines that have been previously approved and issued for dealing with post-disaster communications. 3.2 Media Strategies 1. Avoiding adverse publicity 2. Take advantage of opportunities for useful publicity 3. Have answers to the following basic questions:  What happened?  How did it happen?  What are you going to do about it? 3.3 • • • 3.4 Media Team Rules for Dealing with Media Only the media team is permitted direct contact with the media; anyone else contacted should refer callers or in-person media representatives to the media team. 4 Insurance As part of the company’s disaster recovery and business continuity strategies a number of insurance policies have been put in place. These include errors and omissions, directors & officers liability, general liability, and business interruption insurance. 10 If insurance-related assistance is required following an emergency out of normal business hours, please contact: Policy Name Coverage Type Coverage Period 5 Financial and Legal Issues 5.1 Financial Assessment Amount Of Coverage Person Responsible For Coverage Next Renewal Date The emergency response team shall prepare an initial assessment of the impact of the incident on the financial affairs of the company. The assessment should include:  Loss of financial documents  Loss of revenue  Theft of check books, credit cards, etc.  Loss of cash 5.2 Financial Requirements The immediate financial needs of the company must be addressed. These can include:  Cash flow position  Temporary borrowing capability  Upcoming payments for taxes, payroll taxes, Social Security, etc.  Availability of company credit cards to pay for supplies and services required post-disaster 5.3 Legal Actions The company legal department and ERT will jointly review the aftermath of the incident and decide whether there may be legal actions resulting from the event; in particular, the possibility of claims by or against the company for regulatory violations, etc. 6 DRP Exercising Disaster recovery plan exercises are an essential part of the plan development process. In a DRP exercise no one passes or fails; everyone who participates learns from exercises – what needs to be improved, and how the improvements can be implemented. Plan exercising ensures that emergency teams are familiar with their assignments and, more importantly, are confident in their capabilities. Successful DR plans launch into action smoothly and effectively when they are needed. This will only happen if everyone with a role to play in the plan has rehearsed the role one or more times. The plan should also be validated by simulating the circumstances within which it has to work and seeing what happens. 11 Appendix A – Technology Disaster Recovery Plan Templates Disaster Recovery Plan for SYSTEM OVERVIEW PRODUCTION SERVER Location: Enter location Server Model: Operating System: CPUs: Memory: Total Disk: System Handle: System Serial #: DNS Entry: IP Address: Other: HOT SITE SERVER APPLICATIONS (Use bold for Hot Site) ASSOCIATED SERVERS KEY CONTACTS Hardware Vendor System Owners Database Owner Application Owners Software Vendors Offsite Storage BACKUP STRATEGY FOR SYSTEM ONE Daily / Monthly / Quarterly Choose which strategy on the left you would use and provide details on why. SYSTEM ONE DISASTER RECOVERY PROCEDURE Provide details Scenario 1 Total Loss of Data Provide details Scenario 2 Total Loss of HW 12 Database/File Systems File System as of Filesystem Mounted on kbytes Used Avail Minimal file systems to be backed-up and restored: %used Other critical files to modify Necessary directories to create Critical files to restore Secondary files to restore Other files to restore 13 Disaster Recovery Plan for Local Area Network (LAN) SYSTEM OVERVIEW SERVER HOT SITE SERVER APPLICATIONS (Use bold for Hot Site) ASSOCIATED SERVERS Location: Server Model: Operating System: CPUs: Memory: Total Disk: System Handle: System Serial #: DNS Entry: IP Address: Other: Provide details KEY CONTACTS Hardware Vendor System Owners Database Owner Application Owners Software Vendors Offsite Storage Provide details Provide details Provide details Provide details Provide details Provide details BACKUP STRATEGY for SYSTEM TWO Daily Monthly Quarterly Provide details Provide details Provide details SYSTEM TWO DISASTER RECOVERY PROCEDURE Provide details Scenario 1 Total Loss of Data Provide details Scenario 2 Total Loss of HW 14 ADDENDUM CONTACTS File Systems File System as of Filesystem Mounted on Minimal file systems to be created and restored from backup: kbytes Used Avail %used Other critical files to modify Necessary directories to create Critical files to restore Secondary files to restore Other files to restore 15 Disaster Recovery Plan for Wide Area Network (WAN) SYSTEM OVERVIEW EQUIPMENT HOT SITE EQUIPMENT SPECIAL APPLICATIONS ASSOCIATED DEVICES Location: Device Type: Model No.: Technical Specifications: Network Interfaces: Power Requirements; System Serial #: DNS Entry: IP Address: Other: Provide details KEY CONTACTS Hardware Vendor System Owners Database Owner Application Owners Software Vendors Offsite Storage Network Services Provide details Provide details Provide details Provide details Provide details Provide details Provide details BACKUP STRATEGY for SYSTEM TWO Daily Monthly Quarterly Provide details Provide details Provide details SYSTEM TWO DISASTER RECOVERY PROCEDURE Provide details Scenario 1 Total Loss of Network Provide details Scenario 2 Total Loss of HW 16 ADDENDUM CONTACTS Support Systems Support system Critical network assets Critical interfaces Critical files to restore Critical network services to restore Other services 17 Disaster Recovery Plan for Remote Connectivity SYSTEM OVERVIEW EQUIPMENT HOT SITE EQUIPMENT SPECIAL APPLICATIONS ASSOCIATED DEVICES Location: Device Type: Model No.: Technical Specifications: Network Interfaces: Power Requirements; System Serial #: DNS Entry: IP Address: Other: Provide details KEY CONTACTS Hardware Vendor System Owners Database Owner Application Owners Software Vendors Offsite Storage Network Services Provide details Provide details Provide details Provide details Provide details Provide details Provide details BACKUP STRATEGY for SYSTEM TWO Daily Monthly Quarterly Provide details Provide details Provide details SYSTEM TWO DISASTER RECOVERY PROCEDURE Provide details Scenario 1 Total Loss of Network Provide details Scenario 2 Total Loss of HW 18 ADDENDUM CONTACTS Support Systems Support system Critical network assets Critical interfaces Critical files to restore Critical network services to restore Other services 19 Disaster Recovery Plan for Voice Communications SYSTEM OVERVIEW EQUIPMENT HOT SITE EQUIPMENT SPECIAL APPLICATIONS ASSOCIATED DEVICES Location: Device Type: Model No.: Technical Specifications: Network Interfaces: Power Requirements; System Serial #: DNS Entry: IP Address: Other: Provide details KEY CONTACTS Hardware Vendor System Owners Database Owner Application Owners Software Vendors Offsite Storage Network Services Provide details Provide details Provide details Provide details Provide details Provide details Provide details BACKUP STRATEGY for SYSTEM TWO Daily Monthly Quarterly Provide details Provide details Provide details SYSTEM TWO DISASTER RECOVERY PROCEDURE Provide details Scenario 1 Total Loss of Switch Provide details Scenario 2 Total Loss of Network 20 ADDENDUM CONTACTS Support Systems Support system Critical network assets Critical interfaces Critical files to restore Critical network services to restore Other services 21 Appendix B – Suggested Forms Damage Assessment Form Key Business Process Affected Description Of Problem Extent Of Damage _____________ Management of DR Activities Form • • • During the disaster recovery process all activities will be determined using a standard structure; Where practical, this plan will need to be updated on a regular basis throughout the disaster recovery period; All actions that occur during this phase will need to be recorded. Activity Name: Reference Number: Brief Description: Commencement Date/Time Completion Date/Time Resources Involved In Charge __________________ 22 Disaster Recovery Event Recording Form • • • • All key events that occur during the disaster recovery phase must be recorded. An event log shall be maintained by the disaster recovery team leader. This event log should be started at the commencement of the emergency and a copy of the log passed on to the business recovery team once the initial dangers have been controlled. The following event log should be completed by the disaster recovery team leader to record all key events during disaster recovery, until such time as responsibility is handed over to the business recovery team. Description of Disaster: Commencement Date: Date/Time DR Team Mobilized: Activities Undertaken by DR Team Date and Time Outcome Follow-On Action Required Disaster Recovery Team's Work Completed: Event Log Passed to Business Recovery Team: _________________ 23 Disaster Recovery Activity Report Form • • • • • • On completion of the initial disaster recovery response the DRT leader should prepare a report on the activities undertaken. The report should contain information on the emergency, who was notified and when, action taken by members of the DRT together with outcomes arising from those actions. The report will also contain an assessment of the impact to normal business operations. The report should be given to business recovery team leader, with a copy to senior management, as appropriate. A disaster recovery report will be prepared by the DRT leader on completion of the initial disaster recovery response. In addition to the business recovery team leader, the report will be distributed to senior management The report will include: • A description of the emergency or incident • Those people notified of the emergency (including dates) • Action taken by members of the DRT • Outcomes arising from actions taken • An assessment of the impact to normal business operations • Assessment of the effectiveness of the BCP and lessons learned • Lessons learned __________ Mobilizing the Disaster Recovery Team Form • • Following an emergency requiring recovery of technology infrastructure assets, the disaster recovery team should be notified of the situation and placed on standby. The format shown below can be used for recording the activation of the DR team once the work of the damage assessment and emergency response teams has been completed. Description of Emergency: Date Occurred: Date Work of Disaster Recovery Team Completed: Name of Team Member Contact Details Contacted On (Time / Date) By Whom Response Start Date Required Relevant Comments (e.g., Specific Instructions Issued) ___________ 24 Mobilizing the Business Recovery Team Form  Following an emergency requiring activation of the disaster recovery team, the business recovery team should be notified of the situation and placed on standby. The format shown below will be used for recording the activation of the business recovery team once the work of the disaster recovery team has been completed.  Description of Emergency: Date Occurred: Date Work of Business Recovery Team Completed: Name of Team Member Contact Details Contacted On (Time / Date) By Whom Response Start Date Required Relevant Comments (e.g., Specific Instructions Issued) ____________ Monitoring Business Recovery Task Progress Form • The progress of technology and business recovery tasks must be closely monitored during this period of time. Since difficulties experienced by one group could significantly affect other dependent tasks it is important to ensure that each task is adequately resourced and that the efforts required to restore normal business operations have not been underestimated. • Note: A priority sequence must be identified although, where possible, activities will be carried out simultaneously. Recovery Tasks (Order of Priority) Person(s) Responsible Completion Date Estimated Actual Milestones Identified Other Relevant Information 1. 2. 3. 4. 5. 6. 7. ___________ 25 Preparing the Business Recovery Report Form     On completion of business recovery activities the BRT leader should prepare a report on the activities undertaken and completed. The report should contain information on the disruptive event, who was notified and when, action taken by members of the BRT together with outcomes arising from those actions. The report will also contain an assessment of the impact to normal business operations. The report should be distributed to senior management, as appropriate. The contents of the report shall include:  A description of the incident  People notified of the emergency (including dates)  Action taken by the business recovery team  Outcomes arising from actions taken  An assessment of the impact to normal business operations  Problems identified  Suggestions for enhancing the disaster recovery and/or business continuity plan  Lessons learned Communications Form     It is very important during the disaster recovery and business recovery activities that all affected persons and organizations are kept properly informed. The information given to all parties must be accurate and timely. In particular, any estimate of the timing to return to normal working operations should be announced with care. It is also very important that only authorized personnel deal with media queries. Groups of Persons or Organizations Affected by Disruption Persons Selected To Coordinate Communications to Affected Persons / Organizations Name Position Contact Details Customers Management & Staff Suppliers Media Stakeholders Others ____________ 26 Returning Recovered Business Operations to Business Unit Leadership     Once normal business operations have been restored it will be necessary to return the responsibility for specific operations to the appropriate business unit leader. This process should be formalized in order to ensure that all parties understand the change in overall responsibility, and the transition to business-as-usual. It is likely that during the recovery process, overall responsibility may have been assigned to the business recovery process lead. It is assumed that business unit management will be fully involved throughout the recovery, but in order for the recovery process to be fully effective, overall responsibility during the recovery period should probably be with a business recovery process team. ____________ Business Process/Function Recovery Completion Form The following transition form should be completed and signed by the business recovery team leader and the responsible business unit leader, for each process recovered. A separate form should be used for each recovered business process. Name Of Business Process Completion Date of Work Provided by Business Recovery Team Date of Transition Back to Business Unit Management (If different than completion date) I confirm that the work of the business recovery team has been completed in accordance with the disaster recovery plan for the above process, and that normal business operations have been effectively restored. Business Recovery Team Leader Name: ________________________________________ Signature: ________________________________________________________________ Date: __________________________ (Any relevant comments by the BRT leader in connection with the return of this business process should be made here.) I confirm that above business process is now acceptable for normal working conditions. Name: ___________________________________________________________________ Title: ____________________________________________________________________ Signature: ________________________________________________________________ Date: __________________________ 27 ISOL 533 - InfoSecurity & Risk Management University of The Cumberlands Computer Incident Response Team Plan Purpose This plan was developed for Health Network, Inc. (Health Network) and it is classified as the confidential property of that entity. Due to the sensitive nature of the information contained herein, this plan is available only to those persons who have been designated as members of one or more incident management teams, or who otherwise play a direct role in the incident response and recovery processes . Policy This document discusses the steps taken by the Computer Incident Response Team during an incident. 1) The person who discovers the incident will call the IT Incident Response department. 2) The IT Incident Response department will create a ticket in the Incident Response database and document: a) The name of the caller. b) Time of the call. c) Contact information about the caller. d) The nature of the incident. e) What equipment or persons were involved? f) Location of equipment or persons involved. g) How the incident was detected. h) When the event was first noticed that supported the idea that the incident occurred. Incidents will be classified as either Physical or Electronic. The security department will handle all Physical incidents. The IT department will handle all Electronic incidents. 3) If the incident is validated, the IT Incident Response department will contact the following offices, as appropriate, with details from the Incident Response database, to ensure they are aware of the incident: a) Incident Response manager (via both email and phone messages) b) The security department (via both email and phone messages) c) LAN/WAN and Intrusion detection monitoring personnel (via phone) d) Affected system administrator (via phone) e) Affected database administrator (via phone) 4) The Incident Response department will research the Incident knowledge-base and add the following to the Incident Response ticket: a) Is the equipment affected classified as business critical? b) The Risk Factor/Impact and RTO of the systems affected? c) Name of system being targeted, along with operating system, IP address, and location. d) IP address and any information about the origin of the attack. ISOL 533 - InfoSecurity & Risk Management University of The Cumberlands Computer Incident Response Team Plan 5) The Incident Response manager will determine which response teams will be mobilized and contact the IT Incident Response department to have them contact the team members. 6) The contacted Response Team members will meet or discuss the situation over the telephone and determine a response strategy. a) Is the incident real or perceived? b) Is the incident still in progress? c) What data or property is threatened and how critical is it? d) What is the impact on the business should the attack succeed? Critical, Major, Minor? e) What system or systems are targeted, where are they located physically and on the network? f) Is the incident inside the trusted network? g) Is the response urgent? h) Can the incident be quickly contained? i) Will the response alert the attacker and if so, how will the response proceed? j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage. 7) The Response Team lead will update the Incident Response ticket. The incident will be categorized into the highest applicable level of one of the following categories: a) Category one - A threat to public safety or life. b) Category two - A threat to sensitive data c) Category three - A threat to computer systems d) Category four - A disruption of services 8) Response Team members will follow one of the established Incident Response procedures (if a procedure does not exist, the Response Team will develop and document the new procedure). The following procedures are currently active. a) Worm response procedure b) Virus response procedure c) System failure procedure d) Active intrusion response procedure - Is critical data at risk? e) Inactive Intrusion response procedure f) System abuse procedure g) Property theft response procedure h) Website denial of service response procedure i) Database or file denial of service response procedure j) Spyware response procedure. If a new procedure is developed, it will be forwarded to the Incident Response manager once the incident is resolved so the manager may add it to this document. ISOL 533 - InfoSecurity & Risk Management University of The Cumberlands Computer Incident Response Team Plan 9) Response Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization. 10) Response Team members will recommend changes to the Response Team manager to prevent the occurrence from happening again or infecting other systems. 11) Response Team members will restore the affected system(s) to the uninfected state. They may do any or more of the following: a) Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this. b) Make users change passwords if passwords may have been sniffed. c) Be sure the system has been hardened by turning off or uninstalling unused services. d) Be sure the system is fully patched. e) Be sure real time virus protection and intrusion detection is running. f) Be sure the system is logging the correct events and to the proper level. 12) Response Team members will update the ticket with the following: a) How the incident was discovered. b) The category of the incident. c) How the incident occurred, whether through email, firewall, etc. d) Where the attack came from, such as IP addresses and other related information about the attacker. e) What the response plan was. f) What was done in response? g) Whether the response was effective. 13) Response Team members will: a) Make copies of logs, email, and other communication b) Update the ticket with a list of all witnesses c) Will keep evidence as long as necessary to complete prosecution and beyond in case of an appeal. 14) The Response Team manager will notify the police and other appropriate agencies if prosecution of the intruder is possible. 15) The Response Team manager will assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. 16) The Response Team manager will review the response, update policies, and take preventative steps so the intrusion can't happen again. a) Consider whether an additional policy could have prevented the intrusion. ISOL 533 - InfoSecurity & Risk Management University of The Cumberlands Computer Incident Response Team Plan b) Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future. c) Was the incident response appropriate? How could it be improved? d) Was every appropriate party informed in a timely manner? e) Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved? f) Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.? g) Have changes been made to prevent a new and similar infection? h) Should any security policies be updated? i) What lessons have been learned from this experience? ISOL 533 - InfoSecurity & Risk Management University of The Cumberlands Computer Incident Response Team Plan Appendix A – Incident Response Worksheet Complete this worksheet for any reported incidents Preparation: What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach? Identification: When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed:  Identify the nature of the incident o What Business Process was impacted o What threat was identified o What weakness was identified o What risk was identified o What was the Risk Factor/Impact of the incident o What was the RTO, MTD and RPO assigned to the business process o What hardware, software, database and other resource were impacted Containment: The immediate objective is to limit the scope and magnitude of the computer/securityrelated incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.  What needed to be done to limit the scope of the incident Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.  What was done to mitigate the risk of the incident Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.  What was done to recover the IT systems o What procedures were used and were they covered in the Disaster Recovery Plan o Was the Business Continuity Plan executed in response to this incident o Were any issues identified that would lead to updates to the BIA, BCP or DR plans.
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Hello the attachment below is the MTD,PTO AND RTO analysis with similarity index,Thank you

RUNNING HEAD: MTD, RPO and RTO

1

MTD, RPO AND RTO:

STUDENT’S NAME:
COURSE TITLE:
UNIVERSITY AFFILIATION:
DATE:

MTD, RPO and RTO

2

Overview
This Business Impact Analysis (BIA) is created as a major aspect of the possibility
arranging process for the SanGrafix Company SACO. It was set up on 1/11/2017
Purpose
The motivation behind the BIA is to distinguish and organize framework parts by
associating them to the mission/business process(es) the framework backings, and utilizing this
data to describe the effect on the process(es) if the framework were inaccessible.
The BIA is made out of the accompanying three stages:
1.

Determine mission/business procedures and recuperation criticality.

Mission/business forms upheld by the framework are distinguished and the effect of a framework
disturbance to those procedures is resolved alongside blackout impacts and evaluated downtime.
The downtime ought to mirror the most extreme that an association can endure while as yet
keeping up the mission.
2.

Identify asset prerequisites. Sensible recuperation endeavors require a careful

assessment of the assets required to continue mission/business forms and related
interdependencies as fast as could reasonably be expected. Cases of assets that ought to be
recognized incorporate offices, faculty, gear, programming, information documents, framework
parts, and crucial records.
3.

Identify recuperation needs for framework assets. In view of the outcomes from

the past exercises, framework assets would more be able to unmistakably be connected to basic

MTD, RPO and RTO

3

mission/business forms. Need levels can be set up for sequencing recuperation exercises and
assets.
This report is utilized to construct the SanGrafix Company Information System
Contingency Plan (ISCP) and is incorporated as a key segment of the ISCP. It likewise might be
utilized to help the advancement of other alternate courses of action related with the framework,
including, yet not restricted to, the Disaster Recovery Plan (DRP) or Cyber Incident Response
Plan.
System Description
It is situated in California. The center business divisions inside the SanGrafix Company
incorporates, Human asset office, Finance and Accounting, Sales and Marketing offices,
Communicate and systems administration offices lastly the human asset office. The staff number

MTD, RPO and RTO

4

in SanGrafix Company is forty

Internet

Switch

Router Firewall
FTP Server

Ethernet backbone cabling

Enterprise
gateway

Router Firewall

DNS server

Anti-spam

Router

Web serve...

Similar Content

Related Tags