Title: Prepare a Business Continuity IT Security Policy, Research Paper
 
Deadline: 17th Feb 2016 @ 01:28:29 hrs. Paper format: APA. Pages: 5 (or 1375 words minimum).
 
Sources: 9
 
Paper Details
 
Project #4: Prepare a Business Continuity IT Security Policy

Introduction

In Project 2 (which was order #225), you developed a local IT security policy for a specific facility – a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2, which was the Centers for Disease Control and Prevention (CDC), in orders #210 and #225). You should reuse applicable sections of your earlier projects for this project (e.g. your organization (CDC) overview and/or a specific section of your outline).

Background

Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can continue operations in the event of a disaster (whether natural or man-made). Sometimes, these events are so severe that it is impossible for the business to continue operating from its normal locations. This requires a business continuity plan which, when activated, will enable the business to restore critical operations at other locations and within an acceptable time frame. Organizations use policies, plans, and procedures to implement an effective DR/BCP program and ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist which will guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy – guidance for DR/BCP planning for a particular data center.

DR/BCP policies for the enterprise (the entire organization) establish what must be done by the organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or covered in another document to which the policy refers. The required content for the DR/BCP plan may also be presented in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline for the plan is presented in Table 4-2. Sometimes, it is necessary to create supplementary policies that address specific circumstances or needs which must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy – the Business Continuity IT Security Policy. The “Tasks” section of this assignment explains the content requirements for your policy.

Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from http://www.ready.gov/business/implementation/continuity )

Phase 1: Business Impact Analysis
• Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to survival of the business
• Conduct follow-up interviews to validate responses to the survey & obtain additional info

Phase 2: Develop Recovery Strategies
• Identify resource requirements based on BIAs
• Perform gap analysis (recovery requirements vs. current capabilities)
• Investigate recovery strategies (e.g. IaaS, PaaS, Alternate Sites)
• Document & implement recovery strategies (acquire / contract for products & services)

Phase 3: Develop Business Continuity Plan
• Develop plan framework (follow policy)
• Identify personnel for DR/BCP teams
• Develop Recovery and/or Relocation Plans
• Write DR/BCP Procedures
• Obtain approvals for plans & procedures

Phase 4: Testing & Readiness Exercises
• Develop testing, exercise and maintenance requirements
• Conduct training for DR/BCP teams
• Conduct orientation exercises for staff
• Conduct testing and document test results
• Update BCP to incorporate lessons learned from testing and exercises
Table 4-2. Outline for a Business Continuity Plan

Purpose: to allow company personnel to quickly and effectively restore critical business operations after a disruption.

Objective: to identify the processes or steps involved in resuming normal business operations.

Scope: work locations or departments addressed.

Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of time, (c) temporary or extended loss of workforce, etc.

Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d) communications, (e) safety of life issues, etc.

Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan's Introduction section. As an example, if “loss of work area” is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.

Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on.

Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a “living” document that is updated as personnel/workforce changes are made.

Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.

Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.

Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.
Tasks

The Business Continuity Security Policy is being written by you as the data center facility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations. Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address required content (sections) for the DR/BCP plan (see Table 4-2) even if that means requiring modifications to standard sections of the document or even adding sections. Your policy must also address the roles and responsibilities for data center recovery operations.

During recovery operations, the data center manager and recovery team personnel (including system administrators and network engineers) must ensure that IT systems and services, including required IT security controls, are operational within the required Recovery Time Objectives and Recovery Point Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP plans. These metrics are used to determine the restoral order for systems and services and guide the selection and implementation of recovery strategies. The metrics also provide performance criteria for outside vendors and service providers from whom your organization purchases or will purchase IT services and products to implement its recovery strategies.

Recovery Time Objective: the maximum time allowed to restore critical operations and services after activation of the business continuity plan. Different RTOs may be set for different IT systems and services.

Recovery Point Objective: the point in time to which you must restore data during startup operations for DR/BCP (used to determine backup frequency for data during normal operating periods and the maximum allowable amount of “lost data” which can be tolerated).

Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO metrics for the hardware and software that provide IT security controls. For example, if the data center relies upon an Active Directory server to implement role based access controls, that server should have both an RTO and an RPO and be listed in the business continuity plan. The primary audience for your policy will be the CIO and CISO staff members who are responsible for developing IT business continuity plans. Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include: CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO and CIO of the organization.

Tasks:

1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53 (see Table 4-3). Identify policy statements which can be used to ensure that the required controls are in place before, during, and after business continuity operations. (For example, for CP-6 your policy statement should require that IT security requirements be included in plans / contracts involving alternate storage sites for critical business data.) You must address at least 5 controls within the CP control family.

Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy statements which can be used to ensure that IT security requirements are addressed during each phase. These statements should include ensuring that RTO/RPO objectives for security services will be addressed during the planning process. (You may wish to include these as part of your policies for implementing CP-1, CP-2, CP-3, and CP-4.)

3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine specific policy statements required to ensure that the required CP controls and any additional or alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a business continuity plan. (Your policy statements will tell Business Continuity Planners where and how to “build security in.”)

4. Write your Business Continuity Security Policy using the outline in Table 4-4. You must tailor your policy to the subject of IT Security Requirements for the Business Continuity program and address the required controls and actions identified during steps 1-3.

Table 4-4. Outline for an IT Security Policy

I. Identification
   a. Organization: [name]
   b. Title of Policy: Data Center Business Continuity Policy
   c. Author: [your name]
   d. Owner: [role, e.g. Data Center Manager]
   e. Subject: Business Continuity for [data center name]
   f. Review Date: [date submitted for grading]
   g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
   h. Distribution List
   i. Revision History
II. Purpose
   a. Provide a high level summary statement as to the policy requirements which are set forth in this document.
III. Scope
   a. Summarize the business continuity activities and operations that this policy will apply to.
   b. Identify who is required to comply with this policy.
IV. Compliance
   a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
   b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
   c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
   a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
   b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
VII. Policy
   a. Present policies which will ensure that IT security is addressed
      i. In all phases of DR/BCP planning
      ii. In all relevant sections of the DR/BCP plan
      iii. By requiring implementation of relevant NIST guidance, e.g. controls from the CP family
      iv. By specifying roles and responsibilities for IT security during data center recovery operations
      v. Using RTO/RPO metrics for restoral of IT security services and functions
   b. Include an explanatory paragraph for each policy statement.

5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first level headings from the outline (I, II, III, etc.).

6. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography and place that at the end of your file. (See Item #3 under Formatting.) Double check your document to make sure that you have cited sources appropriately.

Formatting:

1. Cite sources using a consistent and professional style. You may use APA formatting for citations and references. Or, you may use another citation style including use of footnotes or end notes. (Citation requirements for policy documents are less stringent than those applied to research papers. But, you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.)
You are expected to write grammatically correct prose.

Criteria and Steps to follow (below, the subheadings are shown in bold) ***Please make sure three reference sites per subheading.***

Policy Outline & Body
Provided an excellent IT Security Policy which clearly, concisely, and accurately presents all required information (see outline in assignment for sections, fields, and content requirements). Presentation of information is organized in a logical fashion and uses 3 or more tables to group related information for presentation. All required fields under each section are listed and filled in (e.g. Owner Name in ID Section has a name filled in).

Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements which will ensure that IT Security is addressed during all four phases of the DR/BCP planning process. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that IT Security is addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using outline from assignment) which must address requirements for IT Security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security Roles & Responsibilities in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that roles and responsibilities for IT Security are addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using outline from assignment) which must address who is responsible for ensuring IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: Security Controls during DR/BCP Planning, Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which will ensure that NIST recommended security controls for Contingency Planning (CP family) are addressed as part of DR/BCP planning, implementation, and execution. Identified and discussed five or more controls from the CP family which should be implemented (using NIST SP 800-53 guidance) to ensure adequate IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Crediting Sources
Work credits all sources used in a professional manner using APA format citations/references, footnotes with publication information, or endnotes with publication information. Provides a Bibliography or “Works Cited” if not using APA format. Publication information is sufficient to retrieve all listed resources.
 