Embed Size (px)
Citation preview
2015
Ambika Sample
CSEC650
4/9/2015
Business ContinuityPlan. IA2
Table of Contents
Abstract…………………………………………………………………………….2Introduction…………………………………………………………………………3
Contingency Plan…………………………………………………………………...4
Recovery Plan………………………………………………………………………6
Test Plan……………………………………………………………………………9
BCP 24-month Recommendations………………………………………………….11
Enclosing……………………………………………………………………………12
References…………………………………………………………………………...13
1 | P a g e
Abstract
When keeping information safe and secure from insider
attacks or cyber – attacks organizations need to have a business
continuity plan in place to help safe guard them against future
attacks. The BCP discusses process and procedures such as having
a contingency plan, testing requirements and recovering plan.
Having this plan in place will ensure the organizations vital day
to day operations will remain stable during an attack (Johnson,
2010). The plan outlines decisions that need to be made in
regards to how to secure the networks and strategic concepts are
on how to isolate the threat. Nowadays, security is at the
height of the technology era and the risk of becoming hacked is
more prone to happen. So, the contingency plan and test plan
with the necessary analysis and training will effectively help
any company during an attack.
2 | P a g e
Introduction
In this day and time, hacking is becoming the most common
method of attack and having a business continuity plan will help
in sustaining the situation at hand. Protecting the operating
systems and networks that house confidential information is now
becoming more difficult to maintain and if a disaster were to
happen to those systems it may put a halt to all daily
operations. In the earlier stages of the technology era
companies did not have to worry about the security of their
information being stolen. Having a contingency plan wasn’t a
3 | P a g e
high priory at the time and some companies did not have a plan in
place at all. However, with the boom of the internet companies
are now relying solely on the web to perform daily business
operations and therefore, a security plan has become a necessity.
Within the guidelines of the contingency plan the company will
know the long term and short term recovery process if an attack
occurs. They will also have the resources necessary to address
the problem, know the goals of the mission at hand, develop a
budget in which will be used in addressing the incident, and a
forecasted plan to address any other attacks or issues. Also,
the recommended training and testing of equipment and data will
be address in the business contingency plan as well (Johnson,
2010).
When it comes to computer forensics or any other types of
forensic, having a contingency place plan is very important. The
plan will ensure all testing is performed correctly and there
will not be and hiccups in processing the forensic evidence. If
a business operation is halted do to any form of attack it can
4 | P a g e
drastically hurt a forensic investigation. Therefore, a
contingency plan will help keep the operations running so that
the investigation can run smoothly. Having a continuity plan and
contingency plan for forensic investigators to follow in case of
an attack will help out in recovering evidence. Both plans are
interrelated and need each other. The continuity plan offers an
alternative location to continue operations for a short period of
time while the normal operation site restores its networks.
Those alternative sites or coop sites are sometimes called a hot,
warm, or cold site. A continuity plan is also more frequently
used in government agency’s that can operate independent of a
contingency plan. The contingency plan details procedures and
processes on how to restore a network from an attack. It will
also outline procedures on how to recover a program, application
or the system itself (Johnson, 2010). Both plans play an
important role in recovering daily business operations regardless
of whether they are minor or major loses.
Contingency Plan
5 | P a g e
The contingency plan outlines the part in which an
individual or group will play its part in bringing that
organization back online such as what task and responsibilities
will be given out, procedures for restoration of service as well
as the technical requirements and resources. It will also detail
what the normal procedures are for operating the business under
normal conditions, how the business will be ran under emergency
conditions and reveal the individuals that are to be contacted in
a crisis situation. These include people in the IT department,
HR department, Security department, and stakeholders. It will
also detail how to record and make changes to the plan during the
crisis event. The recovery section in the plan will include how
the system will be brought back to normal operations and what
data is needed for immediate recovery in order to function
normally. The policies and procedures of the contingency plan
should refer to the business current physical and IT security
policies for handling data in an emergency event (Rouse, 2008).
A contingency plan needs to consist of the following things
(Rouse, 2008):
6 | P a g e
Administration - The business should create a disaster response
team for each department that will be working in to regain
operation of the business in case of an emergency event. Each
department team should consist of at least the minimize of a two
parties such as a manager and a team lead to support the response
efforts. Those team members will assure the contingency plan is
ran smoothly and effectively.
Operation - This procedure needs to involve a step by step
guideline on what the process will be in case of an emergency
shut-down event. This section of the plan should also refer to
each individual or groups that have a role in the disaster
response team.
Risk Factors – The business should address any risk that business
will endure if their operations have to shut-down due to un-seen
events. The risk assessment portion in the contingency plan will
display key departments, applications or systems that will need
immediate attention once an event have occurred. Without the risk
assessment being part of the contingency plan and business may or
may not have an effective plan in place.
7 | P a g e
Testing the plan – Every quarterly year testing of the
contingency plan should take place during work hours. The test
should be perform to keep individuals whom are on the response
team abreast of the plan and any changes to the plan that would
affect how timely a response should take the any situation.
Updates and Improvements – Before or after a test scenario is
performed a timely audit of the plan should take place just to
ensure everything is correct. Updates should be address and a
new version of the plan should be given to those participant
parties. A quarterly response team meeting should take place
just to address and security concerns or other issues due to the
current technology industry.
Recovery Plan
A recovery plan plays an important part when trying to
figure out what network systems that are down need to be brought
back up, what data that was backed up needs to be restored
because it was deleted and what coop site needs remain active
while the normal site is trying to recover. Now days, cyber
security threats are at an all-time high and companies need to
8 | P a g e
have an alternative recovery site plan in place. When restoring
a site, the business must keep in mind how to safe guard the
security while quickly and effectively accessing the networks
without compromising the integrity of the business and allot time
for the recovery efforts as well as costs. Figuring out how much
it will cost the business to perform these recovery services will
help determine which practices are the best for them to use
(Castellano, 2005).
A recovery plan needs to consist of these following components
(Walsh, 2013):
Business Impact
Risk Analysis
Creating/Implementing the Plan
Data Recovery
Training
The teams who are responsible for the recovery actions need to
focus on restoring the following services (Walsh, 2013):
Network Servers
9 | P a g e
Database Servers
System Applications
Network Services
Hardware Applications
Software Applications
Other Alternate Recovery Sites
One way to save data and restore it effectively whenever an
incident occurs is to back the data up on a regularly basis.
Once the data is backed up it should be stored at an offsite so
that it can be easily accessible when needed. Within a data
recovery policy there are backup times which are created to
determine when data should be backed up such as whether it should
be performed daily, hourly, monthly or weekly. These times are
determined by the classification of the data such as top secret,
secret or unclassified and how critical the data need to be
accessed. They are also determined by how often new data is
stored on the network. The accessibility of the backup data at
an alternate site needs to be available on a need-to-know basis
10 | P a g e
so the data can remain confidential and the integrity of the
mission will not be compromised (Castellano, 2005).
Businesses that are using an alternative site to store their
backup data and network services have demonstrated how to create
an effective and efficient strategy. Generally speaking an
alternative site should be in a different state or somewhere far
away from the current location that is being targeted. The cost
to maintain the alternative sites and budget cost to staff those
sites once they become active should be considered. Security
requirements for those locations should vary depending on the
data being accessed and maintained. The cost to ship additional
hardware and software to maintain those sites need to also be
considered. As mentioned before, the alternative sites are known
as hot, warm or cold sites. A hot site is typically fully
functional site that be up and running at a moment notice. The
hot site is fully infrastructure site that is equipped with the
latest hardware and software and fully staff with emergency
personnel. A warm site is supported at the operational level
11 | P a g e
meaning it is equipped with just the supported functions to keep
the business running within a minimum timeframe while the actual
site is down. A cold site only housed the equipment to support a
site; therefore if a cold site needs to become active the support
staff will have to bring the current systems their online
(Castellano, 2005).
The recovery plan should be a well thought-out policy that
can be deploy without a hitch. The recovery plan options are as
easy as possible to deploy just in case a disaster event occurs
all participants on the response team can access the data and
facilities quickly as possible to take the business up and
running. Having a contingency plan should be priority and having
a recovery plan should be secondary because if businesses have an
effective contingency plan the recovery plan may or may not need
to be addressed. However it is still important to have a
recovery plan in place (Swanson, 2010).
Test Plan:
12 | P a g e
The testing portion of the contingency plan and recovery
plan is the most important part. Without the testing
requirements when a disaster event happens the response team
wouldn’t know what procedures to follow. Testing requires all
systems are properly functioning correctly and allows for any
improvements to be address and implemented. Each system,
application or device is tested to ensure there are no
vulnerabilities that could cause the system to fail.
Requirements for testing a system varies by the system type,
however there are some standard test requirements that are in the
contingency plan (Codmon, 2013).
Some standard test requirements are (Codmon, 2013):
Warning procedures
Backup storage
Network connectivity
Hardware and Software performance
Time constraints for restoring system operations
13 | P a g e
Mandatory testing and training on the company systems
should be performed quarterly or annually to ensure performance
availability. When testing is performed individuals should
identify any inconsistencies in the contingency and recovery plan
and carry out all of the requirements that are being tasked in
the plans. Company testing will make sure at the minimum that
warning notifications are accurate and distributed in a time
fashion, the recovery efforts are coordinated correctly, data is
backup and storage in the appropriate places and network
connectivity is up and running properly. External equipment
located at alternate sites is functioning correctly, time
management of restoring business operations is tested to ensure
properly availability times and risk assessment reporting will
ensure testing performance is effective (Neal, 2013).
There are several types of testing exercises a company can
perform to test out crisis situations. The first one is a
stimulated exercise where individual can figure-out strategies to
work through in a stress free environment. The type of exercise
is a more cost efficient way to sort out different emergency
situations that doesn’t require disruptions during normal 14 | P a g e
business hours. Depending on what type of emergency situation is
being stimulated it can take anywhere from 1 to 8 hours to
perform. A drill procedure should be used to perform any
stimulated exercise. A drill procedure is perform repetitively
and allows for individual to fully grasp any type of crisis
situation under extreme pressure (Beck, 2014).
A company may also want to perform another test simulation
in a real-time environment. In this environment all of the
individual roles, policies and procedures are tested. This type
of testing procedure may need to be performed after hours and
require every response team personnel in attendance. Scripts may
also be written for certain scenarios to be role played. Due to
the full scaled re-enactment of an emergency situation personnel
may have to not only perform the test procedures outside of
normal business hours but also perform the live re-enactment at
the alternate site as well to ensure every site is capable to
handle the emergency events. Having a full scale disaster
situation played out in a real-time environment will ensure the
business their contingency plan and response team is fully aware
and equipped to handle any crisis event (Beck, 2014). 15 | P a g e
By having those types of disaster situations tested out in a
scaled down environment such as a simulated scenario performed
online or in a more dramatized live scenario where employees
actually perform their roles in a real-time environment the
business should be able to efficiently assess and execute any
type of the crisis event that may occur. Without test scenarios
being performed a business maybe vulnerable to an unforeseen
event that could cause a major shut down of operations. Once the
testing portion is done, risk assessment should be analyzed and
feedback from the test scenarios should be reported to
management. Corrective measures should be put in place and the
plan as well as the policies should be updated to ensure maximum
performance of the business mission without any interruptions to
the business daily operations (Castellano, 2005).
BCP 24-month Recommendations
Testing should be performed on a 24-month scale. The test
should include online and real-time scenarios that pertain to 16 | P a g e
cyber-attacks or other threats that may impact the business. The
test plan should include the standard testing requirements
mentioned in the paper. Test scenarios should be performed at
the alternative sites to make sure they are ready and fully
functional if needed. Management should review the plan
periodically and incorporate and new changes that had been
addressed. Backup of all the data stored on the primary site and
alternate sites need to be backup increments of daily, weekly or
monthly according to the policies in place. Realistically a 24-
month BCP plan may not be need if the initial BCP is created,
tested and implemented correctly according to the business
operation needs (Collett, 2007).
Enclosing
A business contingency plan can help a business function
smoothly through any emergency situation either it be a cyber-
attack or other threats. The plan should be a well thought out
plan that is tested and executed with trained employees that will
be able to handle all types of crisis situations the business may
17 | P a g e
occur. Testing will ensure the notification, response team
procedures, operating systems and applications, backup media
storage, network connections and alternate sites are functional
and available at a moment notice. Some companies may not want to
create and implement a BCP because of budget constraints but in
today’s time’s majority of company operate their business online
and some company’s deals with critical data so having a BCP in
place will ensure their company is safe guarded against attacks.
A BCP doesn’t have to be a complex or expensive plan. It should
only be created and geared to cater the business essential needs
to function under a threat (Swanson, 2010).
18 | P a g e
References
Beck, R. (2014, May 13). Contingency Planning-Developing a Good Plan B Leadership Training. Retrieved from MindTools: http://www.mindtools.com/pages/article/newLDR_51.htm
Castellano, P. (2005, October 5). How to build realistic disaster recovery options. Retrieved from ComputerWorld: http://www.computerworld.com/s/article/77236/How_to_build_realistic_disaster_recovery_options?taxonomyld=83&pageNumber=2
Codmon, B. (2013, August 16). Maintenance Schedules and Contingency Planning. Retrieved from Department of Environment and Primary Industries: http://www.dpi.vic.gov.au/agriculture/dairy/managing-waste/maintenance-schedules-contingency-planning
Collett, S. (2007, December 4). Evaluating business continuity Services. Retrieved from CSO Online: http://www.csoonline.com/article/221306/Five_Steps_to_Evaluating_Business
Johnson, D. (2010, April 14). The Purpose of Contingency Planning. Retrieved from Small Business Chron: http://smallbusiness.chron.com/purpose-contingency-planning-24864.html
Neal, A. (2013, August 2). Famine Early Warning Systems Network (FEWS NET). Retrieved from FEWS: http://fews.net/ml/en/info/Pages/plancpp.aspx
Rouse, M. (2008, November 12). Contingency Plan. Retrieved from Techtarget: http://whatis.techtarget.com/definition/contingency-plan
Swanson, e. a. (2010, May 25). Contingency Planning Guide for Federal Information Systems. Retrieved from CSRC.NIST.GOV:
19 | P a g e
http://csrc.nist.gov/publicatins/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov24-2010.pdf
Walsh, D. (2013, November 26). The 5 Steps of Contingency Planning. Retrieved from Life Science Leader: http://lifescienceleader.com/magazine/past-issues3/item/4349-the-5-steps-of-contingency-planning?list=n
20 | P a g e
