Project #4: Prepare a Business Continuity IT Security Policy

Introduction

In Project 2, you developed an IT security policyfor a specific facility - a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2). You should reuse applicable sections of your earlier projects for this project (e.g. your organization overview and/or a specific section of your outline).

If you wish to change to a different organization for project #4, you must first obtain your instructor's permission.

Background

Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can continue operations in the event of a disaster (whether natural or man-made). Sometimes, these events are so severe that it is impossible for the business to continue operating from its normal locations. This requires a business continuity plan which, when activated, will enable the business to restore critical operations at other locations and within an acceptable time frame.

Organizations use policies, plans, and procedures to implement an effective DR/BCP program and ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist which will guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy - guidance for DR/BCP planning for a particular data center.

DR/BCP policies for the enterprise (the entire organization) establish what must be done by the organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or covered in another document which the policy refers to. The required content for the DR/BCP plan may also be presented in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline for the plan is presented in Table 4-2.

Sometimes, it is necessary to create supplementary policies which address specific circumstances or needs which must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy - the Business Continuity IT Security Policy. The "Tasks" section of this assignment explains the content requirements for your policy.

Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from http://www.ready.gov/business/implementation/continuity)

Phase 1: Business Impact Analysis

• Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to survival of business
• Conduct follow-up interviews to validate responses to survey & obtain additional info

Phase 2: Develop Recovery Strategies • Identify resource requirements based on BIAs

• Perform gap analysis (recovery requirements vs current capabilities.
• Investigate recovery strategies (e.g. IaaS, PaaS, Alternate Sites)
• Document & Implement recovery strategies (acquire / contract for products & services)

Phase 3: Develop Business Continuity Plan

• Develop plan framework (follow policy)
• Identify personnel forDR/BCP teams
• Develop Recovery and/or Relocation Plans
• Write DR/BCP Procedures
• Obtain approvals for plans & procedures

Phase 4: Testing & Readiness Exercises

• Develop testing, exercise and maintenance requirements
• Conduct training for DR/BCP teams
• Conduct orientation exercises for staff
• Conduct testing and document test results
• Update BCP to incorporate lessons learned from testing and exercises

Table 4-2. Outline for a Business Continuity Plan

Purpose: to allow company personnel to quickly and effectively restore critical business operations after a disruption.

Objective: to identify the processes or steps involved in resuming normal business operations.

Scope: work locations or departments addressed.

Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of time, (c) temporary or extended loss of workforce, etc.

Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d) communications, (e) safety of life issues, etc.

Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if "loss of work area" is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.

Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on.

Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a "living" document that is updated as personnel/workforce changes are made.

Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.

Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.

Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.

Tasks

The Business Continuity Security Policy is being written by you as the data centerfacility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations. Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1).Your policy must also address required content (sections) for the DR/BCP plan (see Table 4-2) even if that means requiring modifications to standard sections of the document or even adding sections.

Your policy must also address the roles and responsibilities for data center recovery operations. During recovery operations, the data center manager and recovery team personnel (including system administrators and network engineers) must ensure that IT systems and services, including required IT security controls, are operational within the required Recovery Time Objectives and Recovery Point Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP plans. These metrics are used to determine the restoral order for systems and services and guide the selection and implementation of recovery strategies. The metrics also provide performance criteria for outside vendors and service providers from whom your organization purchases or will purchase IT services and products to implement its recovery strategies.

Recovery Time Objective: the maximum time allowed to restore critical operations and services after activation of the business continuity plan. Different RTO's may be set for different IT systems and services.

Recovery Point Objective: the point in time to which you must restore data during startup operations for DR/BCP(used to determine backup frequency for data during normal operating periods and the maximum allowable amount of "lost data" which can be tolerated).

Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO metrics for hardware and software which provide IT security controls. For example, if the data center relies upon an Active Directory server to implement role based access controls, that server should have both an RTO and an RPO and be listed in the business continuity plan.

The primary audience for your policy will be the CIO and CISO staff members who are responsible for developing IT business continuity plans.Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include: CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO and CIO of the organization.

Tasks:

1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53.(See Table 4-3). Identify policy statements which can be used to ensure that the required controls are in place before, during, and after business continuity operations. (For example, for CP-6 your policy statement should require that IT security requirements be included in plans / contracts involving alternate storage sites for critical business data.) You must address at least 5 controls within the CP control family.

Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)

2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy statements which can be used to ensure that IT security requirements are addressed during each phase. These statements should include ensuring that RTO/RPO objectives for security services will be addressed during the planning process. (You may wish to include these as part of your policies for implementing CP-1, CP-2, CP-3, and CP4).

3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine specific policy statements required to ensure that the required CP controls and any additional or alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a business continuity plan.(Your policy statements will tell Business Continuity Planners where and how to "build security in.")

4. Write your Business Continuity Security Policy usingthe outline in Table 4-4. You must tailor your policy to the subject of IT Security Requirements for the Business Continuity program and address the required controls and actions identified during steps 1-3.

Table 4-4. Outline for an IT Security Policy

I. Identification

a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
h. Distribution List
i. Revision History

II. Purpose

a. Provide a high level summary statement as to the policy requirements which are set forth in this document.

III. Scope

a. Summarize the business continuity activities and operations that this policy will apply to.
b. Identify who is required to comply with this policy.

IV. Compliance

a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)

V. Terms and Definitions

VI. Risk Identification and Assessment

a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).

VII. Policy

a. Present policies which will ensure that IT security is addressed

i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g. controls from the CP family
iv. By specifying roles and responsibilities for IT security during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services and functions

b. Include an explanatory paragraph for each policy statement.

5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first level headings from the outline (I, II, III, etc.).

6. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography and place that at the end of your file. (See Item #3 under Formatting.) Double check your document to make sure that you have cited sources appropriately.

Formatting:

1. Submit your policy as an MS Word document using your assignment folder.

2. Format your policy such that it presents a professional appearance. Use headings and outline formatting to organize information for clarity.

3. Cite sources using a consistent and professional style. You may use APA formatting for citations and references. Or, you may use another citation style includinguse of footnotesor end notes.(Citation requirements for policy documents are less stringent than those applied to research papers. But, you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.)

4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

Attachment:- Project one and two.rar