BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC.
Business Impact Analysis (BIA)
Omega Research Consulting & Research
By: James Dawkins
▬▬▬
SEC591-62074
Disaster Recovery/Forensics Analysis
Prof. Patrick Coyle
OVERVIEW
The Business Impact Analysis (BIA) is developed as part of the Contingency Planning Process.
The BIA focuses on the firm OMEGA RESEARCH Inc. (to be called OMEGA throughout the report), its
critical business processes, and critical components assisting in critical business processes.
Prepared for release on November 20, 2016, the BIA must be reviewed annually AS A MINIMUM
REQUIREMENT, but the priority of revision depends on business fluidity. Therefore, business adjustments
determine BIA adjustments.
PURPOSE
The purpose of the BIA is to identify critical components of OMEGA, analyze
interdependencies, then prioritize components with business processes.
OMEGA GEOGRAPHIC ARCHITECTURE
(MAIN OFFICE) ▬ Reston, VA
(Branch Offices) ▬
- Kansas City, MO
- Salem, OR
- San Diego, CA
▬▬▬▬▬▬▬▬
INTERNET CONNECTIVITY
CURRENT GEOGRAPHICAL ARCHITECTURE
▬▬▬▬▬▬▬▬
COMPONENTS OF CRITICALITY

| | SAP BY Sungard | AIX ENVIRONMENT | BORDER ROUTERS |
|---|---|---|---|
| SYSTEM PROCESSES | Data Warehouse; Finance; Reporting | Data Warehouse; Finance; Reporting | DATA TRAFFIC Filter |
| Recovery criticality | HIGH → DATA WH; HIGH → FINANCE; HIGH → REPORTING | HIGH → DATA WH; HIGH → FINANCE; HIGH → REPORTING | HIGH → NETWORK SECURITY |
| RESOURCE REQUIREMENTS (reference – external points of contact) | SUNGARD (vendor) | IBM (vendor) | OMEGA INC. (AT&T Internet) |
| SERVICES | Recovery Services of Server Environment | Tape Library; TSM Server | Network Security |
| CONTACT | 877-456-3966; 215-351-1300; 401 N Broad St., Philadelphia, PA; Don Meltin (Test Coord.); Jack Fabrianni (Acct. Rep); Lincoln Balducci (Resource Coord) | 214-451-7747; 522 South Rd, Poughkeepsie, NY 12601; Steve Barretta | Tiffany Sabers, Omega Inc. Chief Information Officer |
Critical Components – Individual Assessments
▬▬▬▬▬▬▬▬▬▬▬▬▬▬
SAP by SunGard
SAP - All Encompassing Business Tool
Functions: Finance, Schedule, Data Storage
Physical Location: Reston, VA
SunGard (vendor) Locations: ¾ states match Omega’s locations; 1 state neighbors Reston locations
VENDOR LOCATION COMPARISON [map: SunGard vs. Omega]
▬▬▬▬▬▬▬
AIX Environment by IBM
Functions: Finance, Schedule, Data Storage
Physical Location: Reston – San Francisco – Salem – Kansas City
IBM (vendor) Locations: 5/5 matching states with Omega
✓ Operating System of Network Components (including)
  ▪ RAS Server
  ▪ DNS Server
  ▪ Web Server
  ▪ File/Print Server
  ▪ SMTP Mail Gateway
  ▪ Exchange 2000 Mail Server
AIX ENVIRONMENT EQUIPMENT LIST
▬▬▬▬▬▬▬
| Server Name | Model | Purpose | Memory | CPU | Disk | OS | Network Services |
|---|---|---|---|---|---|---|---|
| new NIM | RS6000 7025 - F50 | NIM Server | 512MB | 2-375MHz | 36GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| Omega-f1n9 | RS6000 7026 - 6H1 | TSM Server | 2GB | 4-600MHz | 108GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| Omega-odw | RS6000 7026 - 6M1 | EDW | 8GB | 4-750MHz | 72GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| Omega-f6n1 | RS6000 7026 - 6M1 | Hyperion/Express | 8GB | 4-750MHz | 72GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| Omega-f1n11 | RS6000 7026 - 6H1 | UFS | 1GB | 2-600MHz | 72GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| new BrioSQR | RS6000 7026 - 6H1 | Brio SQR | 2GB | 4-600MHz | 108GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| new BrioPortal | RS6000 7026 - 6H1 | Brio Portal | 2GB | 4-600MHz | 108GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| Omega-f2n7 | RS6000 7026 - 6H1 | SAPDev DB/CI | 8GB | 4-600MHz | 108GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| new SAPDB | RS6000 7026 - S85 | SAPProd DB/CI | 18GB | 12-750MHz | 1000GB | AIX | (2)Ethernet 10/100, (2)Fibre 6228 |
| new SAPApp1 | RS6000 7026 - 6M1 | SAPProd App. | 8GB | 8-600MHz | 27GB | AIX | (2)Ethernet 10/100 |
| new SAPApp2 | RS6000 7026 - 6M1 | SAPProd App. | 8GB | 8-600MHz | 27GB | AIX | (2)Ethernet 10/100 |
| new SAPApp3 | RS6000 7026 - 6M1 | SAPProd App. | 8GB | 8-600MHz | 27GB | AIX | (2)Ethernet 10/100 |
| new SAPApp4 | RS6000 7026 - 6M1 | SAPProd App. | 8GB | 8-600MHz | 27GB | AIX | (2)Ethernet 10/100 |

LTO Tape Library: No Model Indicator, 5 Drives
EMC Disk: No Model Indicator, 2 TB
Omega’s Network Perimeter
Functions: Internet Connection, Data Security, VPN connection
Physical Location: Reston – San Francisco – Salem – Kansas City
Omega: Omega owns & operates each router
Router- filter methods:
- Internal Employees, Customers, Vendors, Clients, Public
  ➢ border routers - owned & managed by Omega
  ➢ Dynamic Filtering ROUTERS
    ✓ IT department manages border security
    ✓ System Administrator directs IT Department
      ▪ POOR policy management by System Admin @ HQ
      ▪ Promotes all-around BAD PRACTICES
- INTERNET CONNECTIVITY
  ➢ SERVICES
    ✓ T-1 Internet-speed
      ▪ Reston / San Diego / Kansas City
    ✓ 256k F-T1 circuit service (speeds)
      ▪ Salem
► ANALYSIS ◄
The analysis gathers INPUT from:
• Internal employees
• Consultant
  ✓ Consultant Analysis INCLUDES input of both:
    ▪ Internal employees
    ▪ Professional self-assessment
Information is gathered through 1-on-1 interviews and the consultant's own analysis.
▬▬▬▬
INPUT - INTERNAL EMPLOYEES
OMEGA’S LEADERSHIP TEAM PROVIDES VALUABLE INSIGHT INTO COMPANY PRIORITIES
Omega hierarchy chart
▬▬▬▬
BILL HERMANN – CEO
- PRIORITY: SAP_Cash flow
- SAP sole reliance of cash flow management
- Max. downtime <=2 days
- Otherwise borrowing cash
Omega hierarchy chart - OPERATIONS
▬▬▬▬
Linda Okonleski – COO (Chief Operations Officer)
- PRIORITY: SAP – schedule / billing
- SAP Business vitality – INVOICE clients
- Legal ramifications of irregular business-as-usual
Nate Brown – Director of Consultant Services
- PRIORITY: Scheduling / Billing
- Scheduling / Billing – 2 most important components to business success
Sandy Ales – Director of Sales & Marketing
- PRIORITY - Scheduling / Billing
- Scheduling / Billing – Omega’s competitive advantage
- 30-40% short-term contracts
- depend on up-to-date data
▬▬▬▬
Omega hierarchy chart – Information Technology
▬▬▬▬
Tiffany Sabers – CIO (Chief Information Officer)
- PRIORITY: SAP_Data Backup
- Current Recovery Time, 3-4 days - slow
- Sole dependence on SAP data backup methods
- Financial Worry - $14M (initial cost) without data backup implementation
- But cost-effective backup method required
Rachid Chad – Director of IT Development
- PRIORITY: SAP Implementation
- COST = $14M
- NO backup system in-place
- But cannot afford expensive backup plan
- Economy-of-Scale
- Backup plans
Tyler Amdahl – Director of IT Operations
- PRIORITY: SAP
- Says REDUNDANCY already in place
- But working with SunGard for solution
- Maximum Downtime 12-16 hours (<24 hours)
▬▬▬▬
Omega hierarchy chart – Finance
John Sampolous – CFO (Chief Financial Officer)
- PRIORITY: Cash Flow
- Max Down Time: <= 1 day
- Otherwise, borrowing on day 2
- Cash-flow vitality
- No product as collateral
- $3-500k / day (penalties)
- Interest alone
Reyes Emme – Director of HR & Payroll
- PRIORITY: SAP – Finance
- Priority – Employees Paychecks
- Must Budget 7-10 days of payroll
- Maximum Downtime <=3 days (under 72 hours)
Jackson Davis – Director of Accounting
- PRIORITY: SAP - Finance
- SAP - Sole dependence
- Most vital area – Accounts Payable
- 10% damages per $100,000
▬▬▬▬
CONSULTANT INPUT:
- REASONS of Business Impact Analysis
  ➢ DAMAGE $550,000.00
    ▪ Oracle Database breached
    ▪ Reston, VA at off-site DATA CENTER
- Omega hired me, as a consultant, to investigate its data security vulnerabilities and develop
a newly formed Business Impact Analysis.
- Factors that allowed the breach at (Reston OFF-SITE data center)
  ➢ POOR PROTOCOLS of data security
  ➢ POOR preventive measures
- existing VULNERABILITIES
  ➢ REQUIRE IMMEDIATE ATTENTION
    ▪ overpowering amount of vulnerabilities
  ➢ BELOW PAR factors
    ✓ SAP
      ▪ Protocol
      ▪ Preventive
      ▪ Backup
    ✓ AIX
      ▪ Protocol
      ▪ Preventive
      ▪ Backup
    ✓ Perimeter Protection
      ▪ Protocol
      ▪ Preventive
      ▪ Backup
  ➢ BUDGET inefficiencies
    ▪ Kansas City – overwhelming and consuming budget
    ▪ Inconsistent Budget
EQUIPMENT VALUE – OMEGA branches (1 of 2) [chart: Book Value vs. Adjusted Value]
▬▬▬▬▬▬▬▬▬▬
EQUIPMENT VALUE – OMEGA BRANCHES (2 of 2) [chart: Book Value vs. Adjusted Value]
*Kansas City NOT included in this version (to show scale)
▬▬▬▬▬▬▬▬▬▬
EQUIPMENT VALUE – San Diego [chart: Book Value vs. Adjusted Value]
▬▬▬▬▬▬▬▬▬▬
EQUIPMENT VALUE – Salem, OR [chart: Book Value vs. Adjusted Value]
▬▬▬▬▬▬▬▬▬▬
EQUIPMENT VALUE – Kansas City, MO [chart: Book Value vs. Adjusted Value]
▬▬▬▬▬▬▬▬▬▬
EQUIPMENT VALUE – Reston, VA [chart: Book Value vs. Adjusted Value]
▬▬▬▬▬▬▬▬▬▬
Risk Factors (based on analysis)

| LOCATION | EVENT | LIKELIHOOD | IMPACT (1-3) | RISK FACTOR | Insurance |
|---|---|---|---|---|---|
| Reston | flood | 1/500 | 3 | .6 | YES, $18K/yr +5%/yr |
| San Francisco | earthquake | 1/20 | 2 | 10 | NO ($25K/yr) |
| Kansas City | tornado | 1/5 | 1 | 20 | YES, $14K/yr |
| Salem | ---- | ---- | ---- | ---- | ---- |

KEY →→ UNLIKELY / PROBABLE / LIKELY
▬▬▬▬▬▬▬▬▬▬
MAXIMUM DOWNTIMES
…based on input from employees and consultant analysis

| | SAP | AIX | Network Perimeter |
|---|---|---|---|
| Maximum tolerable downtime | < 24 hours (CFO) | 12-16 hours (< 24 hrs.) | < 24 hours |
| Recovery Time Objective | <24 hours | 8 hours | < 12 hours |
| Recovery Point Objective | <= 6 hours | <= 6 hours | <= 6 hours |

KEY →→ +48 hrs / 24-48 hrs / <24 hrs
▬▬▬▬▬▬▬▬▬▬
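An added example, not part of the original report: it recomputes the Risk Factor column and checks the downtime objectives against the interview figures quoted earlier. The formula likelihood × impact × 100 is an assumption inferred from the table's own numbers, the 16-hour AIX bound takes the upper end of the stated 12-16 hours, and all function names are illustrative.

```python
from fractions import Fraction

# Rows transcribed from the "Risk Factors" table:
# (location, event, likelihood, impact 1-3, listed risk factor, insured?)
RISK_ROWS = [
    ("Reston", "flood", Fraction(1, 500), 3, Fraction(6, 10), True),
    ("San Francisco", "earthquake", Fraction(1, 20), 2, Fraction(10), False),
    ("Kansas City", "tornado", Fraction(1, 5), 1, Fraction(20), True),
]

# Upper bounds in hours, transcribed from the "MAXIMUM DOWNTIMES" table.
OBJECTIVES = {
    "SAP": {"mtd": 24, "rto": 24, "rpo": 6},
    "AIX": {"mtd": 16, "rto": 8, "rpo": 6},
    "Network Perimeter": {"mtd": 24, "rto": 12, "rpo": 6},
}

# SAP downtime tolerances stated in the interviews (CEO, CFO, HR & Payroll), in hours.
SAP_TOLERANCES = {"CEO": 48, "CFO": 24, "HR & Payroll": 72}

# Current SAP recovery time reported by the CIO: 3-4 days, in hours.
CURRENT_RECOVERY = {"SAP": (72, 96)}


def risk_factor(likelihood, impact):
    """Assumed formula (inferred from the table): likelihood x impact x 100."""
    return likelihood * impact * 100


def audit_risk_table(rows):
    """Recompute each risk factor, compare it with the listed value,
    and return the rows ranked from highest to lowest risk."""
    audited = []
    for location, event, likelihood, impact, listed, insured in rows:
        computed = risk_factor(likelihood, impact)
        audited.append({
            "location": location,
            "event": event,
            "risk_factor": computed,
            "matches_table": computed == listed,
            "insured": insured,
        })
    return sorted(audited, key=lambda r: r["risk_factor"], reverse=True)


def binding_tolerance(tolerances):
    """The strictest stakeholder tolerance is the one that sets the MTD."""
    role = min(tolerances, key=tolerances.get)
    return role, tolerances[role]


def objective_findings(objectives, current_recovery):
    """Flag RTOs that leave no margin under the MTD and systems whose
    current recovery time cannot meet the RTO."""
    findings = []
    for system, o in objectives.items():
        if o["rto"] > o["mtd"]:
            findings.append(f"{system}: RTO {o['rto']}h exceeds MTD {o['mtd']}h")
        elif o["rto"] == o["mtd"]:
            findings.append(f"{system}: RTO bound equals MTD bound, no margin")
        if system in current_recovery:
            low, high = current_recovery[system]
            if high > o["rto"]:
                findings.append(
                    f"{system}: current recovery {low}-{high}h misses RTO "
                    f"{o['rto']}h by {low - o['rto']}-{high - o['rto']}h"
                )
    return findings


if __name__ == "__main__":
    for row in audit_risk_table(RISK_ROWS):
        flag = "" if row["insured"] else "  <-- uninsured"
        print(f"{row['location']:14} {row['event']:11} "
              f"{float(row['risk_factor']):5.1f}{flag}")
    print("Binding SAP tolerance:", binding_tolerance(SAP_TOLERANCES))
    for finding in objective_findings(OBJECTIVES, CURRENT_RECOVERY):
        print(finding)
```
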
▬▬▬▬▬▬▬▬▬▬
OVERALL BUSINESS DIRECTION
(Based on consultant-gathered information)
✓ RAPID company growth
✓ Competitive Advantages
  ❖ Consulting of local business
  ❖ Research of consulting concepts
✓ SYNERGY
✓ DECREASE Total-Cost-of-Ownership (TCO)
✓ isolate Consulting and Research
  ❖ Consulting - continued expansion
  ❖ research - consolidation
    ▪ Reston
    ▪ San Francisco
- NECESSARY ADJUSTMENTS
…to assist business objectives...based on critical processes
Primary SITE ▬ Backup HOT SITE
RESTON, VA ▬ SAN FRANCISCO, CA
BIA - NECESSARY ADJUSTMENTS
SAP
PREVENTIVE MEASURES

| ISSUES | CHANGES | RESULT |
|---|---|---|
| NO Policy & Procedures document ▬ No reference to proper security detail | Create document officially accepted company-wide | Reference material on proper security measures |
| NO training or reminders; No company-wide security culture | Implement training sessions as standard protocol | Improved culture of security safeguards |
| Access Controls: Anyone can access physical data center ▬ Caused $500,000 loss | Improve security standards of Physical access | IMPROVED security – reduced disaster opportunity |
| Backups (cost): Desired, but none! Still searching for economy-of-scale process | Add cluster backup methods & store at remote location (branch office NOT at Reston / SF) | Data quickly available from branch site -- trusted / connected environment |

BUDGET

| ISSUES | CHANGES | RESULT |
|---|---|---|
| Redundant locations (at each branch): NOT in-line with company goals → SYNERGY; NOT utilizing VPN; Unnecessary expenses | CONSOLIDATE AIX Environment to Reston & San Francisco ▬ ENHANCE robustness at Reston / San Francisco; Increase data center budget at Reston & San Francisco | Cost effective ▬ Increased capacity & scalability of data security |
AIX ENVIRONMENT
PREVENTIVE MEASURES

| ISSUES | CHANGES | RESULT |
|---|---|---|
| AIX incompatibilities ▬ Microsoft OS-friendly; Macintosh OS – enemy ▬ both OS-types currently in-use | Update AIX environment; Make cross-compatible for both OS | Cross-compatible / preferred choice work environment; enhanced employee productivity |

BACKUP METHODS

| ISSUES | CHANGES | RESULT |
|---|---|---|
| NO OFFICIAL BACKUP PROCEDURE | Setup secondary AIX environment at San Francisco (hot-site) in case disaster strikes ▬ Work with IBM to produce “economy of scale” backup standards ▬ CREATE documents and procedures that meet or exceed NIST standards | Disaster Recovery Methods set for rapid response to HIGH RISK business components |
NETWORK PERIMETER
ROUTERS (FIREWALL)

| ISSUES | CHANGES | RESULT |
|---|---|---|
| Currently using (screening routers) at each branch location ▬ NOT the most secure firewall option ▬ Expensive – duplicate network equipment | Utilize VPN; use stateful packet filtering ▬ Use only at Reston and San Francisco (HQ & Hot-Site) ▬ Utilize VPN | More secure firewall/router combo ▬ Cost effective consolidation ▬ Stricter authorization ▬ Packet checks per session |
| VPN and (AIX environments) at branch locations causing REDUNDANT budgetary requirements | PRIMARY VPN at Reston, VA (HQ) ▬ Backup VPN at San Francisco (hot-site) | Centralized network / server environment ▬ Major Cost Savings |
WORKSTATIONS

| ISSUES | CHANGES | RESULT |
|---|---|---|
| NO routine patches; Major vulnerability of breach | Update virus definitions ▬ Add spyware | Improved tracking of suspicious activities ▬ Improve audit logging |

IT MANAGEMENT

| ISSUES | CHANGES | RESULT |
|---|---|---|
| Micro-Control by network administrator at Reston ▬ Branch office IT administrators control at branch office | CONSOLIDATION of SYNERGY: Merge IT employees to Reston ▬ Temporary work cycles at San Francisco – maintain “hot-site” network components ▬ Effective recovery testing | Cost Effective of overall budget via consolidation ▬ Improved management |
Recovery Priorities:
- IDENTIFY RECOVERY PRIORITIES
[OPERATING ENVIRONMENT]
➢ EMC Symmetrix
  ✓ Reston, VA (main location)
➢ IBM Tivoli Storage Manager (TSM)
  ✓ compatible with most operating systems
➢ IBM Tape Storage
  ✓ IBM installed & managed (location anywhere)
➢ SunGard – recovery services
  ✓ RaaS → Recovery-as-a-Service
  ✓ Including → Virginia / Missouri / California
  ✓ (3 of 4 states) of Omega office locations
[PHYSICAL LOCATIONS]
➢ Reston, VA
  ✓ EMC Symmetrix
  ✓ Tape Library / TSM Server
[GENERAL LOCATION of END-USERS]
➢ All Omega locations (Reston / San Diego / Kansas City / Salem)
➢ *****Off-site engineers (quantity / locations?) *****
[EXTERNAL POINTS-OF-CONTACT (POC)]
LAN
***** [BACKUP POLICIES]
***** [DIAGRAM OF ARCHITECTURE]
***** [COMMUNICATIONS (INPUT-OUTPUT)]
RESTON, VA ▬ (MAIN OFFICE)
***DAMAGE ►$550,000.00 ▬ Oracle Database***
- Border Routers
  ➢ screening router –
    ▪ configured for dynamic packet filtering
    ▪ reflexive Access Control Lists (ACL’s)
- Servers
  ➢ centrally located @ Reston data center
  ➢ Data center
    ✓ Access controls
      ▪ 5 keypunch combination lock
      ▪ IT department knows combination
      ▪ Combination rarely rotated
    ✓ Preventive
      ▪ HVAC purification – humidity control
      ▪ HVAC services – temperature control
      ▪ NO static electricity → NO raised floor
      ▪ UPS power – mini systems, each component
        o NO site-wide UPS
- DNS server
  ➢ OMEGAresearch.com
  ➢ Publicly accessible web (Email, web) – name resolution
  ➢ Web hosting services - Microsoft Windows ® 2000 Server running Internet Information Services (IIS).
  ➢ X.500 directory service
    o Mixed environment
    o Immature implementation
  ➢ Server / Client OS not routinely patched
- Printers
  ➢ Network connected throughout (Reston office)
- IT Department
  ➢ Manage NETWORK and NETWORKED RESOURCES @ Reston
    ▪ > 170 workstations
    ▪ 6 servers
(BRANCH OFFICES)
San Diego, CA
- AT&T Internet services
- T1 service
- Routers (border), managed by Omega
  ➢ screening router - configured for dynamic packet filtering
    ▪ using reflexive Access Control Lists (ACL’s)
▼▼ MIRROR-network as Reston facility▼▼
- BASELINE ARCHITECTURE
Local Area Architecture (San Diego Office)
▲▲ MIRROR-network as Reston facility▲▲
SAN DIEGO
- …does NOT have
  ➢ host a web server
  ➢ support VPN or RAS connections
  ➢ …at spare office of network resources
    ✓ NO Control of
      ▪ Access
      ▪ Temperature, humidity, static
      ▪ Redundant power supply
- San Diego ISSUES
  ➢ fewer employees
  ➢ ONE engineer – manages all networking resources
  ➢ Less-than 50 client machines
  ➢ All servers at spare office – (IT engineer likely isolated at this location)
Salem, OR
- AT&T Internet service
- 256k F-T1 circuit service
- Routers (border), managed by Omega
  ➢ screening router - configured for dynamic packet filtering
    ▪ using reflexive Access Control Lists (ACL’s)
- 30 workstations
  ➢ similar configuration as rest of company
- SERVER - File/print
  ➢ Only 1
  ➢ Microsoft Windows ® NT 4.0 Server
- EMAIL
  ➢ via San Diego exchange server
- Public Availability
  ➢ Network resources UNAVAILABLE
- Remote Access (connection)
  ➢ Available to HOME and MOBILE employees
  ➢ VPN client → to → gateway
- IT Department
  ➢ 1 IT engineer – manages all network resources
- SERVERS
  ➢ ALL located in San Diego isolated office
BASELINE ARCHITECTURE
Local Area Architecture (Salem Office)
Kansas City, MO
- AT&T Internet service
- T1 service
- Routers (border), managed by Omega
  ➢ screening router - configured for dynamic packet filtering
    ▪ using reflexive Access Control Lists (ACL’s)
- similar to Salem office
  ➢ Difference
    ▪ Runs Microsoft Exchange 2000 server → mail server
- Does NOT use
  ➢ Control access
  ➢ Control temperature, humidity, static
  ➢ redundant power supplies
[PRIORITIZE]
1. [DETERMINE MISSION BUSINESS PROCESSES & RECOVERY CRITICALITY]
• Email INTERNAL
  o Microsoft Exchange ® 2000 mail server running on a Microsoft Windows ® 2000 Server.
  o SMTP mail gateway installed by Omega
• Client Machines (operating systems)
  o Microsoft Windows ®
    ▪ 95, 98, NT Workstation 4.0, 2000, and XP.
  o Mac
    ▪ OS/8 and OS-X, Panther
• Client Machines (applications)
  o Applications NOT standardized
  o various editions of these packages
    ▪ Corel OfficeSuite ®
    ▪ Microsoft Office ®.
2. IDENTIFY RESOURCE REQUIREMENTS
3. IDENTIFY RECOVERY PRIORITIES FOR SYSTEM RESOURCES
1. SYSTEM DESCRIPTION
1.1. GENERAL DESCRIPTION
↓↓[SYSTEM ARCHITECTURE] ↓↓
BASELINE ARCHITECTURE
Local Area Architecture (Reston Office)
AIX Environment
[Diagram: Production AIX Server Complex – IBM AIX RS6000 (x13); PowerVault 130T Tape Library; EMC Symmetrix]
[OPERATING ENVIRONMENT]
[PHYSICAL LOCATIONS]
[GENERAL USERS LOCATION]
[EXTERNAL POINTS-OF-CONTACT (POC)]
[BACKUP POLICIES]
[DIAGRAM OF ARCHITECTURE]
[COMMUNICATIONS (INPUT-OUTPUT)]
2. BIA DATA COLLECTION
[INDIVIDUAL or GROUP]
[INTERVIEWS]
[EMAILS]
[QUESTIONNAIRES]
[WORKSHOPS]
[or COMBINATIONS]
2.1. PROCESS & SYSTEM CRITICALITY
MISSION / BUSINESS PROCESS DESCRIPTION
[PAY VENDOR INVOICE]
PROCESS OF…
OBLIGATING FUNDS,
ISSUING CHECK/E-PAYMENT,
[ACK] RECEIPT
3.1.1 IDENTIFY OUTAGE IMPACTS & ESTIMATED DOWNTIME
[SYSTEM OUTAGE IMPACTS]
[CLASSIFICATIONS] (COST,
[RATINGS] (SEVERE – MODERATE – MINIMAL)
MISSION/BUSINESS PROCESS IMPACT CATEGORY
INSERT INSERT INSERT INSERT IMPACT
ESTIMATED DOWNTIME
And finally….
______________▼▼▼
▼▼▼
▼▼
Summary Analysis of BIA
(executives’ perspective)
(1-2 pages)
More Related Content

Similar to SEC591_Business Impact Analysis_PROJ

Case Study: Learn How Expeditors Uses APM as Both a Technology and Process T...
Case Study:  Learn How Expeditors Uses APM as Both a Technology and Process T...Case Study:  Learn How Expeditors Uses APM as Both a Technology and Process T...
Case Study: Learn How Expeditors Uses APM as Both a Technology and Process T...CA Technologies
 
Neotys PAC 2018 - Ian Molyneaux
Neotys PAC 2018 - Ian MolyneauxNeotys PAC 2018 - Ian Molyneaux
Neotys PAC 2018 - Ian MolyneauxNeotys_Partner
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...akquinet enterprise solutions GmbH
 
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...p6academy
 
Orsyp Dollar Universe - Performance Management for SAP
Orsyp Dollar Universe - Performance Management for SAPOrsyp Dollar Universe - Performance Management for SAP
Orsyp Dollar Universe - Performance Management for SAPORSYP SOFTWARE
 
ASUG 2010 Session 3106
ASUG 2010 Session 3106ASUG 2010 Session 3106
ASUG 2010 Session 3106John Suzanne
 
Predicting When Your Applications Will Go Off the Rails! Managing DB2 Appli...
Predicting When Your Applications Will Go Off the Rails!  Managing DB2 Appli...Predicting When Your Applications Will Go Off the Rails!  Managing DB2 Appli...
Predicting When Your Applications Will Go Off the Rails! Managing DB2 Appli...CA Technologies
 
Application PaaS with SAP
Application PaaS with SAPApplication PaaS with SAP
Application PaaS with SAPWarren Eiserman
 
Analytic Predictions for IT Operations: An Overview
Analytic Predictions for IT Operations: An OverviewAnalytic Predictions for IT Operations: An Overview
Analytic Predictions for IT Operations: An OverviewRick Berzle
 
Building Products Quantitatively
Building Products QuantitativelyBuilding Products Quantitatively
Building Products QuantitativelySoren Harner
 
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...TeamQuest Corporation
 
ICE Overview : SAP - ERP Journey
ICE Overview : SAP - ERP JourneyICE Overview : SAP - ERP Journey
ICE Overview : SAP - ERP JourneySSFIndia1
 
DataVard BW Fitness Test and HeatMap
DataVard BW Fitness Test and HeatMapDataVard BW Fitness Test and HeatMap
DataVard BW Fitness Test and HeatMapDataVard
 
SAP TM Webinar 7th May 2014
SAP TM Webinar 7th May 2014SAP TM Webinar 7th May 2014
SAP TM Webinar 7th May 2014Wise Men
 
OracleappsBAEPresentationfinalshannononly
OracleappsBAEPresentationfinalshannononlyOracleappsBAEPresentationfinalshannononly
OracleappsBAEPresentationfinalshannononlyPatrick Shannon, PMP
 
Demantra Case Study Doug
Demantra Case Study DougDemantra Case Study Doug
Demantra Case Study Dougsichie
 

Similar to SEC591_Business Impact Analysis_PROJ (20)

Case Study: Learn How Expeditors Uses APM as Both a Technology and Process T...
Case Study:  Learn How Expeditors Uses APM as Both a Technology and Process T...Case Study:  Learn How Expeditors Uses APM as Both a Technology and Process T...
Case Study: Learn How Expeditors Uses APM as Both a Technology and Process T...
 
Neotys PAC 2018 - Ian Molyneaux
Neotys PAC 2018 - Ian MolyneauxNeotys PAC 2018 - Ian Molyneaux
Neotys PAC 2018 - Ian Molyneaux
 
2012-09-26 Acctg Systems Comparison
2012-09-26 Acctg Systems Comparison2012-09-26 Acctg Systems Comparison
2012-09-26 Acctg Systems Comparison
 
IM B10
IM B10IM B10
IM B10
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
 
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...
Oracle Primavera P6 r8.2 and CM14 on Exa platform using oracle Fusion Middlew...
 
Orsyp Dollar Universe - Performance Management for SAP
Orsyp Dollar Universe - Performance Management for SAPOrsyp Dollar Universe - Performance Management for SAP
Orsyp Dollar Universe - Performance Management for SAP
 
ALM at AusPost
ALM at AusPostALM at AusPost
ALM at AusPost
 
ASUG 2010 Session 3106
ASUG 2010 Session 3106ASUG 2010 Session 3106
ASUG 2010 Session 3106
 
NZS-4532 - Bringing Historical Data to Life with IBMs SMF Data Engine
NZS-4532 - Bringing Historical Data to Life with IBMs SMF Data EngineNZS-4532 - Bringing Historical Data to Life with IBMs SMF Data Engine
NZS-4532 - Bringing Historical Data to Life with IBMs SMF Data Engine
 
Predicting When Your Applications Will Go Off the Rails! Managing DB2 Appli...
Predicting When Your Applications Will Go Off the Rails!  Managing DB2 Appli...Predicting When Your Applications Will Go Off the Rails!  Managing DB2 Appli...
Predicting When Your Applications Will Go Off the Rails! Managing DB2 Appli...
 
Application PaaS with SAP
Application PaaS with SAPApplication PaaS with SAP
Application PaaS with SAP
 
Analytic Predictions for IT Operations: An Overview
Analytic Predictions for IT Operations: An OverviewAnalytic Predictions for IT Operations: An Overview
Analytic Predictions for IT Operations: An Overview
 
Building Products Quantitatively
Building Products QuantitativelyBuilding Products Quantitatively
Building Products Quantitatively
 
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...
Automating IT Analytics to Optimize Service Delivery and Cost at Safeway - A ...
 
ICE Overview : SAP - ERP Journey
ICE Overview : SAP - ERP JourneyICE Overview : SAP - ERP Journey
ICE Overview : SAP - ERP Journey
 
DataVard BW Fitness Test and HeatMap
DataVard BW Fitness Test and HeatMapDataVard BW Fitness Test and HeatMap
DataVard BW Fitness Test and HeatMap
 
SAP TM Webinar 7th May 2014
SAP TM Webinar 7th May 2014SAP TM Webinar 7th May 2014
SAP TM Webinar 7th May 2014
 
OracleappsBAEPresentationfinalshannononly
OracleappsBAEPresentationfinalshannononlyOracleappsBAEPresentationfinalshannononly
OracleappsBAEPresentationfinalshannononly
 
Demantra Case Study Doug
Demantra Case Study DougDemantra Case Study Doug
Demantra Case Study Doug
 

SEC591_Business Impact Analysis_PROJ

  • 1. 1 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. Business Impact Analysis (BIA) Omega Research Consulting & Research By: James Dawkins ▬▬▬ SEC591-62074 Disaster Recovery/Forensics Analysis Prof. Patrick Coyle
  • 2. 2 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. OVERVIEW The Business Impact Analysis (BIA) is developed as part of the Contingency Planning Process. The BIA focuses on the firm OMEGA RESEARCH Inc. (to be called OMEGA throughout the report), its critical business processes, and critical components assisting in critical business processes. Prepared for release on {November 20, 2016} and must be reviewed annually AS A MINIMUM REQUIREMENT, but priority of revision depends on business fluidity. Therefore, business adjustments determine BIA adjustments PURPOSE The purpose of the BIA is to identify critical components of OMEGA, analyze interdependencies, then prioritize components with business processes. OMEGA GEOGRAPHIC ARCHITECTURE (MAIN OFFICE) ▬ Reston, VA (Branch Offices) ▬ - Kansas City, MO - Salem, OR - San Diego, CA ▬▬▬▬▬▬▬▬
  • 3. 3 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. INTERNET CONNETIVITY CURRENT GEOGRAPHICAL ARCHITECTURE ▬▬▬▬▬▬▬▬
  • 4. 4 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. COMPONENTS OF CRITICALITY SAP BY Sungard AIX ENVIRONMENT BORDER ROUTERS SYSTEM PROCESSES - Data Warehouse - Finance - Reporting - Data Warehouse - Finance - Reporting DATA TRAFFIC Filter recovery criticality - HIGH→DATA WH - HIGH → FINANCE -GH→REPORTING - HIGH → DATA WH - HIGH → FINANCE - HIGH → REPORTING HIGH → NETWORK SECURITY RESOURCE REQUIREMENTS (reference – external points of contact) SUNGARD (vendor) IBM (vendor) OMEGA INC. (AT&T Internet) SERVICES - Recovery Services of Server Environment - Tape Library - TSM Server Network Security CONTACT 877-456-3966 215-351-1300 401 N Broad St. Philadelphia, PA Don Meltin (Test Coord.) -Jack Fabrianni (Acct. Rep) -Lincoln Balducci (Resource Coord) 214-451-7747 522 South Rd Poughkeepsie, NY 12601 -Steve Barretta Tiffany Sabers, Omega Inc. Chief Information Officer
  • 5. 5 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. Critical Components – Individual Assessments ▬▬▬▬▬▬▬▬▬▬▬▬▬▬ SAP by SunGard SAP - All Encompassing Business Tool Functions: Finance Schedule Data Storage Physical Location Reston, VA SunGard (vendor) Locations ¾ states match Omega’s locations 1 state neighbors Reston locations VENDOR LOCATION COMPARISON SunGard Omega ▬▬▬▬▬▬▬
  • 6. 6 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. AIX Environment by IBM AIX Environment by IBM Functions: Finance Schedule Data Storage Physical Location Reston – San Fransisco – Salem – Kansas City IBM (vendor) Locations 5/5 matching states with Omega  Operating System of Network Components (including)  RAS Server  DNS Server  Web Server  File/Print Server  SMPT Mail Gateway  Exchange 2000 Mail Server AIX ENVIRONMENT EQUIPMENT LIST ▬▬▬▬▬▬▬ Server Name Model Purpose Memory CPU Disk OS Network Services new NIM RS6000 7025 - F50 NIM Server 512MB 2-375Mhz 36GB AIX (2)Ethernet 10/100, (2)Fibre 6228 Omega-f1n9 RS6000 7026 - 6H1 TSM Server 2GB 4-600Mhz 108GB AIX (2)Ethernet 10/100, (2)Fibre 6228, Omega-odw RS6000 7026 - 6M1 EDW 8GB 4-750Mhz 72GB AIX (2)Ethernet 10/100, (2)Fibre 6228 Omega-f6n1 RS6000 7026 - 6M1 Hyperion/ Express 8GB 4-750Mhz 72GB AIX (2)Ethernet 10/100, (2)Fibre 6228 Omega-f1n11 RS6000 7026 - 6H1 UFS 1GB 2-600Mhz 72GB AIX (2)Ethernet 10/100, (2)Fibre 6228 new BrioSQR RS6000 7026 - 6H1 Brio SQR 2GB 4-600Mhz 108GB AIX (2)Ethernet 10/100, (2)Fibre 6228 new BrioPortal RS6000 7026 - 6H1 Brio Portal 2GB 4-600Mhz 108GB AIX (2)Ethernet 10/100, (2)Fibre 6228 Omega-f2n7 RS6000 7026 - 6H1 SAPDev DB/CI 8GB 4-600Mhz 108GB AIX (2)Ethernet 10/100, (2)Fibre 6228 new SAPDB RS6000 7026 - S85 SAPProd DB/CI 18GB 12-750Mhz 1000GB AIX (2)Ethernet 10/100, (2)Fibre 6228 new SAPApp1 RS6000 7026 - 6M1 SAPProd App. 8GB 8-600Mhz 27GB AIX (2)Ethernet 10/100 new SAPApp2 RS6000 7026 - 6M1 SAPProd App. 8GB 8-600Mhz 27GB AIX (2)Ethernet 10/100 new SAPApp3 RS6000 7026 - 6M1 SAPProd App. 8GB 8-600Mhz 27GB AIX (2)Ethernet 10/100 new SAPApp4 RS6000 7026 - 6M1 SAPProd App. 8GB 8-600Mhz 27GB AIX (2)Ethernet 10/100 LTO Tape Library No Model Indicator 5 Drives EMC Disk No Model Indicator 2 TB
  • 7. 7 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. Omega’s Network Perimeter Network Perimeter Functions: Internet Connection Data Security VPN connection Physical Location Reston – San Fransisco – Salem – Kansas City Omega Omega owns & operates each router Router- filter methods: - Internal Employees, Customers, Vendors, Clients, Public  border routers - owned & managed by Omega  Dynamic Filtering ROUTERS  IT department manages border security  System Administrator directs IT Department  POOR policy management by System Admin @ HQ  Promotes all-around BAD PRACTICES - INTERNET CONNECTIVITY  SERVICES  T-1 Internet-speed  Reston / San Diego / Kansas City  256k F-T1 circuit service (speeds)  Salem
  • 8. 8 | P a g e BUSINESS IMPACT ASSESSMENT – OMEGA RESEARCH INC. ► ANALYSIS◄ The analysis gathers INPUT from:  Internal employees  Consultant  Consultant Analysis INCLUDES input of both:  Internal employees  Professional self-assessment Information is accumulated with 1-on-1 interview methods, and personal consultant analysis. ▬▬▬▬ INPUT - INTERNAL EMPLOYEES OMEGA’S LEADERSHIP TEAM PROVIDES VALUABLE INSIGHT INTO COMPANY PRIORITIES Omega hierarchy chart ▬▬▬▬ BILL HERMANN – CEO - PRIORITY: SAP_Cash flow - SAP sole reliance of cash flow management - Max. downtime <=2 days - Otherwise borrowing cash
  • 9. [Figure: Omega hierarchy chart - OPERATIONS]
    ▬▬▬▬
    Linda Okonleski – COO (Chief Operations Officer)
    - PRIORITY: SAP – schedule / billing
    - SAP Business vitality – INVOICE clients
    - Legal ramifications of irregular business-as-usual
    Nate Brown – Director of Consultant Services
    - PRIORITY: Scheduling / Billing
    - Scheduling / Billing – 2 most important components to business success
    Sandy Ales – Director of Sales & Marketing
    - PRIORITY: Scheduling / Billing
    - Scheduling / Billing: Omega’s competitive advantage
    - 30-40% short-term contracts
    - depend on up-to-date data
    ▬▬▬▬
    [Figure: Omega hierarchy chart – Information Technology]
  • 10. ▬▬▬▬
    Tiffany Sabers – CIO (Chief Information Officer)
    - PRIORITY: SAP_Data Backup
    - Current Recovery Time, 3-4 days - slow
    - Sole dependence on SAP data backup methods
    - Financial Worry
    - $14M (initial cost) without data backup implementation
    - But cost-effective backup method required
    Rachid Chad – Director of IT Development
    - PRIORITY: SAP Implementation
    - COST = $14M
    - NO backup system in-place
    - But cannot afford expensive backup plan
    - Economy-of-Scale
    - Backup plans
    Tyler Amdahl – Director of IT Operations
    - PRIORITY: SAP
    - Says REDUNDANCY already in place
    - But working with SunGard for solution
    - Maximum Downtime 12-16 hours (<24 hours)
    ▬▬▬▬
    [Figure: Omega hierarchy chart – Finance]
  • 11. John Sampolous – CFO (Chief Financial Officer)
    - PRIORITY: Cash Flow
    - Max Down Time: <= 1 day
    - Otherwise, borrowing on day 2
    - Cash-flow vitality
    - No product as collateral
    - $3-500k / day (penalties)
    - Interest alone
    Reyes Emme – Director of HR & Payroll
    - PRIORITY: SAP – Finance
    - Priority – Employees Paychecks
    - Must Budget 7-10 days of payroll
    - Maximum Downtime <=3 days (under 72 hours)
    Jackson Davis – Director of Accounting
    - PRIORITY: SAP - Finance
    - SAP - Sole dependence
    - Most vital area – Accounts Payable
    - 10% damages per $100,000
    ▬▬▬▬
  • 12. CONSULTANT INPUT:
    - REASONS of Business Impact Analysis
        • DAMAGE $550,000.00
        • Oracle Database breached
        • Reston, VA at off-site DATA CENTER
    - Omega hired me, as a consultant, to investigate its data security vulnerabilities and develop a newly formed Business Impact Analysis.
    - Factors that allowed the breach at (Reston OFF-SITE data center)
        • POOR PROTOCOLS of data security
        • POOR preventive measures
    - existing VULNERABILITIES
        • REQUIRE IMMEDIATE ATTENTION
        • overpowering number of vulnerabilities
        • BELOW PAR factors
            - SAP: Protocol / Preventive / Backup
            - AIX: Protocol / Preventive / Backup
            - Perimeter Protection: Protocol / Preventive / Backup
        • BUDGET inefficiencies
            - Kansas City – overwhelming and consuming budget
            - Inconsistent Budget
  • 13. [Figure: EQUIPMENT VALUE – OMEGA branches (1 of 2) – Book Value, Adjusted Value]
    ▬▬▬▬▬▬▬▬▬▬
    [Figure: EQUIPMENT VALUE – OMEGA BRANCHES (2 of 2) – Book Value, Adjusted Value]
    *Kansas City NOT included in this version (to show scale)
  • 14. [Figure: EQUIPMENT VALUE – San Diego – Book Value, Adjusted Value]
    ▬▬▬▬▬▬▬▬▬▬
    [Figure: EQUIPMENT VALUE – Salem, OR – Book Value, Adjusted Value]
    ▬▬▬▬▬▬▬▬▬▬
  • 15. [Figure: EQUIPMENT VALUE – Kansas City, MO – Book Value, Adjusted Value]
    ▬▬▬▬▬▬▬▬▬▬
    [Figure: EQUIPMENT VALUE – Reston, VA – Book Value, Adjusted Value]
    ▬▬▬▬▬▬▬▬▬▬
  • 16. Risk Factors (based on analysis)
    | LOCATION | EVENT | LIKELIHOOD | IMPACT (1-3) | RISK FACTOR | Insurance |
    |---|---|---|---|---|---|
    | Reston | flood | 1/500 | 3 | .6 | YES $18K/yr +5%/yr |
    | San Francisco | earthquake | 1/20 | 2 | 10 | NO ($25K/yr) |
    | Kansas City | tornado | 1/5 | 1 | 20 | YES $14K/yr |
    | Salem | ---- | ---- | ---- | ---- | ---- |
    KEY →→ UNLIKELY | PROBABLE | LIKELY
    ▬▬▬▬▬▬▬▬▬▬
    MAXIMUM DOWNTIMES
    …based on input from employees and consultant analysis
    | | SAP | AIX | Network Perimeter |
    |---|---|---|---|
    | Maximum tolerable downtime | < 24 hours (CFO) | 12-16 hours (< 24 hrs.) | < 24 hours |
    | Recovery Time Objective | <24 hours | 8 hours | < 12 hours |
    | Recovery Point Objective | <= 6 hours | <= 6 hours | <= 6 hours |
    KEY →→ +48 hrs | 24-48 hrs | <24 hrs
    ▬▬▬▬▬▬▬▬▬▬
  • 17. ▬▬▬▬▬▬▬▬▬▬
    OVERALL BUSINESS DIRECTION
    (Based on consultant-gathered information)
        • RAPID company growth
        • Competitive Advantages
            - Consulting of local business
            - Research of consulting concepts
        • SYNERGY
            - DECREASE Total-Cost-of-Ownership (TCO)
            - isolate Consulting and Research
            - Consulting - continued expansion
            - research - consolidation
                o Reston
                o San Francisco
    - NECESSARY ADJUSTMENTS
    …to assist business objectives...based on critical processes
    Primary SITE ▬ Backup HOT SITE
    RESTON, VA ▬ SAN FRANCISCO, CA
  • 18. BIA - NECESSARY ADJUSTMENTS
    SAP
    SAP PREVENTIVE MEASURES
    - ISSUES: NO Policy & Procedures document: No reference to proper security detail
      CHANGES: Create document officially accepted company-wide
      RESULT: Reference material on proper security measures
    - ISSUES: NO training or reminders: No company-wide security culture
      CHANGES: Implement training sessions as standard protocol
      RESULT: Improved culture of security safeguards
    - ISSUES: Access Controls: Anyone can access physical data center ▬ Caused $500,000 loss
      CHANGES: Improve security standards of Physical access
      RESULT: IMPROVED security – reduced disaster opportunity
    - ISSUES: Backups (cost): Desired, but none! Still searching for economy-of-scale process
      CHANGES: Add cluster backup methods & store at remote location (branch office NOT at Reston / SF)
      RESULT: Data quickly available from branch site -- trusted / connected environment
    BUDGET
    - ISSUES: Redundant locations (at each branch)
        - NOT in-line with company goals → SYNERGY
        - NOT utilizing VPN
        - Unnecessary expenses
      CHANGES: CONSOLIDATE AIX Environment to Reston & San Francisco ▬ ENHANCE robustness at Reston / San Francisco ▬ Increase data center budget at Reston & San Francisco
      RESULT: Cost effective ▬ Increased capacity & scalability of data security
  • 19. AIX ENVIRONMENT
    AIX PREVENTIVE MEASURES
    - ISSUES: AIX incompatibilities ▬ Microsoft OS-friendly / Macintosh OS – enemy ▬ both OS-types currently in-use
      CHANGES: Update AIX environment; make cross-compatible for both OS
      RESULT: Cross-compatible / preferred choice work environment; enhanced employee productivity
    BACKUP METHODS
    - ISSUES: NO OFFICIAL BACKUP PROCEDURE
      CHANGES: Set up secondary AIX environment at San Francisco (hot-site) in case disaster strikes ▬ Work with IBM to produce “economy of scale” backup standards ▬ CREATE documents and procedures that meet or exceed NIST standards
      RESULT: Disaster Recovery Methods set for rapid response to HIGH RISK business components
    NETWORK PERIMETER
    Network Perimeter ROUTERS (FIREWALL)
    - ISSUES: Currently using (screening routers) at each branch location ▬ NOT the most secure firewall option ▬ Expensive – duplicate network equipment
      CHANGES: Utilize VPN ▬ use stateful packet filtering ▬ Use only at Reston and San Francisco (HQ & Hot-Site) ▬ Utilize VPN
      RESULT: More secure firewall/router combo ▬ Cost effective consolidation ▬ Stricter authorization ▬ Packet checks per session
    - ISSUES: VPN and (AIX environments) at branch locations causing REDUNDANT budgetary requirements
      CHANGES: PRIMARY VPN at Reston, VA (HQ) ▬ Backup VPN at San Francisco (hot-site)
      RESULT: Centralized network / server environment ▬ Major Cost Savings
  • 20. WORKSTATIONS
    - ISSUES: NO routine patches: Major vulnerability of breach
      CHANGES: Update virus definitions ▬ Add spyware
      RESULT: Improved tracking of suspicious activities ▬ Improve audit logging
    IT MANAGEMENT
    - ISSUES: Micro-Control by network administrator at Reston ▬ Branch office IT administrators control at branch office
      CHANGES: CONSOLIDATION of SYNERGY: Merge IT employees to Reston ▬ Temporary work cycles at San Francisco – maintain “hot-site” network components ▬ Effective recovery testing
      RESULT: Cost effective for overall budget via consolidation ▬ Improved management
  • 22. Recovery Priorities:
    - IDENTIFY RECOVERY PRIORITIES
  • 23. [OPERATING ENVIRONMENT]
        • EMC Symmetrix
            - Reston, VA (main location)
        • IBM Tivoli Storage Manager (TSM)
            - compatible with most operating systems
        • IBM Tape Storage
            - IBM installed & managed (location anywhere)
        • SunGard – recovery services
            - RaaS → Recovery-as-a-Service
            - Including → Virginia / Missouri / California
            - (3 of 4 states) of Omega office locations
    [PHYSICAL LOCATIONS]
        • Reston, VA
            - EMC Symmetrix
            - Tape Library / TSM Server
    [GENERAL LOCATION of END-USERS]
        • All Omega locations (Reston / San Diego / Kansas City / Salem)
        • *****Off-site engineers (quantity / locations?) *****
    [EXTERNAL POINTS-OF-CONTACT (POC)]
    LAN
    *****
    [BACKUP POLICIES]
    *****
    [DIAGRAM OF ARCHITECTURE]
  • 24. *****
    [COMMUNICATIONS (INPUT-OUTPUT)]
    RESTON, VA ▬ (MAIN OFFICE)
    ***DAMAGE ►$550,000.00 ▬ Oracle Database***
    - Border Routers
        • screening router –
            - configured for dynamic packet filtering
            - reflexive Access Control Lists (ACL’s)
    - Servers
        • centrally located @ Reston data center
        • Data center
        • Access controls
            - 5 keypunch combination lock
            - IT department knows combination
            - Combination rarely rotated
        • Preventive
            - HVAC purification – humidity control
            - HVAC services – temperature control
            - NO static electricity → NO raised floor
            - UPS power – mini systems, each component
                o NO site-wide UPS
    - DNS server
        • OMEGAresearch.com
        • Publicly accessible web (Email, web) – name resolution
        • Web hosting services - Microsoft Windows ® 2000 Server running Internet Information Services (IIS).
        • X.500 directory service
            o Mixed environment
            o Immature implementation
        • Server / Client OS not routinely patched
    - Printers
        • Network connected throughout (Reston office)
    - IT Department
        • Manage NETWORK and NETWORKED RESOURCES @ Reston
        • > 170 workstations
        • 6 servers
    (BRANCH OFFICES)
    San Diego, CA
    - AT&T Internet services
    - T1 service
    - Routers (border), managed by Omega
        • screening router - configured for dynamic packet filtering
        • using reflexive Access Control Lists (ACL’s)
  • 25. ▼▼ MIRROR-network as Reston facility ▼▼
    - BASELINE ARCHITECTURE
    [Figure: Local Area Architecture (San Diego Office)]
    ▲▲ MIRROR-network as Reston facility ▲▲
    SAN DIEGO
    - …does NOT have
        • host a web server
        • support VPN or RAS connections
        • …at spare office of network resources
        • NO Control of
            - Access
            - Temperature, humidity, static
            - Redundant power supply
    - San Diego ISSUES
        • fewer employees
        • ONE engineer – manages all networking resources
        • Less-than 50 client machines
        • All servers at spare office – (IT engineer likely isolated at this location)
  • 26. Salem, OR
    - AT&T Internet service
    - 256k F-T1 circuit service
    - Routers (border), managed by Omega
        • screening router - configured for dynamic packet filtering
        • using reflexive Access Control Lists (ACL’s)
    - 30 workstations
        • similar configuration as rest of company
    - SERVER - File/print
        • Only 1
        • Microsoft Windows ® NT 4.0 Server
    - EMAIL
        • via San Diego exchange server
    - Public Availability
        • Network resources UNAVAILABLE
    - Remote Access (connection)
        • Available to HOME and MOBILE employees
        • VPN client → to → gateway
    - IT Department
        • 1 IT engineer – manages all network resources
    - SERVERS
        • ALL located in San Diego isolated office
    BASELINE ARCHITECTURE
    [Figure: Local Area Architecture (Salem Office)]
    Kansas City, MO
  • 27. - AT&T Internet service
    - T1 service
    - Routers (border), managed by Omega
        • screening router - configured for dynamic packet filtering
        • using reflexive Access Control Lists (ACL’s)
    - similar to Salem office
        • Difference
            - Runs Microsoft Exchange 2000 server → mail server
    - Does NOT use
        • Control access
        • Control temperature, humidity, static
        • redundant power supplies
    [PRIORITIZE]
    1. [DETERMINE MISSION BUSINESS PROCESSES & RECOVERY CRITICALITY]
        • Email INTERNAL
            o Microsoft Exchange ® 2000 mail server running on a Microsoft Windows ® 2000 Server.
            o SMTP mail gateway installed by Omega
        • Client Machines (operating systems)
            o Microsoft Windows ®
                - 95, 98, NT Workstation 4.0, 2000, and XP.
            o Mac
                - OS/8 and OS-X, Panther
        • Client Machines (applications)
  • 28.         o Applications NOT standardized
            o various editions of these packages
                - Corel OfficeSuite ®
                - Microsoft Office ®.
    2. IDENTIFY RESOURCE REQUIREMENTS
    3. IDENTIFY RECOVERY PRIORITIES FOR SYSTEM RESOURCES
    1. SYSTEM DESCRIPTION
    1.1. GENERAL DESCRIPTION
    ↓↓ [SYSTEM ARCHITECTURE] ↓↓
    BASELINE ARCHITECTURE
    [Figure: Local Area Architecture (Reston Office)]
    AIX Environment
  • 29. [Figure: Production AIX Server Complex – IBM AIX RS6000 (x13), SD PowerVault 130T Tape Library, EMC Symmetrix]
    [OPERATING ENVIRONMENT]
    [PHYSICAL LOCATIONS]
    [GENERAL USERS LOCATION]
    [EXTERNAL POINTS-OF-CONTACT (POC)]
    [BACKUP POLICIES]
    [DIAGRAM OF ARCHITECTURE]
    [COMMUNICATIONS (INPUT-OUTPUT)]
    2. BIA DATA COLLECTION
    [INDIVIDUAL or GROUP] [INTERVIEWS] [EMAILS] [QUESTIONNAIRES] [WORKSHOPS] [or COMBINATIONS]
    2.1. PROCESS & SYSTEM CRITICALITY
    MISSION / BUSINESS PROCESS | DESCRIPTION
    [PAY VENDOR INVOICE] | PROCESS OF… OBLIGATING FUNDS, ISSUING CHECK/E-PAYMENT, [ACK] RECEIPT
    3.1.1 IDENTIFY OUTAGE IMPACTS & ESTIMATED DOWNTIME
    [SYSTEM OUTAGE IMPACTS]
    [CLASSIFICATIONS] (COST,
    [RATINGS] (SEVERE – MODERATE – MINIMAL)
  • 30. MISSION/BUSINESS PROCESS | IMPACT CATEGORY: INSERT | INSERT | INSERT | INSERT | IMPACT | ESTIMATED DOWNTIME
    And finally….
    ▼▼▼ ▼▼▼ ▼▼
    Summary Analysis of BIA (executives’ perspective) (1-2 pages)