City of New Orleans
Response for Proposals
Unit 10 Assignment 1: Team RFP Response Report
Delivery
INFORMATION SECURITY AND CYBERSECURITY
PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR’S DEGREE
Submitted to:
ADVISOR, Mr. Evans
Submitted by:
Mark Milburn
ITT TECHNICAL INSTITUTE
ARLINGTON, TEXAS
May, 2016
Table of Contents
I. Research
i. Review of Firm’s Qualifications
II. Data Analysis
i. RFP Clarification Questions
ii. RFP Technical Requirements and Differences from Existing
Controls
iii. Data Privacy Legal Requirements as per RFP’s Compliance
iv. Data Protection and Privacy
v. Risk Assessment Project Plan Definition
vi. Risk Prioritization and Mitigation Project Plan Definition
vii. Risk Mitigation Actions Based on Qualitative Risk
Assessment’s Risk Prioritization
III. Solution Design
i. Benefits of Our Recommendations
ii. Data Privacy Legal Requirements as per RFP’s Compliance
iii. Procedure to Conduct a Security Assessment and Risk
Identification
iv. Data Security Mitigation Actions Based on Qualitative
Risk Assessment
v. Phased Project Approach and High-Level
Project Plan Including Prioritized Security
Controls
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
ii. High-Level Description of Current Client’s Need
iii. IT Security Compliance and Governance Gap Analysis Plan
Outline
iv. Compliance Project Plan Definition
v. Disaster Recovery Plan Outline
vi. Business Continuity Plan Outline
V. Executive Summary
i. Layered Solution Executive Summary
I. Research
i. Review of Firm’s Qualifications
We have reviewed the vendor minimum requirements and would like to
provide a statement of how we meet each RFP requirement.
Must be in business for at least the last five consecutive years: Telecon
Security Services Inc. has been in business for ten years.
Report annual gross sales of at least one million U.S. dollars: Our
annual gross sales are currently $1.9 million.
Present at least three references of previous engagements (within the
last three years) that are materially similar to the requirements contained
in this document: Telecon Security Services Inc. has won five major
contracts and ten small contracts in the last seven years for vulnerability
assessments and penetration tests.
Must have at least one person who will be a primary participant in
delivering products and services who holds a Certified Information
Systems Security Professional (CISSP), Certified Information Security
Manager (CISM), or equivalent: Our team of thirty-five employees
holds certifications in the areas requested. Of the nine employees who
work on the new prospective products and services, seven hold
Certified Information Systems Security Professional (CISSP)
certifications, six hold Certified Information Security Manager (CISM),
and seven hold the Global Information Assurance Certification (GIAC)
Security Essentials Certification (GSEC).
Cannot have any active managed security service provider contracts
with any other agency in this state: We do not have any active contracts
and are in the process of expanding our own business in the state of
New Orleans. We can provide samples of previous reports for other
clients that contain four of the five fields you requested:
Risk Assessment
Vulnerability Assessment
Penetration Testing
Business Continuity Plan/Disaster Recovery Plan (BCP/DRP)
Telecon Security Services Inc. has identified gaps in two areas of the
state's minimum requirements:
Must maintain at least one permanent office in this state: We are currently
looking to expand our business but have not yet decided on the best location for
our organization.
Provide previous reports for other clients for source code review: Security
Patching Inc. does not have the means to assess source code security and does
not employ development security specialists.
II. Data Analysis
i. RFP Clarification Questions
After reviewing the RFP for technology consulting services, Telecon Security
Services Inc. has identified the following questions:
1. The scope of the RFP states the State wants a review of its entire system
security program. How many locations and agencies will this comprise?
2. Task #1 asks Telecon Security Services Inc. to conduct a vulnerability
assessment for the State's system. In order to do this properly, Cyber-Link will
be conducting penetration testing. What limitations, if any, will Cyber-Link have
when it comes to performing penetration testing on the State's systems?
3. Task #3 asks Telecon Security Services Inc. to provide training to State
employees. Should there be multiple levels of training for different types of
employees, or broader training material that covers every user?
ii. RFP Technical Requirements and Differences from Existing Controls
After reviewing the RFP's description of the current IT security policy and its
technical description, the following comparisons of the two descriptions have been
made, along with a list of differences and/or gaps.
Application Control - Current Gap
Media Disposal and Reuse - Current control calls for drives to be wiped by a tool
that wipes bit by bit and sanitizes the drive before it is given to a new user.
User Identification and Authorization - Current control calls for users to have
at a minimum a username and password with the correct access to network
resources.
User Privilege Control - Current Gap
User Account Lockout - Current control calls for the account to be locked after a
certain number of failed login attempts.
Mobile and Workstation Computing - Current control calls for protection from
unauthorized use, modification or destruction.
Mobile Computing - Current control calls for no saving of sensitive organizational
data and mobile workstations require full disk encryption.
Operating System Access Controls - Current Gap
Use of Shared Technology Resource - Current Gap
Personnel Background Investigation - Current Gap
Acceptable Use Policy - Current control is a full access control policy.
Software Control - Current control asks for support of security mechanisms that
provide data integrity, confidentiality and availability as well as an auditing
mechanism.
Malicious Software Control - Current control calls for anti-virus and anti-malware
installed on every workstation to mitigate the risk of data leakage.
Segregation of Duties - Current Gap
iii. Data Privacy Legal Requirements as per RFP's Compliance
After reviewing the RFP's current IT security policy framework, privacy data legal
requirements, and the security gap analysis, the following security gaps that relate to
protecting privacy data have been identified, along with the impact each could have on the
client's organization and its importance.
Compliance with Legal Requirements - All State Government agencies must be
compliant with any State or Federal regulatory requirements which supersede
this policy document
Threat level very high - Could be subject to fines and/or lawsuits if found not in
compliance.
Applicable Legislation - All State Government agencies must be compliant with
any legislation enacted by the State Government in regards to the management
of information resources on behalf of the State.
Agencies must be in compliance with all legislation passed by the state
government.
iv. Data Protection and Privacy
Data Protection and Privacy - All State Government agency data custodians
must ensure that all "Personal Information" data assets, as defined by applicable
State and/or Federal law and regulations, are protected from unauthorized use,
modification, or disclosure.
Threat level very high - Would be subject to a large number of torts if personal
information is stolen.
Data Breach and Disclosure - Any State Government agency that discovers a
breach of the information security controls set forth in this policy which results in
disclosure of unencrypted "personal information" about persons to unauthorized
third parties shall provide notice of the disclosure in accordance with State law,
mandates, and acts.
Threat level very high - Would be subject to a large number of torts if personal
information is stolen.
v. Risk Assessment Project Plan Definition
The following project plan outlines a qualitative risk analysis of the identified
risks, threats, and vulnerabilities, together with the requirements to implement the risk
analysis solution and the mitigation recommendations.
Segmentation and Layered Security
Developers implement layered security technologies and configurations
based on role, risk, sensitivity, and access control rules.
Media Handling and Security
Auditing and enforcement to ensure that only licensed software is
installed on systems.
User Access Management
Management and employees to handle procedures such as new
account creation, account transfer, job profile changes, account
termination, and/or account deletion.
Network Access Control
Network designers to design a network that provides the ability to
segregate and control traffic between systems, connected devices, and
third parties based on role, risk, and sensitivity. Employees to keep the
network running.
vi. Risk Prioritization and Mitigation Project Plan Definition
After reviewing the data security requirements, the current RFP technical
description, and the output from the qualitative risk assessment, the following
project plan has been developed.
User Identification and Authorization - System in place that requires the use of
a user ID and password that uniquely identifies the user before providing access
to protected information resources.
User Password Management - Guidelines developed which require users to
create and maintain passwords to protect against unauthorized access.
Segregation in Networks - Design a network that at a minimum has separate
public, demilitarized, and private security zones based on risk.
Data Protection and Privacy - Systems in place to ensure all personal information
is protected from unauthorized use, modification, or disclosure.
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk
Prioritization
The first step in data security is user access control. All state
government agencies will develop, document, and maintain user access and account
management procedures. These procedures may include, but are not limited to,
new account creation, account transfer and/or job profile changes, and account termination
and/or deletion. Also, at a minimum, user access to protected information resources requires the
use of a user ID and password that uniquely identifies the user.
Sharing access credentials intended to authenticate and authorize a single user between
any two or more individuals is prohibited. Finally, passwords assigned to users must be created
and managed to protect against unauthorized disclosure or use and must
meet the minimum password requirements. The next step in data protection is
proper network access control. All enterprise network architectures operated by, or on
behalf of, the state government shall be designed to support, at a minimum, separate
public, demilitarized, and private security zones based on role, risk, and sensitivity.
Bridging between discrete security zones is strictly prohibited. All access between
discrete security zones shall be controlled by a security mechanism configured to deny all
access by default unless explicitly authorized and approved by the security
management team.
The last step is to ensure all government agencies are in compliance with
the security policy. All state agencies must also be in compliance with any
state or federal regulatory requirements that supersede the local policy.
This is to ensure that all personal information data assets, as defined by
applicable state and/or federal law and regulations, are protected from unauthorized use,
modification, or disclosure.
III. Solution Design
i. Benefits of Our Recommendations
Below is a list of the IT security gaps that we have identified, along with
the recommended mitigation action for each.
Application Control - Hire procurement staff to keep track of licenses for
specific applications and for applications purchased by users.
User Privilege Control - Set up user groups for specific areas of the network and
limit what each department can see.
Operating System Access Controls - Remove administrative access from non-power
users in order to keep them from performing damaging actions or installing viruses.
Use of Shared Technology Resources - Set session time-out through GPO to a
short period so that users cannot use each other's profiles. Do not give
users admin rights that would let them see other users' profile folders.
Personnel Background Investigation - Use a third-party background check
company to research potential employees.
Segregation of Duties - Management staff to agree on the specific job
titles for the organization's personnel. This allows us to segregate access
control.
ii. Data Privacy Legal Requirements as per RFP’s Compliance
After conducting an IT security compliance and governance gap
analysis, the following gaps related to privacy data have been identified, and a
mitigation control has been recommended for each.
Compliance with Legal Requirements - Would have legal experts
review regulatory requirements and create a framework for auditors
and managers to ensure all regulatory requirements are being
followed/enforced.
Applicable Legislation - Would have legal experts review legislation
and create a framework for auditors and managers to ensure all
regulatory requirements are being followed/enforced.
Data Protection and Privacy - Would create standard operating
procedures for acceptable use of personal information, protecting it
from unauthorized use, modification, or disclosure. Would empower
auditors and managers to ensure policies are being
followed/enforced.
Data Breach and Disclosure - Would train employees to provide
notices of disclosure to those individuals affected.
iii. Procedure to Conduct a Security Assessment and Risk
Identification
The following procedures, explanations, and actions have been developed
in order to conduct a security assessment for the workstation and
system/applications domains.
Workstation Domain
Educating and retraining users on acceptable use. Educating and
constantly training the users will mitigate most of the risk
experienced in the workstation domain. Users will know how to handle
specific situations that can potentially bring harm to the network.
Train during a new employee's first week, with yearly refresher training
covering new threats.
Setting an auto-lock policy for when the user is away from the PC. This
mitigates the risk of other users seeing or tampering with data they are
not supposed to have access to. Create a GPO policy that will auto-lock
the computer after ten minutes of non-use.
Securely deleting data from a computer's recycle bin. This mitigates the
risk of a user or hacker trying to find hidden or erased data by
writing zeros over any data that has been deleted. Create a GPO
policy that will securely delete all deleted files from the drive.
Securely dispose of computers and drives once the computer has
been deemed inactive. This mitigates data leakage by making sure
the drives have been removed and erased bit by bit. Buy tools to write
zeros over every bit on the drive so it can be safely disposed of.
Installing antivirus at an enterprise level. This mitigates data leakage
and stops malicious software from destroying hardware. Use enterprise-level
antivirus that can be managed from a central server.
System/Application Domain
Patching servers, firewalls, and workstations. This prevents attackers
from exploiting known vulnerabilities in server, firewall, and workstation
operating systems.
Software to scan incoming/outgoing emails, and server hardening.
The software will scan all incoming and outgoing emails for viruses
and hidden data. Also remove any services not being used by the email
servers. Installation of software like Iron Mail.
Protect database servers from attacks, and server hardening. This
mitigates attacks on SQL servers. Also remove any services not
being used by the database servers. Define each database field with the exact
data type of the information it needs to hold.
Protect web servers from attacks, and server hardening. Also
remove any services not being used by the web servers.
Close firewall ports that are not in use. This prevents attackers
from using unused open ports to gain access to the network. Turn off
ports not being used by system servers/workstations.
iv. Data Security Mitigation Actions Based on Qualitative Risk
Assessment
The following plan aligns the tasks and deliverables for risk
assessment, analysis, and remediation with specific recommendations for
addressing the risks identified.
Segmentation and Layered Security - The State Government's
operational environment shall support segmentation and layered
security technologies and configurations based on role, risk, and
sensitivity. Developers will implement layered security technologies
and configurations based on access control rules.
Media Handling and Security - Only licensed software procured
through the State Government contracts shall be installed in the
State’s environment. Auditors and managers will ensure that only
licensed software is installed on systems.
User Access Management - All State Government agencies shall
develop, document, and maintain user access and account
management procedures. Management and employees will handle
procedures such as new account creation, account transfer, job
profile changes, account termination, and/or account deletion.
Network Access Control - All access and connectivity to the State
Government’s network must comply with the State Government’s
security requirements for network interconnectivity. Network
designers will design a network that provides the ability to segregate
and control traffic between systems, connected devices, and third
parties based on role, risk, and sensitivity.
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
We have developed a phased approach to the scope of work and built an outline for a
high-level project plan.
Definition of scope of analysis
Identification of the State's critical assets
Determination of the best analytical (qualitative/quantitative) base for an
evaluation
Identification of potential risks, threats, and vulnerabilities
Evaluation of the risk profile (risk, threat, & vulnerability assessment)
Risk remediation recommendations: short-term and long-term with cost
magnitude estimates.
Tasks:
Provide a narrative that illustrates the proposer's understanding of the state's
requirements and project schedule.
Provide a narrative that illustrates how the proposer will complete the scope of
services, accomplish required objectives, and meet the state's project schedule.
Provide a narrative that illustrates how the proposer will manage the project,
ensure completion of the scope of services, and accomplish required objectives
within the state's project schedule.
Provide a narrative illustrating your methodology for conducting vulnerability
assessments and penetration tests.
Provide a narrative describing how you apply your vulnerability assessment and
penetration testing methodologies in performing the services for customers,
including project management, incident and emergency procedures, etc.
Provide a narrative detailing the systems that you are able to assess for
vulnerabilities, including but not limited to operating systems, databases, and
infrastructure/networking.
Provide a narrative illustrating your methodology for reviewing code.
ii. High-Level Description of Current Client’s Need
The state has an immediate requirement for contractual support for technical security
consulting services for its information security program. The state is undertaking a
review of its entire system security program, to include risk analysis/vulnerability
assessments of the system, assessment of the automated security program, security
awareness training, development and enhancement of security plans, continuity and
contingency planning, and infrastructure protection review.
Cyber-Link plans to tackle these requests head on. Our organization offers the security
assessments by top-level certified technicians. Our team also offers penetration testing.
Our team takes pride in our work and shows it through the care they provide.
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
The following project plan identifies privacy data and related gaps and recommends a
mitigation action for each.
Segregation of Duties - Management staff to agree on the specific job titles
for the organization's personnel. This allows us to segregate access control.
Personnel Background Investigation - Use a third-party background check
company to research potential employees.
Use of Shared Technology Access Controls - Set session time-out through GPO to a
short period so that users cannot use each other's profiles. Do not give
users admin rights that would let them see other users' profile folders.
Operating System Access Controls - Remove administrative access from non-power
users in order to keep them from performing damaging actions or installing viruses.
User Privilege Control - Set up user groups for specific areas of the network and
limit what each department can see.
Application Control - Procurement staff to keep track of licenses for specific
applications.
iv. Compliance Project Plan Definition
We have developed a project plan that identifies gaps related to privacy data and
recommends mitigation actions for each gap outlined in the RFP regarding the current IT
policy framework description.
Data Breach and Disclosure - Workers trained to provide notices of disclosure to
those individuals affected.
Data Protection and Privacy - Policy writers to create standard operating
procedures for acceptable use of personal information, protecting it from unauthorized
use, modification, or disclosure. Auditors and managers to ensure policies are
being followed/enforced.
Applicable Legislation - Lawyers and legislation subject matter
experts to review legislation. Auditors and managers to ensure regulatory
requirements are being followed/enforced.
Compliance with Legal Requirements - Lawyers and regulatory requirement
subject matter experts to review requirements. Auditors and managers to ensure
regulatory requirements are being followed/enforced.
v. Disaster Recovery Plan Outline
Our Business Continuity services offer the following to keep your company
prepared for a wide range of emergency situations:
Ready For Any Emergency.
Telecon Security Services Inc. prepares your company for any disaster that
could affect your IT infrastructure, whether it is a natural occurrence, cybercrime,
power outages or human error.
Proactive Planning.
By developing effective policies and procedures, we can help you and your
staff operate effectively and efficiently in the case that your business is affected by
an emergency of any kind.
Reliable Backups.
Telecon Security Services Inc. keeps your data up to date, secure, and
stored both locally onsite and virtually through the Cloud. This technology protects
your business from data loss and ensures that in the event of a natural disaster
you can continue to access your systems and files.
Regularly Tested Systems.
By testing the backup systems on a regular basis, we can ensure they are
ready for use at the moment they are needed. With each step a New Orleans
business owner takes toward becoming a more developed and profitable operation,
you need to be sure that your IT systems can support that growth. Arranging one-off
consultations with IT companies is inconvenient and expensive, but without the
right knowledge, your technology may fail to meet the requirements of the next
stage of business growth.
In any recovery plan there will be a wide array of disaster
possibilities and recovery procedures to consider. To narrow the problem
down, therefore, preliminary assumptions are developed as guidelines. For the
recovery effort to be successful, all involved staff are required to ensure that
these assumptions are current and correct. Managers will keep all personnel
affected by this plan aware of its current procedures and practices. All
staff affected by this plan are responsible for understanding their role in
a disaster situation. This plan will be continuously maintained. The
recovery process documented in the plan should be tested annually. All
staff must respond quickly and effectively during the recovery process. Disaster
recovery can only be successful if there is an initial backup of static components,
including the system software, proprietary packages, programs, and
data, and a regular backup, at least daily, of all
changes and modifications to these electronic components, and there is regular testing
of hardware and communications backup facilities.
This plan should be revised every year and should
always be readily available to authorized personnel. Objectives should
be reviewed and updated by management on a yearly basis. The Disaster
Recovery Plan may require updates if issues or changes include some or
any of the following: Mainframe and Mid-Range Disaster Recovery Test
results, new critical applications or critical users, increased application complexity,
new equipment acquisitions, and/or changes to: hardware, software, network,
applications, and/or data. Items to be examined for plan revision should
include: personnel changes, mission changes, priority changes, new business
organizations, Mainframe and Mid-range Disaster Recovery Test strategies and
results, backup procedures, recovery procedures, Relocation/Migration
Plan, software (operating system, utilities, application programs), hardware
(mainframe, mid-range and peripherals), and Communications Network
Facilities. Typical DRP tasks include creating, documenting, executing and testing
the Disaster Recovery Plan. The state government will have the capacity to
restore the availability of critical applications in a timely and organized
manner following a disaster event. In order to achieve these
objectives, the technology area will depend on support from senior
management, end users and staff departments.
Testing the plan is intended to train the personnel who will be
responsible for executing the Disaster Recovery Plan. IT-related emergencies can strike
at any time, whether they are malware attacks, natural disasters or system
crashes. It is crucial to have a plan in place to ensure your business can
keep costly downtime to a minimum. Every minute that your systems are down
costs you more, so be sure to prepare your business for the worst by
planning ahead!
In the event of a declared disaster, key personnel will take immediate action to
alert the Disaster Recovery Center. Restoration of the Critical Coverage will be
provided after a Disaster is declared and after turnover of the disaster
recovery backup site. It will include, without limitation, the
following: delivery of the Authorized User Data and Software archived in
off-site storage to the Disaster Recovery Center, connecting network lines to
the Disaster Recovery Center, operating the Critical Applications on the
Configuration at the Disaster Recovery Center, providing Critical Coverage at the
Disaster Recovery Center, and providing workspace and required equipment.
Recovery activities will be conducted in a phased approach. The
emphasis will be to recover the critical applications effectively and
efficiently. Critical applications will be recovered over a period of time after data center
activation.
vi. Business Continuity Plan Outline
Purpose – This Business Continuity Plan (BCP) will be updated in response
to changes in the business environment. The state of Georgia will review the plan
at least annually. This document outlines the steps required to operate the state of
Georgia in the event of an unanticipated interruption of normal operations. This
document will articulate the triggers for when alternate business processes need
to be deployed, the steps to deploy alternate business processes, the methods for
verifying that business has been properly restored and ensuring data integrity, and
activities for returning to “normal” business processing.
Scope – This BCP is applicable to the IT Department covered by this RFP.
Assumptions – The plan will be implemented if systems are unavailable for
48 hours.
Facilities will provide temporary space for critical staff
IT will provide technical assistance for temporary location
Telecommunications will have phone lines available in the temporary
location
Equipment can be rented or otherwise acquired as needed
IT can restore files from the latest off-site backups
Critical Business Functions:
Accounting
Human Resources
Administration
Information Services
Purchasing
Risks to Operation and Strategies to Address Risk
Natural Risks:
High Winds/Tornados: Have backup sites spread through the state in
order to keep the network up and running.
Lightning: Have backup generators ready to supply the building with power.
Flooding: Keep essential equipment on the 2nd floor and above.
Fire: Install fire suppression systems and fireproof drywall to protect
important assets.
Intentional Acts:
Theft: Install camera systems within the office. Encrypt any machine
that goes off site.
Cyber Attack: Server hardening, patching of all network assets,
firewall hardening.
Malware: Keep anti-virus up to date to mitigate this risk.
V. Executive Summary
i. Layered Security Solution Executive Summary
To ensure the security of business-critical information, it is essential to
establish a multi-layered strategy to address the threats. Organizations focus
their defensive controls at the perimeter in the belief that this makes it
difficult for attackers to penetrate systems. However, once this perimeter is
breached, attackers have relatively free rein inside the network. Hardened
perimeter defenses alone also fail to address the threat from internal sources.
Organizations need to establish a multilayered security strategy that focuses on
the confidentiality, integrity and availability of the information being
protected. A multi-layered approach to security ensures that if one layer fails
or is compromised, other layers will compensate and maintain the security of that
information. Thus, each of these layers should have multiple controls deployed to
protect the confidentiality, integrity and availability of the information. Some
of these more basic controls include system configuration hardening, file
integrity monitoring, and log management.
You deserve the best in IT support, and that only comes from those who work with the best themselves!
Telecon Security Services Inc has the best strategic partners in the business, so to learn more about what we
can do for your New Orleans business, call us at (504) 848-0571 or email us
at info@teleconsecurity.com today.