Totally Not Amazon
Group 2 Disaster Recovery Plan
Information Security
November 18th, 2013
By
Andrew Ford, Ryan Mayer,
Michael Valenti and Elijah Washburn
Table of Contents
1.0 Company Overview
2.0 Disaster Recovery Overview
3.0 Purpose
4.0 Scope
4.1 A Who’s Involved
4.1 B What’s Involved
4.2 Equipment Involved
5.0 Policy
5.1 Contingency Plan
Computer Emergency Response
Succession Plan
Data Study
Criticality of Service List
Data Backup and Restoration Plan
Equipment Replacement Plan
Mass Media Management
5.2 Plans Must Be Put Into Action
5.3 Plans Must Be Updated
6.0 Enforcement
7.0 Definitions
8.0 Revision History
1.0 Company Overview
Totally Not Amazon is an online retailer; we process customer orders and ship
products from various warehouse locations. Our Server Data includes customer information
such as names, addresses and credit card information. We also carry vendor information such
as products and quantity in stock. Our data is very valuable and requires us to keep a constant
backup in an offsite location in case of emergency.
2.0 Disaster Recovery Overview
A disaster is an event that has a remarkable impact on data or working business
operations. An incident, no matter the size, can bring the company into debt as well as damage
our company image, which can lead to lost clients and reduce the amount of sales we can
gain in the future. Client confidentiality and data protection are held to a high standard. We
want to be sure that, at any given time and for any reason, we are able to recover clients'
data without loss.
3.0 Purpose
It is always important for each member of our company to be on the same page in the
event of a disaster. It will help everyone to restore the company to working order in a timely,
organized fashion.
4.0 Scope
4.1 A Who’s Involved?
In the event of a disaster, the personnel directly involved in getting the
company back on track would include the CIO and CISO as well as the
Network Administrator and Database Administrator based on the specifics of the
disaster. These people will be highly responsible for the recovery from the disaster and for
bringing both our networks and databases back up to working order.
4.1 B What’s Involved?
Along with those responsible for taking action against a disaster, other
personnel are to be informed of the situations occurring within the company.
These people include the CEO, the Board of Directors, all network users, as well as
all employees and clients. Even though we have specified roles for dealing with a
disaster, we want everyone involved with the company who may not be directly
involved in disaster recovery to be aware of the situation and that we are working
towards a solution.
4.2 Equipment Involved
Depending on the severity of the disaster and client / employee involvement,
involved items can include but are not limited to:
Servers and Server Data
Personal Data
Laptops / Desktops
Workstations
Wireless Devices that are attached to the Company’s Network
5.0 Policy
5.1 Contingency Plan
1. Computer Emergency Response: In the event that the company’s network
becomes inaccessible or compromised, the Computer Emergency Response goes
into effect. The company’s CSIRT (Computer Security Incident Response Team)
will be notified of the situation, outside connections will be terminated, and
an immediate backup of current data will be created to be analyzed and compared to
backup server data from an offsite location.
2. Succession Plan: The first step towards recovery is to collect the data from
the CSIRT, immediately followed by equipment and data loss / damage analysis.
After we know how much damage has been done, we will inform employees,
clients and all other important personnel of the situation and how we are acting
towards a solution.
3. Data Study: Taking the current data collected after the disaster has occurred, we
will compare it to backup data collected from an offsite location. This will give
our Disaster Recovery Team a better idea of the data that was lost after the
disaster as well as what needs to be done to ensure it doesn’t happen again. In the
case of an outside attacker, this includes patching any vulnerability that might
have been exploited and making mandatory password changes for all network
users. In the event of a natural disaster, our Recovery Team will complete an
assessment of data and equipment damaged. Depending on the severity of the
damage, we will decide what data and equipment need to be replaced during the
Data Backup and Restoration Plan as well as the Equipment Replacement Plan.
4. Criticality of Service List: The following services are ranked by criticality and
priority. These issues are to be dealt with in descending order, providing client
restoration above all else:
Client Data Restoration
Critical Business Data Restoration
Server Hardware
Employee Data
Employee Workstations and Equipment Restoration
5. Data Backup and Restoration Plan: After comparing current data from the
disaster location to the backup data from an offsite location, clients will be
informed of the data lost and we will begin restoring data from the backup servers
from our offsite location. All missing files will be replaced with a backup copy.
After clients are taken care of, we will begin the process again with employee
data.
6. Equipment Replacement Plan: After the initial assessment of physical data and
equipment damage during the Data Study, we will begin to replace any lost or
damaged equipment. We will remove the old, damaged equipment and begin
installing new equipment to our original location when the damage has been
repaired or lessened to the point where we can begin moving back in.
7. Mass Media Management: After the Emergency Response Team has been
contacted, we will release a statement to the public about our situation. We will be
ahead of any news outlets, being honest about what has happened. Even if the
damage is severe, we will be the ones giving the information on when issues occur
and which point we have reached in resolving the problem. This will ultimately benefit
the company’s image. We will continue updating as events unfold and as we
progress through the response plan in order to make our clients, employees and the
general public feel at ease during the disaster recovery process.
5.2 Plans must be placed in action:
We intend to have our CSIRT and Disaster Recovery teams conduct Disaster
Scenarios quarterly over weekend retreats. This will allow us to discover different
possible exploits in our system as well as practice correct responses to multiple
disaster scenarios. Along with quarterly retreats, we intend to have employees
participate in Bi-Annual drills in order to verify competence in the instance of
compromised data.
5.3 Plans must be updated:
Along with practice of various disaster response scenarios, we intend to use these
retreats to research how technology may have changed since our last retreat. Data
on updated technology will also be collected during the time in between Scenario
Retreats, which we will be able to use to hit the ground running when it is time to practice
disaster scenarios.
Along with outside attacks, if a natural disaster is more likely to occur within that
year (Hurricane moving through area, Wildfires spreading nearby) we will update our
plans to focus more on the possibilities of these issues as well as conduct emergency
DRP training sessions to make sure we are prepared for not only any situation, but natural
disasters that have a tendency to occur more than others during that year.
6.0 Enforcement:
It is mandatory for every employee to participate in the Disaster Prevention Plan
that is required of them, whether it be a scenario for CSIRT, Disaster Recovery Team or
employees, as well as actual Disaster Response Plans. During scenarios, if a responsible
person does not fulfill their duties, they will be given one formal warning. If they fail at
their duties a second time, they will be terminated from their position.
During an actual disaster, if a responsible person does not fulfill their duties, they
will be terminated automatically and without warning. If the person being terminated
feels they had probable cause, they have the right to schedule a trial to plead their case to
the Board of Directors. If the Board of Directors finds the reason they could not fulfill
their duties acceptable, the employee in question will be granted their title back. If not,
the process of their termination will continue and conclude.
7.0 Definitions To Know
Disaster – an event that, if it occurs, has the potential to deal a great amount of damage,
likely halting company production and initiating the company’s Disaster Recovery Plan. (See
Section 2.0 Disaster Recovery Overview)
Disaster Recovery Plan – an ordered guide designed by a company providing steps for
dealing with the damage caused by a disaster. (See Section 3.0 Purpose)
Data – essential information the company holds, varying depending on what business is
practiced. It is the centerpiece of recovery during response plans. (See Section 5.1 Contingency
Plan)
Scope – the extent of the area or subject matter that something deals with or to which it is
relevant. (See Section 4.0 Scope)
CSIRT – Computer Security Incident Response Team; a team that will be notified at the
initial sign of an incident and will provide management of data through the backing up of
files to be used at a later time. (See Section 5.1 Contingency Plan – Computer Emergency
Response)
Disaster Recovery Team – team of specified individuals who will take an initial assessment
of damage and work throughout the guidelines in this plan to come to a solution in the event
of a disaster. (See Section 5.1 Contingency Plan – Data Study)
Scenario – an outline of entrances, exits and actions taken during specified events. (See
Section 5.2 Plans Must Be Put into Action)
Mandatory – required by rule or law. (See Section 6.0 Enforcement)
Plausible Cause – having a valid or credible excuse as to why a situation has occurred. (See
Section 6.0 Enforcement)
8.0 Revision History
11/12/13 – Initial conception of DRP
11/14/13 – Follow-up and Finalizing Sections
11/15/13 – Proofing, Table of Contents