During week 6 we developed the theory and application of capital budget analysis. The theory was robust, the calculations mathematically and logically defined, and many of the real-world problems likely to be encountered were addressed. As capital budgeting essentially re-invents the company through major long-term expenditures, it is arguably one of the most critical functions that financial management performs. However, based on my personal experiences, extensive empirical data, and anecdotal data, many firms routinely experience significant failures in their selection of capital projects.
The assignment for this topic consists of two parts:
1) For your first topic in this conference I would like for you to briefly review either your personal experiences and/or the financial literature to identify and present a description of one actual capital project/product failure and the reasons attributed to the failure. For those of you who do not have personal experiences, the following are some illustrative examples of failed projects/products over the last 50 years you may want to look up and consider: New Coke, the Iridium Satellite Communication, the Edsel automobile, Beta (vs. VHS), the Concorde SST, and various Dot Coms. Feel free to research others.
In your response please provide financial information regarding the project (what is available): initial outlay, projected cash flows, final dollar losses.
Remember this is a one to two paragraph exercise - do not go overboard - a few hours' research and summation is all that's required. I am interested only in your short, concise description of the project and the major reasons you believe it failed.
2) Synthesize your one-paragraph position on what 3-5 specific factors you believe most likely contribute to capital project analysis failure.
CDC IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: Centers for Disease Control and Prevention (CDC)
Title: CDC IT Security Staff BCP Policy
Author:
Owner: IT Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:
Revision History (Revision Date, Reviser, Previous Version, Description of Revision): No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval (Name, Date, Approved):
Document Distribution
This document will be distributed to:
Name: All CDC Security Staff; Job Title: Information Security Specialist; Email Address:
Contributors
Development of this policy was assisted through information provided by the following organizations:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement
1 Purpose
2 Objective
3 Scope
4 Compliance
5 Terms and Definitions
6 Risk Identification and Assessment
7 Policy
Policy Statement
The Centers for Disease Control and Prevention (CDC) mission is to protect America from health, safety and security threats, both foreign and in the U.S. Whether diseases start at home or abroad, are chronic or acute, curable or preventable, human error or deliberate attack, CDC fights disease and supports communities and citizens to do the same. It is this sensitive mandate that makes CDC infrastructure critical. CDC is both a source and repository of information.
It is thus critical to secure the information and control access to it, not to mention what information leaves the organisation. CDC has to contend with IT regulations and laws that control how sensitive information is used. Given the sources of some of this information, and since not all its operations are in one place, CDC has to contend with the threat of this information being compromised. CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats, and responds when these arise.
Unfortunately in life, things do not always follow the ideal and predictable path. Events may conspire to affect the smooth running of CDC and, in the worst case, force relocation to a new site and the continuation there of the work that was being done. With the increased security threat, CDC cannot avoid having to plan for instances where its operations may be disrupted. The plan is intended to achieve efficient and effective operational continuity so that all data is recovered and restored, thus safeguarding critical operations. This plan is referred to as the business continuity plan.
Purpose
Given the identified risks referred to above, this document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, emergency or deliberate external system attack.
Objective
The following are the objectives of the policy:
· To achieve and uphold the highest level of security within the CDC campus in order to guarantee that sensitive and essential information addressing health concerns is not accessed by unauthorised persons, in person or virtually.
· To guarantee minimal disruption of processes and rapid recovery of decisive operations and/or systems.
· To pinpoint and rank operations, processes and systems in order to reinstate essential systems and functions that maximise the operation and availability of activities.
· To pinpoint the key CDC personnel whose central task will be to activate the recovery and restoration process, making sure that communication channels are established and the fidelity of all security systems is maintained.
· To point out the critical third party vendors who can and should be relied upon to actualise the success of the business continuity and recovery plan.
Scope
The scope refers to all the aspects covered by the business continuity plan policy. These include, but are not confined to, functions, locations, resources and personnel.
Functions: Demarcated by assignments or departments. The functions are not cast in stone and will change from time to time.
Location: The CDC main campus and all other satellite locations all over the world. This will ensure breaches do not emanate from within the system at remote sites.
Business Units: All projects, assignments and satellite locations globally.
Activities: All activities conducted by the projects, assignments and satellite locations globally.
Stakeholders: All project, assignment and satellite location staff globally.
Resources: All ICT assets, information systems, office buildings, equipment, and people (Drewitt, 2013).
Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
Development of the business continuity IT security policy will be an effort in futility if the policies are not complied with. Ideally compliance will be individually driven. This is designed to reduce the need to oversee each assignment, project or satellite location for adherence. The local staff are empowered to appreciate the importance of the policy and how and when to put it into action. They are also empowered to understand who does what, when, and how their actions or inaction affect other people within and outside the project, assignment or satellite station.
When this is ingrained in all CDC staff, actions intended to ensure compliance become beneficial to the organisation. The staff no longer see the exercise of confirming conformity as antagonistic, but as contributing to the achievement of each individual's tasks. Audits will be conducted regularly to check on conformity levels and to follow up on the remediation of impediments flagged. These audits will be supported by compliance reports prepared by the IT security head at each project, assignment or satellite location globally. These will on occasion be accompanied by exception reporting for cases where the policy was not followed strictly. This is possible since all staff appreciate the role security plays and also understand that the policy is not meant to curtail an individual's work but to protect it. Thus even when the policy is circumvented, the exception report must be accompanied by a comprehensive report with clear reasoning as to why it was necessary to deviate from the policy.
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
Given the sensitivity of the activities at CDC, compliance with the policy will be of utmost importance. Staff are empowered to appreciate the role the policy plays and to make adjustments when they evaluate it to be absolutely critical to their work; when their reasoning does not meet that threshold, sanctions must be enforced. The sanctions for non-compliance and violations of the policy will be wide and varied. When the action does not cause any discernible harm but is still a violation, the violator must be summoned by their supervisor and reminded of the need to adhere to the policy. If this is the first offence, the matter will be considered addressed. Should it be repeated, the staff member must be cited and the citation placed in their human resource file. Where the compliance failure or violation causes the organisation to suffer loss, financial or otherwise, the culprit must be sanctioned severely. This could range from loss of employment or financial restitution for the loss incurred by the organisation to jail time. The choice of sanction will be influenced by the seriousness of the compliance failure or violation.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
Considering that the sanctions enforced will in some instances be punitive, it is important that their interpretation be guided by the department that cares for staff welfare. The HR department will give guidance as to which sanctions will not contravene the policies that guide the department. Interpretation of a sanction will be guided by how the organisation has set out to care for its staff. Similarly, the corporate legal counsel department will be consulted and guidance sought where the sanction relates to a policy violation or non-compliance that has resulted in severe loss to the organisation and HR is recommending legal prosecution. This guidance will be critical in laying bare the consequences of the violation or non-compliance for the organisation, as it will lay the foundation of a criminal prosecution of those responsible.
Terms and Definitions
Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
A number of risks could arise if IT security requirements are not included in business continuity planning and subsequent operations. These include:
1. Failure to cover IT security basics: These will more often than not be ignored or assumed. This exposes the organisation to exploits and vulnerabilities that can easily be used by hackers to compromise the organisation. Lapses such as not updating the browser in use or Adobe Flash Player are among the most exploited. With the multiplying aggressiveness of exploits emanating from the World Wide Web, achieving protection will require constant education on the dangers and taking actions that minimise, if not eliminate, this risk within the confines of available resources.
2. Not understanding the source of IT security risks: This is closely tied to a poor appreciation of the value of the critical assets coupled with the potential attackers' profile. It is critical to appreciate that IT security risk is not generated by technology alone. Psychological and sociological aspects play significant roles too. Thus the organisation's culture needs to be aligned, which in turn affects the amount of resources allocated to this endeavour.
3. Confusing compliance with IT security: This is evident when compliance and the IT security policy are confused. Compliance with organisation rules does not necessarily mean protection against hacker attacks. Compliance needs to encompass an IT security management system capable of allowing management to oversee data flow within the system, thus protecting confidential information from leakage to unwanted parties.
4. Bring your own device (BYOD) policy and the cloud: This is especially critical for the different projects, assignments and satellite locations globally. Globally, it has been found that a sizable number of respondents pointed to mobility as the root cause of a breach. The increased mobility, coupled with users flooding the networks with access devices, has the unintended result of providing many paths for exposing data and application risks (Bourne, 2014).
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
1. Failure to cover IT security basics: This will have the impact of magnifying the aggressiveness of exploits emanating from the World Wide Web. This failure will have a severe impact on the organisation, because it will have resulted from the organisation not setting policies that guide information risk management.
2. Not understanding the source of IT security risks: The effect of this risk on the organisation will be significant. Its severity will be especially considerable given that it will have resulted from a lack of training of new and current employees on security.
3. Confusing compliance with IT security: Confusion will breed increased risk. It is unfortunate when an organisation suffers from confusion, given that the effect of this risk could have been eliminated, if not avoided, by patching security systems.
4. Bring your own device (BYOD) policy and the cloud: Much as personal devices allow for flexibility and ease of work, they do expose the organisation to risk since it cannot control where the devices are used outside the work environment. The risk is especially severe, hence the need for the organisation to institute policies for BYOD security.
Policy
1. To cover cyber security basics, all IT hardware and software will be configured to update themselves at the beginning of the day, before they are used. This policy will be implemented by each individual staff member for the IT equipment allocated to them. The IT security manager in charge of the project, assignment or satellite location will have overall responsibility for the enforcement of the policy. The manager will regularly educate the staff on the dangers and on the resources available to protect them from the identified dangers.
2. To address the source of CDC's IT security risks, the organisation will regularly refresh its staff on the value it attaches to the critical assets and on the dynamic profile of potential attackers. This should cover the organisation against malware, viruses and intrusions, outside attack, user error, cloud apps for service usage, and phishing, among others. By incorporating sociological and psychological aspects in the training, CDC will ingrain its culture in its staff. This culture should in turn be supported by the requisite resources to benefit the organisation.
3. To avoid confusion in complying with IT security policies, rules must be adhered to, to the letter. Further, the information security management system will allow managers to oversee data flows within the system. This should greatly enhance protection of confidential information from unwanted parties.
4. The Bring Your Own Device (BYOD) and cloud policy will not seek to impede the staff's flexible working environment or conditions. It will instead contribute very significantly to preventing security breaches. In the case of cloud computing, the policy will give it due attention given its importance and the vulnerabilities it comes with.
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
Bourne, V. (2014). Protecting the Organisation Against the Unknown: A New Generation of Threats. Accessed February 13, 2016 from http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
Zaharia, A. (2015). 10 Cyber Security Risks That Might Affect Your Company. Accessed February 13, 2016 from https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Schiff, J. L. (2015). 6 Biggest Security Risks and How You Can Fight Back. Accessed February 13, 2016 from http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
Kaspersky Lab (2015). Global IT Security Risks Survey 2015. Accessed February 13, 2016 from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
NIST (2011). Managing Information Security Risk: Organizations, Mission and Information System View. Accessed February 13, 2016 from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
NCSC (2013). Cyber Security and Risk Management: An Executive Level Responsibility. Accessed February 13, 2016 from https://www.connectsmart.govt.nz/assets/NCSC-Cyber-security-risk-management-Executive.pdf
Copyright © 2015 by University of Maryland University
College. All rights reserved.
White House IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: White House
Title: White House IT Security Staff BCP Policy
Author:
Owner: Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:
Revision History (Revision Date, Reviser, Previous Version, Description of Revision): No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval (Name, Date, Approved):
Document Distribution
This document will be distributed to:
Name: All White House Security Staff; Job Title: Information Security Specialist; Email Address:
Contributors
Development of this policy was assisted through information provided by the following organizations:
· White House and Department of Defense
Table of Contents
Policy Statement
1 Purpose
2 Objectives
3 Scope
4 Business Impact Analysis (BIA)
5 Business Continuity Planning Personnel
6 Business Continuity Planning Procedures
6.1 Events
6.2 Vendors
6.3 Task
6.4 Timeline
7 Testing and Maintenance
8 References
Policy Statement
The United States of America and its military rely on the confidentiality, integrity, and availability of accurate information stored in information systems to proactively prepare for and defend the nation's critical infrastructures and protect national security.
In the event of natural disasters and/or attacks from malicious hacktivists, it is imperative that the White House IT Security Staff has a quick, efficient, and effective business continuity plan to recover and restore data and ensure critical operations are not impacted. The business continuity plan is needed to continue the White House and military operations efforts to strategize and protect its critical infrastructures and citizens.
Purpose
The purpose of this document is to outline the necessary procedures and steps to recover and restore business operations within the White House in the event of a natural disaster, emergency, or system attack from external sources.
Objective
The following are the objectives of the policy:
· To maintain the highest level of national security through the availability of critical and sensitive information concerning military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations to restore critical functions and systems, maximizing availability and operational activities.
· To identify key White House Security personnel responsible for the restoration and recovery process to ensure immediate contact is available in case of an emergency event.
· To identify third party vendors needed to help attain successful business continuity and recovery planning.
Scope
The scope describes all locations, functions, personnel, and resources affected by the business continuity plan policy:
Locations: White House IT Department, The White House, The SunGard Hot Site, Herndon, VA
Business Units: All Business Units
Activities: All activities conducted by business units
Stakeholders: Chain of Command, Vendors, and White House Staff
Resources: All telecommunication assets, information systems, office buildings, equipment, and people (Drewitt, 2013).
Business Impact Analysis
The Business Impact Analysis (BIA) will assess the financial and operational impact, and the recovery time objectives (RTO) needed to restore critical systems, processes, and operations. The BIA will be conducted by assuming the worst case scenario, due to the high level of exposure the White House presents. The BIA will assume an immediate shutdown of all functions and resources, to analyse the recovery time and resources needed to restore critical systems and operations (ISACA, n.d.). The BIA will estimate the level of impact the White House will be willing to accept. The impact range is as follows:
Very High – Impact could cripple the White House and potentially cause catastrophic losses.
High – Impact exceeds the White House Executives' tolerance and could threaten National Security.
Medium – Impact will cause major harm to critical systems and operations and threaten National Security.
Low – Impact results in the temporary loss of critical systems and operations and could harm critical infrastructure.
Very Low – Impact results in minor loss of operations and does not threaten critical infrastructure.
The White House's level of tolerance is: Very Low.
Business Continuity Planning Personnel
The following are the personnel that can be immediately contacted in the event of business continuity plan activation:
IT Security Manager: Smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security Section, ph #
IT Security Specialist: Ethan Snowden, IT Security Department, ph #
The following personnel are to be contacted immediately after the above mentioned personnel:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #
Business Continuity Planning Procedures
The business continuity planning procedures are to be followed immediately in the event the business continuity plan is activated.
Events
The following are the events that may occur in which the BCP should be immediately activated to minimize the loss of availability of critical systems and operations: equipment failure, disruption of power supply or telecommunications, application failure, corruption of database, human error, sabotage, malicious software attacks, hacking, social unrest, terrorist attack, fire, or natural disasters (SANS, 2002).
Vendors
The following are approved vendors that are critical to the day to day operations and should be contacted immediately in the event of a BCP activation:
1. SunGard – BCP Documentation and Hot Site resource
2. AppNomic – Backup and fail over solutions
3. Amazon – Cloud Services
Task
The following steps should be taken in the event the BCP is activated:
1- Contact the IT Security Manager and give a situation report.
2- Retrieve BCP documentation.
3- The IT Security Manager will determine the type of event and which department or function within the White House will activate their BCP.
4- If the impact level is designated as Medium or higher, IT personnel will relocate to the designated hot site:
a. Hot Site location will
b. The Hot Site representative will be immediately contacted at:
c. The Hot Site will provide all hardware and other needs; however, IT personnel will bring all backup tapes, laptops, and critical servers to the IT data center of the Hot Site.
5- All secondary BCP personnel will be contacted and briefed.
6- A final determination of the event will be formally announced and the appropriate chain of command will be notified.
Timeline
The following is the timeline in which all major tasks will be completed; the total time for completion is 3 hours. The timeframe for each task is:
· Contact IT Manager: 10 minutes (Total: 10 minutes)
· Retrieve BCP Documentation: 5 minutes (Total: 15 minutes)
· IT Manager event determination: 30 minutes (Total: 45 minutes)
· Relocation to Hot Site: 1 ½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 minutes (Total: 2 hours 30 minutes)
· Chain of Command is notified: 30 minutes (Total: 3 hours)
Testing and Maintenance
The following are the criteria for testing and maintenance to ensure continuous training and BCP compliance:
· BCP rehearsal should be conducted at least once annually to provide awareness and accuracy.
· Business unit level exercises should be conducted every two years.
· Executive management exercises should be conducted every three years (Drewitt, 2013).
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
ISACA (n.d.). Business Continuity Planning. Retrieved from: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
SANS (2002). Introduction to Business Continuity Planning. Retrieved from: http://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559
SunGard (2015). Availability Services Herndon Workgroup. Retrieved from: http://www.sungardas.com/company/infrastructure/Pages/herndon-va.aspx
Project #4: Prepare a Business Continuity IT Security Policy
Introduction
In Project 2 (which was Order #225), you developed a local IT security policy for a specific facility – a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2, which was the Centers for Disease Control and Prevention (CDC), Orders #210 and #225). You should reuse applicable sections of your earlier projects for this project (e.g. your organization (CDC) overview and/or a specific section of your outline).
Background
Every organization needs a Disaster Recovery / Business
Continuity Plan (DR/BCP) to ensure that it can continue
operations in the event of a disaster (whether natural or man-
made). Sometimes, these events are so severe that it is
impossible for the business to continue operating from its
normal locations. This requires a business continuity plan
which, when activated, will enable the business to restore
critical operations at other locations and within an acceptable
time frame.
Organizations use policies, plans, and procedures to implement
an effective DR/BCP program and ensure that DR/BCP plans are
current and reflect the actual recovery needs (which may change
over time). The larger the organization, the more important it is
that policies exist which will guide DR/BCP planners through
the planning and implementation processes. For this assignment,
you will be writing one such policy – guidance for DR/BCP
planning for a particular data center.
DR/BCP policies for the enterprise (the entire organization)
establish what must be done by the organization in order to
develop its DR/BCP strategies, plans, and procedures. Table 4-1
provides a simplified list of phases and required activities for
the planning process. Depending upon the level of detail
covered by the policy, this information could be in the policy
itself or covered in another document, which the policy refers
to. The required content for the DR/BCP plan may also be
presented in the policy or, more likely, it will be provided in an
appendix or separate document. A typical outline for the plan is
presented in Table 4-2.
Sometimes, it is necessary to create supplementary policies,
which address specific circumstances or needs, which must be
accounted for in the DR/BCP planning process and throughout
the management of the DR/BCP program. For this assignment,
you will be developing one such policy – the Business
Continuity IT Security Policy. The “Tasks” section of this
assignment explains the content requirements for your policy.
Table 4-1. Disaster Recovery / Business Continuity Planning
Phases (adapted from
http://www.ready.gov/business/implementation/continuity )
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes,
resources, and capital assets (facilities, IT systems) are critical
to survival of business
· Conduct follow-up interviews to validate responses to survey
& obtain additional info
Phase 2: Develop Recovery Strategies
· Identify resource requirements based on BIAs
· Perform gap analysis (recovery requirements vs current
capabilities)
· Investigate recovery strategies (e.g. IaaS, PaaS, Alternate
Sites)
· Document & Implement recovery strategies (acquire / contract
for products & services)
Phase 3: Develop Business Continuity Plan
· Develop plan framework (follow policy)
· Identify personnel for DR/BCP teams
· Develop Recovery and/or Relocation Plans
· Write DR/BCP Procedures
· Obtain approvals for plans & procedures
Phase 4: Testing & Readiness Exercises
· Develop testing, exercise and maintenance requirements
· Conduct training for DR/BCP teams
· Conduct orientation exercises for staff
· Conduct testing and document test results
· Update BCP to incorporate lessons learned from testing and
exercises
Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively
restore critical business operations after a disruption.
Objective: to identify the processes or steps involved in
resuming normal business operations.
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT
services for a prolonged period of time, (c) temporary or
extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs.
transfer operations to alternate site, (b) availability of key
personnel, (c) vendor or utility service availability, (d)
communications, (e) safety of life issues, etc.
Recovery Strategy Summary: In this section, a plan will
typically outline the broad strategies to be followed in each of
the scenarios identified in the plan Introduction section. As an
example, if “loss of work area” is identified as a possible
failure scenario, a potential recovery strategy could be to
relocate to a previously agreed-upon or contracted alternate
work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a
list of the specific recovery activities and sub-activities that
will be required to support each of the strategies outlined in the
previous section. For example, if the strategy is to relocate to
an alternate work location, the tasks necessary to support that
relocation effort could include identifying any equipment needs,
providing replacement equipment, re-issuing VPN tokens,
declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify
the specific people involved in the business continuity efforts,
for example, naming a team lead and an alternate team lead, as
well as the team members associated with any recovery efforts.
This section of the plan will also include their contact
information, including work phone, cellphone, and email
addresses. Obviously, because of any potential changes in
personnel, the plan will need to be a “living” document that is
updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main
body that lays out the steps for activating a plan (usually in the
form of a flow chart). For example, a typical plan timeline
might start from the incident detection, then flow into the
activation of the response team, the establishment of an incident
command center, and notification of the recovery team,
followed by a decision point around whether or not to declare a
disaster. A plan timeline may also assign the recovery durations
or recovery time objectives required by the business for each
activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may
also list the vendors critical to day-to-day operations and
recovery strategies, as well as any required recovery time
objectives that the vendors must meet in order for the plan to be
successful.
Critical Equipment/Resource Requirements: A plan may also
detail the quantity requirements for resources that must be in
place within specified timeframes after plan activation.
Examples of resources listed might include workstations,
laptops (both with and without VPN access), phones, conference
rooms, etc.
Tasks
The Business Continuity Security Policy is being written by you
as the data center facility manager. This supplementary DR/BCP
policy will be used to ensure that needed security controls are
restored and functioning as designed in the event that the
business continuity plan is activated. These controls must
ensure that information, information systems, and information
infrastructure (e.g. networks, communications technologies,
etc.) are protected to the same level as required during normal
business operations. Your policy must ensure that security
requirements are adequately addressed during all four phases of
the Business Continuity Planning process (see Table 4-1). Your
policy must also address the required content (sections) for the
DR/BCP plan (see Table 4-2), even if that means requiring
modifications to standard sections of the document or even
adding sections.
Your policy must also address the roles and responsibilities for
data center recovery operations. During recovery operations, the
data center manager and recovery team personnel (including
system administrators and network engineers) must ensure that
IT systems and services, including required IT security controls,
are operational within the required Recovery Time Objectives
and Recovery Point Objectives. These metrics are established
using the results of the BIA and are included in the DR/BCP
plans. These metrics are used to determine the restoral order for
systems and services and guide the selection and
implementation of recovery strategies. The metrics also provide
performance criteria for outside vendors and service providers
from whom your organization purchases or will purchase IT
services and products to implement its recovery strategies.
Recovery Time Objective: the maximum time allowed to restore
critical operations and services after activation of the business
continuity plan. Different RTOs may be set for different IT
systems and services.
Recovery Point Objective: the point in time to which you must
restore data during startup operations for DR/BCP (used to
determine backup frequency for data during normal operating
periods and the maximum allowable amount of “lost data”
which can be tolerated).
Your Business Continuity Security Policy must address the
requirement to set appropriate RTO and RPO metrics for
hardware and software, which provide IT security controls. For
example, if the data center relies upon an Active Directory
server to implement role based access controls, that server
should have both an RTO and an RPO and be listed in the
business continuity plan.
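The way RTO/RPO metrics drive the restoral order and the backup frequency, worked through in code. This is an added example and is not part of the assignment or of any NIST publication; every system name, RTO/RPO value, backup interval and dependency in the inventory is constructed for illustration. It derives a restoral order in which each system comes after the systems it depends on (shortest RTO first among those ready to restore) and flags the gaps a policy reviewer would raise: a security-control server with no RTO/RPO (the Active Directory case above), a backup interval longer than the RPO, and an RTO that is unachievable because a dependency has a longer one.

```python
"""Added example (not part of the assignment): turn a BCP system inventory
with RTO/RPO metrics into a restoral order and flag metric gaps.
The inventory below is constructed for illustration; names, hours and
dependencies are made up and are not from any real data center."""
import heapq
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class System:
    name: str
    rto_hours: Optional[float]              # None: the plan never set an RTO
    rpo_hours: Optional[float]              # None: the plan never set an RPO
    backup_interval_hours: Optional[float]  # how often data is actually backed up
    depends_on: List[str] = field(default_factory=list)
    security_control: bool = False          # True if it implements an IT security control


def find_gaps(systems: List[System]) -> List[Tuple[str, str, str]]:
    """Return (system, issue, detail) for every metric problem a reviewer
    would raise: missing RTO/RPO, backups too infrequent to meet the RPO,
    and an RTO shorter than that of a system it depends on (unachievable)."""
    by_name = {s.name: s for s in systems}
    gaps = []
    for s in systems:
        role = "security control" if s.security_control else "service"
        if s.rto_hours is None:
            gaps.append((s.name, "missing_rto", f"{role} has no RTO in the plan"))
        if s.rpo_hours is None:
            gaps.append((s.name, "missing_rpo", f"{role} has no RPO in the plan"))
        elif s.backup_interval_hours is None:
            gaps.append((s.name, "no_backup_schedule",
                         f"RPO {s.rpo_hours}h set but no backup interval"))
        elif s.backup_interval_hours > s.rpo_hours:
            # The data-loss window equals the backup interval, so it must not exceed the RPO.
            gaps.append((s.name, "backup_interval_exceeds_rpo",
                         f"backups every {s.backup_interval_hours}h > RPO {s.rpo_hours}h"))
        if s.rto_hours is not None:
            for dep_name in s.depends_on:
                dep = by_name.get(dep_name)
                if dep is None:
                    gaps.append((s.name, "unknown_dependency", dep_name))
                elif dep.rto_hours is not None and dep.rto_hours > s.rto_hours:
                    gaps.append((s.name, "dependency_rto_exceeds_own",
                                 f"depends on {dep_name} (RTO {dep.rto_hours}h) "
                                 f"but own RTO is {s.rto_hours}h"))
    return gaps


def restoral_order(systems: List[System]) -> List[str]:
    """Dependencies first (topological order); among systems that are ready
    to restore, the one with the shortest RTO goes first. Systems with no
    RTO sort last. Raises ValueError on unknown dependencies or cycles."""
    by_name = {s.name: s for s in systems}
    indegree = {s.name: 0 for s in systems}
    dependents = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {dep}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)

    def priority(name: str):
        rto = by_name[name].rto_hours
        return (rto if rto is not None else float("inf"), name)

    ready = [priority(n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, priority(child))
    if len(order) != len(systems):
        raise ValueError("dependency cycle in the system inventory")
    return order


# Constructed inventory (hypothetical values, not from the assignment).
INVENTORY = [
    System("active-directory", 4, 1, 1, security_control=True),
    System("firewall-mgmt", 2, 24, 24, security_control=True),
    System("siem", 8, 4, 12, ["active-directory"], security_control=True),
    System("erp-db", 6, 0.25, 0.25, ["active-directory"]),
    System("hr-portal", 2, 24, 24, ["active-directory", "erp-db"]),
    System("vpn-gateway", None, None, None, ["active-directory"], security_control=True),
]

if __name__ == "__main__":
    print("Restoral order:", " -> ".join(restoral_order(INVENTORY)))
    for name, issue, detail in find_gaps(INVENTORY):
        print(f"GAP {name}: {issue}: {detail}")
```

Run as a script it prints the restoral order and one GAP line per finding; on the constructed inventory the hr-portal RTO is flagged twice, once for each dependency whose RTO is longer than its own, which is the kind of inconsistency the BIA numbers should settle before they are written into the plan.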
The primary audience for your policy will be the CIO and CISO
staff members who are responsible for developing IT business
continuity plans. Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO. The policy
must be approved and signed by the CEO and CIO of the
organization.
Tasks:
1. Review the Contingency Planning control family and
individual controls as listed in NIST SP 800-53 (see Table 4-3).
Identify policy statements which can be used to ensure that the
required controls are in place before, during, and after business
continuity operations. (For example, for CP-6 your policy
statement should require that IT security requirements be
included in plans / contracts involving alternate storage sites for
critical business data.) You must address at least 5 controls
within the CP control family.
Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning
Process (see Table 4-1). Identify policy statements which can be
used to ensure that IT security requirements are addressed
during each phase. These statements should include ensuring
that RTO/RPO objectives for security services will be addressed
during the planning process. (You may wish to include these as
part of your policies for implementing CP-1, CP-2, CP-3, and
CP-4.)
3. Review the outline for a Business Continuity Plan (Table 4-
2). Analyze the outline to determine specific policy statements
required to ensure that the required CP controls and any
additional or alternative IT security measures (e.g. controls
required to implement CP-13) are set forth in a business
continuity plan. (Your policy statements will tell Business
Continuity Planners where and how to “build security in.”)
4. Write your Business Continuity Security Policy using the
outline in Table 4-4. You must tailor your policy to the subject
of IT Security Requirements for the Business Continuity
program and address the required controls and actions identified
during steps 1-3.
Table 4-4. Outline for an IT Security Policy
I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the business continuity activities and operations
that this policy will apply to.
b. Identify who is required to comply with this policy.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Identify the risks which could arise if IT security
requirements are not included in business continuity planning
and subsequent operations.
b. Identify and describe the impacts of such risks (include an
assessment of the possible severity for each impact).
VII. Policy
a. Present policies which will ensure that IT security is
addressed
i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g.
controls from the CP family
iv. By specifying roles and responsibilities for IT security
during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services
and functions
b. Include an explanatory paragraph for each policy statement.
5. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately.
Formatting:
1. Cite sources using a consistent and professional style. You
may use APA formatting for citations and references. Or, you
may use another citation style, including use of footnotes or end
notes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
by copying text verbatim.) You are expected to write
grammatically correct prose.
Criteria and Steps to follow (Below in bold are subheadings)
***Please make sure there are three reference sites per subheading.***
Policy Outline & Body
Provided an excellent IT Security Policy, which clearly,
concisely, and accurately presents all required information (see
outline in assignment for sections, fields, and content
requirements). Presentation of information is organized in a
logical fashion and uses 3 or more tables to group related
information for presentation. All required fields under each
section are listed and filled in (e.g. Owner Name in ID Section
has a name filled in.)
Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed during all four phases
of the DR/BCP planning process. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed within DR/BCP plans.
Identified and discussed five or more sections of the plan (using
the outline from the assignment) which must address requirements for
IT Security during recovery operations. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security Roles & Responsibilities in DR/BCP
Plan
Presented an excellent policy statement or statements which
will ensure that roles and responsibilities for IT Security are
addressed within DR/BCP plans. Identified and discussed five
or more sections of the plan (using the outline from the assignment)
which must address who is responsible for ensuring IT security
during recovery operations. Policy statement(s) and supporting
explanations are clear, concise, and accurate. Used and cited at
least two authoritative sources.
Policy Section: Security Controls during DR/BCP Planning,
Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which
will ensure that NIST recommended security controls for
Contingency Planning (CP family) are addressed as part of
DR/BCP planning, implementation, and execution. Identified and
discussed five or more controls from the CP family which
should be implemented (using NIST SP 800-53 guidance) to
ensure adequate IT security during recovery operations. Policy
statement(s) and supporting explanations are clear, concise, and
accurate. Used and cited at least two authoritative sources.
Crediting Sources
Work credits all sources used in a professional manner using
APA format citations/references, footnotes with publication
information, or endnotes with publication information. Provides
a Bibliography or "Works Cited" if not using APA format.
Publication information is sufficient to retrieve all listed
resources.

Computed Fields and api Depends in the Odoo 17Celine George
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxAnaBeatriceAblay2
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 

Recently uploaded (20)

Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lesson
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 

During week 6 we develop the theory and application of capital bud.docx

During week 6 we developed the theory and application of capital budget analysis. The theory was robust, the calculations mathematically and logically defined, and many of the real-world problems likely to be encountered were addressed. As capital budgeting essentially re-invents the company through major long-term expenditures, it is arguably one of the most critical functions that financial management performs. However, based on my personal experiences, extensive empirical data, and anecdotal data, many firms routinely experience significant failures in their selection of capital projects.

The assignment for this topic consists of two parts:

1) For your first topic in this conference I would like for you to briefly review either your personal experiences and/or the financial literature to identify and present a description of one actual capital project/product failure and the reasons attributed to the failure. For those of you who do not have personal experiences, the following are some illustrative examples of failed projects/products over the last 50 years you may want to look up and consider: New Coke, the Iridium satellite communication system, the Edsel automobile, Beta (vs. VHS), the Concorde SST, and various dot-coms. Feel free to research others.

In your response please provide financial information regarding the project (what is available): initial outlay, projected cash flows, final dollar losses.

Remember this is a one to two paragraph exercise; do not go overboard. A few hours of research and summation is all that's required. I am interested only in your short, concise description of the project and the major reasons you believe it failed.

2) Synthesize your one-paragraph position on what 3-5 specific factors you believe most likely contribute to capital project analysis failure.

CDC IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy

Document Control
Organization: Centers for Disease Control and Prevention (CDC)
Title: CDC IT Security Staff BCP Policy
Author:
Owner: IT Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:

Revision History (Revision, Date, Reviser, Previous Version, Description of Revision): No Revisions

Document Approvals
This document requires the following approvals (Sponsor, Approval Name, Date Approved):

Document Distribution
This document will be distributed to:
Name: All CDC Security Staff; Job Title: Information Security Specialist; Email Address:

Contributors
Development of this policy was assisted through information provided by the following organizations:
· CDC and Department of Defense, Health and Homeland Security

Table of Contents
Policy Statement
1 Purpose
2 Objective
3 Scope
4 Compliance
5 Terms and Definitions
6 Risk Identification and Assessment
7 Policy

Policy Statement
The mission of the Centers for Disease Control and Prevention is to protect America from health, safety and security threats, both foreign and in the U.S. Whether diseases start at home or abroad, are chronic or acute, curable or preventable, human error or deliberate attack, CDC fights disease and supports communities and citizens to do the same. It is this sensitive mandate that makes CDC infrastructure critical. CDC is both a source and a repository of information. It is thus critical to secure the information and control access to it, not to mention what information departs the organisation. CDC has to contend with IT regulations and laws that control how sensitive information is used. Given the sources of some of this information, CDC has to contend with the threat of this information being compromised since not all its operations are in one place. Thus CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats, and responds when these arise.

Unfortunately in life, things do not always follow the ideal and predictable path. Events may conspire to affect the smooth running of CDC and, in the worst case, force relocation to a new site and the continuation there of the work that was being done. With the increased security threat, CDC cannot avoid having to plan for instances where its operations may be disrupted. The plan is intended to achieve efficient and effective operational continuity in order to have all data recovered and restored, thus firewalling critical operations. This plan is referred to as the business continuity plan.

Purpose
Given the identified risks referred to above, this document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, emergency or deliberate external system attack.

Objective
The following are the objectives of the policy:
· To achieve and uphold the highest level of security within the CDC campus in order to guarantee that sensitive and essential information addressing health concerns is not accessed by unauthorised persons, in person or virtually.
· To guarantee minimal disruption of processes and rapid recovery of decisive operations and/or systems.
· To pinpoint and rank operations, processes and systems so as to reinstate the essential systems and functions that maximise the availability and operation of activities.
· To pinpoint the key CDC personnel whose central task will be to activate the recovery and restoration process, making sure communication channels are established and the fidelity of all security systems is maintained.
· To point out the critical third party vendors who can and should be relied upon to actualise the success of the business continuity and recovery plan.

Scope
The scope refers to all the aspects covered by the business continuity plan policy. These include, and are not confined to, functions, locations, resources and personnel.
Functions: This is demarcated by assignments or departments. The functions are not cast in stone and will change from time to time.
Location: The CDC main campus and all other satellite locations all over the world. This will ensure breaches do not emanate from within the system in remote sites.
Business Units: All projects, assignments and satellite locations globally.
Activities: All activities conducted by the projects, assignments and satellite locations globally.
Stakeholders: All project, assignment and satellite location staff globally.
Resources: All ICT assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)

Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
Development of the business continuity IT security policy will be an effort in futility if the policies are not complied with. Ideally compliance will be individually driven. This is designed to reduce the need to oversee each assignment, project or satellite location for adherence. The local staff are empowered to appreciate the importance of the policy and how and when to put it into action. They are also empowered to understand who does what, when, and how their actions, or lack of them, affect other people within and without the project, assignment or satellite station. When this is ingrained into all the CDC staff, actions intended to ensure compliance become beneficial to the organization. The staff no longer see the exercise of confirming conformity as antagonistic, but as contributing to the achievement of each individual task.

Audits will be conducted regularly to check on conformity levels and to follow up on the improvement of impediments flagged. These audits will be supported by compliance reports prepared by the IT security head at each project, assignment or satellite location globally. These will on occasion be accompanied by exception reporting for cases where the policy was not followed strictly. This is possible since all staff appreciate the role security plays and also understand that the policy is not meant to curtail an individual's work but to protect it. Thus even when the policy is circumvented, the exception report must be accompanied by a comprehensive report with clear reasoning as to why it was necessary to deviate from the policy.

b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
Given the sensitivity of the activities at CDC, compliance with the policy will be of utmost importance. Despite empowering all staff to appreciate the role the policy plays, and having empowered them to make adjustments when they evaluate this to be absolutely critical to their work, when their reasoning does not meet the threshold, sanctions must be enforced. The sanctions for non-compliance and violations of the policy will be wide and varied. When the action does not cause any discernible harm but is still a violation, the violator must be summoned by their supervisor and reminded of the need to adhere to the policy. If this is the first offence, the matter will be considered addressed. Should this be repeated, the staff member must be cited and this citation placed in their human resource file.

Where the compliance failure or violation causes the organisation to suffer loss, financial or otherwise, the culprit must be sanctioned severely. This could range from loss of employment, to financial restitution for the loss incurred by the organisation, to serving jail time. The choice of sanction to be applied will be influenced by the seriousness of the compliance failure or violation.

c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
Considering that the sanctions to be enforced will be punitive in some instances, it is important that their interpretation be guided by the relevant department that cares for staff welfare. The HR department will give guidance as to what sanction will not contravene the policies that guide the department. Interpretation of the sanction will be guided by how the organisation has set out to care for its staff. Similarly, the corporate legal counsel department will be consulted and guidance sought where the sanction concerns a policy violation or non-compliance that has resulted in severe loss to the organization and HR is recommending legal prosecution. This guidance will be critical in laying bare the consequences of the violation or non-compliance to the organisation, as it will lay the foundation of a criminal prosecution of those responsible.

Terms and Definitions

Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
A number of risks could arise if IT security requirements are not included in business continuity planning and subsequent operations. These include:
1. Failure to cover IT security basics: This will more often than not be ignored or assumed. It thus exposes the organisation to exploits and vulnerabilities that can be easily used by hackers to compromise the organisation. Omissions like not updating the browser in use or Adobe Flash Player are among the most exploited. With the multiplying aggressiveness of exploits emanating from the World Wide Web, achieving protection will require constant education on the dangers and taking actions that minimize, if not eliminate, this risk within the confines of available resources.
2. Not understanding the source of IT security risks: This is closely tied in with a poor appreciation of the value of the critical assets coupled with the potential attackers' profile. It's critical to appreciate that IT security risk is not generated by technology alone. Psychological and sociological aspects play significant roles too. Thus the organisation culture needs to be aligned, which in turn affects the amount of resources allocated to this endeavor.
3. Confusing compliance with IT security: This is evident when there is confusion between compliance and the IT security policy. Compliance with organisation rules does not necessarily mean protection against hacker attacks. Compliance needs to encompass an IT security management system capable of allowing management to oversee data flow within the system, thus protecting confidential information from leakage to unwanted sources.
4. Bring your own device (BYOD) policy and the cloud: This is especially critical for the different projects, assignments and satellite locations globally. Globally, it has been found that a sizable number of respondents pointed to mobility as the root cause of a breach. The increased mobility, coupled with users flooding the networks with access devices, has the unintended result of providing many paths for exposing data and application risks (Bourne, 2014).

b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
1. Failure to cover IT security basics: This will have the impact of multiplying the aggressiveness of exploits emanating from the World Wide Web. This failure will result in severe impact on the organisation, because the failure will have resulted from the organisation not setting policies that guide information risk management.
2. Not understanding the source of IT security risks: The effect of this risk will be significant to the organisation. Its severity will be especially considerable given it will have resulted from a lack of training of new and current employees on security.
3. Confusing compliance with IT security: Confusion will breed increased risk. It is unfortunate when an organisation suffers from confusion, given that the effect of this risk could have been eliminated, if not avoided, by patching security systems.
4. Bring your own device (BYOD) policy and the cloud: In as much as personal devices allow for flexibility and ease of work, they do expose the organisation to risk since it cannot control where the devices are used outside the work environment. The risk is especially severe, thus the need for the organization to institute policies for BYOD security.

Policy
1. To cover cyber security basics, all IT hardware and software will be programmed to update themselves at the beginning of the day, before they are used. This policy will be implemented by each individual staff member for the IT equipment allocated to them. The IT security manager in charge of the project, assignment or satellite location will have overall responsibility for the enforcement of the policy. The manager will regularly and constantly educate the staff on the dangers and on the resources available to protect them from the identified dangers.
2. To address the source of CDC's IT security risks, the organisation will regularly refresh its staff on the value it attaches to the critical assets and the dynamic profile of potential attackers. This should cover the organisation against malware, viruses and intrusions, outside attack, user error, cloud apps for service usage, and phishing, among others. By incorporating sociological and psychological aspects in the training, CDC will ingrain its culture into its staff. This culture should in turn be supported by the requisite resources to benefit the organisation.
3. To avoid confusion in complying with IT security policies, rules must be adhered to, to the letter. Further, the information security management system will allow managers to oversee data flows within the system. This should greatly enhance protection of confidential information from unwanted sources.
4. The Bring Your Own Device (BYOD) and cloud policy will not seek to impede the staff's flexible working environment or conditions. It will instead contribute very significantly to preventing security breaches. In the case of cloud computing, the policy will give it due attention given its importance and the vulnerabilities it comes with.

8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
Bourne, V. (2014). Protecting the Organisation Against the Unknown: A New Generation of Threats. Accessed February 13, 2016 from http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
Zaharia, A. (2015). 10 Cyber Security Risks That Might Affect Your Company. Accessed February 13, 2016 from https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Schiff, J. L. (2015). 6 Biggest Security Risks and How You Can Fight Back. Accessed February 13, 2016 from http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
Kaspersky Lab (2015). Global IT Security Risks Survey 2015. Accessed February 13, 2016 from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
NIST (2011). Managing Information Security Risk: Organizations, Mission and Information System View. Accessed February 13, 2016 from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
NCSC (2013). Cyber Security and Risk Management: An Executive Level Responsibility. Accessed February 13, 2016 from https://www.connectsmart.govt.nz/assets/NCSC-Cyber-security-risk-management-Executive.pdf

Copyright © 2015 by University of Maryland University College. All rights reserved.

White House IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy

Document Control
Organization: White House
Title: White House IT Security Staff BCP Policy
Author:
Owner: Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:

Revision History (Revision, Date, Reviser, Previous Version, Description of Revision): No Revisions

Document Approvals
This document requires the following approvals (Sponsor, Approval Name, Date Approved):

Document Distribution
This document will be distributed to:
Name: All White House Security Staff; Job Title: Information Security Specialist; Email Address:

Contributors
Development of this policy was assisted through information provided by the following organizations:
· White House and Department of Defense

Table of Contents
Policy Statement
1 Purpose
2 Objectives
3 Scope
4 Business Impact Analysis (BIA)
5 Business Continuity Planning Personnel
6 Business Continuity Planning Procedures
6.1 Events
6.2 Vendors
6.3 Task
6.4 Timeline
7 Testing and Maintenance
8 References

Policy Statement
The United States of America and its military rely on the confidentiality, integrity, and availability of accurate information stored in information systems to proactively prepare and defend the nation's critical infrastructures and protect national security. In the event of natural disasters and/or attacks from malicious hacktivists, it is imperative that the White House IT Security Staff has a quick, efficient, and effective business continuity plan to recover and restore data to ensure critical operations are not impacted. The business continuity plan is needed to continue the White House and military operations efforts to strategize and protect its critical infrastructures and citizens.

Purpose
The purpose of this document is to outline the necessary procedures and steps to recover and restore business operations within the White House in the event of a natural disaster, emergency, or system attack from external sources.

Objective
The following are the objectives of the policy:
· To maintain the highest amount of national security through the availability of critical and sensitive information concerning military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations to restore critical functions and systems to maximize availability and operational activities.
· To identify key White House Security personnel responsible for the restoration and recovery process to ensure immediate contact is available in case of an emergency event.
· To identify third party vendors needed to help attain successful business continuity and recovery planning.

Scope
The scope describes all locations, functions, personnel, and resources affected by the business continuity plan policy:
Locations: White House IT Department, The White House, The Sun Guard Hot Site, Herndon, VA
Business Units: All Business Units
Activities: All activities conducted by business units
Stakeholders: Chain of Command, Vendors, and White House Staff
Resources: All telecommunication assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)

Business Impact Analysis
The Business Impact Analysis (BIA) will assess the financial and operational impact, and the recovery time objectives (RTO), needed to restore critical systems, processes, and operations. The BIA will be conducted by assuming the worst case scenario due to the high level of exposure the White House presents. The BIA will be conducted in the event of an immediate shutdown of all functions and resources to analyse the recovery time and resources needed to restore critical systems and operations (ISACA, n.d.). The BIA will estimate the level of impact the White House will be willing to accept. The impact range is as follows:
Very High: Impact could cripple the White House and potentially cause catastrophic losses.
High: Impact exceeds the White House Executives' tolerance and could threaten National Security.
Medium: Impact will cause major harm to critical systems and operations and threaten National Security.
Low: Impact results in the temporary loss of critical systems and operations and could harm critical infrastructure.
Very Low: Impact results in minor loss of operations and does not threaten critical infrastructure.
The White House's level of tolerance is: Very Low.

Business Continuity Planning Personnel
The following are the personnel that can be immediately contacted in the event of business continuity plan activation:
IT Security Manager: Smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security Section, ph #
IT Security Specialist: Ethan Snowden, IT Security Department, ph #
The following personnel are to be contacted immediately after the above mentioned personnel:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #

Business Continuity Planning Procedures
The business continuity planning procedures are to be followed immediately in the event the business continuity plan is activated.

Events
The following are the events that may occur in which the BCP should be immediately activated to minimize the loss of availability of critical systems and operations: equipment failure, disruption of power supply or telecommunications, application failure, corruption of database, human error, sabotage, malicious software attacks, hacking, social unrest, terrorist attack, fire, or natural disasters (SANS, 2002).

Vendors
The below list are approved vendors that are critical to the day to day operations and should be contacted immediately in the event of a BCP activation:
1. Sun Guard – BCP Documentation and Hot Site resource
2. AppNomic – Backup and fail over solutions
3. Amazon – Cloud Services

Task
The following steps should be taken in the event the BCP is activated:
1. Contact the IT Security Manager and give a situation report.
2. Retrieve BCP documentation.
3. The IT Security Manager will determine the type of event and determine which department or function within the White House will activate their BCP.
4. If the impact level is designated as Medium or higher, IT personnel will relocate to the designated hot site:
a. Hot Site location will be:
b. The Hot Site representative will be immediately contacted at:
c. The Hot Site will provide all hardware and needs; however, IT personnel will bring all backup tapes, laptops, and critical servers within the IT data center to the Hot Site.
5. All secondary BCP personnel will be contacted and briefed.
6. A final determination of the event will be formally announced and the appropriate chain of command will be notified.

Timeline
The following is the timeline in which all major tasks will be completed; the total time for completion is 3 hours. Each timeframe is as follows:
· Contact IT Manager: 10 minutes (Total: 10 minutes)
· Retrieve BCP Documentation: 5 minutes (Total: 15 minutes)
· IT Manager event determination: 30 minutes (Total: 45 minutes)
· Relocation to Hot Site: 1 ½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 minutes (Total: 2 hours 30 minutes)
· Chain of Command is notified: 30 minutes (Total: 3 hours)

Testing and Maintenance
The following are the criteria for testing and maintenance to ensure continuous training and BCP compliance:
· BCP rehearsal should be conducted at least once annually to provide awareness and accuracy.
· Business unit level exercises should be conducted every two years.
· Executive management exercises should be conducted every three years. (Drewitt, 2013)

8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
ISACA (n.d.). Business Continuity Planning. Retrieved from: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
SANS (2002). Introduction to Business Continuity Planning. Retrieved from: http://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559
Sun Guard (2015). Availability Services Herndon Workgroup.
Retrieved from: http://www.sungardas.com/company/infrastructure/Pages/herndon-va.aspx

Copyright © 2015 by University of Maryland University College. All rights reserved.

Project #4: Prepare a Business Continuity IT Security Policy

Introduction
In Project 2 (which was order #225), you developed a local IT security policy for a specific facility – a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2, which was the Centers for Disease Control and Prevention (CDC), Orders #210 and #225). You should reuse applicable sections of your earlier projects for this project (e.g. your organization (CDC) overview and/or a specific section of your outline).

Background
Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can continue operations in the event of a disaster (whether natural or man-made). Sometimes these events are so severe that it is impossible for the business to continue operating from its normal locations. This requires a business continuity plan which, when activated, will enable the business to restore critical operations at other locations and within an acceptable time frame. Organizations use policies, plans, and procedures to implement an effective DR/BCP program and ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist which will guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy – guidance for DR/BCP planning for a particular data center.

DR/BCP policies for the enterprise (the entire organization) establish what must be done by the organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or covered in another document to which the policy refers. The required content for the DR/BCP plan may also be presented in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline for the plan is presented in Table 4-2.

Sometimes it is necessary to create supplementary policies which address specific circumstances or needs that must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy – the Business Continuity IT Security Policy. The “Tasks” section of this assignment explains the content requirements for your policy.

Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from http://www.ready.gov/business/implementation/continuity)
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to the survival of the business
· Conduct follow-up interviews to validate responses to the survey and obtain additional information
Phase 2: Develop Recovery Strategies
· Identify resource requirements based on BIAs
· Perform gap analysis (recovery requirements vs. current capabilities)
· Investigate recovery strategies (e.g. IaaS, PaaS, alternate sites)
· Document and implement recovery strategies (acquire / contract for products and services)
Phase 3: Develop Business Continuity Plan
· Develop plan framework (follow policy)
· Identify personnel for DR/BCP teams
· Develop recovery and/or relocation plans
· Write DR/BCP procedures
· Obtain approvals for plans and procedures
Phase 4: Testing & Readiness Exercises
· Develop testing, exercise, and maintenance requirements
· Conduct training for DR/BCP teams
· Conduct orientation exercises for staff
· Conduct testing and document test results
· Update BCP to incorporate lessons learned from testing and exercises

Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively restore critical business operations after a disruption.
Objective: to identify the processes or steps involved in resuming normal business operations.
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of time, (c) temporary or extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d) communications, (e) safety-of-life issues, etc.
Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if “loss of work area” is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of potential changes in personnel, the plan will need to be a “living” document that is updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, and notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.

Tasks
The Business Continuity Security Policy is being written by you as the data center facility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations. Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address the required content (sections) for the DR/BCP plan (see Table 4-2), even if that means requiring modifications to standard sections of the document or even adding sections.

Your policy must also address the roles and responsibilities for data center recovery operations. During recovery operations, the data center manager and recovery team personnel (including system administrators and network engineers) must ensure that IT systems and services, including required IT security controls, are operational within the required Recovery Time Objectives and Recovery Point Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP plans. They are used to determine the restoral order for systems and services and guide the selection and implementation of recovery strategies. The metrics also provide performance criteria for outside vendors and service providers from whom your organization purchases or will purchase IT services and products to implement its recovery strategies.

Recovery Time Objective: the maximum time allowed to restore critical operations and services after activation of the business continuity plan. Different RTOs may be set for different IT systems and services.
Recovery Point Objective: the point in time to which you must restore data during startup operations for DR/BCP (used to determine the backup frequency for data during normal operating periods and the maximum allowable amount of “lost data” which can be tolerated).

Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO metrics for the hardware and software which provide IT security controls. For example, if the data center relies upon an Active Directory server to implement role-based access controls, that server should have both an RTO and an RPO and be listed in the business continuity plan.

The primary audience for your policy will be the CIO and CISO staff members who are responsible for developing IT business continuity plans. Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include: CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO and CIO of the organization.

Tasks:
1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53 (see Table 4-3). Identify policy statements which can be used to ensure that the required controls are in place before, during, and after business continuity operations. (For example, for CP-6 your policy statement should require that IT security requirements be included in plans / contracts involving alternate storage sites for critical business data.) You must address at least 5 controls within the CP control family.

Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)

2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy statements which can be used to ensure that IT security requirements are addressed during each phase. These statements should include ensuring that RTO/RPO objectives for security services will be addressed during the planning process. (You may wish to include these as part of your policies for implementing CP-1, CP-2, CP-3, and CP-4.)
3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine the specific policy statements required to ensure that the required CP controls and any additional or alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a business continuity plan. (Your policy statements will tell Business Continuity Planners where and how to “build security in.”)
4. Write your Business Continuity Security Policy using the outline in Table 4-4. You must tailor your policy to the subject of IT Security Requirements for the Business Continuity program and address the required controls and actions identified during steps 1-3.

Table 4-4. Outline for an IT Security Policy
I. Identification
   a. Organization: [name]
   b. Title of Policy: Data Center Business Continuity Policy
   c. Author: [your name]
   d. Owner: [role, e.g. Data Center Manager]
   e. Subject: Business Continuity for [data center name]
   f. Review Date: [date submitted for grading]
   g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
   h. Distribution List
   i. Revision History
II. Purpose
   a. Provide a high-level summary statement as to the policy requirements which are set forth in this document.
III. Scope
   a. Summarize the business continuity activities and operations to which this policy will apply.
   b. Identify who is required to comply with this policy.
IV. Compliance
   a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
   b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
   c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
   a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
   b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
VII. Policy
   a. Present policies which will ensure that IT security is addressed
      i. In all phases of DR/BCP planning
      ii. In all relevant sections of the DR/BCP plan
      iii. By requiring implementation of relevant NIST guidance, e.g. controls from the CP family
      iv. By specifying roles and responsibilities for IT security during data center recovery operations
      v. Using RTO/RPO metrics for restoral of IT security services and functions
   b. Include an explanatory paragraph for each policy statement.

5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first-level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography and place that at the end of your file. (See Item #3 under Formatting.) Double-check your document to make sure that you have cited sources appropriately.

Formatting:
1. Cite sources using a consistent and professional style. You may use APA formatting for citations and references. Or, you may use another citation style, including use of footnotes or endnotes. (Citation requirements for policy documents are less stringent than those applied to research papers. But you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.) You are expected to write grammatically correct prose.

Criteria and Steps to follow (below in bold are subheadings) ***Please make sure there are three reference sites per subheading.***

Policy Outline & Body
Provided an excellent IT Security Policy which clearly, concisely, and accurately presents all required information (see outline in assignment for sections, fields, and content requirements). Presentation of information is organized in a logical fashion and uses 3 or more tables to group related information for presentation. All required fields under each section are listed and filled in (e.g. Owner Name in ID Section has a name filled in).

Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements which will ensure that IT Security is addressed during all four phases of the DR/BCP planning process. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that IT Security is addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using outline from assignment) which must address requirements for IT Security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security Roles & Responsibilities in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that roles and responsibilities for IT Security are addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using outline from assignment) which must address who is responsible for ensuring IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: Security Controls during DR/BCP Planning, Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which will ensure that NIST-recommended security controls for Contingency Planning (CP family) are addressed as part of DR/BCP planning, implementation, and execution. Identified and discussed five or more controls from the CP family which should be implemented (using NIST SP 800-53 guidance) to ensure adequate IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Crediting Sources
Work credits all sources used in a professional manner using APA format citations/references, footnotes with publication information, or endnotes with publication information. Provides a Bibliography or "Works Cited" if not using APA format. Publication information is sufficient to retrieve all listed resources.
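As an added example (not part of the policy or the assignment text above), the following Python script checks a constructed system inventory for the RTO/RPO consistency points the assignment describes: every system that provides an IT security control carries both metrics, the backup interval does not exceed the RPO, and a dependency such as the Active Directory server used for role-based access control is not given a looser RTO than the systems that rely on it. All system names and values are hypothetical.

```python
"""Consistency checks for RTO/RPO metrics in a business continuity plan.

Added example, not part of the original policy or assignment. The
inventory below is constructed for illustration; the Active Directory
dependency mirrors the assignment's RBAC example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class System:
    name: str
    security_control: bool                 # does this system implement an IT security control?
    rto_minutes: Optional[int] = None      # max time to restore after plan activation
    rpo_minutes: Optional[int] = None      # max tolerable data loss, as a time window
    backup_interval_minutes: Optional[int] = None
    depends_on: list = field(default_factory=list)


# Constructed sample inventory for a data center (hypothetical values).
PLAN = [
    System("Active Directory", True, rto_minutes=60, rpo_minutes=15,
           backup_interval_minutes=15),
    System("SIEM", True, rto_minutes=120, rpo_minutes=60,
           backup_interval_minutes=240, depends_on=["Active Directory"]),  # backups too infrequent
    System("Badge access controller", True, rto_minutes=30, rpo_minutes=60,
           backup_interval_minutes=60, depends_on=["Active Directory"]),  # RTO tighter than AD's
    System("Intranet wiki", False),        # not a security control: metrics optional here
    System("VPN concentrator", True, rto_minutes=90, rpo_minutes=1440,
           backup_interval_minutes=1440, depends_on=["Active Directory"]),
]


def check_plan(systems):
    """Return a list of findings; an empty list means the metrics are consistent."""
    by_name = {s.name: s for s in systems}
    findings = []
    for s in systems:
        # Every security control must be listed with both an RTO and an RPO.
        if s.security_control and (s.rto_minutes is None or s.rpo_minutes is None):
            findings.append(f"{s.name}: security control without RTO/RPO")
            continue
        # Backups taken less often than the RPO guarantee more data loss than tolerated.
        if s.rpo_minutes is not None and s.backup_interval_minutes is not None \
                and s.backup_interval_minutes > s.rpo_minutes:
            findings.append(f"{s.name}: backup interval {s.backup_interval_minutes} min "
                            f"exceeds RPO {s.rpo_minutes} min")
        # A system cannot be restored before the services it depends on.
        for dep in s.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{s.name}: depends on {dep}, which is not in the plan")
            elif d.rto_minutes is not None and s.rto_minutes is not None \
                    and d.rto_minutes > s.rto_minutes:
                findings.append(f"{s.name}: RTO {s.rto_minutes} min cannot be met because "
                                f"{dep} has RTO {d.rto_minutes} min")
    return findings


def restoral_order(systems):
    """Order systems so every dependency precedes its dependents, tightest RTO first."""
    by_name = {s.name: s for s in systems}
    done, order = set(), []

    def visit(s, stack=()):
        if s.name in done:
            return
        if s.name in stack:
            raise ValueError(f"dependency cycle through {s.name}")
        for dep in sorted(s.depends_on):
            if dep in by_name:
                visit(by_name[dep], stack + (s.name,))
        done.add(s.name)
        order.append(s.name)

    for s in sorted(systems, key=lambda x: (x.rto_minutes is None, x.rto_minutes or 0)):
        visit(s)
    return order
```

Running `check_plan(PLAN)` on the sample inventory reports two findings (the SIEM backup interval and the badge controller's RTO versus Active Directory), and `restoral_order(PLAN)` places Active Directory first.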