CDC IT Security Staff BCP Policy
CSIA 413
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: Centers for Disease Control and Prevention (CDC)
Title: CDC IT Security Staff BCP Policy
Author:
Owner: IT Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:

Revision History (Revision Date, Reviser, Previous Version, Description of Revision): No revisions

Document Approvals
This document requires the following approvals (Sponsor Approval, Name, Date, Approved):

Document Distribution
This document will be distributed to (Name, Job Title, Email Address):
All CDC Security Staff, Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organizations:
· CDC and the Departments of Defense, Health and Homeland Security
Table of Contents
Policy Statement
1 Purpose
2 Objective
3 Scope
4 Compliance
5 Terms and Definitions
6 Risk Identification and Assessment
7 Policy
8 References
Policy Statement
The mission of the Centers for Disease Control and Prevention (CDC) is to protect America from health, safety and security threats, both foreign and domestic. Whether a disease starts at home or abroad, is chronic or acute, curable or preventable, the result of human error or of deliberate attack, CDC fights it and supports communities and citizens in doing the same. This mandate is what makes CDC infrastructure critical: CDC is both a source and a repository of sensitive information.

It is therefore critical to secure that information, to control access to it and to control what information leaves the organisation. CDC must comply with IT regulations and laws governing how sensitive information is used and, because its operations are spread across many sites, it must contend with the threat of that information being compromised at any of them. CDC conducts critical science and provides health information that protects the nation against costly and dangerous health threats, and it must be able to respond when such threats arise.

Events do not always follow the ideal and predictable path. Disruptions may affect the smooth running of CDC and, in the worst case, force relocation to a new site and continuation of the work from there. Given the heightened threat environment, CDC cannot avoid planning for instances in which its operations are disrupted. This plan is intended to achieve efficient and effective operational continuity: to have all data recovered and restored so that critical operations are shielded from the disruption. It is referred to as the business continuity plan.

1 Purpose
Given the risks identified above, this document offers a roadmap for CDC to follow in recovering and restoring its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, an emergency or a deliberate external attack on its systems.

2 Objective
The objectives of this policy are:
· To achieve and uphold the highest level of security within the CDC campus so that sensitive and essential health information is not accessed by unauthorised persons, whether in person or remotely.
· To guarantee minimal disruption of processes and rapid recovery of critical operations and systems.
· To identify and rank operations, processes and systems so that essential systems and functions are reinstated in the order that maximises operational availability.
· To identify the key CDC personnel whose central task is to activate the recovery and restoration process, establish communication channels and verify the integrity of all security systems.
· To identify the critical third-party vendors that can and should be relied upon for the success of the business continuity and recovery plan.

3 Scope
The scope covers all aspects addressed by the business continuity plan policy, including but not limited to functions, locations, resources and personnel.
Functions: Demarcated by assignment or department. Functions are not cast in stone and will change from time to time.
Location: The CDC main campus and all satellite locations worldwide, so that breaches cannot originate from within the system at remote sites.
Business Units: All projects, assignments and satellite locations globally.
Activities: All activities conducted by the projects, assignments and satellite locations globally.
Stakeholders: All project, assignment and satellite location staff globally.
Resources: All ICT assets, information systems, office buildings, equipment and people (Drewitt, 2013).

4 Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
Developing a business continuity IT security policy is futile if the policy is not complied with. Ideally, compliance will be individually driven, which reduces the need to supervise each assignment, project or satellite location for adherence. Local staff are empowered to appreciate the importance of the policy and how and when to put it into action, and to understand who does what, when, and how their actions or inaction affect other people within and outside the project, assignment or satellite station.
Once this is ingrained in all CDC staff, compliance activities become beneficial to the organisation: staff no longer see the exercise of confirming conformity as antagonistic, but as contributing to the achievement of their own tasks. Audits will be conducted regularly to check conformity levels and to follow up on the remediation of impediments flagged earlier. The audits will be supported by compliance reports prepared by the IT security head at each project, assignment or satellite location. These will on occasion be accompanied by exception reports for cases where the policy was not followed strictly. Because all staff appreciate the role security plays, and understand that the policy is meant to protect an individual's work rather than curtail it, any deviation from the policy must be documented in an exception report accompanied by a comprehensive account of why the deviation was necessary.
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
Given the sensitivity of CDC's activities, compliance with the policy is of utmost importance. Staff are empowered to appreciate the role the policy plays and to make adjustments when they judge it absolutely critical to their work; when their reasoning does not meet that threshold, sanctions must be enforced. Sanctions for non-compliance and violations will be wide and varied. Where the action causes no discernible harm but is still a violation, the violator will be summoned by their supervisor and reminded of the need to adhere to the policy; for a first offence the matter is then considered addressed. Should the violation be repeated, the staff member will be formally cited and the citation placed in their human resources file. Where the compliance failure or violation causes the organisation to suffer a loss, financial or otherwise, the person responsible must be sanctioned severely; this could range from loss of employment to financial restitution for the loss incurred or a custodial sentence. The sanction applied will depend on the seriousness of the compliance failure or violation.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
Because the sanctions enforced will in some instances be punitive, their interpretation must be guided by the departments responsible for staff welfare. The HR department will advise on which sanctions do not contravene its own policies, and the interpretation of a sanction will be guided by how the organisation has undertaken to care for its staff. Similarly, corporate legal counsel will be consulted where a policy violation or non-compliance has resulted in severe loss to the organisation and HR recommends legal prosecution. This guidance is critical to laying bare the consequences of the violation or non-compliance for the organisation, as it lays the foundation for criminal prosecution of those responsible.

5 Terms and Definitions

6 Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
A number of risks could arise if IT security requirements are not included in business continuity planning and subsequent operations. These include:
1. Failure to cover IT security basics: The basics are more often than not ignored or assumed, which exposes the organisation to vulnerabilities and exploits that attackers can use with little effort. Unpatched software such as an outdated browser or Adobe Flash Player is among the most frequently exploited. With the multiplying aggressiveness of exploits originating on the World Wide Web, protection requires constant education on the dangers and actions that minimise, if not eliminate, this risk within the confines of available resources.
2. Not understanding the source of IT security risks: This is closely tied to a poor appreciation of the value of the critical assets and of the potential attackers' profile. It is critical to appreciate that IT security risk is not generated by technology alone; psychological and sociological aspects play significant roles too. The organisation's culture therefore needs to be aligned accordingly, which in turn affects the amount of resources allocated to this endeavour.
3. Confusing compliance with IT security: Compliance with organisational rules does not necessarily mean protection against attack. Compliance needs to encompass an IT security management system that allows management to oversee data flows within the system, thus protecting confidential information from leakage to unwanted recipients.
4. Bring your own device (BYOD) and the cloud: This is especially critical for the projects, assignments and satellite locations around the world. Globally, a sizeable number of survey respondents have pointed to mobility as the root cause of a breach. Increased mobility, coupled with users flooding the networks with access devices, has the unintended result of providing many paths for exposing data and applications to risk (Bourne, 2014).
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
1. Failure to cover IT security basics: Exploits originating on the World Wide Web become more aggressive against an unprotected target, so this failure will have a severe impact on the organisation. The impact is severe because the failure will have resulted from the organisation not setting the policies that guide information risk management.
2. Not understanding the source of IT security risks: The effect of this risk on the organisation will be significant. Its severity is considerable because it will have resulted from a lack of security training for new and current employees.
3. Confusing compliance with IT security: Confusion breeds increased risk. It is unfortunate when an organisation suffers from this confusion, since the effect of this risk could have been eliminated, or at least avoided, by patching security systems.
4. Bring your own device (BYOD) and the cloud: Much as personal devices allow flexibility and ease of work, they expose the organisation to risk, since it has no control over where the devices are used outside the work environment. The risk is especially severe, hence the need for the organisation to institute BYOD security policies.

7 Policy
1. To cover the cyber security basics, all IT hardware and software will be configured to update itself at the beginning of each day, before it is used. Each member of staff is responsible for implementing this for the IT equipment allocated to them. The IT security manager in charge of the project, assignment or satellite location has overall responsibility for enforcing the policy, and will regularly educate staff on the dangers and on the resources available to protect them from the identified dangers.
2. To address the sources of CDC's IT security risks, the organisation will regularly refresh its staff on the value it attaches to its critical assets and on the changing profile of potential attackers. This training should cover malware, viruses and intrusions, outside attack, user error, cloud applications and services, phishing and other threats. By incorporating sociological and psychological aspects in the training, CDC will ingrain its culture in its staff; that culture should in turn be supported by the requisite resources so that the organisation benefits.
3. To avoid confusing compliance with IT security, rules must be adhered to to the letter. Further, the information security management system will allow managers to oversee data flows within the system, which should greatly enhance the protection of confidential information from unwanted recipients.
4. The bring your own device (BYOD) and cloud policy will not seek to impede staff's flexible working environment or conditions; instead it will contribute very significantly to preventing security breaches. In the case of cloud computing, the policy will give due attention to its importance and to the vulnerabilities it brings with it.
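As an added illustration of how the audits described under Compliance could check policy item 1 (this is example code written for this page, not part of the CDC policy), the Python script below replays a constructed endpoint event log and reports, per host and day, any user logon that precedes the day's update run and any day of use on which no update ran at all. The log format, host names and event names are assumptions made for the example; a real audit would read the equivalent events from the endpoint management or SIEM platform in use.

```python
"""
Added example, not part of the original policy: an audit check for policy
item 1 (devices update themselves at the start of the day, before use).
It replays a constructed endpoint event log and, for each host and day,
reports a finding when a user logon precedes the day's update run or when
no update ran at all. The log format and host names are assumptions made
for this example.
"""
from datetime import datetime

# Constructed sample log (not real data): ISO-8601 UTC timestamp, host, event.
SAMPLE_LOG = """\
2016-02-13T06:55:02Z host=cdc-ws-01 event=update_applied
2016-02-13T08:02:10Z host=cdc-ws-01 event=user_logon user=analyst1
2016-02-13T07:40:44Z host=cdc-ws-02 event=user_logon user=analyst2
2016-02-13T09:15:00Z host=cdc-ws-02 event=update_applied
2016-02-13T08:30:00Z host=cdc-ws-03 event=user_logon user=analyst3
2016-02-14T07:10:00Z host=cdc-ws-03 event=update_applied
2016-02-14T07:20:00Z host=cdc-ws-03 event=user_logon user=analyst3
"""


def parse_log(text):
    """Yield (timestamp, host, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # unparseable timestamp: ignore the line
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "host" in fields and "event" in fields:
            yield ts, fields["host"], fields["event"]


def audit_update_before_use(text):
    """Return a sorted list of (host, day, reason) findings.

    A finding is raised for each (host, day) on which the first user logon
    happened before the first update run, or on which the host was used
    but no update ran.
    """
    first_logon = {}
    first_update = {}
    for ts, host, event in parse_log(text):
        key = (host, ts.date().isoformat())
        if event == "user_logon":
            first_logon[key] = min(first_logon.get(key, ts), ts)
        elif event == "update_applied":
            first_update[key] = min(first_update.get(key, ts), ts)

    findings = []
    for key, logon in first_logon.items():
        update = first_update.get(key)
        if update is None:
            findings.append((*key, "no update run on a day the host was used"))
        elif logon < update:
            findings.append(
                (*key, f"used at {logon:%H:%M}Z before update at {update:%H:%M}Z")
            )
    return sorted(findings)


if __name__ == "__main__":
    for host, day, reason in audit_update_before_use(SAMPLE_LOG):
        print(f"{day} {host}: {reason}")
```

On the constructed log, cdc-ws-01 passes (updated before first logon), cdc-ws-02 is flagged for being used before its update, and cdc-ws-03 is flagged for February 13 (no update at all) but not for February 14. Each finding is the raw material for the exception report the Compliance section requires: the local IT security head either documents why the deviation was necessary or treats it as a violation.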
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
Bourne, V. (2014). Protecting the Organisation Against the Unknown: A New Generation of Threats. Accessed February 13, 2016 from http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
Zaharia, A. (2015). 10 Cyber Security Risks That Might Affect Your Company. Accessed February 13, 2016 from https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Schiff, J. L. (2015). 6 Biggest Security Risks and How You Can Fight Back. Accessed February 13, 2016 from http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
Kaspersky Lab (2015). Global IT Security Risks Survey 2015. Accessed February 13, 2016 from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
NIST (2011). Managing Information Security Risk: Organization, Mission, and Information System View. Accessed February 13, 2016 from
Document Control
Organization: White House
Title: White House IT Security Staff BCP Policy
Author:
Owner: Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:

Revision History (Revision Date, Reviser, Previous Version, Description of Revision): No revisions

Document Approvals
This document requires the following approvals (Sponsor Approval, Name, Date, Approved):

Document Distribution
This document will be distributed to (Name, Job Title, Email Address):
All White House Security Staff, Information Security Specialist

Contributors
Development of this policy was assisted through information provided by the following organizations:
· White House and Department of Defense
Table of Contents
Policy Statement
1 Purpose
2 Objectives
3 Scope
4 Business Impact Analysis (BIA)
5 Business Continuity Planning Personnel
6 Business Continuity Planning Procedures
6.1 Events
6.2 Vendors
6.3 Tasks
6.4 Timeline
7 Testing and Maintenance
8 References
Policy Statement
The United States of America and its military rely on the confidentiality, integrity and availability of accurate information stored in information systems to proactively prepare for and defend the nation's critical infrastructures and to protect national security.
In the event of a natural disaster or an attack by malicious hacktivists, it is imperative that the White House IT Security Staff has a quick, efficient and effective business continuity plan to recover and restore data so that critical operations are not impacted. The business continuity plan is needed to continue the White House and military efforts to strategise for, and protect, the nation's critical infrastructures and citizens.
1 Purpose
The purpose of this document is to outline the procedures and steps necessary to recover and restore business operations within the White House in the event of a natural disaster, emergency or system attack from external sources.
2 Objectives
The objectives of this policy are:
· To maintain the highest level of national security through the availability of critical and sensitive information concerning military operations, critical infrastructure and foreign relations.
· To ensure minimal impact on resources and immediate recovery of critical systems and operations.
· To identify and prioritise systems, processes and operations so that critical functions and systems are restored in the order that maximises availability and operational activity.
· To identify the key White House security personnel responsible for the restoration and recovery process, so that immediate contact is available in an emergency.
· To identify the third-party vendors needed to achieve successful business continuity and recovery planning.
3 Scope
The scope describes all locations, functions, personnel and resources affected by the business continuity plan policy:
Locations: White House IT Department; The White House; the SunGard hot site, Herndon, VA
Business Units: All business units
Activities: All activities conducted by business units
Stakeholders: Chain of command, vendors and White House staff
Resources: All telecommunication assets, information systems, office buildings, equipment and people (Drewitt, 2013)

4 Business Impact Analysis (BIA)
The Business Impact Analysis (BIA) will assess the financial and operational impact of a disruption and the recovery time objectives (RTOs) needed to restore critical systems, processes and operations. Given the high level of exposure the White House presents, the BIA assumes the worst case: an immediate shutdown of all functions and resources. It analyses the recovery time and resources needed to restore critical systems and operations from that state (ISACA, n.d.) and estimates the level of impact the White House is willing to accept. The impact scale is as follows:
Very High: Impact could cripple the White House and potentially cause catastrophic losses.
High: Impact exceeds the tolerance of the White House's executives and could threaten national security.
Medium: Impact will cause major harm to critical systems and operations and threaten national security.
Low: Impact results in the temporary loss of critical systems and operations and could harm critical infrastructure.
Very Low: Impact results in a minor loss of operations and does not threaten critical infrastructure.
The White House's level of tolerance is: Very Low.
5 Business Continuity Planning Personnel
The following personnel can be contacted immediately in the event of business continuity plan activation:
IT Security Manager: Smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security Section, ph #
IT Security Specialist: Ethan Snowden, IT Security Department, ph #
The following personnel are to be contacted immediately after those listed above:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #

6 Business Continuity Planning Procedures
The business continuity planning procedures are to be followed immediately when the business continuity plan is activated.
6.1 Events
The following are the events in which the BCP should be activated immediately to minimise the loss of availability of critical systems and operations: equipment failure, disruption of the power supply or telecommunications, application failure, corruption of a database, human error, sabotage, malicious software attacks, hacking, social unrest, terrorist attack, fire or natural disaster (SANS, 2002).
6.2 Vendors
The following approved vendors are critical to day-to-day operations and should be contacted immediately in the event of BCP activation:
1. SunGard: BCP documentation and hot site resource
2. AppNomic: Backup and failover solutions
3. Amazon: Cloud services
6.3 Tasks
The following steps should be taken when the BCP is activated:
1. Contact the IT Security Manager and give a situation report.
2. Retrieve the BCP documentation.
3. The IT Security Manager will determine the type of event and which department or function within the White House will activate its BCP.
4. If the impact level is designated as Medium or higher, IT personnel will relocate to the designated hot site:
a. Hot site location:
b. The hot site representative will be contacted immediately at:
c. The hot site will provide all hardware needs; however, IT personnel will bring all backup tapes, laptops and critical servers to the IT data centre of the hot site.
5. All secondary BCP personnel will be contacted and briefed.
6. A final determination of the event will be formally announced and the appropriate chain of command notified.
6.4 Timeline
The following is the timeline in which all major tasks will be completed; the total time for completion is 3 hours. The timeframes are:
· Contact IT Security Manager: 10 minutes (Total: 10 minutes)
· Retrieve BCP documentation: 5 minutes (Total: 15 minutes)
· IT Security Manager event determination: 30 minutes (Total: 45 minutes)
· Relocation to hot site: 1½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 minutes (Total: 2 hours 30 minutes)
· Chain of command is notified: 30 minutes (Total: 3 hours)

7 Testing and Maintenance
The following are the criteria for testing and maintenance to ensure continuous training and BCP compliance:
· A BCP rehearsal should be conducted at least once a year to maintain awareness and accuracy.
· A business unit level exercise should be conducted every two years.
· Executive management exercises should be conducted every three years. (Drewitt, 2013)
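As an added illustration of what an automated plan-maintenance check could verify between rehearsals (example code written for this page, not part of the White House policy), the Python script below encodes the impact scale and tolerance from section 4, the relocation rule from step 4 of the Tasks (Medium or higher relocates to the hot site) and the activation timeline from section 6.4, then reports inconsistencies. Two readings are assumptions made for the example: that an event rated Very Low is within tolerance and does not require activation, and that the relocation step, with its 90 minutes, is skipped for events below Medium. The roster entries are constructed placeholders, not the real contacts.

```python
"""
Added example, not part of the original policy: a plan-consistency check
of the kind a BCP maintenance review could automate. It encodes the impact
scale and tolerance from the BIA section, the relocation rule from the
Tasks (Medium or higher -> hot site) and the activation timeline, then
reports where the plan is inconsistent or incomplete. Roster entries below
are constructed placeholders.
"""
from dataclasses import dataclass

IMPACT_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
TOLERANCE = "Very Low"           # BIA: the White House's level of tolerance
HOT_SITE_THRESHOLD = "Medium"    # Tasks, step 4
TOTAL_RTO_MINUTES = 3 * 60       # Timeline: total time for completion is 3 hours


def rank(level):
    """Position on the impact scale; raises ValueError for an unknown level."""
    return IMPACT_LEVELS.index(level)


def exceeds_tolerance(level):
    # Assumption: an event at the tolerance level itself is acceptable.
    return rank(level) > rank(TOLERANCE)


def requires_hot_site(level):
    return rank(level) >= rank(HOT_SITE_THRESHOLD)


@dataclass(frozen=True)
class Step:
    name: str
    minutes: int
    hot_site_only: bool = False   # assumption: skipped when no relocation happens


TIMELINE = [
    Step("Contact IT Security Manager", 10),
    Step("Retrieve BCP documentation", 5),
    Step("IT Security Manager event determination", 30),
    Step("Relocation to hot site", 90, hot_site_only=True),
    Step("Secondary personnel called and briefed", 15),
    Step("Chain of command notified", 30),
]


def activation_timeline(level):
    """Return [(step name, cumulative minutes)] for an event at this impact level."""
    out, elapsed = [], 0
    for step in TIMELINE:
        if step.hot_site_only and not requires_hot_site(level):
            continue
        elapsed += step.minutes
        out.append((step.name, elapsed))
    return out


@dataclass(frozen=True)
class Contact:
    role: str
    name: str
    phone: str


PLACEHOLDERS = {"", "ph #", "tbd", "n/a"}


def check_roster(roster):
    """Flag contacts whose name or phone is blank or still a template placeholder."""
    return [f"{c.role}: incomplete contact details"
            for c in roster
            if c.name.strip().lower() in PLACEHOLDERS
            or c.phone.strip().lower() in PLACEHOLDERS]


def review_plan(level, roster):
    """Findings for one impact level: tolerance, timeline against the 3-hour target, roster."""
    findings = []
    if not exceeds_tolerance(level):
        findings.append(f"{level} impact is within tolerance; activation not required")
    total = activation_timeline(level)[-1][1]
    if total > TOTAL_RTO_MINUTES:
        findings.append(f"timeline ({total} min) exceeds the 3-hour target")
    findings.extend(check_roster(roster))
    return findings


if __name__ == "__main__":
    # Constructed roster with one template placeholder left in, as a review might find.
    roster = [Contact("IT Security Manager", "A. Example", "+1-555-0100"),
              Contact("CISO", "B. Example", "ph #")]
    for level in IMPACT_LEVELS:
        print(level, "hot site" if requires_hot_site(level) else "in place",
              activation_timeline(level)[-1][1], "min", review_plan(level, roster))
```

Running it prints, for each impact level, whether relocation is required, the cumulative minutes until the chain of command is notified, and the findings. With the page's durations the hot-site path lands exactly on the 3-hour total, so any later change to a step's duration is caught immediately; the constructed roster deliberately leaves a "ph #" placeholder in place, which the roster check flags in the same way a review of the personnel list in section 5 would.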
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
ISACA (n.d.). Business Continuity Planning. Retrieved from: http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
SANS (2002). Introduction to Business Continuity Planning. Retrieved from:
time frame.
Organizations use policies, plans and procedures to implement an effective DR/BCP program and to ensure that DR/BCP plans are current and reflect actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist to guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy: guidance for DR/BCP planning for a particular data center.
DR/BCP policies for the enterprise (the entire organization) establish what the organization must do in order to develop its DR/BCP strategies, plans and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or in another document to which the policy refers. The required content for the DR/BCP plan may also be presented in the policy or, more likely, in an appendix or separate document. A typical outline for the plan is presented in Table 4-2.
Sometimes it is necessary to create supplementary policies that address specific circumstances or needs which must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy: the Business Continuity IT Security Policy. The "Tasks" section of this assignment explains the content requirements for your policy.
Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from http://www.ready.gov/business/implementation/continuity)
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes, resources and capital assets (facilities, IT systems) are critical to the survival of the business
· Conduct follow-up interviews to validate survey responses and obtain additional information
Phase 2: Develop Recovery Strategies
· Identify resource requirements based on the BIAs
· Perform gap analysis (recovery requirements vs. current capabilities)
· Investigate recovery strategies (e.g. IaaS, PaaS, alternate sites)
· Document and implement recovery strategies (acquire or contract for products and services)
Phase 3: Develop Business Continuity Plan
· Develop the plan framework (following policy)
· Identify personnel for DR/BCP teams
· Develop recovery and/or relocation plans
· Write DR/BCP procedures
· Obtain approvals for plans and procedures
Phase 4: Testing and Readiness Exercises
· Develop testing, exercise and maintenance requirements
· Conduct training for DR/BCP teams
· Conduct orientation exercises for staff
· Conduct testing and document test results
· Update the BCP to incorporate lessons learned from testing and exercises
Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively
restore critical business operations after a disruption.
Objective: to identify the processes or steps involved in
resuming normal business operations.
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT
services for a prolonged period of time, (c) temporary or
extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs.
transfer operations to alternate site, (b) availability of key
personnel, (c) vendor or utility service availability, (d)
communications, (e) safety of life issues, etc.
Recovery Strategy Summary: In this section, a plan will
22. typically outline the broad strategies to be followed in each of
the scenarios identified in the plan Introduction section. As an
example, if “loss of work area” is identified as a possible
failure scenario, a potential recovery strategy could be to
relocate to a previously agreed-upon or contracted alternate
work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a
list of the specific recovery activities and sub-activities that
will be required to support each of the strategies outlined in the
previous section. For example, if the strategy is to relocate to
an alternate work location, the tasks necessary to support that
relocation effort could include identifying any equipment needs,
providing replacement equipment, re-issuing VPN tokens,
declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify
the specific people involved in the business continuity efforts,
for example, naming a team lead and an alternate team lead, as
well as the team members associated with any recovery efforts.
This section of the plan will also include their contact
information, including work phone, cellphone, and email
addresses. Obviously, because of any potential changes in
personnel, the plan will need to be a “living” document that is
updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main
body that lays out the steps for activating a plan (usually in the
form of a flow chart). For example, a typical plan timeline
might start from the incident detection, then flow into the
activation of the response team, the establishment of an incident
command center, and notification of the recovery team,
followed by a decision point around whether or not to declare a
disaster. A plan timeline may also assign the recovery durations
or recovery time objectives required by the business for each
activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may
also list the vendors critical to day-to-day operations and
recovery strategies, as well as any required recovery time
objectives that the vendors must meet in order for the plan to be
successful.
Critical Equipment/Resource Requirements: A plan may also
detail the quantity requirements for resources that must be in
place within specified timeframes after plan activation.
Examples of resources listed might include workstations,
laptops (both with and without VPN access), phones, conference
rooms, etc.
Tasks
The Business Continuity Security Policy is being written by you
as the data center facility manager. This supplementary DR/BCP
policy will be used to ensure that needed security controls are
restored and functioning as designed in the event that the
business continuity plan is activated. These controls must
ensure that information, information systems, and information
infrastructure (e.g. networks, communications technologies,
etc.) are protected to the same level as required during normal
business operations. Your policy must ensure that security
requirements are adequately addressed during all four phases of
the Business Continuity Planning process (see Table 4-1). Your
policy must also address required content (sections) for the
DR/BCP plan (see Table 4-2) even if that means requiring
modifications to standard sections of the document or even
adding sections.
Your policy must also address the roles and responsibilities for
data center recovery operations. During recovery operations, the
data center manager and recovery team personnel (including
system administrators and network engineers) must ensure that
IT systems and services, including required IT security controls,
are operational within the required Recovery Time Objectives
and Recovery Point Objectives. These metrics are established
using the results of the BIA and are included in the DR/BCP
plans. These metrics are used to determine the restoral order for
systems and services and guide the selection and
implementation of recovery strategies. The metrics also provide
performance criteria for outside vendors and service providers
from whom your organization purchases or will purchase IT
services and products to implement its recovery strategies.
Recovery Time Objective: the maximum time allowed to restore
critical operations and services after activation of the business
continuity plan. Different RTOs may be set for different IT
systems and services.
Recovery Point Objective: the point in time to which you must
restore data during startup operations for DR/BCP (used to
determine backup frequency for data during normal operating
periods and the maximum allowable amount of “lost data”
which can be tolerated).
Your Business Continuity Security Policy must address the
requirement to set appropriate RTO and RPO metrics for
hardware and software, which provide IT security controls. For
example, if the data center relies upon an Active Directory
server to implement role based access controls, that server
should have both an RTO and an RPO and be listed in the
business continuity plan.
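The RTO/RPO requirements described above (a security control such as the Active Directory server must carry both metrics, the RPO bounds how often data must be backed up, and the metrics decide the order in which systems are restored) can be checked mechanically against a plan inventory. The following Python script is an added example for this page, not part of the assignment text or any CDC document; the system names, dependencies and hour values are constructed for illustration and the inventory would normally come from the BIA results.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PlanEntry:
    """One system or service listed in the DR/BCP plan."""
    name: str
    security_control: bool                  # does this system implement an IT security control?
    rto_hours: Optional[float]              # Recovery Time Objective (None = not set in the plan)
    rpo_hours: Optional[float]              # Recovery Point Objective (None = not set in the plan)
    backup_interval_hours: Optional[float]  # backup frequency during normal operations
    depends_on: List[str] = field(default_factory=list)  # systems that must be restored first


# Constructed sample inventory: hypothetical systems and numbers, not taken from the page.
SAMPLE_PLAN = [
    PlanEntry("core-network", True, rto_hours=1, rpo_hours=24, backup_interval_hours=24),
    PlanEntry("active-directory", True, rto_hours=2, rpo_hours=1, backup_interval_hours=1,
              depends_on=["core-network"]),
    PlanEntry("siem", True, rto_hours=None, rpo_hours=4, backup_interval_hours=1,
              depends_on=["core-network"]),
    PlanEntry("patient-records-db", False, rto_hours=8, rpo_hours=1, backup_interval_hours=4,
              depends_on=["active-directory"]),
    PlanEntry("web-portal", False, rto_hours=4, rpo_hours=24, backup_interval_hours=24,
              depends_on=["patient-records-db"]),
]


def find_policy_gaps(entries: List[PlanEntry]) -> List[Tuple[str, str]]:
    """Return (system, problem) pairs for entries that would violate the policy requirements."""
    by_name = {e.name: e for e in entries}
    gaps: List[Tuple[str, str]] = []
    for e in entries:
        # Every system that provides a security control needs both metrics.
        if e.security_control and e.rto_hours is None:
            gaps.append((e.name, "security control listed without an RTO"))
        if e.security_control and e.rpo_hours is None:
            gaps.append((e.name, "security control listed without an RPO"))
        # Backups taken less often than the RPO cannot meet it.
        if (e.rpo_hours is not None and e.backup_interval_hours is not None
                and e.backup_interval_hours > e.rpo_hours):
            gaps.append((e.name,
                         f"backup interval {e.backup_interval_hours}h exceeds RPO {e.rpo_hours}h"))
        # A system cannot be recovered before the systems it depends on.
        for dep_name in e.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                gaps.append((e.name, f"depends on {dep_name}, which is not listed in the plan"))
            elif (dep.rto_hours is not None and e.rto_hours is not None
                  and dep.rto_hours > e.rto_hours):
                gaps.append((e.name,
                             f"RTO {e.rto_hours}h is earlier than dependency {dep_name} "
                             f"RTO {dep.rto_hours}h"))
    return gaps


def restoral_order(entries: List[PlanEntry]) -> List[str]:
    """Order systems for restoral: dependencies first, then shortest RTO first.

    Systems with no RTO sort last, which makes missing metrics visible in the output.
    Raises ValueError on a dependency cycle, which a plan must never contain.
    """
    done: List[str] = []
    remaining = list(entries)
    while remaining:
        ready = [e for e in remaining if all(d in done for d in e.depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(e.name for e in remaining))
        nxt = min(ready, key=lambda e: (e.rto_hours if e.rto_hours is not None else float("inf"),
                                        e.name))
        done.append(nxt.name)
        remaining.remove(nxt)
    return done


if __name__ == "__main__":
    for system, problem in find_policy_gaps(SAMPLE_PLAN):
        print(f"GAP  {system}: {problem}")
    print("restoral order:", " -> ".join(restoral_order(SAMPLE_PLAN)))
```

Run against the constructed inventory, the checker flags the SIEM for lacking an RTO, the records database for a backup interval that cannot meet its RPO, and the web portal for an RTO tighter than the database it depends on; the restoral order puts the network and Active Directory ahead of the systems whose access control they provide.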
The primary audience for your policy will be the CIO and CISO
staff members who are responsible for developing IT business
continuity plans. Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO. The policy
must be approved and signed by the CEO and CIO of the
organization.
Tasks:
1. Review the Contingency Planning control family and
individual controls as listed in NIST SP 800-53 (see Table 4-3).
Identify policy statements, which can be used to ensure that the
required controls are in place before, during, and after business
continuity operations. (For example, for CP-6 your policy
statement should require that IT security requirements be
included in plans / contracts involving alternate storage sites for
critical business data.) You must address at least 5 controls
within the CP control family.
Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning
Process (see Table 4-1). Identify policy statements which can be
used to ensure that IT security requirements are addressed
during each phase. These statements should include ensuring
that RTO/RPO objectives for security services will be addressed
during the planning process. (You may wish to include these as
part of your policies for implementing CP-1, CP-2, CP-3, and
CP-4).
3. Review the outline for a Business Continuity Plan (Table 4-
2). Analyze the outline to determine specific policy statements
required to ensure that the required CP controls and any
additional or alternative IT security measures (e.g. controls
required to implement CP-13) are set forth in a business
continuity plan. (Your policy statements will tell Business
Continuity Planners where and how to “build security in.”)
4. Write your Business Continuity Security Policy using the
outline in Table 4-4. You must tailor your policy to the subject
of IT Security Requirements for the Business Continuity
program and address the required controls and actions identified
during steps 1-3.
Table 4-4. Outline for an IT Security Policy
I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the business continuity activities and operations
that this policy will apply to.
b. Identify who is required to comply with this policy.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Identify the risks which could arise if IT security
requirements are not included in business continuity planning
and subsequent operations.
b. Identify and describe the impacts of such risks (include an
assessment of the possible severity for each impact).
VII. Policy
a. Present policies which will ensure that IT security is
addressed
i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g.
controls from the CP family
iv. By specifying roles and responsibilities for IT security
during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services
and functions
b. Include an explanatory paragraph for each policy statement.
5. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately.
Formatting:
1. Cite sources using a consistent and professional style. You
may use APA formatting for citations and references. Or, you
may use another citation style, including the use of footnotes or end
notes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
by copying text verbatim.) You are expected to write
grammatically correct prose.
Criteria and Steps to follow (below, in bold, are subheadings)
***Please make sure three reference sites per subheading.***
Policy Outline & Body
Provided an excellent IT Security Policy, which clearly,
concisely, and accurately presents all required information (see
outline in assignment for sections, fields, and content
requirements). Presentation of information is organized in a
logical fashion and uses 3 or more tables to group related
information for presentation. All required fields under each
section are listed and filled in (e.g. Owner Name in ID Section
has a name filled in.)
Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements, which
will ensure that IT Security is addressed during all four phases
of the DR/BCP planning process. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed within DR/BCP plans.
Identified and discussed five or more sections of the plan (using
outline from assignment) which must address requirements for
IT Security during recovery operations. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security Roles & Responsibilities in DR/BCP
Plan
Presented an excellent policy statement or statements which
will ensure that roles and responsibilities for IT Security are
addressed within DR/BCP plans. Identified and discussed five
or more sections of the plan (using outline from assignment)
which must address who is responsible for ensuring IT security
during recovery operations. Policy statement(s) and supporting
explanations are clear, concise, and accurate. Used and cited at
least two authoritative sources.
Policy Section: Security Controls during DR/BCP Planning,
Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which
will ensure that NIST recommended security controls for
Contingency Planning (CP family) are addressed as part of
DR/BCP planning, implementation, and execution. Identified and
discussed five or more controls from the CP family which
should be implemented (using NIST SP 800-53 guidance) to
ensure adequate IT security during recovery operations. Policy
statement(s) and supporting explanations are clear, concise, and
accurate. Used and cited at least two authoritative sources.
Crediting Sources
Work credits all sources used in a professional manner using
APA format citations/references, footnotes with publication
information, or endnotes with publication information. Provides
a Bibliography or "Works Cited" if not using APA format.
Publication information is sufficient to retrieve all listed
resources.