CDC IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: Centers for Disease Control and Prevention (CDC)
Title: CDC IT Security Staff BCP Policy
Author:
Owner: IT Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:
Revision History
Revision Date | Reviser | Previous Version | Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval | Name | Date | Approved
Document Distribution
This document will be distributed to:
Name | Job Title | Email Address
All CDC Security Staff | Information Security Specialist |
Contributors
Development of this policy was assisted through information provided by the following organizations:
· CDC and Department of Defense, Health and Homeland Security
Table of Contents
Policy Statement
1 Purpose
2 Objective
3 Scope
4 Compliance
5 Terms and Definitions
6 Risk Identification and Assessment
7 Policy
Policy Statement
The mission of the Centers for Disease Control and Prevention (CDC) is to protect America from health, safety and security threats, both foreign and domestic. Whether a disease starts at home or abroad, is chronic or acute, curable or preventable, the result of human error or of deliberate attack, CDC fights it and supports communities and citizens to do the same. It is this sensitive mandate that makes CDC's infrastructure critical. CDC is both a source and a repository of information.
It is thus critical to secure that information and control access to it, including what information leaves the organisation. CDC has to comply with IT regulations and laws that control how sensitive information is used. Given the sources of some of this information, and since not all of its operations are in one place, CDC has to contend with the threat of this information being compromised. CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats, and it responds when these arise.
Unfortunately, things do not always follow the ideal and predictable path. Events may conspire to affect the smooth running of CDC and, in the worst case, force relocation to a new site and continuation there of the work that was being done. With the increased security threat, CDC cannot avoid planning for instances where its operations may be disrupted. The plan is intended to achieve efficient and effective operational continuity so that all data is recovered and restored, thereby shielding critical operations. This plan is referred to as the business continuity plan.
Purpose
Given the risks identified above, this document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, an emergency or a deliberate external system attack.
Objective
The following are the objectives of the policy:
· To achieve and uphold the highest level of security within the CDC campus in order to guarantee that sensitive and essential information addressing health concerns is not accessed by unauthorised persons, whether in person or virtually.
· To guarantee minimal disruption of processes and rapid recovery of critical operations and/or systems.
· To identify and rank operations, processes and systems so as to reinstate the essential systems and functions that maximise the availability of operations.
· To identify the key CDC personnel whose central task will be to activate the recovery and restoration process, making sure that communication channels are established and that the integrity of all security systems is maintained.
· To identify the critical third-party vendors who can and should be relied upon to make the business continuity and recovery plan succeed.
Scope
The scope refers to all the aspects covered by the business continuity plan policy. These include, but are not confined to, functions, locations, resources and personnel.
Functions: Demarcated by assignments or departments. The functions are not cast in stone and will change from time to time.
Location: The CDC main campus and all other satellite locations all over the world. This will ensure breaches do not emanate from within the system at remote sites.
Business Units: All projects, assignments and satellite locations globally.
Activities: All activities conducted by the projects, assignments and satellite locations globally.
Stakeholders: All project, assignment and satellite location staff globally.
Resources: All ICT assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)
Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
Development of the business continuity IT security policy will be futile if the policies are not complied with. Ideally, compliance will be driven by each individual. This is designed to reduce the need to oversee each assignment, project or satellite location for adherence. The local staff are empowered to appreciate the importance of the policy and how and when to put it into action. They are also empowered to understand who does what, when, and how their actions or inaction affect other people inside and outside the project, assignment or satellite station.
When this is ingrained in all CDC staff, actions intended to ensure compliance become beneficial to the organization. The staff no longer see the exercise of confirming conformity as antagonistic, but as contributing to the achievement of each individual's tasks. Audits will be conducted regularly to check conformity levels and to follow up on the remediation of impediments flagged. These audits will be supported by compliance reports prepared by the IT security head at each project, assignment or satellite location globally. These will on occasion be accompanied by exception reporting for cases where the policy was not followed strictly. This is possible since all staff appreciate the role security plays and also understand that the policy is not meant to curtail an individual's work but to protect it. Thus, even when the policy is circumvented, the exception report must be accompanied by a comprehensive report with clear reasoning as to why it was necessary to deviate from the policy.
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
Given the sensitivity of the activities at CDC, compliance with the policy will be of utmost importance. Although all staff are empowered to appreciate the role the policy plays, and to make adjustments when they judge it absolutely critical to their work, sanctions must be enforced when their reasoning does not meet that threshold. The sanctions for non-compliance and violations of the policy will be wide and varied. When the action does not cause any discernible harm but is still a violation, the violator must be summoned by their supervisor and reminded of the need to adhere to the policy. If this is the first offence, the matter will be considered addressed. Should it be repeated, the staff member must be cited and the citation placed in their human resources file. Where the compliance failure or violation causes the organisation to suffer loss, financial or otherwise, the culprit must be sanctioned severely. This could range from loss of employment and financial restitution for the loss incurred by the organisation to jail time. The choice of sanction will be influenced by the seriousness of the compliance failure or violation.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
Considering that the sanctions enforced will in some instances be punitive, it is important that their interpretation be guided by the department responsible for staff welfare. The HR department will give guidance as to which sanctions will not contravene the policies that guide the department. Interpretation of a sanction will be guided by how the organisation has set out to care for its staff. Similarly, the corporate legal counsel department will be consulted and its guidance sought where the sanction concerns a policy violation or non-compliance that has resulted in severe loss to the organization and HR is recommending legal prosecution. This guidance will be critical in laying bare the consequences of the violation or non-compliance for the organisation, as it will lay the foundation of a criminal prosecution of those responsible.
Terms and Definitions
Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
A number of risks could arise if IT security requirements are not included in business continuity planning and subsequent operations. Some of these include:
1. Failure to cover IT security basics: This will more often than not be ignored or assumed. It thus exposes the organisation to exploits and vulnerabilities that can easily be used by hackers to compromise the organisation. Lapses such as not updating the browser in use or Adobe Flash Player are among the most exploited. With the multiplying aggressiveness of exploits emanating from the World Wide Web, achieving protection will require constant education on the dangers and taking actions that minimise, if not eliminate, this risk within the confines of available resources.
2. Not understanding the source of IT security risks: This is closely tied in with a poor appreciation of the value of the critical assets, coupled with the potential attackers' profile. It is critical to appreciate that IT security risk is not generated by technology alone. Psychological and sociological aspects play significant roles too. Thus the organisation's culture needs to be aligned, which in turn affects the amount of resources allocated to this endeavour.
3. Confusing compliance with IT security: This is evident when there is confusion between compliance and the IT security policy. Compliance with organisation rules does not necessarily mean protection against hacker attacks. Compliance needs to encompass an IT security management system capable of allowing management to oversee data flow within the system, thus protecting confidential information from leakage to unwanted sources.
4. Bring your own device (BYOD) policy and the cloud: This is especially critical for the different projects, assignments and satellite locations globally. Globally, it has been found that a sizable number of respondents pointed to mobility as the root cause of a breach. The increased mobility, coupled with users flooding the networks with access devices, has the unintended result of providing many paths for exposing data and application risks (Bourne, 2014).
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
1. Failure to cover IT security basics: This will have the impact of multiplying the aggressiveness of exploits emanating from the World Wide Web. This failure will have a severe impact on the organisation, because it will have resulted from the organisation not setting policies that guide information risk management.
2. Not understanding the source of IT security risks: The effect of this risk on the organisation will be significant. Its severity will be especially considerable given that it will have resulted from a lack of security training for new and current employees.
3. Confusing compliance with IT security: Confusion will breed increased risk. It is unfortunate when an organisation suffers from this confusion, given that the effect of this risk could have been eliminated, if not avoided, by patching security systems.
4. Bring your own device (BYOD) policy and the cloud: As much as personal devices allow for flexibility and ease of work, they expose the organisation to risk since it cannot control where the devices are used outside the work environment. The risk is especially severe, hence the need for the organization to institute policies for BYOD security.
Policy
1. To cover cyber security basics, all IT hardware and software will be programmed to update themselves at the beginning of the day, before they are used. This policy will be implemented by each individual staff member for the IT equipment allocated to them. The IT security manager in charge of the project, assignment or satellite location will have overall responsibility for enforcement of the policy. The manager will regularly and constantly educate the staff on the dangers and on the resources available to protect them from the identified dangers.
2. To address the source of CDC's IT security risks, the organisation will regularly refresh its staff on the value it attaches to its critical assets and on the dynamic profile of potential attackers. This should protect the organisation from malware, viruses and intrusions, outside attack, user error, cloud apps for service usage, and phishing, among others. By incorporating sociological and psychological aspects in the training, CDC will ingrain its culture in its staff. This culture should in turn be supported by the requisite resources to benefit the organisation.
3. To avoid confusion in complying with IT security policies, rules must be adhered to, to the letter. Further, the information security management system will allow managers to oversee data flows within the system. This should greatly enhance protection of confidential information from unwanted sources.
4. The Bring Your Own Device (BYOD) and cloud policy will not seek to impede the staff's flexible working environment or conditions. It will instead contribute very significantly to preventing security breaches. In the case of cloud computing, the policy will give it due attention, given its importance and the vulnerabilities it comes with.
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
Bourne, V. (2014). Protecting the Organisation Against the Unknown: A New Generation of Threats. Accessed February 13, 2016 from http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
Zaharia, A. (2015). 10 Cyber Security Risks That Might Affect Your Company. Accessed February 13, 2016 from https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Schiff, J. L. (2015). 6 Biggest Security Risks and How You Can Fight Back. Accessed February 13, 2016 from http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
Kaspersky Lab (2015). Global IT Security Risks Survey 2015. Accessed February 13, 2016 from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
NIST (2011). Managing Information Security Risk: Organizations, Mission and Information System View. Accessed February 13, 2016 from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
NSCS (2013). Cyber Security and Risk Management: An Executive Level Responsibility. Accessed February 13, 2016 from https://www.connectsmart.govt.nz/assets/NCSC-Cyber-security-risk-management-Executive.pdf
Copyright © 2015 by University of Maryland University
College. All rights reserved.
White House IT Security Staff BCP Policy
CSIA 413
Professor Last Name:
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: White House
Title: White House IT Security Staff BCP Policy
Author:
Owner: Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:
Revision History
Revision Date | Reviser | Previous Version | Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval | Name | Date | Approved
Document Distribution
This document will be distributed to:
Name | Job Title | Email Address
All White House Security Staff | Information Security Specialist |
Contributors
Development of this policy was assisted through information provided by the following organizations:
· White House and Department of Defense
Table of Contents
Policy Statement
1 Purpose
2 Objectives
3 Scope
4 Business Impact Analysis (BIA)
5 Business Continuity Planning Personnel
6 Business Continuity Planning Procedures
6.1 Events
6.2 Vendors
6.3 Tasks
6.4 Timeline
7 Testing and Maintenance
8 References
Policy Statement
The United States of America and its military rely on the confidentiality, integrity, and availability of accurate information stored in information systems to proactively prepare and defend the nation's critical infrastructures and protect national security.
In the event of natural disasters and/or attacks from malicious hacktivists, it is imperative that the White House IT Security Staff has a quick, efficient, and effective business continuity plan to recover and restore data so that critical operations are not impacted. The business continuity plan is needed to continue the White House and military operations efforts to strategize and protect its critical infrastructures and citizens.
Purpose
The purpose of this document is to outline the necessary procedures and steps to recover and restore business operations within the White House in the event of a natural disaster, emergency, or system attack from external sources.
Objective
The following are the objectives of the policy:
· To maintain the highest level of national security through the availability of critical and sensitive information concerning military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations to restore critical functions and systems to maximize availability and operational activities.
· To identify key White House Security personnel responsible for the restoration and recovery process to ensure immediate contact is available in case of an emergency event.
· To identify third party vendors needed to help attain successful business continuity and recovery planning.
Scope
The scope describes all locations, functions, personnel, and resources affected by the business continuity plan policy:
Locations: White House IT Department, The White House, The SunGard Hot Site, Herndon, VA
Business Units: All Business Units
Activities: All activities conducted by business units
Stakeholders: Chain of Command, Vendors, and White House Staff
Resources: All telecommunication assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)
Business Impact Analysis
The Business Impact Analysis (BIA) will assess the financial impact, the operational impact, and the recovery time objectives (RTO) needed to restore critical systems, processes, and operations. The BIA will be conducted by assuming the worst-case scenario, due to the high level of exposure the White House presents. The BIA will be conducted for the event of an immediate shutdown of all functions and resources, to analyse the recovery time and resources needed to restore critical systems and operations (ISACA, n.d.). The BIA will estimate the level of impact the White House will be willing to accept. The impact range is as follows:
Very High – Impact could cripple the White House and potentially cause catastrophic losses.
High – Impact exceeds the White House Executives' tolerance and could threaten National Security.
Medium – Impact will cause major harm to critical systems and operations and threaten National Security.
Low – Impact results in the temporary loss of critical systems and operations and could harm critical infrastructure.
Very Low – Impact results in minor loss of operations and does not threaten critical infrastructure.
The White House's level of tolerance is: Very Low.
Business Continuity Planning Personnel
The following are the personnel that can be immediately contacted in the event of business continuity plan activation:
IT Security Manager: Smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security Section, ph #
IT Security Specialist: Ethan Snowden, IT Security Department, ph #
The following personnel are to be contacted immediately after the above-mentioned personnel:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #
Business Continuity Planning Procedures
The business continuity planning procedures are to be followed immediately in the event the business continuity plan is activated.
Events
The following are the events that may occur in which the BCP should be immediately activated to minimize the loss of availability of critical systems and operations:
Equipment failure, disruption of power supply or telecommunications, application failure, corruption of a database, human error, sabotage, malicious software attacks, hacking, social unrest, terrorist attack, fire, or natural disasters (SANS, 2002).
Vendors
The list below contains the approved vendors that are critical to day-to-day operations and should be contacted immediately in the event of a BCP activation:
1. SunGard – BCP documentation and Hot Site resource
2. AppNomic – Backup and failover solutions
3. Amazon – Cloud services
Tasks
The following steps should be taken in the event the BCP is activated:
1- Contact the IT Security Manager and give a situation report.
2- Retrieve the BCP documentation.
3- The IT Security Manager will determine the type of event and which department or function within the White House will activate its BCP.
4- If the impact level is designated as Medium or higher, IT personnel will relocate to the designated hot site:
a. Hot Site location will
b. The Hot Site representative will be immediately contacted at:
c. The Hot Site will provide all hardware needs; however, IT personnel will bring all backup tapes, laptops, and critical servers to the IT data center of the Hot Site.
5- All secondary BCP personnel will be contacted and briefed.
6- A final determination of the event will be formally announced and the appropriate chain of command will be notified.
Timeline
The following is the timeline in which all major tasks will be completed; the total time for completion is 3 hours. The timeframes are:
· Contact IT Manager: 10 minutes (Total: 10 minutes)
· Retrieve BCP Documentation: 5 minutes (Total: 15 minutes)
· IT Manager event determination: 30 minutes (Total: 45 minutes)
· Relocation to Hot Site: 1 ½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 minutes (Total: 2 hours 30 minutes)
· Chain of Command is notified: 30 minutes (Total: 3 hours)
Testing and Maintenance
The following are the criteria for testing and maintenance to ensure continuous training and BCP compliance:
· BCP rehearsals should be conducted at least once annually to provide awareness and accuracy.
· Business unit level exercises should be conducted every two years.
· Executive management exercises should be conducted every three years. (Drewitt, 2013)
8 References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
ISACA (n.d.). Business Continuity Planning. Retrieved from http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
SANS (2002). Introduction to Business Continuity Planning. Retrieved from http://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559
SunGard (2015). Availability Services Herndon Workgroup. Retrieved from http://www.sungardas.com/company/infrastructure/Pages/herndon-va.aspx
Project #4: Prepare a Business Continuity IT Security Policy
Introduction
In Project 2 (which was order #225), you developed a local IT security policy for a specific facility – a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2, which was the Centers for Disease Control and Prevention (CDC), orders #210 and #225). You should reuse applicable sections of your earlier projects for this project (e.g. your organization (which was CDC) overview and/or a specific section of your outline).
Background
Every organization needs a Disaster Recovery / Business
Continuity Plan (DR/BCP) to ensure that it can continue
operations in the event of a disaster (whether natural or man-
made). Sometimes, these events are so severe that it is
impossible for the business to continue operating from its
normal locations. This requires a business continuity plan
which, when activated, will enable the business to restore
critical operations at other locations and within an acceptable
time frame.
Organizations use policies, plans, and procedures to implement
an effective DR/BCP program and ensure that DR/BCP plans are
current and reflect the actual recovery needs (which may change
over time). The larger the organization, the more important it is
that policies exist which will guide DR/BCP planners through
the planning and implementation processes. For this assignment,
you will be writing one such policy – guidance for DR/BCP
planning for a particular data center.
DR/BCP policies for the enterprise (the entire organization)
establish what must be done by the organization in order to
develop its DR/BCP strategies, plans, and procedures. Table 4-1
provides a simplified list of phases and required activities for
the planning process. Depending upon the level of detail
covered by the policy, this information could be in the policy
itself or covered in another document, which the policy refers
to. The required content for the DR/BCP plan may also be
presented in the policy or, more likely, it will be provided in an
appendix or separate document. A typical outline for the plan is
presented in Table 4-2.
Sometimes, it is necessary to create supplementary policies,
which address specific circumstances or needs, which must be
accounted for in the DR/BCP planning process and throughout
the management of the DR/BCP program. For this assignment,
you will be developing one such policy – the Business
Continuity IT Security Policy. The “Tasks” section of this
assignment explains the content requirements for your policy.
Table 4-1. Disaster Recovery / Business Continuity Planning
Phases (adapted from
http://www.ready.gov/business/implementation/continuity )
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes,
resources, and capital assets (facilities, IT systems) are critical
to survival of business
· Conduct follow-up interviews to validate responses to survey
& obtain additional info
Phase 2: Develop Recovery Strategies
· Identify resource requirements based on BIAs
· Perform gap analysis (recovery requirements vs current
capabilities)
· Investigate recovery strategies (e.g. IaaS, PaaS, Alternate
Sites)
· Document & Implement recovery strategies (acquire / contract
for products & services)
Phase 3: Develop Business Continuity Plan
· Develop plan framework (follow policy)
· Identify personnel for DR/BCP teams
· Develop Recovery and/or Relocation Plans
· Write DR/BCP Procedures
· Obtain approvals for plans & procedures
Phase 4: Testing & Readiness Exercises
· Develop testing, exercise and maintenance requirements
· Conduct training for DR/BCP teams
· Conduct orientation exercises for staff
· Conduct testing and document test results
· Update BCP to incorporate lessons learned from testing and
exercises
Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively
restore critical business operations after a disruption.
Objective: to identify the processes or steps involved in
resuming normal business operations.
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT
services for a prolonged period of time, (c) temporary or
extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs.
transfer operations to alternate site, (b) availability of key
personnel, (c) vendor or utility service availability, (d)
communications, (e) safety of life issues, etc.
Recovery Strategy Summary: In this section, a plan will
typically outline the broad strategies to be followed in each of
the scenarios identified in the plan Introduction section. As an
example, if “loss of work area” is identified as a possible
failure scenario, a potential recovery strategy could be to
relocate to a previously agreed-upon or contracted alternate
work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a
list of the specific recovery activities and sub-activities that
will be required to support each of the strategies outlined in the
previous section. For example, if the strategy is to relocate to
an alternate work location, the tasks necessary to support that
relocation effort could include identifying any equipment needs,
providing replacement equipment, re-issuing VPN tokens,
declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify
the specific people involved in the business continuity efforts,
for example, naming a team lead and an alternate team lead, as
well as the team members associated with any recovery efforts.
This section of the plan will also include their contact
information, including work phone, cellphone, and email
addresses. Obviously, because of any potential changes in
personnel, the plan will need to be a “living” document that is
updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main
body that lays out the steps for activating a plan (usually in the
form of a flow chart). For example, a typical plan timeline
might start from the incident detection, then flow into the
activation of the response team, the establishment of an incident
command center, and notification of the recovery team,
followed by a decision point around whether or not to declare a
disaster. A plan timeline may also assign the recovery durations
or recovery time objectives required by the business for each
activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may
also list the vendors critical to day-to-day operations and
recovery strategies, as well as any required recovery time
objectives that the vendors must meet in order for the plan to be
successful.
Critical Equipment/Resource Requirements: A plan may also
detail the quantity requirements for resources that must be in
place within specified timeframes after plan activation.
Examples of resources listed might include workstations,
laptops (both with and without VPN access), phones, conference
rooms, etc.
Tasks
The Business Continuity Security Policy is being written by you as the data center facility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations. Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address the required content (sections) for the DR/BCP plan (see Table 4-2), even if that means requiring modifications to standard sections of the document or even adding sections.
Your policy must also address the roles and responsibilities for
data center recovery operations. During recovery operations, the
data center manager and recovery team personnel (including
system administrators and network engineers) must ensure that
IT systems and services, including required IT security controls,
are operational within the required Recovery Time Objectives
and Recovery Point Objectives. These metrics are established
using the results of the BIA and are included in the DR/BCP
plans. These metrics are used to determine the restoral order for
systems and services and guide the selection and
implementation of recovery strategies. The metrics also provide
performance criteria for outside vendors and service providers
from whom your organization purchases or will purchase IT
services and products to implement its recovery strategies.
Recovery Time Objective: the maximum time allowed to restore
critical operations and services after activation of the business
continuity plan. Different RTOs may be set for different IT
systems and services.
Recovery Point Objective: the point in time to which you must
restore data during startup operations for DR/BCP (used to
determine backup frequency for data during normal operating
periods and the maximum allowable amount of “lost data”
which can be tolerated).
Your Business Continuity Security Policy must address the
requirement to set appropriate RTO and RPO metrics for
hardware and software that provide IT security controls. For
example, if the data center relies upon an Active Directory
server to implement role-based access controls, that server
should have both an RTO and an RPO and be listed in the
business continuity plan.
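As an added illustration (not part of the assignment text or of any CDC document), the Python script below checks a constructed sample system inventory against the rules stated above: every security-control system carries both an RTO and an RPO, the backup interval is consistent with the RPO, and the RTO-driven restoral order never places a system ahead of the security service it depends on. All system names, hour values and dependencies are assumptions made up for the example.

```python
"""Consistency checks for RTO/RPO metrics on security-control systems.

Added example, not part of the assignment or any CDC policy. It encodes the
rules from the text above: a system providing an IT security control (such as
an Active Directory server enforcing role-based access control) must have an
RTO and an RPO in the BCP; backup frequency must be able to meet the RPO; and
the restoral order derived from RTOs must respect dependencies. All sample
systems, hours and dependencies below are constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class System:
    name: str
    provides_security_control: bool
    rto_hours: Optional[int] = None           # Recovery Time Objective
    rpo_hours: Optional[int] = None           # Recovery Point Objective
    backup_interval_hours: Optional[int] = None
    depends_on: List[str] = field(default_factory=list)


def check_plan(systems: List[System]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    by_name = {s.name: s for s in systems}
    findings = []
    for s in systems:
        # Rule 1: a security-control provider must carry both metrics.
        if s.provides_security_control:
            if s.rto_hours is None:
                findings.append(f"{s.name}: security control without RTO")
            if s.rpo_hours is None:
                findings.append(f"{s.name}: security control without RPO")
        # Rule 2: worst-case data loss equals the interval between backups,
        # so the interval may not exceed the RPO.
        if s.rpo_hours is not None and s.backup_interval_hours is not None:
            if s.backup_interval_hours > s.rpo_hours:
                findings.append(
                    f"{s.name}: backup every {s.backup_interval_hours}h "
                    f"cannot meet RPO of {s.rpo_hours}h")
        # Rule 3: a system cannot have a shorter RTO than a security service
        # it depends on, or it would count as restored without its controls.
        for dep_name in s.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                findings.append(f"{s.name}: depends on unknown system {dep_name}")
                continue
            if (s.rto_hours is not None and dep.rto_hours is not None
                    and dep.rto_hours > s.rto_hours):
                findings.append(
                    f"{s.name}: RTO {s.rto_hours}h is shorter than RTO "
                    f"{dep.rto_hours}h of dependency {dep_name}")
    return findings


def restoral_order(systems: List[System]) -> List[str]:
    """Dependency-respecting restoral order, shortest RTO first.

    Repeatedly schedules, among the systems whose dependencies are already
    scheduled, the one with the smallest RTO (a missing RTO sorts last).
    Raises ValueError if the dependencies form a cycle.
    """
    pending = {s.name: s for s in systems}
    order: List[str] = []
    while pending:
        ready = [s for s in pending.values()
                 if all(d in order for d in s.depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(pending))
        nxt = min(ready, key=lambda s: (s.rto_hours is None,
                                        s.rto_hours if s.rto_hours is not None else 0,
                                        s.name))
        order.append(nxt.name)
        del pending[nxt.name]
    return order


# Constructed sample inventory (assumed values, not from any real plan).
SAMPLE_PLAN = [
    System("active-directory", True, rto_hours=4, rpo_hours=1, backup_interval_hours=1),
    System("siem", True, rto_hours=8, rpo_hours=4, backup_interval_hours=6),
    System("firewall-mgmt", True, rto_hours=None, rpo_hours=24, backup_interval_hours=24),
    System("lab-results-app", False, rto_hours=2, rpo_hours=1, backup_interval_hours=1,
           depends_on=["active-directory"]),
    System("public-website", False, rto_hours=24, rpo_hours=24, backup_interval_hours=12,
           depends_on=["firewall-mgmt"]),
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
    print("restoral order:", " -> ".join(restoral_order(SAMPLE_PLAN)))
```

On the sample data the checks flag the SIEM backup interval, the firewall manager's missing RTO, and the application whose RTO is shorter than that of the directory it depends on.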
The primary audience for your policy will be the CIO and CISO
staff members who are responsible for developing IT business
continuity plans. Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO. The policy
must be approved and signed by the CEO and CIO of the
organization.
Tasks:
1. Review the Contingency Planning control family and
individual controls as listed in NIST SP 800-53 (see Table 4-3).
Identify policy statements that can be used to ensure that the
required controls are in place before, during, and after business
continuity operations. (For example, for CP-6 your policy
statement should require that IT security requirements be
included in plans / contracts involving alternate storage sites for
critical business data.) You must address at least 5 controls
within the CP control family.
Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning
Process (see Table 4-1). Identify policy statements that can be
used to ensure that IT security requirements are addressed
during each phase. These statements should include ensuring
that RTO/RPO objectives for security services will be addressed
during the planning process. (You may wish to include these as
part of your policies for implementing CP-1, CP-2, CP-3, and
CP-4.)
3. Review the outline for a Business Continuity Plan (Table 4-
2). Analyze the outline to determine specific policy statements
required to ensure that the required CP controls and any
additional or alternative IT security measures (e.g. controls
required to implement CP-13) are set forth in a business
continuity plan. (Your policy statements will tell Business
Continuity Planners where and how to “build security in.”)
4. Write your Business Continuity Security Policy using the
outline in Table 4-4. You must tailor your policy to the subject
of IT Security Requirements for the Business Continuity
program and address the required controls and actions identified
during steps 1-3.
Table 4-4. Outline for an IT Security Policy
I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the business continuity activities and operations
that this policy will apply to.
b. Identify who is required to comply with this policy.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Identify the risks which could arise if IT security
requirements are not included in business continuity planning
and subsequent operations.
b. Identify and describe the impacts of such risks (include an
assessment of the possible severity for each impact).
VII. Policy
a. Present policies which will ensure that IT security is
addressed
i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g.
controls from the CP family
iv. By specifying roles and responsibilities for IT security
during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services
and functions
b. Include an explanatory paragraph for each policy statement.
5. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately.
Formatting:
1. Cite sources using a consistent and professional style. You
may use APA formatting for citations and references. Or, you
may use another citation style, including use of footnotes or
endnotes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
by copying text verbatim.) You are expected to write
grammatically correctly.
Criteria and Steps to follow (Below in bold are subheadings)
***Please make sure there are three reference sites per subheading.***
Policy Outline & Body
Provided an excellent IT Security Policy, which clearly,
concisely, and accurately presents all required information (see
outline in assignment for sections, fields, and content
requirements). Presentation of information is organized in a
logical fashion and uses 3 or more tables to group related
information for presentation. All required fields under each
section are listed and filled in (e.g. Owner Name in ID Section
has a name filled in.)
Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed during all four phases
of the DR/BCP planning process. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed within DR/BCP plans.
Identified and discussed five or more sections of the plan (using
outline from assignment) which must address requirements for
IT Security during recovery operations. Policy statement(s) and
supporting explanations are clear, concise, and accurate. Used
and cited at least two authoritative sources.
Policy Section: IT Security Roles & Responsibilities in DR/BCP
Plan
Presented an excellent policy statement or statements which
will ensure that roles and responsibilities for IT Security are
addressed within DR/BCP plans. Identified and discussed five
or more sections of the plan (using outline from assignment)
which must address who is responsible for ensuring IT security
during recovery operations. Policy statement(s) and supporting
explanations are clear, concise, and accurate. Used and cited at
least two authoritative sources.
Policy Section: Security Controls during DR/BCP Planning,
Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which
will ensure that NIST recommended security controls for
Contingency Planning (CP family) are addressed as part of
DR/BCP planning, implementation, and execution. Identified and
discussed five or more controls from the CP family which
should be implemented (using NIST SP 800-53 guidance) to
ensure adequate IT security during recovery operations. Policy
statement(s) and supporting explanations are clear, concise, and
accurate. Used and cited at least two authoritative sources.
Crediting Sources
Work credits all sources used in a professional manner using
APA format citations/references, footnotes with publication
information, or endnotes with publication information. Provides
a Bibliography or "Works Cited" if not using APA format.
Publication information is sufficient to retrieve all listed
resources.

 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 

CDC IT Security Staff BCP Policy Guide

Thus CDC conducts critical science and provides health information that protects the nation against expensive and dangerous health threats, and responds when these arise. Unfortunately, things do not always follow the ideal and predictable path. Events may conspire to affect the smooth running of CDC and, in the worst case, force relocation to a new site and continuation there of the work that was being done. With the increased security threat, CDC cannot avoid planning for instances where its operations may be disrupted. The plan is intended to achieve efficient and effective operational continuity so that all data is recovered and restored, thus protecting critical operations. This plan is referred to as the business continuity plan.

Purpose
Given the risks identified above, this document is developed for the sole purpose of offering a roadmap to be followed by CDC to recover and restore its operations. The business continuity plan is to be activated should the center be hit by a natural disaster, an emergency or a deliberate external system attack.

Objective
The following are the objectives of the policy:
· To achieve and uphold the highest level of security within the CDC campus in order to guarantee that sensitive and essential information addressing health concerns is not accessed by unauthorised persons, whether in person or virtually.
· To guarantee minimal disruption of processes and rapid recovery of decisive operations and/or systems.
· To pinpoint and rank operations, processes and systems so as to reinstate the essential systems and functions that maximise the availability of operational activities.
· To pinpoint the key CDC personnel whose central task will be to activate the recovery and restoration process, making sure that communication channels are established and that the fidelity of all security systems is maintained.
· To point out the critical third-party vendors who can and should be relied upon to actualise the success of the business continuity and recovery plan.

Scope
The scope refers to all the aspects covered by the business continuity plan policy. These include, but are not confined to, functions, locations, resources and personnel.
Functions: Demarcated by assignments or departments. The functions are not cast in stone and will change from time to time.
Location: The CDC main campus and all other satellite locations all over the world. This will ensure that breaches do not emanate from within the system at remote sites.
Business Units: All projects, assignments and satellite locations globally.
Activities: All activities conducted by the projects, assignments and satellite locations globally.
Stakeholders: All project, assignment and satellite location staff globally.
Resources: All ICT assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)

Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.)
Development of the business continuity IT security policy will be an effort in futility if the policies are not complied with. Ideally, compliance will be individually driven. This is designed to reduce the need to oversee each assignment, project or satellite location for adherence. The local staff are empowered to appreciate the importance of the policy and how and when to put it into action. They are also empowered to understand who does what, when, and how their actions, or lack of them, affect other people within and outside the project, assignment or satellite station. When this is ingrained in all CDC staff, actions intended to ensure compliance become beneficial to the organisation. The staff no longer see the exercise of confirming conformity as antagonistic, but as contributing to the achievement of each individual task.
Audits will be conducted regularly to check on conformity levels and to follow up on the impediments flagged. These audits will be supported by compliance reports prepared by the IT security head at each project, assignment or satellite location globally. On occasion these will be accompanied by exception reports for cases where the policy was not followed strictly. This is possible since all staff appreciate the role security plays and understand that the policy is not meant to curtail an individual's work but to protect it. Thus, even when the policy is circumvented, the exception report must be accompanied by a comprehensive report with clear reasoning as to why it was necessary to deviate from the policy.
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
Given the sensitivity of the activities at CDC, compliance with the policy will be of utmost importance. Despite empowering all staff to appreciate the role the policy plays, and having empowered them to make adjustments when they evaluate it to be absolutely critical to their work, sanctions must be enforced when their reasoning does not meet the threshold. The sanctions for non-compliance and violations of the policy will be wide and varied.
When the action does not cause any discernible harm but is still a violation, the violator must be summoned by their supervisor and reminded of the need to adhere to the policy. If this is the first offence, the matter will be considered addressed. Should it be repeated, the staff member must be cited and the citation placed in their human resources file. Where the compliance failure or violation causes the organisation to suffer loss, financial or otherwise, the culprit must be sanctioned severely. This could range from loss of employment, to financial restitution for the loss incurred by the organisation, to serving jail time. The choice of sanction to be applied will be influenced by the seriousness of the compliance failure or violation.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.)
Considering that the sanctions enforced will in some instances be punitive, it is important that their interpretation be guided by the department that cares for staff welfare. The HR department will give guidance as to which sanctions will not contravene the policies that guide the department. Interpretation of the sanction will be guided by how the organisation has set out to care for its staff. Similarly, the corporate legal counsel department will be consulted and guidance sought where the sanction relates to a policy violation or non-compliance that has resulted in severe loss to the organisation and HR is recommending legal prosecution. This guidance will be critical in laying bare the consequences of the violation or non-compliance to the organisation, as it will lay the foundation of a criminal prosecution of those responsible.

Terms and Definitions

Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
A number of risks could arise if IT security requirements are not included in business continuity planning and subsequent operations. Some of these include:
1. Failure to cover IT security basics: This will more often than not be ignored or assumed.
It thus exposes the organisation to exploits and vulnerabilities that can easily be used by hackers to compromise the organisation. Lapses like not updating the browser in use or Adobe Flash Player are among the most exploited. With the multiplying aggressiveness of exploits emanating from the World Wide Web, achieving protection will require constant education on the dangers and taking actions that minimise, if not eliminate, this risk within the confines of available resources.
2. Not understanding the source of IT security risks: This is closely tied in with a poor appreciation of the value of the critical assets, coupled with the potential attackers' profile. It is critical to appreciate that IT security risk is not generated by technology alone. Psychological and sociological aspects play significant roles too. Thus the organisation culture needs to be aligned, which in turn affects the amount of resources allocated to this endeavour.
3. Confusing compliance with IT security: This is evident when there is confusion between compliance and the IT security policy. Compliance with organisation rules does not necessarily mean protection against hacker attacks. Compliance needs to encompass an IT security management system capable of allowing management to oversee data flow within the system, thus protecting confidential information from leakage to unwanted sources.
4. Bring your own device (BYOD) policy and the cloud: This is especially critical for the different projects, assignments and satellite locations globally. Globally, it has been found that a sizable number of respondents pointed to mobility as the root cause of a breach. The increased mobility, coupled with users flooding the networks with access devices, has the unintended result of providing many paths for exposing data and application risks (Bourne, 2014).
b. Identify and describe the impacts of such risks (include an assessment of the possible severity for each impact).
1. Failure to cover IT security basics: This will have the impact of multiplying the aggressiveness of exploits emanating from the World Wide Web. This failure will result in severe impact on the organisation, because it will have resulted from the organisation not setting policies that guide information risk management.
2. Not understanding the source of IT security risks: The effect of this risk will be significant to the organisation. Its severity will be especially considerable given that it will have resulted from a lack of training of new and current employees on security.
3. Confusing compliance with IT security: Confusion will breed increased risk. It is unfortunate when an organisation suffers from confusion, given that the effect of this risk could have been eliminated, if not avoided, by patching security systems.
4. Bring your own device (BYOD) policy and the cloud: As much as personal devices allow for flexibility and ease of work, they expose the organisation to risk since it cannot control where the devices are used outside the work environment. The risk is especially severe, hence the need for the organisation to institute policies for BYOD security.

Policy
1. To cover cyber security basics, all IT hardware and software will be programmed to update themselves at the beginning of the day, before they are used. This policy will be implemented by each individual staff member for the IT equipment allocated to them. The IT security manager in charge of the project, assignment or satellite location will have overall responsibility for the enforcement of the policy. The manager will regularly and constantly educate the staff on the dangers and on the resources available to protect them from the identified dangers.
2. To address the source of CDC's IT security risks, the organisation will regularly refresh its staff on the value it attaches to the critical assets and on the dynamic profile of potential attackers. This should cover the organisation against malware, viruses and intrusions, outside attack, user error, cloud apps for service usage, and phishing, among others. By incorporating sociological and psychological aspects in the training, CDC will ingrain its culture into its staff. This culture should in turn be supported by the requisite resources to benefit the organisation.
3. To avoid confusion in complying with IT security policies, rules must be adhered to, to the letter. Further, the information security management system will allow managers to oversee data flows within the system. This should greatly enhance protection of confidential information from unwanted sources.
4. The Bring Your Own Device (BYOD) and cloud policy will not seek to impede the staff's flexible working environment or conditions. It will instead contribute very significantly to preventing security breaches. In the case of cloud computing, the policy will give it due attention given its importance and the vulnerabilities it comes with.

References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
Bourne, V. (2014). Protecting the Organisation Against the Unknown: A New Generation of Threats. Accessed February 13, 2016 from http://software.dell.com/documents/protecting-the-organization-against-the-unknown-whitepaper-27396.pdf
Zaharia, A. (2015). 10 Cyber Security Risks That Might Affect Your Company. Accessed February 13, 2016 from https://heimdalsecurity.com/blog/10-critical-corporate-cyber-security-risks-a-data-driven-list/
Schiff, J. L. (2015). 6 Biggest Security Risks and How You Can Fight Back. Accessed February 13, 2016 from http://www.cio.com/article/2872517/data-breach/6-biggest-business-security-risks-and-how-you-can-fight-back.html
Kaspersky Lab (2015). Global IT Security Risks Survey 2015. Accessed February 13, 2016 from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
NIST (2011). Managing Information Security Risk: Organizations, Mission and Information System View. Accessed February 13, 2016 from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
NSCS (2013). Cyber Security and Risk Management: An Executive Level Responsibility. Accessed February 13, 2016 from https://www.connectsmart.govt.nz/assets/NCSC-Cyber-security-risk-management-Executive.pdf
Copyright © 2015 by University of Maryland University College. All rights reserved.

White House IT Security Staff BCP Policy
CSIA 413, Professor Last Name:
Policy Document
IT Business Continuity Plan Policy
Document Control
Organization: White House
Title: White House IT Security Staff BCP Policy
Author:
Owner: Security Staff Manager
Subject: Business Continuity Plan Policy
Review date:
Revision History
Revision Date / Reviser / Previous Version / Description of Revision: No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval: Name / Date / Approved
Document Distribution
This document will be distributed to:
Name / Job Title / Email Address: All White House Security Staff, Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· White House and Department of Defense
Table of Contents
Policy Statement
1 Purpose
2 Objectives
3 Scope
4 Business Impact Analysis (BIA)
5 Business Continuity Planning Personnel
6 Business Continuity Planning Procedures
6.1 Events
6.2 Vendors
6.3 Task
6.4 Timeline
7 Testing and Maintenance
8 References

Policy Statement
The United States of America and its military rely on the confidentiality, integrity, and availability of accurate information stored in information systems to proactively prepare and defend the nation's critical infrastructures and protect national security. In the event of natural disasters and/or attacks from malicious hacktivists, it is imperative that the White House IT Security Staff has a quick, efficient, and effective business continuity plan to recover and restore data to ensure critical operations are not impacted. The business continuity plan is needed to continue the White House and military operations efforts to strategize and protect its critical infrastructures and citizens.

Purpose
The purpose of this document is to outline the necessary procedures and steps to recover and restore business operations within the White House in the event of a natural disaster, emergency, or system attack from external sources.

Objective
The following are the objectives of the policy:
· To maintain the highest level of national security through the availability of critical and sensitive information concerning military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations to restore critical functions and systems to maximize availability and operational activities.
· To identify key White House Security personnel responsible for the restoration and recovery process to ensure immediate contact is available in case of an emergency event.
· To identify third-party vendors needed to help attain successful business continuity and recovery planning.

Scope
The scope describes all locations, functions, personnel, and resources affected by the business continuity plan policy:
Locations: White House IT Department, The White House, The Sun Guard Hot Site, Herndon, VA
Business Units: All business units
Activities: All activities conducted by business units
Stakeholders: Chain of command, vendors, and White House staff
Resources: All telecommunication assets, information systems, office buildings, equipment, and people. (Drewitt, 2013)

Business Impact Analysis
The Business Impact Analysis (BIA) will assess the financial impact, operational impact, and recovery time objectives (RTO) needed to restore critical systems, processes, and operations. The BIA will be conducted by assuming the worst-case scenario due to the high level of exposure the White House presents. The BIA will be conducted on the assumption of an immediate shutdown of all functions and resources, to analyse the recovery time and resources needed to restore critical systems and operations (ISACA, n.d.). The BIA will estimate the level of impact the White House will be willing to accept. The impact range is as follows:
Very High: Impact could cripple the White House and potentially cause catastrophic losses.
High: Impact exceeds the White House Executives' tolerance and could threaten national security.
Medium: Impact will cause major harm to critical systems and operations and threaten national security.
Low: Impact results in the temporary loss of critical systems and operations and could harm critical infrastructure.
Very Low: Impact results in minor loss of operations and does not threaten critical infrastructure.
The White House's level of tolerance is: Very Low.

Business Continuity Planning Personnel
The following are the personnel who can be contacted immediately in the event of business continuity plan activation:
IT Security Manager: Smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security Section, ph #
IT Security Specialist: Ethan Snowden, IT Security Department, ph #
The following personnel are to be contacted immediately after the above-mentioned personnel:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #

Business Continuity Planning Procedures
The business continuity planning procedures are to be followed immediately in the event the business continuity plan is activated.

Events
The following are the events that may occur in which the BCP should be activated immediately to minimize the loss of availability of critical systems and operations: equipment failure, disruption of power supply or telecommunications, application failure, corruption of a database, human error, sabotage, malicious software attacks, hacking, social unrest, terrorist attack, fire, or natural disasters (SANS, 2002).

Vendors
The following are approved vendors that are critical to the day-to-day operations and should be contacted immediately in the event of a BCP activation:
1. Sun Guard – BCP documentation and hot site resource
2. AppNomic – Backup and failover solutions
3. Amazon – Cloud services

Task
The following steps should be taken in the event the BCP is activated:
1. Contact the IT Security Manager and give a situation report.
2. Retrieve the BCP documentation.
3. The IT Security Manager will determine the type of event and which department or function within the White House will activate its BCP.
4. If the impact level is designated as Medium or higher, IT personnel will relocate to the designated hot site:
a. Hot site location will
b. The hot site representative will be contacted immediately at:
c. The hot site will provide all hardware needs; however, IT personnel will bring all backup tapes, laptops, and critical servers to the IT data center of the hot site.
5. All secondary BCP personnel will be contacted and briefed.
6. A final determination of the event will be formally announced and the appropriate chain of command will be notified.
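The BIA impact scale, the Very Low tolerance and the activation tasks above (including the Medium-or-higher threshold for hot-site relocation in task 4) can be encoded as checkable data, so that the steps applying to a given impact level can be listed with cumulative elapsed time and the plan's stated 3-hour total can be verified rather than trusted. The following Python is an added example written for this page, not code from the policy document. The impact levels, tolerance, relocation threshold and step durations are the ones the plan states (the durations are those in its Timeline section); the ordering of the Impact enum, the function names and the rule that a Low or Very Low event skips the 90-minute relocation step (a consequence of task 4 that the plan does not spell out) are assumptions made here.

```python
"""Added example: the White House BCP activation logic as checkable data.

Not part of the policy document. Impact levels, tolerance, the relocation
threshold and the step durations are taken from the plan text; the ordering of
the Impact enum, the function names and the rule that a Low / Very Low event
skips the relocation step are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """BIA impact range, ordered so that a larger value means more severe."""
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


def parse_impact(label: str) -> Impact:
    """Map a label as written in the plan ('Very High') to an Impact member."""
    return Impact[label.strip().upper().replace(" ", "_")]


# Values stated in the plan.
TOLERANCE = Impact.VERY_LOW            # "level of tolerance is: Very Low"
RELOCATION_THRESHOLD = Impact.MEDIUM   # task 4: relocate if Medium or higher
RTO_MINUTES = 3 * 60                   # Timeline: total time for completion is 3 hours


@dataclass(frozen=True)
class Step:
    name: str
    minutes: int
    only_if_relocating: bool = False   # task 4 applies only at or above the threshold


# Activation tasks 1-6 with the durations from the plan's Timeline section.
PLAN = (
    Step("Contact IT Security Manager and give situation report", 10),
    Step("Retrieve BCP documentation", 5),
    Step("IT Security Manager determines event type and affected functions", 30),
    Step("Relocate IT personnel to the hot site", 90, only_if_relocating=True),
    Step("Contact and brief secondary BCP personnel", 15),
    Step("Announce final determination and notify chain of command", 30),
)


def exceeds_tolerance(impact: Impact) -> bool:
    """True when the event's impact is above the accepted tolerance."""
    return impact > TOLERANCE


def relocation_required(impact: Impact) -> bool:
    """Task 4: hot-site relocation for Medium or higher impact."""
    return impact >= RELOCATION_THRESHOLD


def runbook(impact: Impact) -> list[tuple[str, int]]:
    """Applicable steps with cumulative elapsed minutes, in plan order."""
    elapsed = 0
    steps = []
    for step in PLAN:
        if step.only_if_relocating and not relocation_required(impact):
            continue   # assumption: no relocation, so the 90-minute step is skipped
        elapsed += step.minutes
        steps.append((step.name, elapsed))
    return steps


def total_minutes(impact: Impact) -> int:
    """Elapsed time at the final step for this impact level."""
    return runbook(impact)[-1][1]


def plan_meets_rto() -> bool:
    """Consistency check: does the worst case finish within the stated 3 hours?"""
    return total_minutes(Impact.VERY_HIGH) <= RTO_MINUTES


if __name__ == "__main__":
    for label in ("Low", "High"):
        impact = parse_impact(label)
        print(f"{label}: exceeds tolerance={exceeds_tolerance(impact)}, "
              f"relocate={relocation_required(impact)}")
        for name, at in runbook(impact):
            print(f"  t+{at:3d} min  {name}")
    print("plan meets RTO:", plan_meets_rto())
```

Keeping the steps as data rather than prose means a later edit to the plan (a longer relocation estimate, an added step) is caught by plan_meets_rto() during the annual rehearsal instead of being discovered during an activation; for a High event the relocation step completes at t+135 minutes and the chain of command is notified at t+180, which matches the plan's own totals.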
Timeline
The following is the timeline in which all major tasks will be completed; the total time for completion is 3 hours. The timeframe for each task is:
· Contact IT Manager: 10 minutes (Total: 10 minutes)
· Retrieve BCP documentation: 5 minutes (Total: 15 minutes)
· IT Manager event determination: 30 minutes (Total: 45 minutes)
· Relocation to hot site: 1 ½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 minutes (Total: 2 hours 30 minutes)
· Chain of command is notified: 30 minutes (Total: 3 hours)

Testing and Maintenance
The following are the criteria for testing and maintenance to ensure continuous training and BCP compliance:
· A BCP rehearsal should be conducted at least once annually to provide awareness and accuracy.
· Business unit level exercises should be conducted every two years.
· Executive management exercises should be conducted every three years. (Drewitt, 2013)

References
Drewitt, T. (2013). A Manager's Guide to ISO22301: A Practical Guide to Developing and Implementing a Business Continuity Management System.
ISACA (n.d.). Business Continuity Planning. Retrieved from http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-recovery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
SANS (2002). Introduction to Business Continuity Planning. Retrieved from http://www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559
Sun Guard (2015). Availability Services Herndon Workgroup. Retrieved from http://www.sungardas.com/company/infrastructure/Pages/herndon-va.aspx
Copyright © 2015 by University of Maryland University College. All rights reserved.

Project #4: Prepare a Business Continuity IT Security Policy

Introduction
In Project 2 (which was order #225), you developed a local IT security policy for a specific facility: a data center. In this project, you will develop a business continuity security policy for that facility. Your policy must be written for a specific organization (the same one you used for Projects #1 and #2, which was the Centers for Disease Control and Prevention (CDC), Orders #210 and #225). You should reuse applicable sections of your earlier projects for this project (e.g. your organization (CDC) overview and/or a specific section of your outline).

Background
Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can continue operations in the event of a disaster (whether natural or man-made). Sometimes these events are so severe that it is impossible for the business to continue operating from its normal locations. This requires a business continuity plan which, when activated, will enable the business to restore critical operations at other locations and within an acceptable time frame. Organizations use policies, plans, and procedures to implement an effective DR/BCP program and to ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over time). The larger the organization, the more important it is that policies exist which will guide DR/BCP planners through the planning and implementation processes. For this assignment, you will be writing one such policy: guidance for DR/BCP planning for a particular data center.
DR/BCP policies for the enterprise (the entire organization) establish what must be done by the organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a simplified list of phases and required activities for the planning process. Depending upon the level of detail covered by the policy, this information could be in the policy itself or covered in another document which the policy refers to. The required content for the DR/BCP plan may also be presented in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline for the plan is presented in Table 4-2.
Sometimes it is necessary to create supplementary policies which address specific circumstances or needs that must be accounted for in the DR/BCP planning process and throughout the management of the DR/BCP program. For this assignment, you will be developing one such policy: the Business Continuity IT Security Policy. The "Tasks" section of this assignment explains the content requirements for your policy.

Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from http://www.ready.gov/business/implementation/continuity)
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to the survival of the business
· Conduct follow-up interviews to validate responses to the survey and obtain additional information
  • 21. Phase 2: Develop Recovery Strategies · Identify resource requirements based on BIAs · Perform gap analysis (recovery requirements vs current capabilities) · Investigate recovery strategies (e.g. IaaS, PaaS, Alternate Sites) · Document & Implement recovery strategies (acquire / contract for products & services) Phase 3: Develop Business Continuity Plan · Develop plan framework (follow policy) · Identify personnel forDR/BCP teams · Develop Recovery and/or Relocation Plans · Write DR/BCP Procedures · Obtain approvals for plans & procedures Phase 4: Testing & Readiness Exercises · Develop testing, exercise and maintenance requirements · Conduct training for DR/BCP teams · Conduct orientation exercises for staff · Conduct testing and document test results · Update BCP to incorporate lessons learned from testing and exercises Table 4-2. Outline for a Business Continuity Plan Purpose: to allow company personnel to quickly and effectively restore critical business operations after a disruption. Objective: to identify the processes or steps involved in resuming normal business operations. Scope: work locations or departments addressed. Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of time, (c) temporary or extended loss of workforce, etc. Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d) communications, (e) safety of life issues, etc. Recovery Strategy Summary: In this section, a plan will
typically outline the broad strategies to be followed in each of the scenarios identified in the plan's introduction. As an example, if "loss of work area" is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.

Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation could include identifying equipment needs, providing replacement equipment, re-issuing VPN tokens, declaring a disaster, and so on.

Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity effort, for example naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cell phone, and email addresses. Because of potential changes in personnel, the plan must be a "living" document that is updated as personnel and workforce changes are made.

Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating the plan (usually in the form of a flow chart). For example, a typical plan timeline might start from incident detection, then flow into activation of the response team, establishment of an incident command center, and notification of the recovery team, followed by a decision point on whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.

Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any recovery time objectives that the vendors must meet in order for the plan to be successful.

Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.

Tasks

The Business Continuity Security Policy is being written by you as the data center facility manager. This supplementary DR/BCP policy will be used to ensure that needed security controls are restored and functioning as designed in the event that the business continuity plan is activated. These controls must ensure that information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) are protected to the same level as required during normal business operations.

Your policy must ensure that security requirements are adequately addressed during all four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address the required content (sections) for the DR/BCP plan (see Table 4-2), even if that means requiring modifications to standard sections of the document or adding sections. Your policy must also address the roles and responsibilities for data center recovery operations.

During recovery operations, the data center manager and recovery team personnel (including system administrators and network engineers) must ensure that IT systems and services, including required IT security controls, are operational within the required Recovery Time Objectives and Recovery Point Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP plans. They are used to determine the restoral order for systems and services and guide the selection and implementation of recovery strategies.
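The restoral order and the RTO/RPO metrics described above can be checked mechanically before a plan is approved. The following is an added example, not part of the assignment text or of any CDC document: a small Python script over a constructed, hypothetical inventory (an Active Directory server providing role-based access control, a SIEM providing audit logging, a storage array, a database and a web application, all assumed for illustration) that derives a dependency-respecting restoral order with the tightest RTO first, flags any system whose RTO is tighter than that of something it depends on, flags security controls that were never given an RTO/RPO, and turns each RPO into the longest permissible backup interval.

```python
"""Sanity-check BIA-derived RTO/RPO metrics and derive a restoral order.

Added example for the RTO/RPO discussion above; it is not part of the
assignment or of any CDC document. The inventory, dependencies and metric
values below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import timedelta
from heapq import heappop, heappush
from typing import Optional


@dataclass
class System:
    name: str
    rto_hours: Optional[float]        # Recovery Time Objective; None = not set by the BIA
    rpo_hours: Optional[float]        # Recovery Point Objective; None = not set by the BIA
    depends_on: list[str] = field(default_factory=list)
    security_control: bool = False    # implements an IT security control (RBAC, audit logging, ...)


# Constructed, hypothetical inventory. The directory service provides the
# role-based access control every other service relies on; the SIEM provides
# audit logging but was never given metrics in the BIA.
INVENTORY = [
    System("active-directory", rto_hours=2, rpo_hours=1, security_control=True),
    System("siem", rto_hours=None, rpo_hours=None, security_control=True),
    System("storage-array", rto_hours=4, rpo_hours=0.5),
    System("lab-results-db", rto_hours=2, rpo_hours=0.25,
           depends_on=["active-directory", "storage-array"]),
    System("case-reporting-web", rto_hours=8, rpo_hours=4,
           depends_on=["active-directory", "lab-results-db", "siem"]),
]


def check_metrics(systems: list[System]) -> list[tuple[str, str]]:
    """Return (system, problem) pairs that would make the plan unachievable.

    A system cannot meet its RTO if something it depends on is allowed a longer
    RTO or has no RTO at all; a security control with no metrics cannot be
    sequenced, so its protections may return late or not at all.
    """
    by_name = {s.name: s for s in systems}
    problems: list[tuple[str, str]] = []
    for s in systems:
        if s.rto_hours is None or s.rpo_hours is None:
            kind = "security control" if s.security_control else "system"
            problems.append((s.name, f"{kind} has no RTO/RPO in the BIA"))
        for dep in s.depends_on:
            d = by_name.get(dep)
            if d is None:
                problems.append((s.name, f"depends on {dep}, which is not in the plan"))
            elif d.rto_hours is None:
                problems.append((s.name, f"depends on {dep}, which has no RTO"))
            elif s.rto_hours is not None and d.rto_hours > s.rto_hours:
                problems.append((s.name, f"RTO {s.rto_hours}h is tighter than dependency "
                                         f"{dep} (RTO {d.rto_hours}h)"))
    return problems


def restoral_order(systems: list[System]) -> list[str]:
    """Dependency-respecting restore sequence, tightest RTO first among the ready set.

    Kahn's algorithm over the dependency graph, with a heap so that whenever
    several systems are restorable the one with the smallest RTO goes first.
    Systems without an RTO sort last. Raises ValueError on a dependency cycle.
    """
    known = {s.name for s in systems}
    indegree = {s.name: sum(1 for d in s.depends_on if d in known) for s in systems}
    dependents: dict[str, list[str]] = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            if dep in known:
                dependents[dep].append(s.name)
    rto = {s.name: (s.rto_hours if s.rto_hours is not None else float("inf")) for s in systems}

    ready: list[tuple[float, str]] = []
    for name, deg in indegree.items():
        if deg == 0:
            heappush(ready, (rto[name], name))
    order: list[str] = []
    while ready:
        _, name = heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heappush(ready, (rto[child], child))
    if len(order) != len(systems):
        stuck = [n for n in indegree if n not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def max_backup_interval(systems: list[System]) -> dict[str, timedelta]:
    """Longest gap between backups that still keeps data loss within the RPO."""
    return {s.name: timedelta(hours=s.rpo_hours) for s in systems if s.rpo_hours is not None}


if __name__ == "__main__":
    for name, problem in check_metrics(INVENTORY):
        print(f"PROBLEM  {name}: {problem}")
    print("restoral order:", " -> ".join(restoral_order(INVENTORY)))
    for name, gap in max_backup_interval(INVENTORY).items():
        print(f"backup {name} at least every {gap}")
```

Run as a script it prints the findings and the order. In the constructed inventory the database cannot meet a 2-hour RTO because the storage it sits on is allowed 4 hours, and the SIEM has no metrics at all, so audit logging could come back after the systems it is supposed to monitor. Those are exactly the gaps a reviewer wants surfaced before BIA numbers are written into the plan and into vendor contracts.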
The metrics also provide performance criteria for outside vendors and service providers from whom your organization purchases or will purchase IT services and products to implement its recovery strategies.

Recovery Time Objective (RTO): the maximum time allowed to restore critical operations and services after activation of the business continuity plan. Different RTOs may be set for different IT systems and services.

Recovery Point Objective (RPO): the point in time to which data must be restored during startup operations for DR/BCP. The RPO determines the backup frequency for data during normal operating periods and the maximum amount of "lost data" which can be tolerated.

Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO metrics for the hardware and software which provide IT security controls. For example, if the data center relies upon an Active Directory server to implement role-based access controls, that server should have both an RTO and an RPO and be listed in the business continuity plan.

The primary audience for your policy will be the CIO and CISO staff members who are responsible for developing IT business continuity plans. Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include the CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO and CIO of the organization.

Tasks:

1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53 (see Table 4-3). Identify policy statements which can be used to ensure that the required controls are in place before, during, and after business continuity operations. (For example, for CP-6 your policy statement should require that IT security requirements be included in plans and contracts involving alternate storage sites for critical business data.) You must address at least 5 controls within the CP control family.

Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy statements which can be used to ensure that IT security requirements are addressed during each phase. These statements should include ensuring that RTO/RPO objectives for security services will be addressed during the planning process. (You may wish to include these as part of your policies for implementing CP-1, CP-2, CP-3, and CP-4.)

3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine the specific policy statements required to ensure that the required CP controls and any additional or alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a business continuity plan. (Your policy statements will tell Business Continuity Planners where and how to "build security in.")

4. Write your Business Continuity Security Policy using the outline in Table 4-4. You must tailor your policy to the subject of IT Security Requirements for the Business Continuity program and address the required controls and actions identified during steps 1-3.

Table 4-4. Outline for an IT Security Policy

I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
h. Distribution List
i. Revision History

II. Purpose
a. Provide a high-level summary statement of the policy requirements which are set forth in this document.

III. Scope
a. Summarize the business continuity activities and operations that this policy will apply to.
b. Identify who is required to comply with this policy.

IV. Compliance
a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.).
b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.).

V. Terms and Definitions

VI. Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in business continuity planning and subsequent operations.
b. Identify and describe the impacts of such risks (include an assessment of the possible severity of each impact).

VII. Policy
a. Present policies which will ensure that IT security is addressed
i. in all phases of DR/BCP planning
ii. in all relevant sections of the DR/BCP plan
iii. by requiring implementation of relevant NIST guidance, e.g. controls from the CP family
iv. by specifying roles and responsibilities for IT security during data center recovery operations
v. using RTO/RPO metrics for restoral of IT security services and functions
b. Include an explanatory paragraph for each policy statement.

5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first-level headings from the outline (I, II, III, etc.).

6. Prepare a Reference list (if you are using APA format citations and references) or a Bibliography and place it at the end of your file. (See Item #3 under Formatting.) Double-check your document to make sure that you have cited sources appropriately.

Formatting:

1. Cite sources using a consistent and professional style. You may use APA formatting for citations and references, or you may use another citation style, including footnotes or endnotes. (Citation requirements for policy documents are less stringent than those applied to research papers, but you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.) You are expected to write grammatically correct prose.

Criteria and Steps to follow (subheadings below are shown in bold)

***Please make sure there are three reference sites per subheading.***

Policy Outline & Body
Provided an excellent IT Security Policy which clearly, concisely, and accurately presents all required information (see the outline in the assignment for sections, fields, and content requirements). Presentation of information is organized in a logical fashion and uses 3 or more tables to group related information for presentation. All required fields under each section are listed and filled in (e.g. Owner Name in the Identification section has a name filled in).

Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements which will ensure that IT security is addressed during all four phases of the DR/BCP planning process. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that IT security is addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using the outline from the assignment) which must address requirements for IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: IT Security Roles & Responsibilities in DR/BCP Plan
Presented an excellent policy statement or statements which will ensure that roles and responsibilities for IT security are addressed within DR/BCP plans. Identified and discussed five or more sections of the plan (using the outline from the assignment) which must address who is responsible for ensuring IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Policy Section: Security Controls during DR/BCP Planning, Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which will ensure that NIST-recommended security controls for Contingency Planning (CP family) are addressed as part of DR/BCP planning, implementation, and execution. Identified and discussed five or more controls from the CP family which should be implemented (using NIST SP 800-53 guidance) to ensure adequate IT security during recovery operations. Policy statement(s) and supporting explanations are clear, concise, and accurate. Used and cited at least two authoritative sources.

Crediting Sources
Work credits all sources used in a professional manner using APA format citations/references, footnotes with publication information, or endnotes with publication information. Provides a Bibliography or "Works Cited" if not using APA format. Publication information is sufficient to retrieve all listed resources.