(
White House IT Security Staff BCP Policy
) (
[
CSIA 413,
) (
Professor Last Name:
) (
Policy Document
)
(
IT
Business Continuity Plan Policy
)
Document Control
Organization
White House
Title
White House IT Security Staff BCP Policy
Author
Owner
Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All White House Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information provided by the following organization:
· White House and Department of Defense
Table of Contents
Policy Statement3
1Purpose4
2Objectives4
3Scope4
4Business Impact Analysis (BIA)5
5Business Continuity Planning Personel5
6 Business Continuity Planning Procedures……………………………………………… . … 5
6.1 Events ………………………………………………………………………………… 6
6.2 Vendors………………………………………………………………………………….. 6
6.3 Task……………………...……………………………………………………………... 6
6.3 Timleine 7
7 Testing and Maintenance…………………………………………………………………... 7
8 References………………………………………………………………………………….. 7
Policy Statement
The United States of America and its military rely on the confidentiality, integrity, and availability of accurate information stored in information systems to proactively prepare and defend the nations critical infrastructures and protect national security.
In the event of natural disasters and/or attacks from malicious hacktivist it is imperative that the White House IT Security Staff has a quick, efficient, and effective business continuity plan to recover and restore data to ensure critical operations are not impacted. The business continuity plan is needed to continue the White House and military operations efforts to strategize and protect it critical infrastructures and citizens.
Purpose
The purpose of this document is to outline the necessaryprocedures and steps to recover and restore business operations within the White House in the event of a natural disaster, emergency, or system attack from external sources.
Objective
The following ae the objectives of the policy:
· To maintain the highest amount of national security through the availability of critical and sensitiveinformationconcerning military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations to restore critical functions and systems to maximizeavailability and operational activities.
· To identify key White House Securitypersonnelresponsible for the restoration and recovery process to ensure immediate contact is available in case of an emergency event.
· To Ident ...
(White House IT Security Staff BCP Policy) ([CSIA 4.docx
1. (
White House IT Security Staff BCP Policy
) (
[
CSIA 413,
) (
Professor Last Name:
) (
Policy Document
)
(
IT
Business Continuity Plan Policy
)
Document Control
Organization
White House
Title
White House IT Security Staff BCP Policy
2. Author
Owner
Security Staff Manager
Subject
Business Continuity Plan Policy
Review date
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
No Revisions
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
Document Distribution
This document will be distributed to:
Name
Job Title
3. Email Address
All White House Security Staff
Information Security Specialist
Contributors
Development of this policy was assisted through information
provided by the following organization:
· White House and Department of Defense
Table of Contents
Policy Statement3
1Purpose4
2Objectives4
3Scope4
4Business Impact Analysis (BIA)5
5Business Continuity Planning Personel5
6 Business Continuity Planning
Procedures……………………………………………… . … 5
6.1 Events
…………………………………………………………………………
……… 6
6.2
Vendors………………………………………………………………
………………….. 6
6.3
Task……………………...……………………………………………
………………... 6
4. 6.3 Timleine 7
7 Testing and
Maintenance…………………………………………………………
………... 7
8
References……………………………………………………………
…………………….. 7
Policy Statement
The United States of America and its military rely on the
confidentiality, integrity, and availability of accurate
information stored in information systems to proactively
prepare and defend the nations critical infrastructures and
protect national security.
In the event of natural disasters and/or attacks from malicious
hacktivist it is imperative that the White House IT Security
Staff has a quick, efficient, and effective business continuity
plan to recover and restore data to ensure critical operations are
not impacted. The business continuity plan is needed to
continue the White House and military operations efforts to
strategize and protect it critical infrastructures and citizens.
Purpose
The purpose of this document is to outline the
necessaryprocedures and steps to recover and restore business
operations within the White House in the event of a natural
disaster, emergency, or system attack from external sources.
Objective
The following ae the objectives of the policy:
· To maintain the highest amount of national security through
the availability of critical and sensitiveinformationconcerning
military operations, critical infrastructure, and foreign relations.
· To ensure minimal impact to resources and immediate
recovery of critical systems and operations.
· To identify and prioritize systems, processes, and operations
5. to restore critical functions and systems to maximizeavailability
and operational activities.
· To identify key White House Securitypersonnelresponsible for
the restoration and recovery process to ensure immediate
contact is available in case of an emergency event.
· To Identify third party vendors needed to help attain
successful businesscontinuity and recovery planning.
Scope
The scope describes all locations, functions, personnel, and
resources affected by the business continuity plan policy:
Locations: White House IT Department, The White House, The
Sun Guard Hot Site, Herndon, VA
Business Units: All Business Units
Activities: All Actives conducted by business units
Stakeholders: Chain of Command, Vendors, and White House
Staff
Resources: All telecommunication assets, information systems,
office buildings, equipment, and people. (Drewitt,
2013)Business Impact Analysis
The Business Impact Analysis (BIA) will assess the financial,
operational impact, and recovery time objectives (RTO) needed
to restore critical systems, process, and operations. The BIA
will be conducted by assuming the worst case scenario due to he
high level of exposure the White House presents. The BIA will
be conducted in the event of an immediate shutdown of all
functions and resources to analyse the recovery time and
resources needed to restore critical systems and operations
(ISACA, n.d.). The BIA will estimate the level of impact the
White House will be willing to accept. The impact range is as
follows:
Very High- Impact could cripple the White House and
potentially cause catastrophic loses.
High – Impact exceeds the White House’s Executives tolerance
and could threaten National Security.
6. Medium – Impact will cause major harm to critical systems and
operations and threaten National Security
Low – Impact results in the temporary loss of critical systems
and operations and could harm critical infrastructure.
Very Low – Impact results in minor loss of operations and does
not threaten critical infrastructure.
The White House’s level of tolerance is: Very Low.
Business Continuity Planning Personnel
The following are the personnelthat can be immediate contacted
in the event the business continuity plan activation:
IT Security Manager: smith, IT Security Section, ph #
Lead IT Security Specialist: Jerry Mayweather, IT Security
Sections, ph #
IT Security Specialist: Ethan Snowden, It Security Department,
ph #
The following personnel are to be immediately contacted
secondary to the above mentioned personnel:
CISO: John Stamens, IT Department, ph #
CIO: Randy Howitzer, IT Department, ph #Business Continuity
PlanningProcedures
The business continuity planning procedures are to be followed
immediately in the event the businesses continuity plan is
activated.
Events
The following the events that may occur in which the BCP
should be immediate activated to minimize the loss of
availability of critical systems and operations:
Equipmentfailure, disruption of power supply or
telecommunication application failure corruption ofdatabase,
human error, sabotage, malicioussoftware attacks, hacking,
social unrest, terrorist attack, fire, or natural disasters (SANS,
2002).
Vendors
7. The below list are approved vendors that are critical to the day
to day operations and should be contacted immediately in the
event of a BCP activation:
1. Sun Guard – BCP Documentation and Hot Ste resource
2. AppNomic – Backup and fail over solutions
3. Amazon – Cloud Services
6.3 Task
The followingshould be taken in the event the BCP is activated:
1- Contact The IT Security Manager and give a situation report.
2- Retrieve BCP documentation
3- IT SecurityManager will determine the type of event and
determine which department or function within the White House
will activate their BCP.
4- If impact level is designated as Medium or Higher IT
personnel will relocate to the designated hot site:
a. Hot Site location will
b. The Hot Site representative will be immediately contact at:
c. Hot Site will provide all hardware and needs, however IT
personnel will bring all backup tapes, laptops, and critical
servers within the IT data center of the Hot Site.
5- All secondary BCP personnel will be contacted and briefed.
6- A final determination of event will be formally announced
and appropriate chain of command will be notified.
Timeline
The following is the timeline in which all major task will be
competed, the total time for completion i3 3 hours. Each
timeframe is a:
· Contact IT Manager: 10 Minutes (Total: 10 minutes)
· Retrieve BCP Documentation: 5 minutes (Total: 15 minutes)
· IT Manager event determination: 30 Minutes (Total: 45
minutes)
8. · Relocation to Hot Site: 1 ½ hours (Total: 2 hours 15 minutes)
· All secondary personnel are called and briefed: 15 Minutes
(Total: 2 hours 30 minutes)
· Chain of Command is notified: 30 Minutes (Total: 3
hours)Testing and Maintenance
The following are is the criteria for testing and maintenance to
ensure continuous training and BCP compliance:
· BCP rehearsal should be conducted annually at least one to
provide awareness and accuracy.
· Business unit level exercise should be conducted every two
years.
· Executive management exercises should be conducted every
three years. (Drewitt, 2013)
8 References
Dewitt, T. (2013). A Manager's Guide to ISO22301: A Practical
Guide to Developing and
Implementing a Business Continuity Management System
ISACA (n.d.). Business Continuity Planning. Retrieved from:
http://www.isaca.org/Groups/Professional-English/business-
continuity-disaster-recovery-
planning/GroupDocuments/Business_Impact_Analysis_blank.do
c
SANS (2002). Introduction to Business Continuity Planning.
Retrieved from:
http://www.sans.org/reading-
room/whitepapers/recovery/introduction-business-continuity-
planning-559
Sun Guard (2015). Availability Services Herndon Workgroup.
Retrieved from:
http://www.sungardas.com/company/infrastructure/Pages/herndo
n-va.aspx
10. establish what must be done by the organization in order to
develop its DR/BCP strategies, plans, and procedures. Table 4-1
provides a simplified list of phases and required activities for
the planning process. Depending upon the level of detail
covered by the policy, this information could be in the policy
itself or covered in another document, which the policy refers
to. The required content for the DR/BCP plan may also be
presented in the policy or, more likely, it will be provided in an
appendix or separate document. A typical outline for the plan is
presented in Table 4-2.
Sometimes, it is necessary to create supplementary policies,
which address specific circumstances or needs, which must be
accounted for in the DR/BCP planning process and throughout
the management of the DR/BCP program. For this assignment,
you will be developing one such policy – the Business
Continuity IT Security Policy. The “Tasks” section of this
assignment explains the content requirements for your policy.
Table 4-1. Disaster Recovery / Business Continuity Planning
Phases (adapted from
http://www.ready.gov/business/implementation/continuity )
Phase 1: Business Impact Analysis
· Survey business units to determine which business processes,
resources, and capital assets (facilities, IT systems) are critical
to survival of business
· Conduct follow-up interviews to validate responses to survey
& obtain additional info
Phase 2: Develop Recovery Strategies
· Identify resource requirements based on BIAs
· Perform gap analysis (recovery requirements vs current
capabilities)
· Investigate recovery strategies (e.g. IaaS, PaaS, Alternate
Sites)
· Document & Implement recovery strategies (acquire / contract
for products & services)
Phase 3: Develop Business Continuity Plan
· Develop plan framework (follow policy)
11. · Identify personnel forDR/BCP teams
· Develop Recovery and/or Relocation Plans
· Write DR/BCP Procedures
· Obtain approvals for plans & procedures
Phase 4: Testing & Readiness Exercises
· Develop testing, exercise and maintenance requirements
· Conduct training for DR/BCP teams
· Conduct orientation exercises for staff
· Conduct testing and document test results
· Update BCP to incorporate lessons learned from testing and
exercises
Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively
restore critical business operations after a disruption.
Objective: to identify the processes or steps involved in
resuming normal business operations.
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT
services for a prolonged period of time, (c) temporary or
extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs.
transfer operations to alternate site, (b) availability of key
personnel, (c) vendor or utility service availability, (d)
communications, (e) safety of life issues, etc.
Recovery Strategy Summary: In this section, a plan will
typically outline the broad strategies to be followed in each of
the scenarios identified in the plan Introduction section. As an
example, if “loss of work area” is identified as a possible
failure scenario, a potential recovery strategy could be to
relocate to a previously agreed-upon or contracted alternate
work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a
list of the specific recovery activities and sub-activities that
will be required to support each of the strategies outlined in the
previous section. For example, if the strategy is to relocate to
12. an alternate work location, the tasks necessary to support that
relocation effort could include identifying any equipment needs,
providing replacement equipment, re-issuing VPN tokens,
declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify
the specific people involved in the business continuity efforts,
for example, naming a team lead and an alternate team lead, as
well as the team members associated with any recovery efforts.
This section of the plan will also include their contact
information, including work phone, cellphone, and email
addresses. Obviously, because of any potential changes in
personnel, the plan will need to be a “living” document that is
updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main
body that lays out the steps for activating a plan (usually in the
form of a flow chart). For example, a typical plan timeline
might start from the incident detection, then flow into the
activation of the response team, the establishment of an incident
command center, and notification of the recovery team,
followed by a decision point around whether or not to declare a
disaster. A plan timeline may also assign the recovery durations
or recovery time objectives required by the business for each
activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may
also list the vendors critical to day-to-day operations and
recovery strategies, as well as any required recovery time
objectives that the vendors must meet in order for the plan to be
successful.
Critical Equipment/Resource Requirements: A plan may also
detail the quantity requirements for resources that must be in
place within specified timeframes after plan activation.
Examples of resources listed might include workstations,
laptops (both with and without VPN access), phones, conference
rooms, etc.
Tasks
The Business Continuity Security Policy is being written by you
13. as the data centerfacility manager. This supplementary DR/BCP
policy will be used to ensure that needed security controls are
restored and functioning as designed in the event that the
business continuity plan is activated. These controls must
ensure that information, information systems, and information
infrastructure (e.g. networks, communications technologies,
etc.) are protected to the same level as required during normal
business operations. Your policy must ensure that security
requirements are adequately addressed during all four phases of
the Business Continuity Planning process (see Table 4-1).Your
policy must also addressrequired content (sections) for the
DR/BCP plan (see Table 4-2) even if that means requiring
modifications to standard sections of the document or even
adding sections.
Your policy must also address the roles and responsibilities for
data center recovery operations. During recovery operations, the
data center manager and recovery team personnel (including
system administrators and network engineers) must ensure that
IT systems and services, including required IT security controls,
are operational within the required Recovery Time Objectives
and Recovery Point Objectives. These metrics are established
using the results of the BIA and are included in the DR/BCP
plans. These metrics are used to determine the restoral order for
systems and services and guide the selection and
implementation of recovery strategies. The metrics also provide
performance criteria for outside vendors and service providers
from whom your organization purchases or will purchase IT
services and products to implement its recovery strategies.
Recovery Time Objective: the maximum time allowed to restore
critical operations and services after activation of the business
continuity plan. Different RTO’s may be set for different IT
systems and services.
Recovery Point Objective: the point in time to which you must
restore data during startup operations for DR/BCP(used to
determine backup frequency for data during normal operating
periods and the maximum allowable amount of “lost data”
14. which can be tolerated).
Your Business Continuity Security Policy must address the
requirement to set appropriate RTO and RPO metrics for
hardware and software, which provide IT security controls. For
example, if the data center relies upon an Active Directory
server to implement role based access controls, that server
should have both an RTO and an RPO and be listed in the
business continuity plan.
The primary audience for your policy will be the CIO and CISO
staff members who are responsible for developing IT business
continuity plans.Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO. The policy
must be approved and signed by the CEO and CIO of the
organization.Tasks:
1. Review the Contingency Planning control family and
individual controls as listed in NIST SP 800-53.(See Table 4-3).
Identify policy statements, which can be used to ensure that the
required controls are in place before, during, and after business
continuity operations. (For example, for CP-6 your policy
statement should require that IT security requirements be
included in plans / contracts involving alternate storage sites for
critical business data.) You must address at least 5 controls
within the CP control family.Table 4-3. Contingency Planning
Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning
Process (see Table 4-1). Identify policy statements which can be
used to ensure that IT security requirements are addressed
during each phase. These statements should include ensuring
that RTO/RPO objectives for security services will be addressed
during the planning process. (You may wish to include these as
part of your policies for implementing CP-1, CP-2, CP-3, and
CP4).
3. Review the outline for a Business Continuity Plan (Table 4-
15. 2). Analyze the outline to determine specific policy statements
required to ensure that the required CP controls and any
additional or alternative IT security measures (e.g. controls
required to implement CP-13) are set forth in a business
continuity plan.(Your policy statements will tell Business
Continuity Planners where and how to “build security in.”)
4. Write your Business Continuity Security Policy usingthe
outline in Table 4-4. You must tailor your policy to the subject
of IT Security Requirements for the Business Continuity
program and address the required controls and actions identified
during steps 1-3.Table 4-4. Outline for an IT Security Policy
I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the business continuity activities and operations
that this policy will apply to.
b. Identify who is required to comply with this policy.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
16. understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Identify the risks which could arise if IT security
requirements are not included in business continuity planning
and subsequent operations.
b. Identify and describe the impacts of such risks (include an
assessment of the possible severity for each impact).
VII. Policy
a. Present policies which will ensure that IT security is
addressed
i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g.
controls from the CP family
iv. By specifying roles and responsibilities for IT security
during data center recovery operations
v. Using RTO/RPO metrics for restoral of IT security services
and functions
b. Include an explanatory paragraph for each policy statement.
5. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately. Formatting:
1. Cite sources using a consistent and professional style. You
may use APA formatting for citations and references. Or, you
may use another citation style includinguse of footnotesor end
notes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
17. by copying text verbatim.)You are expected to write
grammatically correct.Criteria and Steps to follow (Below in
bold are subheadings)
***Please make sure three reference sites per subheading.***
Policy Outline & Body
Provided an excellent IT Security Policy, which clearly,
concisely, and accurately presents all required information (see
outline in assignment for sections, fields, and content
requirements). Presentation of information is organized in a
logical fashion and uses 3 or more tables to group related
information for presentation. All required fields under each
section are listed and filled in (e.g. Owner Name in ID Section
has a name filled in.)
Policy Section: DR/BCP Planning Phases
Presented an excellent policy statement or statements, which
will ensure that IT Security is addressed during all four phases
of the DR/BCP planning process.Policy statement(s) and
supporting explanations are clear, concise, and accurate. Use
and cited at least two authoritative sources.
Policy Section: IT Security in DR/BCP Plan
Presented an excellent policy statement or statements which
will ensure that IT Security is addressed within DR/BCP plans.
Identified and discussed five or more sections of the plan (using
outline from assignment) which must address requirements for
IT Security during recovery operations.Policy statement(s) and
supporting explanations are clear, concise, and accurate. Use
and cited at least two authoritative sources.
Policy Section: IT Security Roles & Responsibilities in DR/BCP
Plan
Presented an excellent policy statement or statements which
will ensure that roles and responsibilities for IT Security are
addressed within DR/BCP plans. Identified and discussed five
or more sections of the plan (using outline from assignment)
which must address who is responsible for ensuring IT security
during recovery operations.Policy statement(s) and supporting
explanations are clear, concise, and accurate. Use and cited at
18. least two authoritative sources.
Policy Section: Security Controls during DR/BCP Planning,
Implementation, & Execution (NIST CP Family)
Presented an excellent policy statement or statements which
will ensure that NIST recommended security controls for
Contingency Planning (CP family) are addressed as part of
DR/BCP planning, implementation, and execution.Identified and
discussed five or more controls from the CP family which
should be implemented (using NIST SP 800-53 guidance) to
ensure adequate IT security during recovery operations.Policy
statement(s) and supporting explanations are clear, concise, and
accurate. Use and cited at least two authoritative sources.
Crediting Sources
Work credits all sources used in a professional manner using
APA format citations/references, footnotes with publication
information, or endnotes with publication information. Provides
a Bibliography or "Works Cited" if not using APA format.
Publication information is sufficient to retrieve all listed
resources.