Assignment: Planning for Information Security
You have been hired as a consultant to design BCP for SanGrafix, a video and PC game design company. SanGrafix's newest game has become a hot seller, and the company anticipates rapid growth. It's moving into a new facility and will be installing a new network. Because competition is fierce in the game industry, SanGrafix wants to be fully secured, documented, and maintained while providing high availability, scalability, and performance.
Based on your current technology and information security knowledge, for this project you will design a BCP based off of the company profile below:
A. Primary location in San Francisco, CA
B. Secondary location/hot site in Sunnyvale, CA
C. Capable of supporting 220 users in these departments: Accounting and Payroll, 16; Research and Development, 48; Sales and Marketing, 40; Order Processing, Shipping, and Receiving, 36; secretarial and office management staff, 20; upper management (including the president, vice president, and general manager), 10; Customer Relations and Support, 30; Technology Support, 20.
D. Full OC3 Internet connection
First step is to issue a clear policy statement on the Business Continuity Plan. At a minimum, this statement should contain the following instructions:
• The organization should develop a comprehensive Business Continuity Plan.
• A formal risk assessment should be undertaken in order to determine the requirements for the Business Continuity Plan.
• The Business Continuity Plan should cover all essential and critical business activities.
• The Business Continuity Plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that the management and staff understand how it is to be executed.
• All staff must be made aware of the Business Continuity Plan and their own respective roles.
• The Business Continuity Plan is to be kept up to date to take into account changing circumstances.
• BELOW IS THE EXAMPLE
• Policy Statement1. Agencies are required to develop, implement, test and maintain a Business Continuity Plan (BCP) for all Information Technology Resources (ITR) that deliver or support core systems and services on behalf of the Commonwealth of Massachusetts. For purposes of this policy, the BCP is the overall plan that facilitates sustaining critical operations while recovering from a disruption. BCP's are required to include, at a minimum:
o Standard Incident Response Procedures: An information system-focused set of procedures to be used when an event occurs that is not part of the standard operation of a service and may or does cause disruption to or a reduction in the quality of services and Customer productivity.
o Disaster Recovery Plan (DRP): An information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure in the event of large scale disaster and/or other cataclysmic event.
o Continuity of Operations Plans (COOP): An information system-focused plan invoked under a DRP when access to the primary facility infrastructure is prevented for an extended period, requiring operations to be restored from an alternate site after an emergency. The COOP may be supported by multiple information system contingency plans to address recovery of impacted individual systems once the alternate facility has been established. The COOP only addresses information system disruptions that require relocation. (From NIST SP 800-34).
2. Agencies are required to conduct risk assessments to identify, estimate, and prioritize risks to organizational operations and conduct business impact analyses to identify all critical functions of the agency, entity or business unit and their supporting information systems. ITD's Compliance Assurance Office is available to assist and/or conduct such assessments.3. Agencies are required to articulate specific information, including the details necessary to effectively respond, manage, and recover from either an incident or a catastrophic event. Further, protecting data and confidential information should be integrated into the above referenced details.4. Agencies are required to ensure that all BCPs and supporting DRPs and COOPs are in alignment with and in support of any and all legal and regulatory requirements that the agency ITR's are subject to.5. Agencies are required, at a minimum, to include the following documentation and procedures in their BCP and its supporting components:
1.
1. Scope / Objectives
2. Risk Evaluation and Required Security Controls
3. Business Impact Analysis
4. Communications Procedures
5. BCP Organization Structure
1. Activation of plans
2. Succession of Authority Procedures
3. BCP Team Roles and Responsibilities
1. Incident/Event Response Teams
2. Emergency/DR Response Teams
4. Primary and Alternate Contact Lists
6. Damage Assessment
7. Recovery Plans
1. Critical System Recovery
1. Prioritization of Recovery
2. Interdependencies
3. Resource requirements
4. Security Controls
5. COOP
1. Mobilizing Alternate Locations / Resources
2. Managing Alternate Locations / Resources
3. Critical System Support
1. Short term
2. Long term
3. Local
4. Regional
5. Pandemic
6. Agencies are required to verify that critical third party vendors meet agency business continuity requirements during the contract negotiating process and prior to contract agreement and signature. Alternate third party vendors are required to be identified where appropriate.
7. Agencies are required to securely store copies of plans and supporting materials in a remote location; at a sufficient distance to escape any damage from a disaster at the agency's main information processing facilities and be available (via remote connection, external e-mail location, etc.).
8. Agencies are required to document, implement and annually test plans including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters.
9. Agencies are required to identify appropriate mechanisms to ensure that plans remain current and updated between annual tests and reviews accounting for:
1.
1. Change management implications
2. New/Major upgrades of system implementations
3. New policy adoption
4. New contract implementations
5. New threat/risk identification
6. Staff/resource/responsibility changes
1. Agencies are required to publish plans and sufficiently train any and all individuals that are required or responsible for supporting the BCP.