1 COMP9721 Assessment 3, S1-2018 COMP9721- Enterprise Information Security Assessment 3 - Completion of Contingency Plan: Implementation, Guideline & Timeline Proposal Semester 1, 2018 Details: Title:...

Executive summary
A guide of contingency planning provides an exhaustive list of recommendation, operations and considerations for Information Technology (IT) contingency planning. Contingency planning is defined as the plan of action to recover IT operations after a system disruption or emergency. Plan of action or interim measures may include moving IT system and services to another location, restoring IT functions by using other tools and equipment or restoring IT functions by using manual methods.
IT systems can be affected by various inte
uptions. They vary from mild such as short time power-
eak, disk failure, etc. to severe such as destruction of equipment, fire out
eak in equipment, etc. also they may occur from sources like natural disasters, te
orist attacks. Though there are many disruptions which can be avoided, minimized or eliminated with the help of different technical solutions or operations managements. They are cover under the risk management step of the organization. However, it is nearly not feasible to eliminate all risks. Sometimes, the critical resource IT system functioning is present out of the control of organization - electric power, etc. and hence organization will not be able to ensure their 24x7 availability. It can be infe
ed that contingency planning, execution and end user testing are important for risk mitigation and service availability.
Table of Contents
Executive summary    1
Introduction    4
Adherence to International Standards    5
Overview of BCP phases    6
Roles and Responsibilities    7
Summary of Preceding Plan    8
Business Contingency Planning for Server Systems in Megacorp    10
Business Contingency Planning for Networking Systems in Megacorp    14
Business Contingency Planning for Information System in Megacorp    18
Maintenance    22
Testing, Exercise and Training    23
Summary of Terms and Definitions used in the Document    25
References    26
Introduction
This document presents the contingency plan for Megacorp. It will act as a central repository for all required information, procedures, processes and tasks that are essential to provide a restoring facility to the Megacorp. It will also facilitate the decision-making capacity of the management and it shall provide timely response to any inte
upted or extended inte
uptive in the normal business operations. This is very important in case when the cause of disruption is such which requires immediate restoration of services and cannot be implemented by using normal daily processes. The personnel and financial resources indicated in the document represents the commitment of the management towards the response, resumption and restoration services. Hence, it becomes necessary that information and plans should be maintained in a state that they remain viable and maintain a state to ensure the accuracy of contents of the document.

Scope
This document covers all information related to information systems used, managed or operated by the organization or contractor or agency or any other organization on behalf of agency. The mentioned procedures are applicable to all users, contractors and employees of the organization.
Objectives
There are various types of systems being used in the organization which can be classified as information systems, servers and networking systems. Information systems provide critical functionality to the organization such as email, internet access and whereas the Servers and Networking systems provides the fundamental structure to support the aforementioned information system. They allow customer and organization to perform their respective task. As mentioned above, some of the risks can be mitigated but not all of them. Hence, it is essential for the organization to develop contingency plan and also disaster recovery plans. They will ensure that organization will have uninte
upted operations and regular services to the customers.
The key motive of the contingency planning is to protect two types of assets of the organization: data and personnel. All sections of contingency plan should provide ways to protect and safeguard the personnel and procedures to restore data in case of disaster. The primary focus of the plan is creating policies and processes to protect information system in case a contingency occurs and ensures that assets keep functioning. This covers the operational capability to identify and analyze (Sonfield, 1984) the critical applications, data recovery from alternate backup locations and data restore to pre-disaster state. Along with the above-mentioned objectives, other objectives of plan are as follows:
· Identification of resources to be used during contingency to execute the plan.
· Minimizing the number of decisions to be taken during contingency.
· Identification of actions to be executed by pre-allocated teams.
· Identification of critical data associated with customers that needs to be recovered at the time of contingency.
· Establishing testing and maintenance processes to be used for this plan and also training procedure for contingency teams.
Critical success factors
Following are critical factors and issues which should be applied to the contingency plan of the organization for its successful implementation:
· Commitment of budget for disaster recovery.
· 100% availability of senior management for disaster recovery and contingency planning.
· Establishing and execution of required Memorandums of Agreements, Service Level Agreements and Memorandums of Understanding (MOUs).
· Changes in the cu
ent scheduling procedures for transportation of backup data files to the offshore or alternate storage facility.
Adherence to International Standards
For the Business Contingency Plan to be effective, it needs to adhere to international standards. The BCP adheres to the following standards:
· Federal Information Security Management Act of 2002
· National Institute of Standards and Technology or commonly known as NIST under the Special Publication 800-34 R v1, Contingency Planning Guide for Information Technology Systems published in the year May 2010.
· NIST SP 800-53, R v4, Security and Privacy controls for Information Technology and Systems and Organizations published in the year April 2013
· NIST SP 800-84, Guide to Test, Exercise and Training Programs for IT Plans and Capabilities published in the year September 2006.
· Australian Standard or AS: 3745-2010 (Standards Australia, 2010b)
Overview of BCP phases
The BCP or Business Contingency Plan has been designed to recover the data of the organization using a 3-phased approach. This approach ensures that all the data recovery actions are executed in a methodical sequence. This will increase the effectiveness of the recovery effort and reduce the system down-time during contingency. Following are three phases of BCP:
· Activation and Notification phase - This phase comes into execution once a disruption occurs which goes beyond the RTO established for the information system. After the activation of BCP, all the users of the system are notified that an outage has occu
ed and a detailed assessment of outage will be ca
ied out. The presented collected from outage assessment is sent to the owners of the system. This information is used to modify the recovery procedures of the occu
ed specific outage.
· Recovery phase - This phase provides details of the recovery procedure followed by the recovery of the system. Procedures are written in a way which suits the demands of skilled technician who can then execute this plan to recover the system with immediate effect and without having any prior information of the system. This phase contains the procedures used for communication of status of recovery to the system users and owners.
· Reconstitution phase - This phase includes the definitions of actions used to test and validation of system functionality. It performs two major activities: validation of successful system recovery and deactivation of plan. During the validation phase, the system is tested prior to returning back to pre-disruption state. These validation procedures may conduct regression testing, concu
ent processing o
and validation of data. Once the data is completely restored and system is
ought back to normal working state, then system is declared as recover and fully functional by system users and owners. Deactivation part includes sending notification to users about the system being operational. Reconstitution phase also includes the documentation of recovery steps, finalization of logs activities, framing lesson learnt during the updating of plans and preparing resources for any recovery event of future.
Roles and Responsibilities
There are various resources and team involved in the execution and recovery of the system. The following teams have been framed and developed during the contingency times which may affect the IT system. The contingency plan establishes various teams which are assigned with the contingency planning of the recovering functions. The team is assigned with the responsibility of system recovery of the affected computer environment and all its associated applications. Team members include staff who are involved in day-to-day operations and maintenance of the system. The team leader leads the team. The following table describes the roles and responsibilities of the members of the team.
    Role
    Responsibility
    Director, Facility Leadership (Departmental Head)
    · All the responsibility of the development, implementation and maintenance of the contingency plan.
· Ensures that Contingency Plan has been developed with the help of managers who are associated with the business processes of the system.
· Provides information regarding the duration of system down to the contingency plan coordinator based on outage assessment.
· Declares the activation of contingency plan.
· Determines whether the intermediate processing should be activated to maintain the cu
ent business operations or the operations should be halted till the system is recovered.
· In case of escalation, high management is to be consulted.
· Responsible for testing, maintenance and sending IS contingency plan to delegates and other personnel.
· Approves all changes in the contingency plan.
    Administrato
    · Manage and monitor the activities of recovery team until the system recovery is completed.
· Ensures that all recovery activities have been performed consistently as the service level agreements.
· Provides timely statues to Contingency plan director.
· Creates an After-Action Report once operations are resumed.
· Assists the contingency plan director in testing, implementing and distributing the Contingency plan
    Recovery Team
    · Determines the expected downtime of the system i.e. Duration between failover and alternate site.
· Prioritizes the resource recovery sequence.
· Conducts all activities of system recovery and resumption activities.
· Retrieve backups
· System configuration.
· Ensures that voice and data communication are working, activates the phones and pagers.
· Provides IP numbers and information network routing.
· Includes validation testing teams.            
    Alternate Contingency Planning Coordinato
    · Same responsibilities as that of contingency coordinator.
· Becomes active in absence of contingency planning coordinator.
Summary of Preceding Plan
    System Acronym
    System Name
    Description
    Server and Mainframes
    Web Serve
    Hosting of company’s website
    
    SharePoint Serve
    Intranet SharePoint website
    
    Database Serve
    Hosting of website’s database and internal database
    
    Exchange Serve
    Hosting of Microsoft Exchange server for emails
    
    File Serve
    File hosting serve
    
    General Purpose Serve
    General purpose server for IT admin to control other systems, manage deployments and for security
    Networking Infrastructure
    WAN and LAN Components
    LAN and WAN Access for the company
    
    Firewall and IDS
    Software and hardware-based security for protection
    Information System
    Email
    Enterprise emailing service based on MS Exchange
    
    Payroll
    Payroll and employee attendance system
    
    Invoice Management
    Invoice management system for the business
    
    Communication Management
    Provides enterprise chat and VOIP services
    
    Document Management
    Helps manage company’s document
    
    Corporate Intranet Services
    Helps host corporate intranet website using Sharepoint serve
Business Contingency Planning for Server Systems in Megacorp
Activation
The activation of CP procedures as well as notification phase defines the actions that takes place once the Server systems disruption is imminent or detected. This detection may be observed by an employee working on the Server or the application hosted by the server, or it may be reported by a group of users, Server administrators or perhaps due to e
or-detection and fault-prevention system in place. I
espective of these, as soon as an anomaly is detected on the server, the decision is taken by the leadership teams and then passed on to the recovery team so that the recovery team can conduct measures to recover the system functions.
Activation Criteria and Process
· A type of outage that would indicate that the Servers (Namely File Server, Database Server, Web Server etc.) would be down for more than the RTO i.e., 12-24 hours.
· The director would determine that whether the system would be able to be recovered on the primary site.
· Additionally, the director would determine if the Server’s CP procedures requires consulting with the appropriate department’s leadership. This includes the following:
· The database administrators.
· The web-server...