An organization must acknowledge that risk management controls may fail; thus, contingency planning is necessary to help organizations anticipate and react to events that threaten information security. Contingency planning entails the forming of four major components: business impact analysis, incident response plan, disaster recovery plan, and business continuity plan1. The following examples of these four components serve as a very basic contingency plan responding to an event in which a computer virus is spreading through the network of Organization XYZ imagined for the physical security strategy on the Security Awareness page; the central database server is of particular concern. Show
Business Impact AnalysisThis business impact analysis is outlined in accordance with the template provided in NIST Special Publication 800-34 Rev. 12. 1. Overview This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the Organization XYZ database server. It was prepared on April 26, 2013. 1.1 Purpose The purpose of the BIA is to identify and prioritize system components by correlating them to the mission/business process(es) the system supports, and using this information to characterize the impact on the process(es) if the system were unavailable. The BIA is composed of the following three steps:
This document is used to build the Organization XYZ database server Information System Contingency Plan (ISCP) and is included as a key component of the ISCP. It also may be used to support the development of other contingency plans associated with the system, including, but not limited to, the Disaster Recovery Plan (DRP) or Cyber Incident Response Plan. 2. System Description The Organization XYZ database server is comprised of Microsoft SQL Server 2012 Enterprise Edition installed and running on Microsoft Windows Server 2012; this platform is housed on a Dell R720 server-class system. The database server is located in the server rack located on the second floor server room. Local administrators connect directly through the local area network; other users connect indirectly through the web server. Daily snapshot backup operations are conducted every day 3 hours after close of business. 3. Data Collection 3.1 Determine Process and System Criticality Step one of the BIA process - Working with input from users, managers, mission/business process owners, and other internal or external points of contact (POC), identify the specific mission/business processes that depend on or support the information system.
3.1 Identify Outage Impacts and Estimated Downtime Outage Impacts The following impact categories represent important areas for consideration in the event of a disruption or impact. Impact category: Cost Impact categories for assessing category impact:
Estimated Downtime Working directly with mission/business process owners, departmental staff, managers, and other stakeholders, estimate the downtime factors for consideration as a result of a disruptive event.
The table below identifies the MTD, RTO, and RPO (as applicable) for the organizational mission/business processes that rely on the Organization XYZ database server.
3.2 Identify Resource Requirements The following table identifies the resources that compose the Organization XYZ database server including hardware, software, and other resources such as data files.
It is assumed that all identified resources support the mission/business processes identified in Section 3.1 unless otherwise stated. 3.3 Identify Recovery Priorities for System Resources The table below lists the order of recovery for the Organization XYZ database server resources. The table also identifies the expected time for recovering the resource following a “worst case” (complete rebuild/repair or replacement) disruption.
Incident Response PlanThe following incident response plan enumerates actions to be taken under conditions before, during, and after an attack in which a virus is detected on a networked device. Before an Attack Users
Technology Services
During an Attack Users
Technology Services
After an Attack Users
Technology Services
Disaster Recovery PlanThis example disaster recovery plan portrays a scenario in which a computer virus has pervaded the Organization XYZ network, all stations are assumed to be infected, and data has been corrupted. The focus of the plan is placed on the Organization XYZ database server, but it also provides some information on subsequent actions to be taking during the disaster recovery effort, referring to other constituent disaster recovery plan documents. Roles and Responsibilities
Alert Roster
Priorities
Disaster DocumentationActions outlined in the following steps are to be monitored by SIRT members; upon completion of each action, SIRT members are to prompt individuals performing respective actions for their signatures on the Database Server DRP Record document. Actions
Business Continuity PlanThe following example of a business continuity plan (BCP) outlines the high-level actions that occur to move Organization XYZ to the designated warm site. BCP Actions
1Whitman, M. E., Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: CENGAGE Learning. 2 Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). NIST special publication 800-34 rev. 1: Contingency planning guide for federal information systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf. What is the maximum tolerable downtime for these critical business functions and processes?Maximum allowable downtime = RTO + WRT
For example, if a critical business process has a three-day maximum allowable downtime, the RTO for systems, networks and data might be one day. This is the time the organization needs to recover technology. The remaining two days are for work recovery.
When should a hardware device be replaced to minimize downtime?When should a hardware device be replaced in order to minimize downtime? A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state? Which of the following are backed up during an incremental backup?
How often should change control management be implemented?How often should change management be implemented? At regular intervals throughout the year.
What refers to how quickly a system can transform to support environmental changes?Maintainability means the system quickly transforms to support environmental changes.
|