...Task 1(C) Implementation Plan • Formally assign ownership of field level IT Business Continuity initiatives to IT division CIO’s with an indirect ownership to IT Business Continuity to assure comprehensiveness of division level Business Continuity program requirements. • Provide the necessary resources and subject matter experts in the field of business continuity for each of the organization’s operational groups. • Mandate, define, develop, and implement the processes necessary to conduct a comprehensive risk assessment necessary to identify and define the potential risks and vulnerabilities to the decentralized information system infrastructure components, as similarly conducted for the Regional Data Centers, with the further requirements as mandated by HIPAA. • Perform risk management processes for the field level entities and their information system infrastructure, in order to prioritize and rank risks for mitigation purposes. • Conduct Application Impact Assessment (AIA) at field level facilities to identify and measure the effect of information system infrastructure resource loss and escalating losses over time in order to provide the business with reliable data upon which to base decisions concerning risk, hazard and vulnerability mitigation, recovery strategies, and continuity planning, as well as to provide application and data criticality analysis as addressed by the HIPAA Security Rule. • Implement mitigation...
Words: 639 - Pages: 3
...from the effects of major system and network disruptions and to ensure the timely restoration of business ops if significant disruptions occur BCP and DRP BIA stands for Business Impact Analysis MTD stands for Maximum Tolerable Downtime first step in building BC program Project initiation and management activites of project initiation and mgmt 1) obtain senior mgmt support 2) define a project scope, the objectives, to be achieved and planning assumptions 3) estimate the project resources needed (human and financial) 4) Define a timeline and major deliverables Senior leadership's two major goals 1) Grow the business 2) Protect the brand What are the risk to a corporation for not having BC/DRP? 1) Financial 2) Reputational 3) Regulatory Formula for calculating financial risk P * M = C P: Probability of harm M: Magnitude of harm C: Cost of prevention Prudent man rule exercise the same care in managing the company affairs as in managing one's own affairs 1. Which of the following is considered the most important component of the enterprisewide continuity planning program? c. Executive management support 2. During the threat analysis phase of the continuity planning methodology, which of the following threats should be addressed? a. Physical security b. Environmental security c. Information security d. All of the above d. All of the above 3. The major objective of the business impact assessment process is to: a. Prioritize time-critical business processes ...
Words: 2067 - Pages: 9
...Information Systems Audit Information Systems Audit An information system audit examines and evaluates an organization’s information systems, practices, and operations. The audit is designed to confirm that the information system is safeguarding the organization’s assets, ensuring data integrity, and performing in an efficient way so as to meet the organization’s goals. Information system audit plans seek to evaluate the robustness of the organization’s information system. Is the system available at all times when needed by the organization? What are the security mechanisms in place to ensure confidentiality and security of data? Is the information provided by the systems accurate? Audits of information systems may be initiated to address these individual specific issues within the overall IS environment. Information Systems Audit Program The elements of an information systems audit will address the effectiveness of controls in the following general areas: * Physical and environment review that includes physical property security, power supply, air conditioning, etc. * System administration review encompassing operating systems, databases, and system administration policies and procedures. * Application software review which is an encompassing examination of the applications being used by the organization as well as the access controls, authorizations, process flows, error and exception handling, and similar activities that effect software applications including...
Words: 2359 - Pages: 10
...The Cost of Business Continuity Planning Versus the Potential of Risk Though the cost of mitigating risk can be high, the lack of proper business continuity planning and disaster recovery planning will leave a company is at risk of a catastrophic loss of revenue due to the loss of the Information Systems. Any company that relies on its Information Systems for their operations should invest the time and revenue in developing an efficient and effective Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). This study will compare the differences in what a Business Continuity Plan is used for and what a Disaster Recovery Plan is used for. Additionally, it will evaluate the risk having a Business Continuity Plan and Disaster Recovery Plan versus accepting the potential loss of revenue and business in the event of a disaster. It is important to any company that uses it Information Systems to generate revenue. If a company is effected by a disaster, the longer a company takes to respond to the emergency and recover its resources, the more time it will take the company to get back to normal operations (Harris, 2013, p. 887). As history has shown, our world has and will continue to experience many destructive events such as, floods, earthquakes, terrorism, hurricanes, and many other catastrophic events that could cripple a company that is not prepared. Disasters are uncontrollable and over time, every organization will have to deal with the fallout of a disaster. Three...
Words: 2924 - Pages: 12
...Introduction and Overview Business complexity and increase in uncertainty amplifies the conflict between documented means of managing risk and current practices. While companies had been conventionally addressing issues of foreign exchange, taxation, interest rate and prices, the widespread adaptation of internet in sourcing customers and online facilities are creating a new wave of corporate risks. Do current corporate risk practices prove wrong the established academic theories? Large Corporation such as Lehman Brothers, Northern Rock, Royal Bank of Scotland and many organisations had fallen to receivership all across the world showing the evident of the necessity of risk management strategy and a business continuity strategy. Some multi national organisations had also been exposed to risks such as Sony with unidentified battery issue before release of product in 2006, Dell supply chain problem in 2007, fiasco caused by software failure in 2008 to British Airways etc. This is because they had failed to take into account risks that could be created by people, resources and occurrence that is outside the normal business practises. Risk management is now an essential element of organisation’s strategy by putting in place a process to handle risk in priority of the likelihood of occurrence. The managerial decisions necessary for smooth running of organisation cannot be taken without element of risk. As a cornerstone of business practice the question management need to be...
Words: 2842 - Pages: 12
...IA2: Business Continuity Plan for Information Technology CSEC 650 University of Maryland University College Abstract Business contingency and continuity of operations plan are vital to business, especially those reliant on digital media. Whether through nature events or the more likely interruption of computer systems and networks, a disruption of any type is a serious business concern. A disruption can harm operational revenue, services, supply-chain, and reputation. Any of the preceding effects from a disruption could possibly be severe enough to mean the end of business as a going concern. To avoid severe or long term damaging disruption, a comprehensive contingency plan can provide a guide for how resources and personnel will be allocated in the event of a crisis. Keywords: Business Continuity Plan (BCP), Information Technology, contingency plan Table of Contents Business Continuity Plans 4 Planning Steps 5 Business Impact Analysis 6 Recovery Strategies 8 Data Backup 10 IT Personnel Training 10 Alternate Site 11 Contingency Plan Development 12 Training and Testing 13 Recommended Training and Testing 14 Test Schedule 15 Summation 17 References 18 Business Continuity Plans Greater numbers of businesses now must consider the protection of their computer information systems as a vital aspect of their operations. Even as organizations became ever more reliant on computer systems over the past several decades, information technology (IT) contingency planning was not...
Words: 4274 - Pages: 18
...Purpose Business Continuity / Disaster Recovery program is implemented to ensure that ITT-Tech capability to respond to and reduce the effect(s) of incidents that may impact the ability of one or more of the of it’s locations ability to carry out normal activities. Business Continuity and Disaster Recovery Plans shall identify and address critical events that have the potential to cause materially adverse consequences. Scope The school Information Services Business Continuity / Disaster Recovery program is applicable to each it’s functional organization. This document along with other documents, will provide guidance for all departments to; • determine their exposures to loss of business activities by conducting Business Impact Analysis and Risk Assessment(s), • to develop Business Continuity and Disaster Recovery plans • to maintain those plans using provided or similar documents meeting the intent of the Business Continuity Program. Objective Objective of the Business Continuity program is to ensure that each functional unit has evaluated business conditions and developed plans which will enable it to survive business-interruption events and continue operations at an acceptable level until normal operations can be restored. Responsibility Designated leaders are responsible for implementing, developing and maintaining the Business Continuity program for their operational area. Systems and Operations continuity for each...
Words: 263 - Pages: 2
...between a risk analysis (RA) and a business impact analysis (BIA)? Any business uses resources, be it people, systems, money or information. These resources are all to a certain extent exposed to risks, and a risk analysis is supposed to give a comprehensive list of relevant risks. The resources are used by the business however, so losing a resource has a business impact. A Business Impact Assessment analyses the effects of the loss of a resource and hence the risk. 2. What is the difference between a Disaster Recovery Plan and a Business Continuity Plan? A Business Continuity Plan describes a set of procedures your company will use to continue critical business operations in the event of disruption (of those specific and/or all critical business operations). For instance, if the ability to take phone calls is a critical business operation (i.e. maybe you run a help desk), then you may define, in your BCP, what may cause a phone interruption, and what procedures you would take to respond to it. Conversely, as stated by Massimo, the Disaster Recovery Plan (DRP) is a subset of your BCP. The DRP specifies the further reaching implications of disaster -- where your primary place (or all places) of business are uninhabitable. Not only is this relevant to your place of business, but your workforce as well (Workforce Continuity). 3. Typically, a business continuity plan is also a compilation or collection of other plans. What other plans might a BCP and all supporting...
Words: 354 - Pages: 2
...Describes existing resources and procedures that support disaster recovery and business continuity planning and provides support for the resources and procedures identified. Roles in Disaster Recovery Identifies appropriate roles and responsibilities that will be involved in disaster recovery and business continuity planning and provides support for their selection. Risks to Ignoring Developing a Disaster Recovery Plan Describes risks to organizational security of failure to develop disaster recovery and business continuity plans and provides support for chosen position. Steps to Creating an Effective Contingency Plan Identifies the steps to create an effective contingency plan and provides support for chosen position. http://www.itl.nist.gov/lab/bulletns/bltnjun02.htm http://www.govinfosecurity.com/nists-7-step-contingency-planning-process-a-2615 http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf National Institute of Standards and Technology (NIST) developed an effective information system contingency plan. Responsibility for the planning process will fall under one of the senior managers. Although the senior manager is responsible for the information system contingency plan they do not work on the plan alone. The strategy and development of the contingency plan is in cooperation with other employees working in all functional information systems, such as networking and enterprise applications. Develop the contingency planning...
Words: 579 - Pages: 3
...Business Continuity Plan Template Version 1.0 August 2014 Table of Contents DOCUMENT CHANGE CONTROL 6 Section I: Introduction 7 A. How to Use This Plan 7 B. Objectives 7 C. Scope 8 D. Assumptions 8 E. Changes to the Plan/Maintenance Responsibilities 9 F. Plan Testing Procedures and Responsibilities 10 G. Plan Training Procedures and Responsibilities 10 H. Plan Distribution List 11 Section II: Business Continuity Strategy 12 A. Introduction 12 B. Business Function Recovery Priorities 12 C. Relocation Strategy and Alternate Business Site 12 D. Recovery Plan Phases 13 1. Disaster Occurrence 13 2. Plan Activation 13 3. Alternate Site Operations 13 4. Transition to Primary Site 13 E. Vital Records Backup 13 F. Restoration of Hardcopy Files, Forms, and Supplies 14 G. On-line Access to <ORGANIZATION NAME> Computer Systems 14 H. Mail and Report Distribution 15 Section III: Recovery Teams 16 A. Purpose and Objective 16 B. Recovery Team Descriptions 16 C. Recovery Team Assignments 16 D. Personnel Notification 17 E. Team Contacts 17 F. Team Responsibilities 17 Business Continuity Coordinator – <Insert Name> 19 EOC Communications Team – 19 EOC Human Resources Team – 20 EOC Administration Team – 20 Emergency Response Team – 21 Information Technology Recovery Team (See also Disaster Recovery Plan) – 21 Section IV: Recovery Procedures 23 A. Purpose and Objective 23 B. Recovery Activities and Tasks 24 PHASE I: Disaster Occurrence...
Words: 8008 - Pages: 33
...(RA) and a business impact analysis (BIA)? a. Risk assessment (RA) is a structure discipline that must discover the threats, vulnerabilities, and values of an organization’s assets. A key factor in risk assessment is the determination of the likelihood of an adverse event affecting an Organization, process, or system. Risk assessment is a valuable tool to help the organization recognize itself threat environment and ensure that the steps are undertaken to minimize the resulting risks to an acceptable level. b. Business Impact Analysis (BIA) is the key to a successful BCP implementation. Understanding and standardizing Enterprise business process names is critical to the success of the BIA. The intent of the BIA process is to help the organization’s management appreciate the magnitude of the operational and financial impacts associated with a disaster or serious disruption. When they understand, management can use this knowledge to calculate the recovery time objective (RTO) for time-critical support services and resources. For most Organizations, these support resources include: Facilities - IT infrastructure (including voice and data communications networks) - Hardware and software - Vital records Data - Business partners The connection is made when each of the time-critical business processes is mapped to the above supporting resources. 2. What is the difference between a disaster recovery plan (DRP) and a business continuity plan (BCP)? a. Disaster Recovery Plan (DRP) is...
Words: 966 - Pages: 4
...practicing, and maintaining both a continuity and disaster recovery plan. Enterprise, organizational, and business continuity plans all have the same roots. These programs shape the methods and actions required to maintain an acceptable level of business function while facing a myriad of operational challenges (Lindros & Tittel, 2014). The variables that create these challenges may in include, but not limited to, environmental disasters, internal mishaps, and political unrest. Nonetheless, a complete enterprise continuity plan (ECP) includes an organizational disaster recovery plan (DRP) for technical systems restoration. A DRP serves to outline the process and procedures needed by an organization’s information technology team when restoring critical technical systems after a crisis (Lindros & Tittel, 2014). The university is hoping to become as a center of academic excellence through a certification presented by the National Security Agency (NSA). With this certification, the school may see the possibility of increased funding from the government and external organizations. Additionally, other designations may include, but not limited to, research awards, the hiring of esteemed faculty members and the increase in enrollment. The organization will have to develop and show the execution of their ECP and DRP, to achieve the NSA certification. To kick this off the school must first assess several areas before structuring the plans. The university must identify what...
Words: 1369 - Pages: 6
...[Organization Logo] <Insert Organization Name Here> Business Continuity Plan Template Version 1.0 Month Day, Year Table of Contents DOCUMENT CHANGE CONTROL 6 Section I: Introduction 7 A. How to Use This Plan 7 B. Objectives 7 C. Scope 8 D. Assumptions 8 E. Changes to the Plan/Maintenance Responsibilities 9 F. Plan Testing Procedures and Responsibilities 10 G. Plan Training Procedures and Responsibilities 10 H. Plan Distribution List 11 Section II: Business Continuity Strategy 12 A. Introduction 12 B. Business Function Recovery Priorities 12 C. Relocation Strategy and Alternate Business Site 12 D. Recovery Plan Phases 13 1. Disaster Occurrence 13 2. Plan Activation 13 3. Alternate Site Operations 13 4. Transition to Primary Site 13 E. Vital Records Backup 13 F. Restoration of Hardcopy Files, Forms, and Supplies 14 G. On-line Access to <ORGANIZATION NAME> Computer Systems 14 H. Mail and Report Distribution 15 Section III: Recovery Teams 16 A. Purpose and Objective 16 B. Recovery Team Descriptions 16 C. Recovery Team Assignments 16 D. Personnel Notification 17 E. Team Contacts 17 F. Team Responsibilities 17 Business Continuity Coordinator – <Insert Name> 19 EOC Communications Team – 19 EOC Human Resources Team – 20 EOC Administration Team – 20 Emergency Response Team – 21 Information Technology Recovery Team (See also Disaster Recovery Plan) – 21 Section IV: Recovery Procedures 23 A. Purpose and Objective...
Words: 8018 - Pages: 33
...breathe a sigh of relief for being able to secure important data centers and keep bank operations running. All this was a result of successful implementation of Citi’s “Disaster Recovery Plan”. What is a Disaster Recovery Plan? Just like the disaster discussed above, every week, month, and year, companies are exposed to risks of potential disasters that can affect the continuation of vital business processes. When critical processes and applications are lost, the company can incur damages ranging anywhere from $5,000- $5,000,000 per minute, depending on the size and function of the company. Some companies never recover from the excessive damage they incur during the time of the disaster, and may be forced out of business. To avoid such a situation, companies, particularly banking institutions, are heavily encouraged to have a disaster recovery plan in place. A disaster recovery plan is a powerful tool that allows companies to shield itself from any calamity that occurs, be it natural or man made. The focal point of a disaster recovery plan is business continuity. Business continuity is an activity performed by a company to ensure that critical business functions will be available to customers, clients, and regulators. Disaster recovery is a process that allows for business continuity, particularly in operations and technology infrastructure, during a time of disaster. The...
Words: 2454 - Pages: 10
...Introduction: DLIS has decided to develop a business continuity plan (BCP) with the full support of management. Instructions: DLIS business continuity plan will come into effect as soon as all elements meet specific guide lines and have been tested. Scope: DLIS will build and maintain a business continuity plan to insure operations will continue in the event of a single point of failure. Objective: DLIS has a warm site located 50 miles from the head quarter office ready to conduct business with a fully mirrored system and minimum staffing available in case of an unplanned interruption or disaster should occur. System Description and Architecture: The BCP for DLIS will identify critical business functions that need to remain operational during a disruption * 50 file servers * 12 databases * Enterprise Resource Planning software (ERP) * Electronic Funds Transfer software (EFT) DLIS Mission: To receive, edit, and route logistics transactions for the Military Services and Federal Agencies to provide value added services for standard MILS transactions provide information about anything, anywhere, anytime, anyway, to anyone in the DoD and Federal Logistics Community. * Army * Navy * Marines * Air Force, Defense Agencies * NATO/Allies Alert/Notification/Activator Procedures: The BCP coordinator for DLIS will declare the notification/activation phase and notify all team leads. Team leads will be responsible...
Words: 661 - Pages: 3
