Question:
The assignment has a set purpose or objective that would identify the target business. It aims to create a Business Impact Analysis Policy that helps to discern key business elements. These business components suffer crucial problem during the time of disaster. In the assignment, a global IT organization is considered.
The first IT system is VoIP call servers (transmutation from Local Area Network to Wide Area Network). The business function of the particular IT system is interior and exterior voice communication with the customers in real time. The business impact factor is critical and the recovery time is eight hours (Chen et al. 2014).
The next IT system is Email server (transmutation from LAN to WAN network).The business function of the specific IT system is interior and exterior email dialogue with the customers through store and forward messaging. This system is integral, as far as social media communication is concerned. The business impact factor is critical and recovery time is four hours.
The next IT system is DNS server (transmutation from LAN to WAN network). The business function is internal and external Internet Protocol communication (IP) through Domain Name Server (DNS server).The business impact aspect is critical and the specified recovery time is four hours.
The next IT infrastructure is Wide Area Network (WAN), which entails LAN to Wan network. The business impact function is internet liaising for email, store and forward customer service. It is indispensable for the development of internet communication with the potential customers. The business impact factor is critical and the recovery time is four hours.
The next IT system is customer service server (transmutation from LAN to WAN network). The business impact function is personalized website that helps the customers derive information related to personal account. The business impact factor is major and the recovery time is 36 hours.
The next IT infrastructure is Web servers (transmutation from LAN to WAN network). The business function of the system is initiation of e-commerce site for digitized customer purchase or scheduling of appointment for the whole year. The business impact factor is critical and the recovery time is 12 hours.
The next IT infrastructure is fundamental on, as it is used by the HR team of any organization. The IT infrastructure is LAN servers, HR servers and payroll servers. The business function is integration of payroll and human resources for employees. The business impact factor is major and the recovery time is 48 hours.
Answer:
Task 1: Business Impact Analysis
- Overview
This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system. It was prepared for Health Network, Inc (Health Network).
- System Description
Health Network has operations in three data centers which are available across the company’s product line. They data have around 1,000 production servers, and 650 laptops and company provided mobile devices for its employees.
The organization has its headquarters in Minneapolis and has two corporate branches in Portland, Oregon and Arlington, Virginia. Each corporate office is located close to a data center where the actual production servers and systems operated by third-party vendors.
The infrastructure consists of an HNET Exchange server, HNET Connect Database Directory and HNET Pay Payment Database amongst others of which HNET Exchange Server is the major revenue generator for the company. The service is secure electronic medium of communication between customers and hospitals & clinics.
HNetPay is a payment portal used by HNetExchange’s customers which supports secure payments. The HNetPay Web portal, hosted at Health Network production sites operates like any other e-commerce shopping website which supports all major credit card and banking networks.
HNetConnect is a database or directory that has a list of specialist doctors, clinics and hospitals that allow the Health Network’s customers to find the correct type of specialists or care givers they are looking for. Like all other major e-commerce websites, specialists and customers both can update their information, profile, contact details and other personal and professional information to serve and receive proper response.
Other operational firewalls and servers are as follows;
- Email Server
- Database Server
- Web Server
- Internal Firewall
- External Firewall
| Business Function or Process | Business Impact Factor | Recovery Time Objective | IT Systems/Apps Infrastructure Impacts |
| Telephonic Customer Service | Level 3 | > 24 hours | Systems Application Domain |
| Email Customer Service | Level 1 | > 5 hours | Systems Application Domain |
| Domain Servers | Level 2 | > 24 hours | LAN to WAN Domain |
| Email and messaging service | Level 2 | > 24 hours | Systems Application Domain |
| Internet & Intranet | Level 2 | > 24 hours | Remote Access Domain |
| Website | Level 2 | > 24 hours | Systems Application Domain |
| HR resources & Accounts | Level 2 | > 24 hours | LAN Domain |
| Chat based Customer service | Level 2 | > 24 hours | LAN Domain |
| Technical Support | Level 3 | 1-2 Days | LAN Domain |
| Accounting and Finance Support | Level 2 | > 24 hours | Systems Application Domain |
| Marketing and Events | Level 4 | 2-4 days | Systems Application Domain |
| Sales | Level 1 | > 24 hours | Systems Application Domain |
| Communication with other departments | Level 2 | > 24 hours | Systems Application Domain |
3.1.1 Identify Outage Impacts and Estimated Downtime
Estimated Downtime
The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.
| Mission/Business Process
For HNetExchange |
MTD | RTO | RPO |
| Telephonic Customer Service | <48 hours | <24 hours | <4 hours |
| Email Customer Service | <48 hours | <24 hours | < 4 hours |
| Mission/Business Process
For HNetConnect |
MTD | RTO | RPO |
| Internet & Intranet | <48 hours | < 24 hours | < 4 hours |
| Email and messaging service | <48 hours | <24 hours |
< 4 hours |
| Mission/Business Process
For HNetPay |
MTD | RTO | RPO |
| Accounting and Finance Support | <48 hours | <24 hours | < 4 hours |
| Website | <48 hours | <24 hours | < 4 hours |
Task 2: Business Continuity Plan
After discussions with management, the organization implemented the following Back-up Plan: all database files are backed-up to tape at the end of the day. These tapes are then stored offsite. The HNetPay data is backed-up daily and retained for 6 months. The HNetMessage messages are backed-up daily and retained for 3 months. All other data is backed-up weekly and retained for 60 days. If the BCP is executed, the most current tapes are copied and mailed to the alternate site.
Emergency management standards
Data backup policy
Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.
Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.
IT follows these standards for its data backup and archiving:
Tape retention policy
Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system.
Billing tapes
- There must be a daily back up at the end of the business day.
- They must be backed up daily and stored for a minimum of 3 months.
- The system supervisor is responsible for the transition cycle of the tapes.
System image tapes
- A copy of the most current image files must be made and backed up at least once per week.
- This backup must be stored offsite, preferably on multiple locations.
- The system supervisor is responsible for this activity.
Off-site storage procedures
- Tapes and disks, and other suitable media are stored in environmentally secure facilities.
- Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.
Access to backup databases and other data is tested annually
Task 3: Disaster Recovery Plan
Disaster Recovery Plan for HNetPay
OVERVIEW |
|
| PRODUCTION SERVER | Location: Arlington, Portland, Minneapolis
|
| IT INFRASTRUCTURE | HNET Payment Database |
BACKUP STRATEGY FOR SYSTEM ONE |
|
Daily / Monthly / Quarterly |
Daily |
DISASTER RECOVERY PROCEDURE |
|
Risk #1: Loss of company data due to HNetPay hardware removed from production systems. |
This will majorly impact the payments process as the customers won’t be able to make any payments and without a payment all service will be disrupted. In order to keep this in check, all credit card and other transactional activities need to have an alternate payment plan on a different server. |
Risk #2: Loss of customers due to production outages. |
This impacts the revenues and services being imparted directly. To avoid this an alternate payment plan needs to be in effect, preferably in a remote location and there should be a disaster recovery plan in place. |
Disaster Recovery Plan for <HNetConnect>
OVERVIEW |
|
| PRODUCTION SERVER | Location: Arlington, Portland, Minneapolis |
| IT INFRASTRUCTURE | HNET Connect Directory Database |
BACKUP STRATEGY FOR SYSTEM ONE |
|
Daily / Monthly / Quarterly |
Daily |
DISASTER RECOVERY PROCEDURE |
|
Risk #1: Loss of company data due to HNetConnect hardware removed from production systems. |
Impacts the ability to find care using online services. Customers would not be able to view and compare doctors and clinics. Customers would not be able to find the right care. The company would not be able to find new customers. Maintain proper backups and follow proper access control techniques. |
Risk #2: Loss of customers due to production outages. |
Customers would not be able to find the right care. Maintain disaster recovery servers in case the primary fails. |
Disaster Recovery Plan for <HNetExchange>
OVERVIEW |
|
| PRODUCTION SERVER | Location: Arlington, Portland, Minneapolis
|
| IT INFRASTRUCTURE | HNET Exchange Server |
BACKUP STRATEGY FOR SYSTEM ONE |
|
Daily / Monthly / Quarterly |
Daily |
SYSTEM DISASTER RECOVERY PROCEDURE |
|
Risk #1: Loss of company data due to HNetExchange hardware removed from production systems. |
There wouldn’t be any exchange of information between customers and specialists which in turn affects company’s revenue. There should be proper backups and access control techniques. |
Risk #2: Loss of customers due to production outages. |
Customers might not be able to get proper care. There should be a proper disaster recovery plan and servers be allocated. |
Task 4: Computer Incident Response Team Plan – extracts from the Boiler Plate
- Threat: Loss of company information on lost company-owned laptop
Preparation:
What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach?
Identification: When an incident is reported, it must be identified and properly documented.
- Business Impact- HNET pay, HNET Connect, HNET Exchange.
- Threat- Loss of sensitive data & information.
- Risk impact- Severely critical.
- MTD- > 12 hours,
- RTO- > 4 hours
- RPO- > 2 hours
Containment: The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.
- Disable all incoming communication from the laptop or the user.
Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.
- Limit the access of production data only to authorized users on a as-is basis. Restrict the access of data externally.
Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.
- Recover lost data using backups
- BCP plan would be executed in response to the incident.
- The BIA, BCP and DR plans need to be updated with new procedures to mitigate the incident.
