ISOL 533 – Information Security and Risk Management:553270

Question:

The assignment has a set purpose or objective that would identify the target business. It aims to create a Business Impact Analysis Policy that helps to discern key business elements. These business components suffer crucial problem during the time of disaster. In the assignment, a global IT organization is considered.

The first IT system is VoIP call servers (transmutation from Local Area Network to Wide Area Network). The business function of the particular IT system is interior and exterior voice communication with the customers in real time. The business impact factor is critical and the recovery time is eight hours (Chen et al. 2014).

The next IT system is Email server (transmutation from LAN to WAN network).The business function of the specific IT system is interior and exterior email dialogue with the customers through store and forward messaging. This system is integral, as far as social media communication is concerned. The business impact factor is critical and recovery time is four hours.

The next IT system is DNS server (transmutation from LAN to WAN network). The business function is internal and external Internet Protocol communication (IP) through Domain Name Server (DNS server).The business impact aspect is critical and the specified recovery time is four hours.

The next IT infrastructure is Wide Area Network (WAN), which entails LAN to Wan network. The business impact function is internet liaising for email, store and forward customer service. It is indispensable for the development of internet communication with the potential customers. The business impact factor is critical and the recovery time is four hours.

The next IT system is customer service server (transmutation from LAN to WAN network). The business impact function is personalized website that helps the customers derive information related to personal account. The business impact factor is major and the recovery time is 36 hours.

The next IT infrastructure is Web servers (transmutation from LAN to WAN network). The business function of the system is initiation of e-commerce site for digitized customer purchase or scheduling of appointment for the whole year. The business impact factor is critical and the recovery time is 12 hours.

The next IT infrastructure is fundamental on, as it is used by the HR team of any organization. The IT infrastructure is LAN servers, HR servers and payroll servers. The business function is integration of payroll and human resources for employees. The business impact factor is major and the recovery time is 48 hours.

Answer:

Task 1: Business Impact Analysis

  1. Overview

This Business Impact Analysis (BIA) is developed as part of the contingency planning process for the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.  It was prepared for Health Network, Inc (Health Network).

  1. System Description

Health Network has operations in three data centers which are available across the company’s product line. They data have around 1,000 production servers, and 650 laptops and company provided mobile devices for its employees.

The organization has its headquarters in Minneapolis and has two corporate branches in Portland, Oregon and Arlington, Virginia. Each corporate office is located close to a data center where the actual production servers and systems operated by third-party vendors.

The infrastructure consists of an HNET Exchange server, HNET Connect Database Directory and HNET Pay Payment Database amongst others of which HNET Exchange Server is the major revenue generator for the company. The service is secure electronic medium of communication between customers and hospitals & clinics.
HNetPay is a payment portal used by HNetExchange’s customers which supports secure payments. The HNetPay Web portal, hosted at Health Network production sites operates like any other e-commerce shopping website which supports all major credit card and banking networks.

HNetConnect is a database or directory that has a list of specialist doctors, clinics and hospitals that allow the Health Network’s customers to find the correct type of specialists or care givers they are looking for. Like all other major e-commerce websites, specialists and customers both can update their information, profile, contact details and other personal and professional information to serve and receive proper response.

Other operational firewalls and servers are as follows;

  • Email Server
  • Database Server
  • Web Server
  • Internal Firewall
  • External Firewall
Business Function or Process Business Impact Factor Recovery Time Objective IT Systems/Apps Infrastructure Impacts
Telephonic Customer Service Level 3 > 24 hours Systems Application Domain
Email Customer Service Level 1 > 5 hours Systems Application Domain
Domain Servers Level 2 > 24 hours LAN to WAN Domain
Email and messaging service Level 2 > 24 hours Systems Application Domain
Internet & Intranet Level 2 > 24 hours Remote Access Domain
Website Level 2 > 24 hours Systems Application Domain
HR resources & Accounts Level 2 > 24 hours LAN Domain
Chat based Customer service Level 2 > 24 hours LAN Domain
Technical Support Level 3 1-2 Days LAN Domain
Accounting and Finance Support Level 2 > 24 hours Systems Application Domain
Marketing and Events Level 4 2-4 days Systems Application Domain
Sales Level 1 > 24 hours Systems Application Domain
Communication with other departments Level 2 > 24 hours Systems Application Domain

 

3.1.1    Identify Outage Impacts and Estimated Downtime

Estimated Downtime

The table below identifies the MTD, RTO, and RPO for the organizational business processes that rely on the HNetExchange Message system, HNetConnect Directory system and HNetPay Payment system.

 

Mission/Business Process

For HNetExchange

MTD RTO RPO
Telephonic Customer Service <48 hours <24 hours <4 hours
Email Customer Service <48 hours <24 hours < 4 hours

 

Mission/Business Process

For HNetConnect

MTD RTO RPO
Internet & Intranet <48 hours < 24 hours < 4 hours
Email and messaging service <48 hours <24 hours  

< 4 hours

 

Mission/Business Process

For HNetPay

MTD RTO RPO
Accounting and Finance Support <48 hours <24 hours < 4 hours
Website <48 hours <24 hours < 4 hours

 

Task 2: Business Continuity Plan

After discussions with management, the organization implemented the following Back-up Plan: all database files are backed-up to tape at the end of the day.  These tapes are then stored offsite.  The HNetPay data is backed-up daily and retained for 6 months.  The HNetMessage messages are backed-up daily and retained for 3 months.  All other data is backed-up weekly and retained for 60 days.  If the BCP is executed, the most current tapes are copied and mailed to the alternate site.

 

Emergency management standards

Data backup policy

Full and incremental backups preserve corporate information assets and should be performed on a regular basis for audit logs and files that are irreplaceable, have a high replacement cost, or are considered critical. Backup media should be stored in a secure, geographically separate location from the original and isolated from environmental hazards.

Department-specific data and document retention policies specify what records must be retained and for how long. All organizations are accountable for carrying out the provisions of the instruction for records in their organization.

IT follows these standards for its data backup and archiving:

Tape retention policy

Backup media is stored at locations that are secure, isolated from environmental hazards, and geographically separate from the location housing the system.

Billing tapes

  • There must be a daily back up at the end of the business day.
  • They must be backed up daily and stored for a minimum of 3 months.
  • The system supervisor is responsible for the transition cycle of the tapes.

 

System image tapes

  • A copy of the most current image files must be made and backed up at least once per week.
  • This backup must be stored offsite, preferably on multiple locations.
  • The system supervisor is responsible for this activity.

 

Off-site storage procedures

  • Tapes and disks, and other suitable media are stored in environmentally secure facilities.
  • Tape or disk rotation occurs on a regular schedule coordinated with the storage vendor.

Access to backup databases and other data is tested annually

Task 3: Disaster Recovery Plan

Disaster Recovery Plan for HNetPay

 

OVERVIEW
 
PRODUCTION SERVER Location: Arlington, Portland, Minneapolis

 

IT INFRASTRUCTURE  HNET Payment Database

 

 

BACKUP STRATEGY FOR SYSTEM ONE
 
Daily / Monthly / Quarterly
Daily

 

DISASTER RECOVERY PROCEDURE
 
 
Risk #1: Loss of company data due to HNetPay hardware removed from production systems.
 

This will majorly impact the payments process as the customers won’t be able to make any payments and without a payment all service will be disrupted. In order to keep this in check, all credit card and other transactional activities need to have an alternate payment plan on a different server.

 
Risk #2: Loss of customers due to production outages.
 

This impacts the revenues and services being imparted directly. To avoid this an alternate payment plan needs to be in effect, preferably in a remote location and there should be a disaster recovery plan in place.

 

Disaster Recovery Plan for <HNetConnect>

OVERVIEW
 
PRODUCTION SERVER Location: Arlington, Portland, Minneapolis
IT INFRASTRUCTURE HNET Connect Directory Database
BACKUP STRATEGY FOR SYSTEM ONE
 
Daily / Monthly / Quarterly
Daily
DISASTER RECOVERY PROCEDURE
 
 
Risk #1: Loss of company data due to HNetConnect hardware removed from production systems.
Impacts the ability to find care using online services. Customers would not be able to view and compare doctors and clinics. Customers would not be able to find the right care. The company would not be able to find new customers. Maintain proper backups and follow proper access control techniques.
Risk #2: Loss of customers due to production outages.
Customers would not be able to find the right care. Maintain disaster recovery servers in case the primary fails.

 

 

Disaster Recovery Plan for <HNetExchange>

OVERVIEW
 
PRODUCTION SERVER Location: Arlington, Portland, Minneapolis

 

IT INFRASTRUCTURE HNET Exchange Server
BACKUP STRATEGY FOR SYSTEM ONE
 
Daily / Monthly / Quarterly
Daily

 

SYSTEM DISASTER RECOVERY PROCEDURE
 
 
Risk #1: Loss of company data due to HNetExchange hardware removed from production systems.
 

There wouldn’t be any exchange of information between customers and specialists which in turn affects company’s revenue. There should be proper backups and access control techniques.

 
Risk #2: Loss of customers due to production outages.
 

Customers might not be able to get proper care. There should be a proper disaster recovery plan and servers be allocated.

 

Task 4: Computer Incident Response Team Plan – extracts from the Boiler Plate

  • Threat: Loss of company information on lost company-owned laptop

 

Preparation:

What tools, applications, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach?

Identification: When an incident is reported, it must be identified and properly documented.

  • Business Impact- HNET pay, HNET Connect, HNET Exchange.
  • Threat- Loss of sensitive data & information.
  • Risk impact- Severely critical.
  • MTD- > 12 hours,
  • RTO- > 4 hours
  • RPO- > 2 hours

Containment: The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.

  • Disable all incoming communication from the laptop or the user.

Eradication: The next priority is to remove the computer/security-related incident or breach’s effects.

  • Limit the access of production data only to authorized users on a as-is basis. Restrict the access of data externally.

Recovery: Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.

  • Recover lost data using backups
  • BCP plan would be executed in response to the incident.
  • The BIA, BCP and DR plans need to be updated with new procedures to mitigate the incident.