The issues, procedures, and techniques involved in IT resource contingency planning - Research Paper Example

? Full Paper Introduction The ineffectiveness of incidence response and recovery from incidences which have been recorded in many organizations has motivated the need for scientific investigation to prove how this effectiveness can be attained. Therefore, the proposed project is aimed at performing a scientific investigation on incident response and recovery which is aimed at ensuring that losses are minimized within organizations in event of incidences. In this regard, a study of a sampled organization which has implemented a range of technologies is to be accomplished. The primary purpose of the investigation is to evaluate the policies, approaches, procedures, and teams which are associated to incident response and recovery. A secondary purpose of the investigation is to develop a set of the effective measures to ensure that the organization achieves business continuity after incidences with minimum incurrence of costs. As per the hypothetical case study, currently there is no business continuity, disaster recovery and incident response plans. In order to do so, there are many factors that can be taken into consideration. The first objective is to establish a risk management framework. The risk assessment framework will incorporate asset identification and classification. Asset identification can also be called as asset inventory. Asset inventory comprises of all assets that are deemed critical, important or general. After establishing asset inventory, asset classification is carried out. Likewise, the classification scheme will be drawn, as defined by the data, system or application owners, as they are the relevant people to determine the levels for each asset. After defining the asset inventory and asset classification, our next objective is to carry out risk management. Likewise, risk management comprises of two components i.e. Risk assessment and Risk management. Risk assessment incorporates cost benefit analysis that justifies the total cost of the asset and the total cost required to protect and ensure redundancy. However, it is essential to make a balance or the total cost of an asset may not exceed the total cost required for securing it or providing redundancy. Critical questions that need to be answered for conducting a successful risk management are: Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue? Which information asset generates the highest profitability? Which information asset is the most expensive to replace? Which information asset is the most expensive to protect? Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability? After the completion of risk assessment, risks can be prioritized and can be managed with associated or allocated cost and their impact levels on the business. Moreover, for establishing a comprehensive business continuity plan, following factors are mandatory: Business Continuity Planning Governance Business Impact Analysis (BIA) Procedures and activities for business continuity Instant procedures Quality assurance The disaster recovery sites must ensure to meet the Recovery Time Objectives, Recovery Point Objectives Service Delivery Objectives, Crisis Opening (Disaster Declaration) and Crisis end. Figure 3 illustrates the formulation of designing and validating a BCP plan based on these parameters. Figure 3 Image Retrieved from (Sheth, McHugh, & Jones, 2008) Furthermore, for establishing incident response functions, Computer security incident response teams are required with trained staff. Through a sampling methodology, a convenient sample will be attained from organizations which have heavily employed technology in their operations and have been affected by security incidences and breaches. Therefore a primary research methodology will be conducted to gather data and information on the approaches which the organizations selected in the sample employ in the achievement of effective response and recovery from system attacks. The investigation will also employ secondary research methodology with an aim or comparative analysis of the gathered data with the previous studies on incidence response and recovery of organizations from system attacks. Both quantitative and qualitative research designs will be employed in order to achieve and analyze both quantifiable and qualitative data on the area under investigation (Fulmer & Rothstein, 2005). 2 Expected Results The results of the investigation will include both quantitative and qualitative data and information on the area of study. The policies, procedures and approaches to the incidence response and recovery comprise the expected qualitative deliverables of the investigation. Moreover, the composition and the roles of the incidence response and management team in addition to the ability of the organizations to recover from incidences are the expected quantitative results of the investigation. The cost and time deliverables on the response and recovery of the various system attacks to the organizations comprise the expected quantitative deliverables. In addition to the findings of the primary investigation, secondary sources of information will also provide important quantitative and qualitative deliverables for analysis, discussion, conclusion and recommendations (Stewart & Gibson, 2012). The presentation of the results is among the expected deliverables which will include the approaches, procedures and policies used by the sampled organization in the responses and recovery from various incidences. Additionally, the analysis of the response and recovery process will present recommendations on the most effective strategies and plans for response and recovery from attacks to information system attacks. The presentation of the results is expected to illustrate the various quantifiable data and costs which are associated with the loss of business continuity which emanates from ineffective response and recovery strategies to incidences. 3 Work Plan and Schedule The work that will be carried out during the investigation is scheduled within a period of six weeks. During the first week, the preparation, selection of the sample organization and identification of data collection tools will be achieved. In the second week, actual collection of data both from the primary sources and secondary information resources will be done. The third and fourth week will be spent in the integration of the primary finding and the secondary sources of information and the analysis of the gathered data. Additionally, both quantitative and qualitative data and information will be integrated during the analyses. The fifth week will be for the writing of an organizational report which will contain the major findings of the investigation. Finally, the results, and recommendations of the investigation on incident response and recovery will be presented. Task Details: Timeline: 4 Findings In an organization significant services as well as products must be provided in order to ensure sustainability, reduce negatives and to gather business requirements. Business continuity planning is based on the practical planning that provides important services as well as significant products during disruption. There are the some points that are included in the Business Continuity Plans for example, in order to deliver significant services and products several plans, procedures and provisions must be made to make sure continuous delivery of products allowing the organizations to improve protect their assets, data and other facilities. In addition, it is also compulsory to identify assets that may not limited to employees, information, hardware/network devices, financials, legal counsel, security and locations for facilitating BCP. The BCP increases the image of an organization among the employees, shareholders and consumers through representing a positive approach. Importantly, an effective BCP recognizes the link between human and assets. 4.1 Importance of Business Continuity Planning (BCP) Organizations are always at probable catastrophe for instances tornadoes, floods, blizzards, earthquakes and fire mishaps. However these are known natural disasters but other risks includes power and energy distractions, sabotage, cyber assaults, hackers, infrastructure, transportation and security failure. Moreover, ecological disasters for example pollution and harmful materials spills are also a possible risk for organizations. Therefore, generating BCP ensures any organization is able to resolve any of the above crises. 4.2 Identify and Classify Critical Functions for the Organization The data related to the services or the goods that need to be delivered can be obtained through the mission statement of the organization. Moreover, the legal and delivering specifications of the products or the services can also be achieved via mission statement. The objective of the IT department states mission critical functions and services for the organization. 4.3 Categorize Areas of Potential Business Loss Initially the procedures and the functions of significant product or services that are involved in the generation of revenue must be determined. After evaluating the necessary cause of revenue generation following questions must be answered If the functions and procedures are not performed well, what is the impact on the loss of revenue is measured? How much loss is identified? What if the proper services or products are not provided by the organization will the organization losses its revenue? If so, then what is the total cost of revenue that is lost? What time till the organization will face the loss in revenue? If the services or products are not provided in time then customer will go for another option, therefore further loss in revenue is measured? As the I.T department has not implemented a risk management and I.T service management framework, we were not able to find the required answers. 4.4 Ascertain Supplementary Costs The additional expenses must be determined if the functions or procedures related to the business are untreatable. Moreover, this should also be taken into consideration that for the duration of time the functions can be operated without the hiring of additional staff. Similarly, the government regulations regarding the fines, penalties, breaches must be determined and factored into the BCP budget. Risk management framework address risks that can be mitigated, transferred, void or accepted. As mentioned earlier, risk management also calculates the associated cost against each risk. In this case, risk can be transferred to the insurance companies or can be void if the organization is not willing to accept the risk or the mitigation cost out weights the asset cost. Moreover, the existence of DR sites is also applicable. Therefore, we were not able to consider additional cost for mission critical functions and processes. 4.5 Ranking The ranking of significant services or the products can be created once all the relevant data has been composed. The ranking is based on the potential loss of revenue, time of recovery and severity of impact a disruption would cause. Here the downtimes that are allowed are precisely specified. 4.6 Business Continuity Plan These documented plans must be applied to ensure the continuity include the arrangements and methods that can deliver significant products and services with less service levels and downtime. Therefore, it is important to make continuity plans for each and every services or products. 4.7 Examine Existing Recovery Capabilities The recovery preparations must be considered by the organization and ensures its continuous implementation. Furthermore, the recovery arrangements can be included in the BCP if they are significant. 4.8 Continuity Plan BIA results derived from the BCP reveal the plans for the continuity of the significant services and the products (Hiles, 2002). However, these plans are created in order to cope with the severity of increasing levels of impacts from a disruption. For instance, sand bags can be used in order to prevent flooding near the organization building. If the water level rises to the first floor then the work load must be moved toward the second floor or on the higher floor of the building. In fact, if the flooding is more severe than it is the best option to relocate the critical parts of the business. However, in corporate financial institutions, disruption of services may have large consequences and can be unacceptable; this can address by a replicated device, component or a disaster recovery site that may restore services instantly. The risks and the advantages of all the plans and strategies must be measured. For better risk prevention, effective and practical options must be approached (Hiles, 2002). 4.9 Response In order to plan a response, planning team work is required by skilled professionals following the incident response plan. Likewise, the presence of computer incident response teams that comprises of highly skilled and experienced staff will make the plan easier to implement (Blyth, 2009). However, the size of a team depends on the size and nature of business of the organization. Our organization cannot afford a separate team of six to eight people for responding to incidents. However, a small team of two to three people will be sufficient enough for handling incidents. A variety of incident management teams exist, for instance, a command and control team that incorporates a team that manages crises and response and recovery management. Moreover, there are tasks oriented teams that incorporates a secondary team available at alternate location, procurement team, damage valuation team, Accounting team, Dangerous material team, Insurance teams, teams for handling legal issues, telecommunication teams, mechanical issue teams, networking team, media relation teams, transportation teams and record management teams. All of these defined teams and their responsibilities must be defined along with associated members, authority levels, member responsibilities, member job descriptions, backup member lists, backup member telephone numbers etc. 5 Recommendations After conducting a comprehensive risk management, BCP, DR and IR plan incorporate certain factors that are essential for the IT department to initiate a BCP plan. Recommendations are mentioned below: 5.1 Establishing a Business Continuity Plan (BCP) A complete BCP consists of five characteristics mentioned below: BCP Governance Business Impact Analysis (BIA) Procedures, strategy and provisions for business continuity Instant procedures Quality assurance techniques (exercises, maintenance and auditing) 6 Conclusion The hypothetical case study focuses on our organization’s IT department that is a small medium enterprise with a primary objective of delivering uninterrupted IT services to the customers in the region. Initially, there were no BCP/DR plans, Incident management plans and Risk management. The first step was to identify assets and establish an asset inventory followed by asset classification scheme developed by the stakeholders. Secondly, risk assessment identifies critical risks along with the cost justified by cost/benefit analysis. Thirdly, a comprehensive BCP/DR plan and lastly, an incident management functions are demonstrated. References Fulmer, K. L., & Rothstein, P. J. (2005). Business continuity planning: A step-by-step guide with planning forms on CD-ROM Rothstein Associates. Blyth, M. (2009). Business continuity management: Building an effective incident management plan Wiley. Stewart, J. M., & Gibson, D. (2012). CISSP: Certified information systems security professional study guide Wiley. Hiles, A. (2002). Enterprise risk assessment and business impact analysis: Best practices Rothstein. Image Sheth, S., McHugh, J., & Jones, F. (2008). A dashboard for measuring capability when designing, implementing and validating business continuity and disaster recovery projects. Journal of Business Continuity & Emergency Planning, 2(3), 221-239. Read More