A Plan for Restoration and Recovery for Information Systems - Case Study Example

Running Head: RESTORATION AND RECOVERY PLAN Considering the Worst: A Plan for Restoration and Recovery for Information Systems Considering the Worst:A Plan for Restoration and Recovery for Information Systems The rise of cyber-terrorism and common occurrences of natural disasters prove that governmental information systems are in danger. Though convenient, information systems may be considered easy targets, as they lack adequate protection and are extremely vulnerable to widespread damage. With these facts in mind, systems operators should not only enhance security and devise risk management plans, but they should also plan for the worse by updating methods to restore damaged systems and recover corrupt or deleted files. Targeted Convenience Information systems act as the nucleus of interconnectivity and efficient communication (ISACA). Interconnected capabilities of information systems allow system operators instant feedback from an inquiry. Moreover, their interconnectedness provides added resources as they provide links to other databases with critical information. For those with harmful intentions, the interconnectivity of public safety systems represents an opportunity. One vile or deleted piece of information can easily infiltrate and corrupt or lock an entire system’s operations and subsequently infect connected systems. It is believed that government systems may become targets of attack (Wilmot, 2004; Wilson, 2003). Instead of using explosives, terrorists may resort to the destructive effects of data packets. According to Lieutenant General Kenneth A. Minihan, groups harboring hostility towards the United States are currently developing “offensive information warfare capabilities” (Wilcot, 2004, p. 284) making government computers and information systems targets (Wilson, 2003). As a connected subsidiary of the federal government (SafirRosetti, 2006), the Fort Lauderdale Police Department of Florida FLPD and its information systems are equally susceptible to attacks. Need for System Restoration and Data Recovery/ Adequate Systems Protection The Fort Lauderdale Police Department implements several strategies to combat imminent attacks against information systems; however, its strategies require added forethought and planning. Though the risks of information systems is known among systems operators, protection plans are far and few between. Scarce time is invested into the protecting systems. Wilcot (2004) points out the haphazard security of information systems: “In most agencies, security is relegated to someone in the information services (IS) department, who usually has many other duties.” (p 291) To ensure the safety of its information systems, FLPD relies on its staff (SafirRosetti, 2006) and the administrative department of the Risk Management Division (BCL). The person in charge of managing FLPD’s Information Systems Unit (ISU) observes and evaluates staff members who work with the information system (SafirRosetti, 2006). Since managing the ISU entails more duties than observing and evaluating staff members, observations and evaluations provide limited protection for the system. Performing a host of other duties undoubtedly interferes with supervisors’ competence while evaluating subordinates. One way or the other, systems operators will invest time into their information systems—either they will be proactive and devise risk management plans, or they will be forced to restore the entire system or recover deleted files in a feeble response to the aftermath of disturbance. Apparently, FLPD’s security measures for its information systems are mediocre, at best. Thus, the following plan to identify and provide information systems’ restoration and recovery is duly warranted. Methods of Restoration Strengths of current restorative methods. The task of system restoration appears to be an easy fix, as the same method is utilized to restore systems. Wilson (2003) states, “Highly skilled engineers and technical experts who understand the systems would, as always, work tirelessly to restore functions as quickly as possible.” (p. 6) Using human labor as a means of restoration is beneficial. Technicians’ knowledge accompanies their skill in dealing with the information systems. Since their work requires hands-on encounters with the systems, technicians can immediately assess and respond to the system’s malfunction. Weaknesses of current restorative methods. On the other hand, total dependency on human labor to complete such a critical task has an absolute disadvantage. Human labor is not instant. First, humans require time for arrival on site of the problem. Secondly, technicians must first perform a diagnostic assessment prior to implementing a possible solution. If that solution fails, technicians must reassess then apply a different solution. For the most part, the repair phase should not be trial and error, as a wrong could precipitate further damage. Combining strengths and weaknesses to maximize efficiency. Since most systems operators are dependent on the benefits of human labor, resolving the issue of damage in a timely manner proves to be challenging. To adequately protect its citizens, FLPD relies on the apt responses of its information systems and staff (flpd.org). To maximize the element of time, FLPD should plan to combine the benefits of human labor with the convenient basics of technology. Since technicians are equipped to deal with information systems, the proposed plan would require technicians to compile scenarios they have encountered and possible scenarios that would also warrant repairs. The compiled scenarios and repairs would be programmed into the operating systems so that sensors could check and instantly modify or regulate systems’ operations to rectify problems for resulted restoration. To further avoid manual restoration of services, Turoff et al (2003) suggest the creation of a virtual command center. A virtual command center would continue to utilize the efficiency of basic technology. In the event that the technology is disabled, it could be restored without requiring human presence at a particular site. Once systems have been restored using a timely method, however, files must still be recovered. Methods of Recovery Strengths and weaknesses of current recovery methods. Unlike the intricate methods of restoring an information system, recovering lost or deleted files could be less complicated. However, the task of recovering files is haphazard at best. In its commendable effort to plan for unforeseen disasters, FLPD partners with The Risk Management Division (BCF). The partnership between FLPD and The Risk Management Division serves as established effort to improve guards for information systems. The Risk Management Division acknowledges responsibility for responding to claims regarding hardware but omits specific detail about its efforts to recover corrupt or deleted data. Thus, the current use of forethought in risk management planning considers foreboding possibilities. However, current considerations should be examined to further scrutinize the consequential effects of internal and external threats, including a plan of recovery, should a calamity occur. Unfortunately, systems operators neglect to initiate adequate plans for recovery until after a disastrous event. A false sense of security allows system operators to think that nothing will happen that purchased software or the system itself cannot fix. Wilson (2003) reports that a simulation attempt to cripple a telecommunication system was unsuccessful because the “system redundancy [prevented] damage from becoming too widespread.” (p. 7) Though the system’s redundancy may be a beneficial component of the system, injected viruses or foreign elements designed to induce malfunction could alter the operation of the redundant component. Purchased software is another effort to secure information systems. Wilson (2003) comments about the process for software vendors illustrates security measures: Agencies operating national security systems must purchase software products from a list of lab-tested and evaluated products in a program that requires vendors to submit software for review in an accredited lab, a process (known as certification under the Common Criteria, a testing program run by the National Information Assurance Partnership…” (p. 21) Though commercial software companies strive to develop secured products, most software possesses the same features (Wilson, 2003). One mastermind could gain access to the securing features and sabotage the effectiveness of all software. In addition, more pressing matters provoke ill preparation in systems operators. Ulfelder (2004) points out that “disaster recovery takes a back seat to other IT [information technology] projects.” (p. 2) Blinded faith in security features and attention to more demanding projects deflect consideration from the recovery process, thereby, leaving the task of recovering lost or damaged data less of a priority and resulting in an unwary reactive effort of recovery. Plans of proposed recovery method. Based on Ulfelder (2004) and Mearian’s (2004) articles about past mistakes companies made when preparing or recovering from a disaster, the following is a proactive plan for recovering altered, stolen, or destroyed data. First, the FLPD will determine which software and information will be initially restored and store a replica of the software and information in alternate locations, thereby reducing data recovery from days to hours. Secondly, the department will identify and include personnel who are critical to the recovery process and make them an integral part of the recovery planning process. However, the department will be careful not to overlook other personnel, as the department will train others, as well. According to Elbert Lane, a lead software developer, documents should be “fashioned so anyone in the business should be able to restart and application” (Ulfelder, 2004, p. 2). Lane adds that even someone from the mailroom should have the same capabilities to restart and restore applications. Ensuring efficiency of proposed plan. To avoid obstruction of the recovery process, the proposed plan will also ensure that basic items are in place. Accessibility to the critical areas will be preplanned, as an emergency contact tree, which includes numbers for other emergency personnel (i.e. fire, town officials, etc.) and mobile numbers of officers and supervisors will be created, circulated, and stored in alternate areas. Crisis-only overrides will allow selected low-level staff members authorization to passwords. Most importantly, backup generators and flashlight batteries will be checked periodically to ensure the presence of light. Though menial and seemingly unimportant in comparison to other preparations for recovery, basic necessities sometimes sabotage the most meticulous plans to reinstate operability of information systems. To further enhance the entire recovery process, regular surprised tests will be conducted to evaluate the proficiency and efficiency of the recovery process. Exercised recovery plans prove beneficial. On the other hand, dormant recovery plans may complicate the overall recovery process. Results of survey illustrate of exclusion of end users: In a recent survey of 283 Computerworld readers, 81% of the respondents said their organizations have disaster recovery plans. But 71% of the respondents at the companies with plans said the plans hadn’t been exercised in 2003. (Mearian, 2004, p. 2) A plan only runs smoothly if trained personnel remain. However, what are the odds that people will continue working with an organization for more than five years? Companies must depend on the plan, not the people. Thus, the recovery plan should be reviewed and tested regularly. Instead of a feeble reaction to a calamitous event that disables the entire system or corrupts or delete important files, the outlined plan will implement proactive measures that will adequately plan for effects of crises. References Broward County Florida. Risk management division. Retrieved January 16, 2007, from http://www.broward.org/riskmanagement/welcome.htm. Fort Lauderdale Police Department. Communications center. Retrieved January 7, 2007, from http://www.flpd.org/commcenter.html. ISACA: Serving IT Governance Professionals. ISACA overview and history. Information Systems Audit and Control Association. Retrieved January 3, 2007, from http://www.isaca.org/PrinterTemplate.cfm?section=overview_and_History&Template=Co... Mearian, L. (2004). Rising from disaster. Computerworld. Retrieved February 4, 2007, from EBSCOhost via Academic Search Premier: http://web10.epnet.com/DeliveryPrintSave.asp?tb=1&_ug=sid+72415389-46B3-45EB-9F3... SafirRosetti (2006) Staffing Study of Fort Lauderdale Police Department. Retrieved January 5, 2007, from http://ci.ftlaud.fl.us/documents/safir_study071505.pdf. Ulfelder, S. (2004). Classic mistakes. Computerworld. Retrieved February 4, 2007, from EBSCOhost via Academic Search Premier: http://web10.epnet.com/DeliveryPrintSave.asp?tb=1&_ug=sid+72415389-46B3-45EB-9F3... Wilmot, R. (Ed.) (2004). Domestic and international terrorism. Boston, MA: Pearson Custom Publishing. Wilson, C. (2003). Computer attack and cyber terrorism: vulnerabilities and policy issues for congress. Congressional Research Service Reports and Issue Briefs. Retrieved January 29, 2007, from InfoTrac OneFile via Thomson Gale: http://find.galegroup.com/itx/printdoc.do?&prodId=ITOF&userGroupName=21667_hbplc... Read More