Business Continuity Disaster Recovery

Final Project
Trisha Rose
University of Advancing Technology
Business Continuity/Disaster Recovery
NTW 440
Kevin McLaughlin
November 09, 2012


Table of Contents

Risk Assessment
    Program Process or Business Practice: Servers
    Program Process or Business Practice: Server Room
    Program Process or Business Practice: Internet Access
    Program Process or Business Practice: Email Access
    Program Process or Business Practice: Firewall + anti-virus
    Program Process or Business Practice: Router
    Program Process or Business Practice: Guest access
    Program Process or Business Practice: backup
Business Impact Analysis
    Unit: Registration Services
    Unit: Financial Services
    Unit: Human Resources
System Data & Sensitivity Classification
    Process ID: RS-01
    Process ID: FS-02
    Process ID: HR-03
IT System Inventory & Definition
    Process ID: FS-02
Emergency Response Teams
    Data Recovery Team
    Physical Damage Crisis Team
    People Management Team
    Financial Management Team


Final Project

Risk Assessment

Program Process or Business Practice: Servers
Information Type/Sensitivity Level: Information is stored digitally on TB Towers. Various types of information are stored, from student and faculty information to financial information.
Associated Risks: The servers could get backed up or shut down. The impact would slow down or stop workflow. The servers are vulnerable through the firewall.
Examples of Current Controls: A firewall and restricted user access are in place to help mitigate potential risks.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: Controls for all unused ports to be closed by the network administrators, to be completed by the end of the week.

Program Process or Business Practice: Server Room
Information Type/Sensitivity Level: This room contains all physical servers. Only the network administrator has access to this room.
Associated Risks: The room could be breached by someone and control of the whole network could be seized. There is no protection on the door.
Examples of Current Controls: None
Determination of the Effectiveness of this control currently in place: No
Regulation or Standard Referred to: None
Next Action; require by whom and when: A security system for key card access is to be installed by security, and the key card that allows access is to be given only to those who need access to perform their job.

Program Process or Business Practice: Internet Access
Information Type/Sensitivity Level: Allows employees to access the internet.
Associated Risks: An employee could go to a bad website or download an infected file or program. Information could be stolen, and data could be lost. The reputation of the college could be ruined.
Examples of Current Controls: None
Determination of the Effectiveness of this control currently in place: No
Regulation or Standard Referred to: None
Next Action; require by whom and when: Internet access will be configured by the network administrator on a user-by-user basis, and employees will only be able to access certain websites that pertain to their jobs. Everything else will be blocked. Effective immediately.

Program Process or Business Practice: Email Access
Information Type/Sensitivity Level: Allows employees to communicate with each other in a quick manner.
Associated Risks: An employee could download an infected file or program or click a bad link in a spam email. Information could be stolen, and data could be lost. The reputation of the college could be ruined.
Examples of Current Controls: None
Determination of the Effectiveness of this control currently in place: No
Regulation or Standard Referred to: None
Next Action; require by whom and when: The network administrator will put into effect spam controls along with constant monitoring, and will disable attachments unless they are pertinent to the employee's job.

Program Process or Business Practice: Firewall + anti-virus
Information Type/Sensitivity Level: Helps to protect the network from the internet and external threats.
Associated Risks: It could let through a virus that infects the network. Information could be stolen, and data could be lost. The reputation of the college could be ruined.
Examples of Current Controls: The firewall is set to update automatically during off hours. After the update, it is set to automatically scan for viruses and send an alert to the network administrator if something is found.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: Router
Information Type/Sensitivity Level: Directs data packets across the network to where they should be.
Associated Risks: Data could get scrambled, lost, or intercepted. Workflow would be interrupted until the flow of data was returned to normal.
Examples of Current Controls: The router is encrypted and monitored for unauthorized access by the network administrator. If something outside the usual pattern of data exchange happens, an alert is created.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: Guest access
Information Type/Sensitivity Level: Allows anyone to access a computer or the internet on the network with guest privileges.
Associated Risks: Someone could use that privilege to hack the system. Student and faculty information could be stolen and the reputation of the school would be ruined.
Examples of Current Controls: Guest access is disabled. A username and password are required for access and are provided to every faculty member and student.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: Backup
Information Type/Sensitivity Level: Backs up all files on all computers, servers and external hard drives.
Associated Risks: The data could be old or corrupt. This could cause the company to be unable to restore lost files.
Examples of Current Controls: All files are backed up onsite and offsite through another company to provide double the protection.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Business Impact Analysis

Unit: Registration Services
Process ID: RS-01
Activity (Type of Data): Registration for new students
Activity Owner: Tiffany George
Degree of Impact: 2
Political or Sensitivity: 1
Financial Cost: 2
Probability of Loss: 3
Overall Weight: 2

Unit: Financial Services
Process ID: FS-02
Activity (Type of Data): Manages finances for all students and payroll for faculty
Activity Owner: Kyle Rose
Degree of Impact: 1
Political or Sensitivity: 1
Financial Cost: 1
Probability of Loss: 2
Overall Weight: 1.25

Unit: Human Resources
Process ID: HR-03
Activity (Type of Data): Manages all problems among students and faculty
Activity Owner: Amy Keyser
Degree of Impact: 3
Political or Sensitivity: 1
Financial Cost: 2
Probability of Loss: 3
Overall Weight: 2.25

System Data & Sensitivity Classification

Process ID: RS-01
Overall Weight: 2
Application/Manual Resource: HR-03, FS-02
Activity Owner: Tiffany George
Acceptable Down Time: 1 Day
Data Owner: Trisha Rose
Confidentiality: Moderate
Integrity: Low
Availability: Low
Other Regulatory Requirements: Privacy Act of 1974

Process ID: FS-02
Overall Weight: 1.25
Application/Manual Resource: HR-03, RS-01
Activity Owner: Kyle Rose
Acceptable Down Time: 2 Hours
Data Owner: Trisha Rose
Confidentiality: High
Integrity: High
Availability: High
Other Regulatory Requirements: Privacy Act of 1974

Process ID: HR-03
Overall Weight: 2.25
Application/Manual Resource: FS-02, RS-01
Activity Owner: Amy Keyser
Acceptable Down Time: 3 Days
Data Owner: Trisha Rose
Confidentiality: High
Integrity: Moderate
Availability: Moderate
Other Regulatory Requirements: Privacy Act of 1974

IT System Inventory & Definition

Process ID: FS-02
System Name: Financial Services
Inventory Information: n/a
System Owner: Kyle Rose, Rose University, 1-800-555-5555 ext.5502
Data Owner: Trisha Rose, Rose University, 1-800-555-5555 ext.5500
System Administrator: Umbrion Rose, Rose University, 1-800-555-5555 ext.5512
Data Custodian: Espion Rose, Rose University, 1-800-555-5555 ext.5522
External Contact Information: Bank of America
Primary Users: Kyle Rose, Trisha Rose
Required Recovery Time: 2 Hours
System Description: 1 server labeled as FS-02, router connecting to core server, firewall protecting it from internet and outside sources.
Network Access: LAN
System Interface and Boundary: n/a
If the IT system connects to other IT systems, is an Interoperability Security Agreement (ISA) in place? n/a
Authentication Mechanism: Firewall, Password
Change Management Description: n/a

Emergency Response Teams

Data Recovery Team
This team is put together to manage all data recovery for Rose University.
Trisha Rose (Team Leader) - 1-800-555-5555 ext.5500, PO Box 5500 Rose City, RE 00000
Bella Rose - 1-800-555-5555 ext.5510, PO Box 5510 Rose City, RE 00000
Donna Rose - 1-800-555-5555 ext.5520, PO Box 5520 Rose City, RE 00000

Physical Damage Crisis Team
This team is in charge of managing all physical damage done and ensuring that all damage is repaired and taken care of.
Tiffany George (Team Leader) - 1-800-555-5555 ext.5501, PO Box 5501 Rose City, RE 00000
Katie Lore - 1-800-555-5555 ext.5511, PO Box 5511 Rose City, RE 00000
Pika Chu - 1-800-555-5555 ext.5521, PO Box 5521 Rose City, RE 00000

People Management Team
This team is in place to make sure everyone who may have been affected by the crisis is taken care of, whether it is someone who needs someone to talk to or someone who needs medical attention.
Amy Keyser (Team Leader) - 1-800-555-5555 ext.5503, PO Box 5503 Rose City, RE 00000
Raisa Ana - 1-800-555-5555 ext.5513, PO Box 5513 Rose City, RE 00000
Marianna Wolf - 1-800-555-5555 ext.5523, PO Box 5523 Rose City, RE 00000

Financial Management Team
This team is meant to take care of all finances surrounding the crisis and ensure the other teams have the money needed to perform their team duties.
Kyle Rose (Team Leader) - 1-800-555-5555 ext.5502, PO Box 5502 Rose City, RE 00000
Umbrion Rose - 1-800-555-5555 ext.5512, PO Box 5512 Rose City, RE 00000
Espion Rose - 1-800-555-5555 ext.5522, PO Box 5522 Rose City, RE 00000