Week 5 Laboratory: Part 1
Part 1: Assess and Audit an Existing IT Security Policy Framework Definition
Learning Objectives and Outcomes
Upon completing this lab, students will be able to complete the following tasks:
* Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure
* Review existing IT security policies as part of a policy framework definition
* Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy
* Identify gaps in the IT security policy framework definition
* Recommend other IT security policies that can help mitigate all known risks, threats, and
2. Business Continuity – Business Impact Analysis (BIA) Policy Definition:
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. A BIA is an essential component of an organization's business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk.
3. Business Continuity & Disaster Recovery Policy Definition:
Business Continuity and Disaster Recovery (BCDR or BC/DR) are closely related practices that describe an organization's preparation for unforeseen risks to continued operations. The trend of combining business continuity and disaster recovery into a single term has resulted from a growing recognition that both business executives and technology executives need to be collaborating closely instead of developing plans in isolation.
4. Data Classification Standard & Encryption Policy Definition:
Encryption is the conversion of electronic data into another form, called cipher text, which cannot be easily understood by anyone except authorized parties. The primary purpose of encryption is to protect the confidentiality of digital data stored on computer systems or transmitted via the Internet or other computer networks. Modern encryption algorithms play
While these situations are not entirely avoidable, an organization’s ability to recover from such setbacks largely depends on how much energy has been invested into identifying and mitigating risk through the use of a well-established business continuity plan. Lindros and Tittel (2013) explain that business continuity refers to maintaining business functions, or quickly recovering such functions in the event of a major disruption, and the lack of planning doesn’t just mean an organization will take longer to recover, but may never recover at all. The first step to developing an effective continuity plan is a thorough planning process in which an organization establishes
What is the purpose of a Business Impact Analysis (BIA)? It identifies possible business failures in a company. It looks at the resources that may be needed.
5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage? The mainframe or complete data loss. This should have an extensive DRP.
One of the missions of the U.S. Department of Homeland Security is to protect and preserve the security of cyberspace in the country. The principal objective of this Security Plan is to give instructions and direction to the Department's workers and to help Homeland Security create best practices and strategies for the IT security system.
A Business Impact Analysis (BIA) is a methodology used to determine the effect of an interruption of services to DLIS and its total impact on the DLIS mission within the DLA.
The security plan is formulated to protect information and important resources from a wide variety of potential threats. This will promote business continuity, reduce business risks and increase the return on investment together with business opportunities. The security of information technology is attained by executing a suitable set of controls: efficient policies, processes, organizational structures, software and hardware. These controls ought to be formulated, put into action, assessed, analyzed and developed for productivity where necessary. This will allow the explicit security and business objectives of the United States Department of Health and Human Services to be accomplished (Easttom, 2006, p.32).
After the business continuity plan is completed, incident response (IR) planning should be performed and an incident response plan established. An incident response plan is "a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets" (Whitman). This is done by first forming an IR committee, then establishing an IR policy that integrates the business impact analysis into the incident response plan.
2. Why is a business impact analysis (BIA) an important first step in defining a business continuity plan (BCP)? It allows you to address the critical issues and possible risks.
Areas similar to standards discussed: Overview of the corporate philosophy on security.
Documents the Introduction and Purpose of the Information Security Policy of Chicago.
It provides a reasonable framework that helps the reader to understand the intent of the document.
Encryption is the process of converting plaintext into ciphertext. This unreadable message can be communicated over an insecure network without fear of loss of integrity and confidentiality. The encryption process is performed using an encryption algorithm.
"Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it" (Microsoft). Encryption uses an algorithm to change plaintext data into ciphertext. It has played a very important role in wars and in military circles to protect top-secret information from foreign countries.
A disaster recovery plan (DRP) and a business continuity plan (BCP) are not the same plan, but the two terms are sometimes used in place of each other. There are distinct differences between the two: a disaster recovery plan covers the recovery of information assets and services after disasters such as floods, fires or other catastrophic events, as well as hardware failure. A business continuity plan, on the other hand, encompasses a much wider responsibility than a DRP; a BCP plans recovery for the entire business or organization in the event of a major disaster, and a business continuity plan includes communication between employees, work facilities,
Business impact analyses help business continuity/disaster recovery experts recognize business needs and accept or adjust them for plan development (Paul, n.d.). Once threats to an organization have been identified through a risk analysis, the next step in a BIA is to determine how the identified risks affect particular business operations.
The purpose of an IT security policy is to provide "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure" ("Cyberspace Policy Review", 2016).
Disaster recovery planning and risk management is an initiative built to prevent greater business loss from circumstances that could affect firms. It is a mitigating and preventive action that braces business entities for when disasters strike the market. The action plan is intended to make sure that businesses are resilient enough to restore their operations even after such unexpected events happen.