Contingency Planning
Information Security contingency plans are very important for firms operating in today's world, where cyber security is a top issue as a result of businesses' technological and digital dependence. This paper will discuss the planning steps, possible recovery options, and recommended testing requirements needed to support a successful business contingency/continuity of operations environment. Included will be recommendations for a proposed 24-month cycle business contingency testing plan, what should be tested, and how the test should be conducted. Critical corporate assets will be ranked with the type of testing (i.e., plan reviews, tabletop exercises, and backup recovery tests). Costs associated with the recommended testing process will also be taken into consideration, including personnel, equipment, and production costs.
Planning Steps
Step 1 is to examine the organization of the IS department. An IS department should be organized in order to guard against an attack, blackout, or any other natural or man-made disaster that can impact the integrity of information related to a business's procedures and processes. The purpose of a contingency plan/continuity of operations environment is to ensure that the hierarchy of structure (including hardware, software, work teams, management, and crews involved in supervision) is able to conduct business fluidly and without interruption while maintaining safety of data through secure networks and storage devices. This requires a high degree of diligent oversight, supported by weekly assessments, made routine according to a standardized formula that incorporates analysis of the latest developments in technology, threats, and safety issues related to cyber security. Advisory notices should be directed towards proper personnel within the IS department, so that individual staff members are alerted to any adjustments that require attention; and the department should organize itself into teams or squads consisting of a threat recognition team, a problem-solving team, an info/data gathering team, a specs squad, a systems design unit, and a maintenance/review squad.
Once the IS department is organized, it can proceed to Step 2: risk assessment and business impact assessment. The purpose of each is to analyze the impact that a disruption can have on the organization and how to mitigate it (Vacca, 2009). Stakeholders in the organization (including but not limited to: directors, board members, employees, creditors, government advisors/agencies, owners, unions, and suppliers) must be called upon to assess the drivers that propel the firm forward and that are indispensable to the business's smooth operation. Drivers are the core components/strategies that offer real value to the organization, such as intellectual property or operations of data, and once these are determined and rated, the organization can perceive how much time, energy, and available resources should be directed towards ensuring that the driver is supported and backed up should a disaster strike. As Bahan (2003) indicates, it is the top priority of managers overseeing the business impact assessment to determine a top-down arrangement of drivers that require immediate support and are, therefore, first in line to be restored to working order in an infrastructure collapse event.
The risk assessment development can then proceed: it is accomplished by identifying risks to operational facilities based on precedent as well as potential threats that are currently at large (this is why a department team should be assigned to threat identification). Stemming the impact of potential disasters via risk management is a necessary step in any contingency/continuity of operations plan. The more potential disasters that can be averted ahead of time, the better (Haes, Grembergen, 2009).
Recovery Options
A recovery option is only as effective as the organization's ability to maintain communication lines in the event of a disaster. Therefore, a contingency plan as well as a continuity of operations plan must consider how a communications strategy will enable the business to stay online in terms of connectivity between stakeholders (i.e., suppliers, supply chain managers, directors, consumers, clients, etc.). Recovery options are available for a range of scenarios and business types. Selecting the right option will depend on the type of business being conducted and the type of disaster being prepared for. Strategic continuity software can be purchased by any business from a number of distributors/producers who specialize in supporting organizations in recovery-type situations. Ponemon Institute and companies like Symantec are leaders in the industry of helping firms to identify their recovery needs (cyber security options include utilizing a data breach risk calculator, which helps in the risk management stage identified above, and which can be used to help the firm develop its recovery plan). Other recovery...