Project 3: Business Continuity

Start Here

In the process of enterprise risk management, a primary element is the business continuity plan (BCP), which consists of steps to continue operations should a worst-case scenario event take place. Your work on vulnerabilities, threats, and risk in the first two projects will support this.

The BCP assignment will detail the following elements:

  • resources required and defined stakeholder roles
  • business impact analysis
  • recommended preventative controls
  • recovery strategies
  • contingency plan that includes implementation and maintenance guidelines and defined procedures for testing the plan

Grades are determined on the ability to clearly articulate a developed, effective business continuity plan that considers relevant environmental factors and aligns with organizational objectives.

This is the third of four sequential projects. There are 13 steps in this project. Begin below to review your project scenario.

Competencies

Your work will be evaluated using the competencies listed below.

  • 1.4: Tailor communications to the audience.
  • 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
  • 9.1: Continuity Planning and Implementation: Develop, implement, and maintain a business continuity plan, ensuring alignment with organizational goals and objectives.

Step 1: Review Assigned Organization

The process of business continuity planning addresses the preservation and recovery of business in the event of outages to normal business operations. The output of the process is the business continuity plan (BCP), an approved set of documented arrangements and procedures that enables an organization to facilitate the recovery of business operations, minimize losses, and replace or repair incurred damages as quickly as possible (Ouyang, n.d.).

According to the National Institute of Standards and Technology’s Special Publication 800-34, Contingency Planning Guide for IT Systems, business continuity planning is an ongoing task, the goals of which are to (Ouyang, n.d.):

  • sustain operations
  • recover and resume operations
  • protect assets

[Figure: Goals of the BCP Cycle]

In the case of your particular organization (use the one assigned to you in CMP 610 or another organization of your choice), the company may have an existing BCP. However, in your organization, as with many others, the BCP was written, put on the shelf, and rarely, if ever, referenced unless an emergency required implementation.

Knowing this, conduct operations as if there were no existing plan and create a new plan.

The next step will involve planning for the BCP, including establishing a need and defining a scope.

References

Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. http://opensecuritytraining.info/CISSP-9-BCDRP_files/9-BCP+DRP.pdf

Step 2: Define the Scope

In the first step, you reviewed BCP methodologies. You are now ready to continue the first part of the planning process, which involves establishing the need for a BCP and defining an appropriate scope for the company outlined in the scenario.

The BCP should address aspects of business continuity, business recovery, contingency planning, disaster recovery, and related activities. Focus on those elements that are adequate and expedient, based on your risk assessment for the enterprise.

Governmental agencies are required to develop an enterprise continuity of operations program (COOP). A COOP is a detailed framework that documents how the agency will ensure that essential functions continue through an emergency situation until normal operations can resume. Outside of federal, state, and local government, enterprises call that kind of framework a BCP. Both COOPs and BCPs are created to help organizations recover from disasters.

Consider what aspects of business continuity the BCP will address, such as business recovery, contingency planning, and disaster recovery. Submit a brief description for feedback (one page or less) of the topic areas to be covered in the BCP.

In the next step, you will use a risk management framework to put together a business impact analysis.

Step 3: Conduct a Business Impact Analysis

You’ve defined the scope for the BCP. Next, use an established risk management framework to conduct a business impact analysis (BIA).

The BIA provides written documentation to assist Maria and the other executives in understanding the business impact should an outage occur. Such impacts may be financial, in terms of lost revenues and additional expenses; operational, in terms of inability to deliver products and services; or even intangible, in terms of damage to the organization’s reputation and loss of public confidence.

This analysis should include all departments and facilities of the enterprise, list what it would take for each to resume adequate operations to meet the needs of the enterprise, and must include each phase of the recovery activities.

Remember, a key element to “business impact” is the financial aspect. What will it “cost” to take a particular action and, equally important, what could be the “cost” of inaction?

Prioritization is a key to the successful recovery of operations. The sequence of activities is an essential element in your contingency planning.

Use the Business Impact Analysis Template and then upload your BIA here for feedback.

In the next step, you will take a look at needed resources and who will be responsible for meeting those needs.

Step 4: Identify Key Resources and Stakeholders

After the BIA, the next step is to identify the key resources necessary and the stakeholders (executives and management) responsible for those resources. Remember, some resources necessary for a successful BCP might be external to the company. Be sure to include these aspects in the plan.

Now that all resources and stakeholders are identified and listed, answer these two questions: What resources are needed? Who are the players?

Expand the table for the BCP by including a column for accountability. With an assumed and reasonable job title, make a list of probable stakeholders responsible for execution of each recovery effort. Clearly identify their respective responsibilities during the reactivation of business processes.

Use the Key Resources and Stakeholders Template to indicate key resources and stakeholders involved in the recovery for feedback.

In the next step, you will look at what can be done to prevent or reduce the impact of a significant event.

Step 5: Consider Preventive Controls

After identifying the key stakeholders and resources, take a look at what can be put in place in advance to prevent or reduce risk. Based on previous research, plus what you have learned in the business impact analysis, what could be done to eliminate or minimize the impact of a major event? These are called preventive controls in the business process realm, or risk countermeasure implementation in technology language.

Either way, the BCP should contain controls that can be classified as measures taken in advance of a catastrophe that are designed to reduce the risk of a negative impact. In the process of itemizing the controls, make sure they are properly aligned with organizational goals and the strategic direction of the enterprise.

The preventative controls selected should be aligned with the organizational goals and strategies. You will list these controls in the next step.

Step 6: List Preventive Controls

In this step, you will write a description of the preventative controls that you considered in the previous step. These controls could eliminate or minimize the impact of a major event.

Upload a description of the preventative controls to be used in the BCP here for feedback.

In the next step, you will conduct research on recovery strategies.

Step 7: Research Recovery Strategies

A BCP is uniquely different from a complete disaster recovery plan (DRP), neither of which is a small undertaking. Both are required to return the enterprise to 100 percent functionality. The view for the enterprise is to have one BCP that contains multiple DRPs generally broken into department or business function categories.

The BCP is an overarching strategic approach to getting any business back “in” business with all mandatory functionality as soon as possible after disaster strikes. This is why the previous steps and projects have required these elements to be identified and prioritized. As such, the BCP is not as detail-oriented as the DRP and only contains DRP requirements that are absolutely mandatory to get the business back in action at the earliest opportunity.

The DRP is usually more technical, very specific, and very much a necessity in today’s highly connected technology infrastructure. The DRP includes descriptions of data backup strategies, recovery sites, and postincident requirements.

There will naturally be several aspects of the rebuild that might not go exactly as planned. This exercise will be to demonstrate an ability to follow multiple paths in a decision tree environment. The objective will be to create a drawing or descriptive list that follows both options to each decision of “yes” or “no” or “success” or “failure” to the reconstructive effort.

Specifically, for each step, conclude with an answer to the question “was the action successful?” If “yes,” what is the next step? Or, if “no,” what is the alternative step to take next? Continue this process until you have successfully returned to operational status or determined you cannot reactivate under current circumstances. If the result of the plan is an inability to recover, the plan needs additional work to make it successful.

In the next step, you will document the selected recovery strategies.

Step 8: Document Recovery Strategies

Now that you have researched recovery strategies as they pertain to a BCP, list or map multiple strategic options to accomplish the recovery effort. Upload a description of the planned recovery strategies here for feedback.

When that is complete, move to the next step, where you will consider how the contingency plan will be implemented and maintained.

Step 9: Develop Implementation and Maintenance Procedures for the Contingency Plan

You’ve documented recovery strategies and are well on the way to completing the BCP. But writing a BCP is not enough. You must also have a clear plan for implementing and maintaining the BCP. Answer these questions:

  • What resources are needed?
  • Under what conditions, such as fire, natural disasters, occurrence of a terrorist attack, etc., will the BCP be activated?
  • How will stakeholders be made aware of the policies and procedures of the BCP?
  • How will employees be trained on the plan? How often will training occur? Will there be a general training for all employees or role-based trainings for people in specific functional areas?
  • How/where will the plan be stored for safekeeping and accessibility when needed?
  • When and how will BCP maintenance reviews be scheduled?
  • How will updates and changes to the plan be handled? How often will the plan be updated?

In this step, begin to develop a strategy for how the BCP will be implemented and maintained. This information will be used in Step 11, in which the contingency plan will be documented. Next, you will develop testing procedures for the plan.

Step 10: Develop Testing Procedures for the Contingency Plan

You’ve begun to outline your strategy for how to implement and maintain a BCP. It is also important to conduct business continuity testing to evaluate the effectiveness of a preparedness program in practice. This will give insight into whether the parts of the preparedness program will work and can help identify aspects of the BCP that work on paper but are ineffective or impractical in reality.

Examples of BCP Tests

| Types of Tests | Description |
|---|---|
| Structured walk-through | Step-by-step review of BCP plans with organization’s functional representatives |
| Checklist test | Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed |
| Simulation | A scenario-based practice execution of the BCP plans. |
| Parallel test | Operational test conducted at the alternate site(s). |
| Full interruption test | Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s). |

Source: Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. Used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license.

Taking time to develop, document, and test consistent processes and controls will also help you prepare for the annual audit of your information security system under any of the commonly used security and audit frameworks. Under these security and audit methodologies, auditors will gather information about the organization’s security systems, confirm that appropriate security measures are in place, and provide a report on their findings.

Now develop your strategy for how the BCP will be tested. Your plan will be included in the contingency plan to be submitted in the next step.

Step 11: Document the Contingency Plan

You’ve developed testing procedures. However, an effective BCP must outline how the plan will be implemented and maintained and also how it will be tested to ensure its viability in a real emergency situation. Therefore, an integral part of the BCP should be a discussion of plans for implementation and maintenance and for business continuity testing.

Upload your contingency plan with a description of how the BCP will be tested and plans for ensuring the proper implementation and maintenance of the plan here for feedback.

Step 12: Consolidate and Update Your Work

You’ve documented testing and implementation procedures, and the plan is nearly complete. In the next step, you will submit your final BCP. Take some time now to update your work on the project to this point and make updates based on feedback received or new information uncovered.

In the final step, you’ll complete and submit the BCP.

Step 13: Write the Business Continuity Plan (BCP)

Use the results from the previous steps to create a five- to seven-page business continuity plan. Explain the thought process of creating the specific plan steps and how each is related to business strategy considerations.

Use this Business Continuity Plan Template to submit your final assignment.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.

  • 1.4: Tailor communications to the audience.
  • 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
  • 9.1: Continuity Planning and Implementation: Develop, implement, and maintain a business continuity plan, ensuring alignment with organizational goals and objectives.

Project 3: Business Continuity Start Here In the process of enterprise risk management, a primary element is the business continuity plan (BCP), which consists of steps to continue operations should a
Project 3: Business ContinuityStart Here In the process of enterprise risk management, a primary element is the business continuity plan (BCP), which consists of steps to continue operations should a worst-case scenario event take place. Your work on vulnerabilities, threats, and risk in the first two projects will support this. The BCP assignment will detail the following elements: resources required and defined stakeholder roles business impact analysis recommended preventative controls recovery strategies contingency plan that includes implementation and maintenance guidelines and defined procedures for testing the plan Grades are determined on the ability to clearly articulate a developed, effective business continuity plan that considers relevant environmental factors and aligns with organizational objectives. This is the third of four sequential projects. There are 13 steps in this project. Begin below to review your project scenario. Transcript Competencies Your work will be evaluated using the competencies listed below. 1.4: Tailor communications to the audience. 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem. 9.1: Continuity Planning and Implementation: Develop, implement, and maintain a business continuity plan, ensuring alignment with organizational goals and objectives. Step 1: Review Assigned Organization The process of business continuity planning addresses the preservation and recovery of business in the event of outages to normal business operations. The output of the process is the business continuity plan (BCP), an approved set of documented arrangements and procedures that enables an organization to facilitate the recovery of business operations, minimize losses, and replace or repair incurred damages as quickly as possible (Ouyang, n.d.). 
According to the National Institute of Standards and Technology’s Special Publication 800-34, Contingency Planning Guide for IT Systems, business continuity planning is an ongoing task, the goals of which are to (Ouyang, n.d.): sustain operations recover and resume operations protect assets Goals of the BCP Cycle In the case of your particular organization (use the one assigned to you in CMP 610 or another organization of your choice), the company may have an existing BCP. However, in your organization, as with many others, the BCP was written, put on the shelf, and rarely, if ever, referenced unless an emergency required implementation. Knowing this, conduct operations as if there were no existing plan and create a new plan. The next step will involve planning for the BCP, including establishing a need and defining a scope. References Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. http://opensecuritytraining.info/CISSP-9-BCDRP_files/9-BCP+DRP.pdf Step 2: Define the Scope In the first step, you reviewed BCP methodologies. You are now ready to continue the first part of the planning process, which involves establishing the need for a BCP and defining an appropriate scope for the company outlined in the scenario. The BCP should address aspects of business continuity, business recovery, contingency planning, disaster recovery, and related activities. Focus on those elements that are adequate and expedient, based on your risk assessment for the enterprise. Governmental agencies are required to develop an enterprise continuity of operations program (COOP). A COOP is a detailed framework that documents how the agency will ensure that essential functions continue through an emergency situation until normal operations can resume. Outside of federal, state, and local government, enterprises call that kind of framework a BCP. Both COOPs and BCPs are created to help organizations recover from disasters. 
Consider what aspects of business continuity the BCP will address, such as business recovery, contingency planning, and disaster recovery. Submit a brief description for feedback (one page or less) of the topic areas to be covered in the BCP. Submission for Project 3: BCP Scope Previous submissions 0 Top of Form Drop files here, or click below. Add Files Bottom of Form In the next step, you will use a risk management framework to put together a business impact analysis. Step 3: Conduct a Business Impact Analysis You’ve defined the scope for the BCP. Next, use an established risk management framework to conduct a business impact analysis (BIA). The BIA provides written documentation to assist Maria and the other executives in understanding the business impact should an outage occur. Such impacts may be financial, in terms of lost revenues and additional expenses; operational, in terms of inability to deliver products and services; or even intangible, in terms of damage to the organization’s reputation and loss of public confidence. This analysis should include all departments and facilities of the enterprise, list what it would take for each to resume adequate operations to meet the needs of the enterprise, and must include each phase of the recovery activities. Remember, a key element to “business impact” is the financial aspect. What will it “cost” to take a particular action and, equally important, what could be the “cost” of inaction? Prioritization is a key to the successful recovery of operations. The sequence of activities is an essential element in your contingency planning. Use the Business Impact Analysis Template and then upload your BIA here for feedback. Submission for Project 3: Business Impact Analysis Previous submissions 0 Top of Form Drop files here, or click below. Add Files Bottom of Form In the next step, you will take a look at needed resources and who will be responsible for meeting those needs. 
Step 4: Identify Key Resources and Stakeholders After the BIA, the next step is to identify the key resources necessary and the stakeholders (executives and management) responsible for those resources. Remember, some resources necessary for a successful BCP might be external to the company. Be sure to include these aspects in the plan. Now that all resources and stakeholders are identified and listed, answer these two questions: What resources are needed? Who are the players? Expand the table for the BCP by including a column for accountability. With an assumed and reasonable job title, make a list of probable stakeholders responsible for execution of each recovery effort. Clearly identify their respective responsibilities during the reactivation of business processes. Use the Key Resources and Stakeholders Template to indicate key resources and stakeholders involved in the recovery for feedback. Submission for Project 3: Key Resources and Stakeholders Previous submissions 0 Top of Form Drop files here, or click below. Add Files Bottom of Form In the next step, you will look at what can be done to prevent or reduce the impact of a significant event. Step 5: Consider Preventive Controls After identifying the key stakeholders and resources, take a look at what can be put in place in advance to prevent or reduce risk. Based on previous research, plus what you have learned in the business impact analysis, what could be done to eliminate or minimize the impact of a major event? These are called preventive controls in the business process realm, or risk countermeasure implementation in technology language. Either way, the BCP should contain controls that can be classified as measures taken in advance of a catastrophe that are designed to reduce the risk of a negative impact. In the process of itemizing the controls, make sure they are properly aligned with organizational goals and the strategic direction of the enterprise. 
The preventative controls selected should be aligned with the organizational goals and strategies. You will list these controls in the next step. Step 6: List Preventive Controls In this step, you will write a description of the preventative controls that you considered in the previous step. These controls could eliminate or minimize the impact of a major event. Upload a description of the preventative controls to be used in the BCP here for feedback. Submission for Project 3: Preventive Controls List Previous submissions 0 Top of Form Drop files here, or click below. Add Files Bottom of Form In the next step, you will conduct research on recovery strategies. Step 7: Research Recovery Strategies A BCP is uniquely different from a complete disaster recovery plan (DRP), neither of which is a small undertaking. Both are required to return the enterprise to 100 percent functionality. The view for the enterprise is to have one BCP that contains multiple DRPs generally broken into department or business function categories. The BCP is an overarching strategic approach to getting any business back “in” business with all mandatory functionality as soon as possible after disaster strikes. This is why the previous steps and projects have required these elements to be identified and prioritized. As such, the BCP is not as detail-oriented as the DRP and only contains DRP requirements that are absolutely mandatory to get the business back in action at the earliest opportunity. The DRP is usually more technical, very specific, and very much a necessity in today’s highly connected technology infrastructure. The DRP includes descriptions of data backup strategies, recovery sites, and postincident requirements. There will naturally be several aspects of the rebuild that might not go exactly as planned. This exercise will be to demonstrate an ability to follow multiple paths in a decision tree environment. 
The objective will be to create a drawing or descriptive list that follows both options to each decision of “yes” or “no” or “success” or “failure” to the reconstructive effort. Specifically, for each step, conclude with an answer to the question “was the action successful?” If “yes,” what is the next step? Or, if “no,” what is the alternative step to take next? Continue this process until you have successfully returned to operational status or determined you cannot reactivate under current circumstances. If the result of the plan is an inability to recover, the plan needs additional work to make it successful. In the next step, you will document the selected recovery strategies. Step 8: Document Recovery Strategies Now that you have researched recovery strategies as they pertain to a BCP, list or map multiple strategic options to accomplish the recovery effort. Upload a description of the planned recovery strategies here for feedback. Submission for Project 3: Viable Recovery Strategies Previous submissions 0 Top of Form Drop files here, or click below. Add Files Bottom of Form When that is complete, move to the next step, where you will consider how the contingency plan will be implemented and maintained. Step 9: Develop Implementation and Maintenance Procedures for the Contingency Plan You’ve documented recovery strategies and are well on the way to completing the BCP. But writing a BCP is not enough. You must also have a clear plan for implementing and maintaining the BCP. Answer these questions: What resources are needed? Under what conditions, such as fire, natural disasters, occurrence of a terrorist attack, etc., will the BCP will be activated? How will stakeholders be made aware of the policies and procedures of the BCP? How will employees be trained on the plan? How often will training occur? Will there be a general training for all employees or role-based trainings for people in specific functional areas? 
How/where will the plan be stored for safekeeping and accessibility when needed? When and how will BCP maintenance reviews be scheduled? How will updates and changes to the plan be handled? How often will the plan be updated?

In this step, begin to develop a strategy for how the BCP will be implemented and maintained. This information will be used in Step 11, in which the contingency plan will be documented. Next, you will develop testing procedures for the plan.

Step 10: Develop Testing Procedures for the Contingency Plan

You've begun to outline your strategy for how to implement and maintain a BCP. It is also important to conduct business continuity testing to evaluate the effectiveness of a preparedness program in practice. This will give insight into whether the parts of the preparedness program will work and can help identify aspects of the BCP that work on paper but are ineffective or impractical in reality.

Examples of BCP Tests

Type of test: Description

  • Structured walk-through: Step-by-step review of BCP plans with organization's functional representatives.
  • Checklist test: Functional representatives review BCP plans and check off the points that are listed to ensure concerns and activities are addressed.
  • Simulation: A scenario-based practice execution of the BCP plans.
  • Parallel test: Operational test conducted at the alternate site(s).
  • Full interruption test: Full-scale operational test including shutdown of primary site and recovery of business operations at alternate site(s).

Source: Ouyang, A. (n.d.). CISSP common body of knowledge: Business continuity & disaster recovery planning domain. Used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license.

Taking time to develop, document, and test consistent processes and controls will also help you prepare for the annual audit of your information security system under any of the commonly used security and audit frameworks. Under these security and audit methodologies, auditors will gather information about the organization's security systems, confirm that appropriate security measures are in place, and provide a report on their findings.

Now develop your strategy for how the BCP will be tested. Your plan will be included in the contingency plan to be submitted in the next step.

Step 11: Document the Contingency Plan

You've developed testing procedures. However, an effective BCP must outline how the plan will be implemented and maintained and also how it will be tested to ensure its viability in a real emergency situation. Therefore, an integral part of the BCP should be a discussion of plans for implementation and maintenance and for business continuity testing.

Upload your contingency plan with a description of how the BCP will be tested and plans for ensuring the proper implementation and maintenance of the plan here for feedback.

Step 12: Consolidate and Update Your Work

You've documented testing and implementation procedures, and the plan is nearly complete. In the next step, you will submit your final BCP. Take some time now to update your work on the project to this point and make updates based on feedback received or new information uncovered. In the final step, you'll complete and submit the BCP.

Step 13: Write the Business Continuity Plan (BCP)

Use the results from the previous steps to create a five- to seven-page business continuity plan. Explain the thought process of creating the specific plan steps and how each is related to business strategy considerations. Use this Business Continuity Plan Template to submit your final assignment.

Check Your Evaluation Criteria

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.

  • 1.4: Tailor communications to the audience.
  • 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
  • 9.1: Continuity Planning and Implementation: Develop, implement, and maintain a business continuity plan, ensuring alignment with organizational goals and objectives.
Business Continuity Plan Template

CIO Maria Sosa has asked you to provide her and the other executives with a business continuity plan for your organization.

Final Business Continuity Plan (five- to seven-page report using this template). The plan should include the following components:

  • Title Page. Include: for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document.
  • Overview. Include: justifications demonstrating the value of a BCP for the organization; description of the scope of the BCP (one-page narrative, from Step 2).
  • Business Impact Analysis and Key Resources and Stakeholders (table from Step 4, plus one-page summary of findings). Include: table from Step 4; summary of findings.
  • Preventative Controls (one to two pages, from Step 6).
  • Recovery Strategies (two to three pages, from Step 8).
  • Contingency Plan (from Step 11). Include: implementation and maintenance procedures; testing procedures.
  • Summary. Include: explanation of the thought process of creating the specific plan steps and how each is related to business strategy considerations.
Key Resources and Stakeholders Template

Copy the BIA findings into the table below and add information on the resources that are needed and the persons or groups accountable for that specific aspect of the BCP.

Threat Impacts Priority Assessment Recovery Methods Accountability

Note: You can add more rows to the bottom of the table if needed.
Business Impact Analysis Template

Threat Impacts Priority Assessment Recovery Methods

Note: You can add more rows to the bottom of the table if needed.
Learning Topic: Security and Audit Frameworks

Security and audit frameworks provide benchmarks for cybersecurity practitioners to audit or review systems. Some frameworks are government-created. These frameworks are not mandatory; they are only recommended, and cybersecurity enterprises are encouraged to implement them. Most of the security and audit frameworks are created by private organizations. Those frameworks are recognized as best practices, which give credibility to the organizations following the guidelines.

Examples of best-practice security and audit frameworks include:

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • IT Infrastructure Library (ITIL)
  • Control Objectives for Information and Related Technology (COBIT)
  • ISO/IEC 27002:2013

The ISO/IEC 27002:2013 standards provide guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, with consideration of the organization's information security risk environment(s). According to the website for the International Organization for Standardization (ISO), the ISO/IEC 27002:2013 was designed to be used by organizations that intend to:

  • select controls within the process of implementing an information security management system based on ISO/IEC 27001
  • implement commonly accepted information security controls
  • develop their own information security management guidelines

ITIL is a collection of books published by the government of the United Kingdom. The books feature best practices that align IT services with the needs of businesses. The latest version of ITIL is version 4, released in February 2019.

COSO was originally organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, and eventually developed recommendations for public companies and their auditors, other regulators, and educational institutions, according to the organization's website.

COBIT, a set of best practices for IT management, was created in 1996 by the Information Systems Audit (ISA), the Control Association (ISACA), and the IT Governance Institute (ITGI).

References

Committee of Sponsoring Organizations of the Treadway Commission. (n.d.). About us. https://www.coso.org/Pages/aboutus.aspx

International Organization for Standardization (ISO). (n.d.). ISO/IEC 27002:2013: Information technology — security techniques — code of practice for information security controls. http://www.iso.org/iso/catalogue_detail?csnumber=54533
Learning Topic: Risk Management Framework

ISACA Risk IT describes a risk management framework as one that treats risk holistically across the organization and explains that IT affects risk and the organization concurrently (ISACA, 2009). According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), enterprise risk management is defined as “a process … applied … across the enterprise, designed to identify potential events … and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). The COSO framework is used by risk executives to manage enterprise risks.

Risk is identified as:

  • the risk of not realizing a benefit from IT
  • the risk of not delivering on IT programs
  • the risk of not providing intended services with IT

What's important is that the risk management framework definition is largely consistent across four organizations concerned with standardization: ISACA, COSO, ISO (International Organization for Standardization), and NIST (National Institute for Standards and Technology). The differences among them reflect variations in audience and emphasis. The guidance to system security engineers is to recognize requirements, clarify responsibilities, and work as a team to identify and mitigate risk holistically and continuously across the organization.

Risks are evaluated along with benefit using this framework, for a more complete strategic decision process. Otherwise, the ISACA model is similar to the NIST risk management model in NIST Special Publication 800-39, Managing Information Security Risk. The ISACA risk model (2009) stresses connectivity to the business model (framing), risk governance (leadership involvement), evaluation (assessment) and response, and prescribes communication (cross-organization teams) and continuous assessment (monitoring).

ISACA framework definitions are consistent with ISO 31000 definitions. ISO 31000:2009, “A Practical Guide for SMEs (small- and medium-sized enterprises),” features a process cycle similar to NIST guidance, featuring planning (frame and assess), implementing (respond) and monitoring (monitor), but adds an important continuous improvement prescription to improve the plan and process in response to a changing environment.

ISO Guide 73:2009 is a definitions standard that contains a definition of risk management. Like all ISO standards, it is available for purchase. Nonetheless, the freely available online ISO 31000:2009 defines risk as a combination of the consequences of an uncertain event (including changes in circumstances) and the associated uncertain likelihood of occurrence. Importantly, “Risk in ISO 31000:2009 is neutral; the consequences associated with a risk can enhance the achievement of objectives (i.e. positive consequences) or can limit or diminish the achievement of objectives (i.e. negative consequences)” (ISO/ITC, 2009). This interpretation is different from that of the NIST special publications.

References

Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2014). Enterprise risk management — integrated framework. Executive summary. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

ISACA. (2009). The risk IT framework. https://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf

ISO/ITC. (2009). ISO 31000:2009: A practical guide for SMEs. http://www.iso.org/iso/iso_31000_for_smes.pdf
Learning Topic: Security and Audit Methodologies

One mistake made by cybersecurity practitioners is to believe that when a critical infrastructure sets countermeasures against hacking, the system is forever protected. Cybersecurity practitioners need to be on continuous alert, and security and audit methodologies provide peace of mind. Auditing allows the opportunity to assess security risks and mitigate potential vulnerabilities.

In addition, security and auditing methodologies are good business practices. For example, customers assume that their information is protected when they open an account or apply for a loan. Security and auditing are important for an organization to ensure that controls and countermeasures are implemented correctly or appropriately, and to ensure that the controls and countermeasures are performing to their potential.

There are several common security and audit methodologies about which a cybersecurity professional must be knowledgeable. The CCTA Risk Analysis and Management Method (CRAMM) is a risk analysis method developed by the United Kingdom government organization CCTA (Central Communication and Telecommunication Agency), now called the Office of Government Commerce (OGC). Another important risk assessment approach is Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE defines a risk-based strategic assessment and planning technique for security.

Other important security and audit methodologies are value at risk (VAR) and Facilitated Risk Analysis Process (FRAP). While VAR is a methodology based on the notion that in order to assess the potential damage of an attack, cybersecurity practitioners should understand the worst loss due to a security breach, FRAP assumes that a narrow risk assessment is the best way to assess risk.
