Uploaded by 5thdawg, posted 29-Apr-2015


Page 1: ISA4330 Project Template v3


Brightington Academy
Security Program Recommendations

(General Note: This project should be SPIRAL/COMB bound – no 3 ring binders and no binder clips or paper clips. You should insert TABs at the major sections.)

Ima Student
ISA 4330
Date

Page 2: ISA4330 Project Template v3

Note to students: This is not a perfect template – feel free to add/remove/modify sections as you see fit, as long as you have the minimum components specified in the Project requirements. On average a good project is between 50 and 100 pages long. While length is not assessed, I have found that longer projects tend to have better grades (since they have better detail) than excessively short projects. Simply adding content to this template does not ensure an “A” on the project. Since you’re given a complete template, I expect to see excellence in the details of the project, rather than in the organization of the project.

Develop a framework for a Contingency Plan to allow the organization to a) react to Incidents, b) recover from a Disaster and c) establish operations at an alternate site if (b) does not appear feasible in an amount of time determined by you to be acceptable. Whenever the case does not provide enough information, feel free to extrapolate and assert assumptions.

The following outline provides the structure for the CP Plan, the comments in italics beneath each heading are for additional information and are not intended to be included in the final project. Each major (Roman numeral) heading provided here should start on its own page. In the hard copy it will be tabbed.

In addition to submitting an electronic copy, create a spiral-bound hard copy, complete with tabs, and provide to my office by the due date. The electronic copy is used to determine your “submission by” date, but I prefer to actually grade the hard copies, using the rubric in Vista.


Page 3: ISA4330 Project Template v3

Executive Summary

1 page summary of the overall CP Plan including specifics for IR, DR and BC operations.


Page 4: ISA4330 Project Template v3

Table of Contents (Page numbers will change when content is updated)

Executive Summary.......................................................................................................................................3

I. Overview of Organization.....................................................................................................................7

A. Organization Overview......................................................................................................................8

B. Organization Chart.............................................................................................................................8

C. Current IR/DR/BC Operations...........................................................................................................8

II. Senior Management Commitment........................................................................................................9

A. Need for Commitment and Support for Senior Management..........................................................10

III. The CP Management Team (CPMT)..................................................................................................11

A. CPMT Roles and Responsibilities...................................................................................................12

B. CPMT Composition and Contact Information.................................................................................12

IV. The CP Policy Document....................................................................................................................13

CP Policy Overview.................................................................................................................................14

A. Issue Statement................................................................................................................................14

B. Organization’s Position....................................................................................................................14

C. Applicability....................................................................................................................................14

D. Roles and Responsibilities...............................................................................................................14

E. General CP Policies.........................................................................................................................14

F. Compliance......................................................................................................................................14

G. Supplemental Information...............................................................................................................14

H. Points of Contact..............................................................................................................................14

V. Business Impact Analysis..................................................................................................................15

BIA Overview..........................................................................................................................................16

A. Identification and prioritization of threats and attacks....................................................................16

B. Business Unit Analysis....................................................................................................................16

C. Attack Success Scenario Development............................................................................................16

D. Potential Damage Assessment.........................................................................................................16

E. Subordinate Plan Classification.......................................................................................................16

F. BIA Questionnaire...........................................................................................................................16

VI. Incident Response Plan......................................................................................................................17

Incident Response Plan Overview...........................................................................................................18

A. Incident Response Policy.................................................................................................................18


Page 5: ISA4330 Project Template v3

1. Statement of management commitment...................................................................................18

2. Purpose and objectives of the policy.......................................................................................18

3. Scope of the policy...................................................................................................................18

4. Definitions................................................................................................................................18

5. Organizational structure and delineation of roles, responsibilities, and levels of authority....18

6. Prioritization or severity ratings of incidents...........................................................................18

7. Performance measures.............................................................................................................18

8. Reporting and contact forms....................................................................................................18

B. Incident Response Plan....................................................................................................................19

1. IR Team Composition and Functions......................................................................................19

2. SIRT Team Composition and Functions..................................................................................19

3. Index of Attacks against organizational information assets....................................................19

4. Attack 1:...................................................................................................................................19

5. Attack 2:...................................................................................................................................20

C. IR Plan Testing, Training and Exercise...........................................................................................20

D. IR Plan Maintenance........................................................................................................................20

VII. Business Resumption Strategies.....................................................................................................21

Business Resumption Strategies Overview.............................................................................................22

A. Data Backup and Recovery Policy..................................................................................................22

1. Statement of management commitment...................................................................................22

2. Purpose and objectives of the policy.......................................................................................22

3. Scope of the policy...................................................................................................................22

4. Definitions................................................................................................................................22

5. Organizational structure and delineation of roles, responsibilities, and levels of authority....22

6. Data Retention and Destruction Guidelines.............................................................................22

7. Reporting and contact forms....................................................................................................22

B. Description of Onsite and Offsite Backup and Recovery Plans......................................................22

C. Description of Site Recovery Strategy.............................................................................................22


Page 6: ISA4330 Project Template v3

VIII. Disaster Recovery Plan...................................................................................................................23

Disaster Recovery Planning Overview....................................................................................................24

A. DR Team Composition and Responsibilities...................................................................................24

B. DR Planning Policy Statement.........................................................................................................24

C. BIA Review for DR Planning..........................................................................................................24

D. DR Preventative Controls................................................................................................................24

E. DR Strategies...................................................................................................................................24

F. DR Plan............................................................................................................................................24

1. Index of Attacks Which could Escalate into Disasters............................................................24

2. Attack 1:...................................................................................................................................25

G. DR Plan Testing, Training and Exercise..................................................................................25

H. DR Plan Maintenance..................................................................................................25

IX. Business Continuity Plan...................................................................................................................26

Business Continuity Planning Overview.................................................................................................27

A. BC Team Composition and Responsibilities...................................................................................27

B. BC Planning Policy Statement.........................................................................................................27

C. BIA Review for BC Planning..........................................................................................................27

D. BC Preventative Controls................................................................................................................27

E. BC Alternate Site Occupation and Evacuation Strategies...............................................................27

F. BC Plan............................................................................................................................................27

G. BC Plan Testing, Training and Exercise..........................................................................................27

H. BC Plan Maintenance......................................................................................................................27


Page 7: ISA4330 Project Template v3


Computer Gaming Technologies

I. Overview of Organization

Ima Student
Date

Page 8: ISA4330 Project Template v3

A. Organization Overview
In this section the student should write a general overview of the company (typically 1 page).

B. Organization Chart
In this section the student should provide the organization chart of the company, focusing on information security personnel and positions (typically 1 page).

C. Current IR/DR/BC Operations
In this section the student should write a general overview of the company’s current IR/DR/BC functions and preparations (typically 1 page).

II. Senior Management Commitment

A. Need for Commitment and Support for Senior Management
1-2 pages describing this subject.


Page 9: ISA4330 Project Template v3

Computer Gaming Technologies

III. The CP Management Team (CPMT)


Ima Student
Date

Page 10: ISA4330 Project Template v3

A. CPMT Roles and Responsibilities
2-5 pages describing the composition, roles and responsibilities of the CPMT.

B. CPMT Composition and Contact Information
Can be done in a table on a single page; include names, titles and roles of the various CPMT (and subordinate team) members.


Page 11: ISA4330 Project Template v3


Computer Gaming Technologies

IV. The CP Policy Document

Ima Student
Date

Page 12: ISA4330 Project Template v3

CP Policy Overview
For this section, you will describe the CP policy process and provide insight into the development of the CP Policy, then you will fully flesh out a CP policy for the organization. Using the information provided in the text, create a CP Policy Document to be used as guidance for this entire Plan. The total policy should average 3-5 pages, and no more than 10.

A. Issue Statement

B. Organization’s Position

C. Applicability

D. Roles and Responsibilities

E. General CP Policies

F. Compliance

G. Supplemental Information

H. Points of Contact


Page 13: ISA4330 Project Template v3

Ima Student
Date


Computer Gaming Technologies

V. Business Impact Analysis

Page 14: ISA4330 Project Template v3

BIA Overview
Create a Business Impact Analysis, using 3 sample attacks for the scenario development. Provide a template for the organization to continue to use for other scenarios. Section A should be as comprehensive as possible. Create a BIA questionnaire or find a suitable one from an outside source (but fully reference/cite it!). Average length 10-20 pages.

A. Identification and prioritization of threats and attacks

B. Business Unit Analysis

C. Attack Success Scenario Development

D. Potential Damage Assessment

E. Subordinate Plan Classification

F. BIA Questionnaire


Page 15: ISA4330 Project Template v3


Computer Gaming Technologies

VI. Incident Response Plan

Ima Student
Date

Page 16: ISA4330 Project Template v3

Incident Response Plan Overview
For this section, you will research and organize policy and plans for incident response in the organization. You will identify and prioritize attacks, further develop the three attack success cases, and prepare recommendations for actions DURING, AFTER and BEFORE these attacks.

A. Incident Response Policy
For this section, you will create an IR policy for the case organization. Average length 3-5 pages.

1. Statement of management commitment

2. Purpose and objectives of the policy

3. Scope of the policy

(to whom and what it applies and under what circumstances)

4. Definitions

Definitions of information security incidents and their consequences within the context of the organization

5. Organizational structure and delineation of roles, responsibilities, and levels of authority

should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, and the requirements for reporting certain types of incidents

6. Prioritization or severity ratings of incidents

7. Performance measures

8. Reporting and contact forms


Page 17: ISA4330 Project Template v3

B. Incident Response Plan

1. IR Team Composition and Functions

2. SIRT Team Composition and Functions

3. Index of Attacks against organizational information assets

(Listed in order of priority, in a weighted table showing the selected criteria and their weights.)

                    Criterion 1   Criterion 2   Criterion 3   Score
Criterion Weights       ##            ##            ##
Attack 1
Attack 2
Attack 3
...
Attack n

4. Attack 1:

(Listed in order of priority)

a) Attack Success End Case for Attack 1

b) Incident Response Plan Addendum to Attack Success End Case

c) Actions to take DURING Attack 1

d) Actions to take AFTER Attack 1

e) Actions to take BEFORE Attack 1


Page 18: ISA4330 Project Template v3

5. Attack 2:

(list continues through all attacks deemed critical by organization)

C. IR Plan Testing, Training and Exercise

D. IR Plan Maintenance


Page 19: ISA4330 Project Template v3

Computer Gaming Technologies

VII. Business Resumption Strategies


Ima Student
Date

Page 20: ISA4330 Project Template v3

Business Resumption Strategies Overview
For this section, you will research and organize policy and plans for business resumption strategies, specifically the options for off-site locations and backup/recovery plans. You will identify options (with pricing if possible), and compare and contrast the options. You will then recommend 1-3 “finalists” for each section.

Resumption strategies are organized separately from the DR/BC plans to facilitate their use in IR, DR or BC operations. This section should average 10-15 pages.

A. Data Backup and Recovery Policy

1. Statement of management commitment

2. Purpose and objectives of the policy

3. Scope of the policy

(to whom and what it applies and under what circumstances)

4. Definitions

Definitions of backup, recovery, retention and destruction terms within the context of the organization

5. Organizational structure and delineation of roles, responsibilities, and levels of authority

should include the authority to initiate and approve backups, restores and media destruction, and the requirements for reporting backup and recovery failures

6. Data Retention and Destruction Guidelines

7. Reporting and contact forms

B. Description of Onsite and Offsite Backup and Recovery PlansThis section contains recommendations for alternative onsite and offsite data backup and recovery strategies for the organization…

C. Description of Site Recovery StrategyThis section contains recommendations for alternative site recovery strategies for the organization…


Page 21: ISA4330 Project Template v3

Computer Gaming Technologies

VIII. Disaster Recovery Plan


Ima Student
Date

Page 22: ISA4330 Project Template v3

Disaster Recovery Planning Overview
For this section you provide a brief overview of the DR Planning Process. You will then provide guidance and advice to the organization on accomplishing the primary tasks associated with DR Planning. You should have some recommendations on each of the stages listed, but you will not develop these documents. You will also provide a sample disaster ranking table and a sample attack success scenario and end cases focused on one (1) sample disaster to illustrate the development process. This section should average 5-10 pages.

A. DR Team Composition and Responsibilities

B. DR Planning Policy Statement

C. BIA Review for DR Planning

D. DR Preventative Controls

E. DR Strategies

F. DR Plan

1. Index of Attacks Which could Escalate into Disasters

(Listed in order of priority, in a weighted table showing the selected criteria and their weights.)

                    Criterion 1   Criterion 2   Criterion 3   Score
Criterion Weights       ##            ##            ##
Attack 1
Attack 2
Attack 3
...
Attack n
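A worked version of the weighted index above, added here as an example; it is not part of the template and serves the identical table in the Incident Response Plan (section VI.B.3) and the threat prioritization in the BIA (section V.A) as well. The template leaves the criteria as "Criterion 1..3" and the weights as "##"; the criterion names, weights, ratings and attack names below are constructed placeholders for a hypothetical organization, not drawn from the case. The script normalizes the weights so they sum to 1.0, scores each attack as the weighted sum of its 1-5 ratings, rejects missing or out-of-range ratings, ranks the attacks with a deterministic tie-break, and renders the table in the layout used above.

```python
"""Weighted attack-priority index for the IR/DR attack tables (added example).

The criteria, weights, ratings and attack names below are constructed
placeholders; the template leaves them ("Criterion 1..3", "##") for the
student to choose. Each attack is rated 1 (low) to 5 (high) on every
criterion. Weights are normalized to sum to 1.0, so a score lands on the
same 1-5 scale as the ratings and is comparable across attacks.
"""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5

# Constructed criteria and raw weights (any positive units; normalized below).
CRITERIA = ("likelihood", "impact", "recovery_difficulty")
RAW_WEIGHTS = {"likelihood": 40, "impact": 40, "recovery_difficulty": 20}


@dataclass(frozen=True)
class Attack:
    name: str
    ratings: dict  # criterion name -> integer rating in [RATING_MIN, RATING_MAX]


def normalize_weights(raw, criteria=CRITERIA):
    """Scale weights to sum to 1.0; reject missing, extra or non-positive weights."""
    if set(raw) != set(criteria):
        raise ValueError(f"weights must cover exactly {criteria}")
    if any(w <= 0 for w in raw.values()):
        raise ValueError("weights must be positive")
    total = sum(raw.values())
    return {c: raw[c] / total for c in criteria}


def score_attack(attack, weights):
    """Weighted sum of the attack's ratings, rounded to 2 decimals."""
    total = 0.0
    for criterion, weight in weights.items():
        rating = attack.ratings.get(criterion)
        if rating is None:
            raise ValueError(f"{attack.name}: missing rating for {criterion}")
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{attack.name}: rating {rating} for {criterion} out of range")
        total += weight * rating
    return round(total, 2)


def rank_attacks(attacks, raw_weights=RAW_WEIGHTS):
    """Return [(name, score), ...] highest score first; ties break alphabetically."""
    weights = normalize_weights(raw_weights)
    scored = [(a.name, score_attack(a, weights)) for a in attacks]
    return sorted(scored, key=lambda ns: (-ns[1], ns[0]))


def render_table(attacks, raw_weights=RAW_WEIGHTS):
    """Plain-text table in the template's layout: criteria, weight row, ranked attacks."""
    weights = normalize_weights(raw_weights)
    by_name = {a.name: a for a in attacks}
    name_w = max([len("Criterion Weights")] + [len(a.name) for a in attacks])
    cols = [c.replace("_", " ") for c in CRITERIA]
    col_w = max(len(c) for c in cols)
    lines = [" " * name_w + "  " + "  ".join(f"{c:>{col_w}}" for c in cols) + "  Score"]
    lines.append(f"{'Criterion Weights':<{name_w}}  "
                 + "  ".join(f"{weights[c]:>{col_w}.2f}" for c in CRITERIA))
    for name, s in rank_attacks(attacks, raw_weights):
        a = by_name[name]
        lines.append(f"{name:<{name_w}}  "
                     + "  ".join(f"{a.ratings[c]:>{col_w}d}" for c in CRITERIA)
                     + f"  {s:>5.2f}")
    return "\n".join(lines)


# Constructed sample attacks for a hypothetical organization (not from the case).
SAMPLE_ATTACKS = [
    Attack("Ransomware on file server", {"likelihood": 4, "impact": 5, "recovery_difficulty": 4}),
    Attack("Phishing credential theft", {"likelihood": 5, "impact": 3, "recovery_difficulty": 2}),
    Attack("DDoS on web portal", {"likelihood": 3, "impact": 3, "recovery_difficulty": 1}),
    Attack("Insider data exfiltration", {"likelihood": 2, "impact": 5, "recovery_difficulty": 3}),
]

if __name__ == "__main__":
    print(render_table(SAMPLE_ATTACKS))
```

Keeping the raw weights in whatever units the CPMT agrees on (percentages, points) and normalizing in code means the ranking does not silently change when a criterion is added, and the range check on ratings catches the usual spreadsheet mistake of a blank or a 0 being treated as "low risk".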


Page 23: ISA4330 Project Template v3

2. Attack 1:

(Listed in order of priority)

a) Attack Success End Case for Attack 1

b) Disaster Recovery Plan Addendum to Attack Success End Case

c) DR Actions to take DURING Attack 1

d) DR Actions to take AFTER Attack 1

e) DR Actions to take BEFORE Attack 1

G. DR Plan Testing, Training and Exercise

H. DR Plan Maintenance


Page 24: ISA4330 Project Template v3

Computer Gaming Technologies

IX. Business Continuity Plan


Ima Student
Date

Page 25: ISA4330 Project Template v3

Business Continuity Planning Overview
For this section you provide a brief overview of the BC Planning Process. You will then provide guidance and advice to the organization on accomplishing the primary tasks associated with BC Planning. You should have some recommendations on each of the stages listed, but you will not develop these documents. This section should average 5-10 pages.

A. BC Team Composition and Responsibilities

B. BC Planning Policy Statement

C. BIA Review for BC Planning

D. BC Preventative Controls

E. BC Alternate Site Occupation and Evacuation Strategies

F. BC Plan

G. BC Plan Testing, Training and Exercise

H. BC Plan Maintenance
