Business Continuity and Disaster Recovery Plan

A disaster recovery plan focuses on the approaches to follow after a business faces a disaster. Most organizations adopt technology-oriented plans that aim at reshaping the network and systems. Business continuity deals with sustaining the organization after it experiences a disaster and involves more than technology. Numerous companies are building business continuity into their environment because of increased awareness of disastrous circumstances, as well as new legal requirements that place obligations for financial responsibility on top management.

Enterprise Business Continuity and Disaster Recovery Plan (BCDR) for ABBA Agency with 10 employees

A Business Continuity and Disaster Recovery (BCDR) plan is a set of procedures that helps organizations prepare for unexpected events. While preparing for BCDR, the company must incorporate the following requirements:

a) Practices, standards and guidelines for business security, risk assessment and mitigation

b) Plans for disaster recovery and business recovery that include computer and network security

c) Effective security policy, risk factors, security-related organizations, general security threat types and access controls

d) Universal guidelines and principles with respect to network security, IT risk assessment, risk analysis and risk management

e) Guidelines for cyber law, copyright, patent and privacy laws, within the bounds of the legal systems for digital media in the U.S. Court

It is crucial that organizations appreciate the extent of the probable damage and revenue losses that business disruptions can cause. The interruptions can range from man-made events and natural calamities to technology failures and others. Almost any type of business disruption can have direct or indirect impacts on the efficiency of a business. Businesses should identify the large and small issues that can have a negative effect on the company and find alternatives to counteract the disasters (Alexander, 2002).

The most significant part of a Business Continuity and Disaster Recovery Plan is implementing practices, standards and guidelines that have management support. Management must accept the significance of executing such a plan, and any business case for it needs management support. The issues covered in the disaster recovery plan include current vulnerabilities, regulatory and legal requirements, the status of recovery plans, and proposals (Alexander, 2002).

It is also necessary to incorporate cost/benefit issues, as this helps in gathering preliminary numbers and estimating potential losses. In addition, the disaster recovery plan should include computer and network security. While the implemented practices, standards and guiding principles ensure business security, computer and internet security ensures data maintenance. The policies implemented by ABBA agency must ensure that private and confidential data remains with the right people (Davis, 2007).

To carry on with significant business functions in the event of business disruptions, it is essential to maintain a functional risk assessment. This helps the company address the significant functions and make suitable investments in terms of time and money. The risk assessment adopted by the company helps identify the various functions, procedures, resources and suppliers that have a strong effect on the agency's ability to realize its mission objectives. It also involves the discovery and assessment of the viable threats, the existing vulnerabilities and the possibility that a disruption will exploit the discovered vulnerabilities. Furthermore, it helps establish the relative risk exposure of the diverse components of the business, so that decisions on mitigation plans are fact-based (Alexander, 2002).

In addition to employing functional risk assessment, the company should consider adding physical security for the offices, various rooms and facilities against foreseen business disruptions. The company should concentrate on safeguarding all the essential equipment, facilities and documents in order to avoid jeopardizing network security. In administering the security policy, the company may need to allot additional human resources (Alexander, 2002).

The IT security employees should have new obligations that ease control and authentication. It is necessary to manage user accounts, passwords, group membership and other authentication devices. In addition, the company will need to install and use network security tools that watch for any suspicious activity. These tools help the company proactively assess and authenticate servers, firewalls and routers to discover security holes or breaches.

The company will probably need to choose, set up and apply watchdog software that examines network traffic and/or OS commands and raises an alarm when an event occurs that is contrary to the company's security policy. Furthermore, the security employees will need to spend time examining log files from Web and application servers, and examining audit trails, when suspicious events arise. This is in addition to more routine responsibilities, for instance maintaining backup files, recovery, and installation of new software. Another guideline for the security policy is helping staff with computer-related problems. The company should occasionally test the enforcement mechanisms to verify that they offer the projected levels of safety. When there is a violation of security policy, it will be important for the company to take suitable and appropriate disciplinary action (Frank, 2006).

Based on the severity of the violation, the penalties to employees may range from loss of remuneration to loss of jobs. More serious violations, for instance malicious access to the network by outsiders, should be handled by the suitable authorities for probable criminal prosecution. To handle security threats appropriately, the company should implement effective security policy. The security policies that organizations should implement include:

Physical Access Security Policy

To ensure a complete access control policy, the company should develop a strong physical access policy and educate all employees on it. The security level of the company determines the type of physical security required. Most organizations employ either guarded or non-guarded entrances. It is essential for the company to issue security access cards on guarded premises. This ensures that only recognized and authorized personnel enter the organization (Alexander, 2002).

This policy controls the number of people accessing various places within the company according to their particular job descriptions. For instance, only the network and systems personnel can access the servers and the network communications department, using personalized access cards. As a policy for ensuring effective business continuity, employees must learn to lock doors behind them and shut out people who may follow them through the doorway. The company should encourage employees to report any suspicious persons on the premises with unknown identification. In addition, the company should publish the security policies so that employees have appropriate knowledge of the physical access rules.

Access Control Policies

The following are some of the access control policies that provide a steady business structure and procedures to control internal fraud and dishonesty in the company.

Least privilege

This principle gives users only the access rights they require to perform their assigned tasks effectively. Users get limited access, which prevents them from misusing their access rights.

Separation of duties

Delegation of duties ensures that every individual performs a task that is within their power. Competent personnel handle the high-security and risky tasks. Furthermore, several people share the significant responsibilities in order to ensure accuracy, honesty and accountability. This recovery plan ensures that risky tasks initially entrusted to single individuals are handled by several people who are aware of the responsibilities required (Frank, 2006).

Job rotation

It is an effective disaster recovery plan policy because the employee retains access control for a given responsibility for a period. This controls internal dishonesty from staff who may take advantage of their loyalty to the organization, their long service and their security access.

Mandatory vacations

These policies require staff to take their vacations at given times of the year, or even to use the entire vacation period. The policy helps identify security issues involving employees, for instance fraud, because irregularities may surface when employees are absent from the company.

Network Security Policies

Numerous policies provide standard guiding principles for network security within the organization. They cover areas such as the internet and internet network use, data confidentiality, security incident response, human resource principles and security of documents. It is vital to develop an acceptable use policy that enhances the performance of the computer network. The policy should also regulate legal liability in the event of security issues (Frank, 2006). An acceptable use policy should have the following characteristics:

Legality

The legal department in the company should approve the policy before it is handed over for signing. This policy acts as a legal document that protects the company from legal liability in cases of internet-related issues and other threats. The threats controlled include cracking and security interruptions, among others.

Distinctiveness to company environment

This policy aims to cover the company's specific network and the data contained in it. Every company has unique security issues.

Completeness

Apart from the rules of behavior, the policy includes a statement that explains the position of the company on internet use.

Adaptability

The internet evolves daily, and the policy should be updated as new issues crop up. It is impossible to anticipate every event, and for this reason the policy should address the possibility of an event occurring that it does not outline (Frank, 2006).

Protection for employees

If employees adhere to the rules of the acceptable use policy, they are less liable to questionable issues. This also prevents them from engaging in hazardous internet activity; for instance, they are less likely to disclose their contacts to crackers using social engineering approaches. Moreover, ABBA should settle on using universal guidelines and principles with respect to network security, IT risk assessment, risk analysis and risk management. In this respect, regulatory compliance is a vital aspect influencing the creation of a business continuity approach (Frank, 2006).

Furthermore, while Business Continuity or Disaster Recovery regulations may be insignificant in some business incidents, companies should be aware of legislation regulating data integrity, availability and compliance. This helps the company in setting up a Business Continuity strategy. The following is a universal disaster preparedness principle for a company facing network security issues with respect to IT risk assessment, analysis and management (Frank, 2006).

The ABBA agency should ensure its security and flexibility against probable disasters by implementing the following policies:

1) Telecommunications Asset Management: ABBA should maintain suitable safeguarding of telecommunications assets.

2) Physical Security: ABBA should prevent illegal physical access, harm and intrusion to business premises.

3) Communications and Operations Management: ABBA should ensure the acceptable and safe operation of telecommunication facilities.

4) Information Security: ABBA shall guarantee safeguarding of data in networks, and the secure operation of data processing facilities.

5) The company should identify the existing Telecommunication Assets ("assets") and preserve a record of all vital assets.

Furthermore, while reviewing the overall company policies and procedures that are significant for maintaining security, ABBA agency must evaluate the rights and permissions granted to users by the legal systems for digital media in the U.S. Court. It is essential for ABBA to regularly audit user security rights and permissions to ensure that existing security rights fall within the user rights policies and that users are unable to violate the rights and policies provided. One of the policies maintained by the company is data loss prevention and regulatory compliance. This policy safeguards organizational security and is concerned with internal risks and threats, for instance malware, network attacks and hacker intrusions, as well as internal data security and external data loss (Frank, 2006).

Data Loss Prevention is a security policy that prevents the loss of data and safeguards its confidentiality and privacy. The security measure covers the company's data as well as the customers' data stored and disseminated by the company. It is the role of the company to protect data from theft, loss and interference during both storage and transit.

ABBA must have Data Loss Prevention mitigation techniques that provide internal security using standard network security techniques. These techniques include firewalls and antimalware appliances to avoid internal threats, and security for external traffic through content filtering and encryption technology. In addition, there are numerous government-driven regulations and policies concerning the protection of data for companies in various industries (Frank, 2006).

References

Alexander, D. (2002). Principles of Emergency Planning and Management. Harpenden: Terra.

Davis, I. (2007). Learning from Disaster Recovery: Guidance to Decision Makers. Geneva: International Recovery Programme (IRP).

Frank, C. (2006). "Disaster recovery and continuity planning for digital library systems." OCLC Systems & Services, Vol. 22, Issue 3, pp. 173-178.
