Identify a task that you would need to perform in your current career or future career, and explain in detail how you would apply the knowledge you have learn

SEC 4301, IS Disaster Recovery 1

Course Learning Outcomes for Unit VIII Upon completion of this unit, students should be able to:

1. Explain business continuity procedures.

2. Develop an asset ranking report.

3. Analyze an impact assessment for organization threat analysis.

5. Explore alternative operation sites.

6. Appraise organizational funding for disaster recovery plans. Required Unit Resources There are no required unit resources to read or view in this unit. Unit Lesson

Unit Wrap-Up First of all, congratulate yourself for making it to the end of this course. Make sure that you have completed the last discussion board for Unit VIII, and you will also find the final exam in this unit. Below is the summation for Unit VIII and Unit I–VII reflections. Please note that you can also go back to the course unit study guides for each unit as well as the textbook as a refresher. By all means, this course will not make you an expert in one night, day, week, month, or even year. The main emphasis for disaster recovery is to make sure the organization has a disaster recovery plan (DRP); if not, create one. Remember, the DRP is a living document, which means it should be monitored continually for any change that will affect the strategic goals of the business processes. Unit VIII Summary It is the hope of this course that you will become knowledgeable in the basics of developing an organization’s DRP and to make you aware that your organization should have a plan. Many businesses have failed or lost customers because they could not sustain the business during a disaster. Such failures are from not understanding the objective of the DRP. For example, the tragedy of September 11th, during which the World Trade Center collapsed, from the standpoint of information technology, data storage of many businesses within the towers was a failure. The tower information technology data was stored in the other tower; in the event of the loss of data in one tower, they planned to recover the backups from the other tower. There were other companies who did not budget for DRP; hence, no backups of any type were created by many businesses. However, the businesses did not predict the unimaginable in which both towers were destroyed and all information technology data was lost. The importance of the business continuity plan (BCP), DRP, and the computer incident recovery team (CIRT) cannot be overlooked and must be tested before, during, and after any event. Additionally, CIRT should try to predict the unimaginable for business sustainment (Gibson, 2015). Even after the September 11th disaster, there are still organizations that have developed contingency plans for disasters, such as the BCP, DRP, and CIRT, but these documents are left on the shelf and forgotten until they are needed. These precious documents are living documents, and organizations must not become complacent in the acts of protecting the business sustainability for their customers and other businesses. These plans need to be tested and updated and provide lessons learned from the tests. Above all,

UNIT VIII STUDY GUIDE Course Review and Final Examination

SEC 4301, IS Disaster Recovery 2

UNIT x STUDY GUIDE Title

management needs to forecast a budget requirement to support the BCP, the DRP, and the CIRT (Gibson, 2015). Below is a brief summation of Units I through VII on the course subject of disaster recovery. Unit I Reflection Before progressing into disaster recovery, there are a few elements that need to be understood. The elements discussed are the meaning of risk and mitigation and how risk and mitigation affects the seven domains of a typical information technology (IT) infrastructure. You learned that risk is the act of relating oneself to danger, while mitigation is the act of reducing that danger (Gibson, 2015). The three important components that make up the CIA triad are confidentiality, integrity, and availability. Compliance and regulations also play a big part of making sure the organization stays within compliance when operating within an IT paradigm. Compliances and laws that were touched upon are the Health Insurance Portability and Accountability Act (HIPAA) and the payment card industry data security standard (PCI DSS). Unit II Reflection We looked into the depths of risks and mitigation and found some basic mechanisms that affect the risks and mitigation. These mechanisms are threats, vulnerabilities, and exploits. To help identify and mitigate these mechanisms; several initiatives are created to combat these threats. Such initiatives discussed are the National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), and the National Cybersecurity and Communications Integration Center (NCCIC), to name a few. This unit provides the first look at the risk management plan that is covered throughout the rest of this course. Since this is a planning document, the most important aspect of this document will be the scope of the document (Gibson, 2015). The major creators of the risk management plan and those held responsible for the development include the chief information officer (CIO) or chief information security officer (CISO), and the chief financial officer (CFO). Unit III Reflection Learning the important concepts of risk assessment is the highlight for this unit. You know that these risks must be prioritized by the risk attributes of time, monitoring, and controls. Remember the risk assessment is a tool management uses to evaluate and identify the controls; the steps discussed to identify the risk assessment are 1) threats and vulnerabilities must be identified, 2) recognize the possibility that a risk will arise, 3) categorize the asset values, 4) audit the recurrence of risk impact, 5) deduce the practicality of the safeguard controls (Gibson, 2015). How we measure risk assessment is also discussed in this unit. Qualitative and quantitative are two measurement methods management and risk assessors can use to help measure the risks. Unit IV Reflection This unit explains what key components need to be identified along with its risk assessment. This identification is very important, since the data gathered will help in planning for the BCP. One major concern in reference to the BCP is identifying those assets that are critical and are subject to system access and availability. Three organization assets are susceptible to system access and availability: hardware, people, and software assets. Other data can be used such as the historical data or modeling to determine critical assets that need to be identified in the risk assessment plan and budgeted for within the BCP (Gibson, 2015). The types of safeguarding controls are also covered in this unit: in-place, planned, categories, procedural, technical, and physical controls. These are all very important in suppressing the threats, vulnerabilities, and exploits within the seven domains of a typical information technology infrastructure. Unit V Reflection The risk management scope is driven by two components of control and compliance. These components are essential to the risk mitigation process identification within the risk management planning. The areas that are affected by controls and compliances are business operations, service delivery, systems-applications data, the seven domains, and security gaps (Gibson, 2015). Each of these areas has assets that either can be controlled or complied to ensure the mitigation of risks. There are legalities as to which laws, regulations, and compliances should be followed, depending on the organizational strategy of the business. Part of risk management is the development of the pre-mitigation plan in which the countermeasures for the risk

SEC 4301, IS Disaster Recovery 3

UNIT x STUDY GUIDE Title

assessment have been approved and identified. An outline of the pre-mitigation plan as well the risk matrix can be found in your Unit V Study Guide. Unit VI Reflection Remember, in this unit there are crucial components that must be included in the risk management plan before it becomes reality. Those four components are the business impact analysis (BIA), BCP, DRP, and CIRT documentations. Recall that the BIA is to identify critical functions so that if there was an outage, it would not become a disaster for the operation of the business. Therefore, the BCP is needed for business sustainment, and the DRP is necessary to recover from the disaster (Gibson, 2015). The CIRT is called upon to mitigate the threats or incidents and provide knowledgeable advice to other co-located or remote business locations regarding incident management. Unit VII Reflection This unit looks into the details of the DRP and the CIRT. The main difference between BCP and the DRP is discussed. Essentially, the BCP concentrates on the sustainment of the business operations while the DRP focuses on the recovery of the critical business operations (Gibson, 2015). The main DRP emphasis is the maximum acceptable outage. The acceptable outage of a critical function that the business will accept for recovery of the critical function is the key emphasis for the DRP (Gibson, 2015). Backup or alternate sites must be identified in the event of a disaster; the organization then would relocate the business functions elsewhere. Depending on the type of CIRT, this team can be deployed locally or remotely to assist in the mitigation of the risk assessment. A budget must be created that should take into account the before, during, and after recovery of the business functions.

Reference Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning.

https://online.vitalsource.com/#/books/9781284107753 Suggested Unit Resources In order to access the following resources, click the links below. Review Units I–VII PowerPoint Presentations. Chapter 1 PowerPoint Presentation PDF Version of Chapter 1 PowerPoint Presentation Chapter 3 PowerPoint Presentation PDF Version of Chapter 3 PowerPoint Presentation Chapter 2 PowerPoint Presentation PDF Version of Chapter 2 PowerPoint Presentation Chapter 4 PowerPoint Presentation PDF Version of Chapter 4 PowerPoint Presentation Chapter 5 PowerPoint Presentation PDF Version of Chapter 5 PowerPoint Presentation Chapter 6 PowerPoint Presentation PDF Version of Chapter 6 PowerPoint Presentation Chapter 7 PowerPoint Presentation PDF Version of Chapter 7 PowerPoint Presentation

SEC 4301, IS Disaster Recovery 4

UNIT x STUDY GUIDE Title

Chapter 8 PowerPoint Presentation PDF Version of Chapter 8 PowerPoint Presentation Chapter 9 PowerPoint Presentation PDF Version of Chapter 9 PowerPoint Presentation Chapter 10 PowerPoint Presentation PDF Version of Chapter 10 PowerPoint Presentation Chapter 11 PowerPoint Presentation PDF Version of Chapter 11 PowerPoint Presentation Chapter 12 PowerPoint Presentation PDF Version of Chapter 12 PowerPoint Presentation Chapter 13 PowerPoint Presentation PDF Version of Chapter 13 PowerPoint Presentation Chapter 14 PowerPoint Presentation PDF Version of Chapter 14 PowerPoint Presentation Chapter 15 PowerPoint Presentation PDF Version of Chapter 15 PowerPoint Presentation Review Chapters 1–15 of the textbook. Learning Activities (Nongraded) Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. The internet can provide you with a wealth of information concerning the topics in this unit. For example, the following video is from CSU Films on Demand database and provides additional information on disaster recovery. Falling Walls Foundation (Producer). (2012). Practical use in disaster recovery (Segment 7 of 8) [Video].

https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPla ylists.aspx?wID=273866&xtid=53576&loid=213677

The transcript for this video can be found by clicking the “Transcript” tab to the right of the video in the Films on Demand database.