
Plan Development

This section provides a detailed methodology for producing and testing a continuity-of-operations plan. An effective COOP must anticipate any potential scenario and respond immediately to identify and verify the safety of all personnel and to maintain the continuity of business operations.

NOTE

The following project outline is provided solely as a guide. It is only intended to be an example of a methodology for the creation of a business continuity/disaster recovery plan. It doesn't claim to be the authoritative process, but is a good place to start.

Because recovery planning is a complex and labor-intensive process, it requires the involvement of staff from across the organization. The disaster-recovery team must be aware of all the organization's key business processes, technical infrastructure, and data and personnel requirements.

The assembled team should have overall responsibility for the planning effort and should periodically report its status to senior management. The team will also have to work with senior management to gain an understanding of the existing and future technological infrastructure of the organization, as well as to ascertain the organization's most critical operations.

The team must identify all the client personnel who may be involved in the development, testing, or execution of the continuity-of-operations efforts. This requirement helps to ensure that all participants in the plan recognize and are prepared to execute their roles.

The proposed methodology consists of eight separate phases (described in the following sections):

  • Phase 1: Pre-Planning Activities (Project Kickoff)

  • Phase 2: Vulnerability Assessment

  • Phase 3: Business Impact Assessment (BIA)

  • Phase 4: Detailed Definition of Requirements

  • Phase 5: Plan Development

  • Phase 6: COOP Testing Program

  • Phase 7: Maintenance Program

  • Phase 8: Initial Plan Testing and Implementation

Phase 1: Pre-Planning Activities (Project Kickoff)

Several bits of information must be gathered before the true planning can begin. First, the organization must determine the individual business processes that are critical for the overall survival of the firm, as well as the processes that support those functions. Give the greatest consideration to maintaining these functions during and after any disaster. This decision must be reached by or in full cooperation with the senior management of the firm.

Next, establish a list of all the potential risks that may occur leading to the compromise of the firm's ability to conduct business or protect its employees. Risk is defined as anything that may lead to these problems:

  • Harm to personnel

  • Failure of business processes

  • Loss of or damage to assets:

    • Technical infrastructure

    • Physical infrastructure (buildings, planes, etc.)

  • Regulatory liability

  • Inability to perform customer service duties

  • Reputation or brand damage

In addition, review any existing contingency and business-continuity plans in this phase.

Phase 2: Vulnerability Assessment

Now that you know the risks, perform a vulnerability assessment (VA) to measure the firm's overall exposure to those risks. The VA considers the security controls currently established within the organization. This formal evaluation includes the following areas, among others:

  • Network security procedures in place and enforced

  • Physical security

  • Operating procedures

  • Data backup mechanisms

  • Systems development and maintenance

  • Database security

  • Data and voice communications security

  • Systems and access-control processes

  • Insurance

  • Security planning and administration

  • Application controls

  • Technology deployment

  • Password policy

The goal of this phase is to ascertain the security posture of the firm in relation to the risks identified in Phase 1. Report observations and recommendations to senior management so that action can begin toward implementing any cost-effective recommendations for heightening the firm's security posture.

Phase 3: Business Impact Assessment (BIA)

A business impact assessment (BIA) of all business units enables the team to do the following:

  • Ascertain the impact of events (disaster, compromise) on the system or any critical function

  • Assess the maximum time that a business unit can survive loss of operation

In addition, the BIA helps to identify the critical systems and processes for each business unit. However, the true intent of the BIA is to determine the timeframes in which critical functions must be restored to operation in the wake of a disaster. This information can be used to drive the resources required to ensure that those metrics are met for all critical functions and business units.

Phase 4: Detailed Definition of Requirements

This phase focuses on developing a profile for the continuity-of-operations plan. This profile is to be used as a basis for analyzing alternative strategies for business continuity and disaster recovery. It's important to identify the resources needed to support the critical functions identified in Phase 3, such as the following:

  • Hardware: Mainframe, data and voice communications equipment, personal computers, NICs, routers, switches, firewalls, intrusion-detection systems, and so on

  • Software: Anti-virus software, application code, and so on

  • Documentation: Technology-use policy, security policy and procedures, application user manuals

  • Outside support: Utilities, transportation services, Internet/telecom service providers, and so on

  • Facilities: Office space, office equipment, and so on

  • Personnel for each business unit

COOP strategies must be based on short-term, intermediate-term, and long-term outages.

Phase 5: Plan Development

This phase defines COOP components and documents plans. It's important to document the planned changes to existing firm procedures, whether during normal operations, during a disaster, at a backup site, or afterward, when normal processing has resumed.

At this stage, identify emergency response teams and recovery teams, along with detailed descriptions of their roles and responsibilities. It's also a good idea to develop some sort of awareness or training program for members of these teams, so that they're equipped and prepared to perform these vital functions.

The same individuals may make up the two teams; however, due to the potential workload and the criticality of these job tasks, it may be wise to have different people on these teams.

Phase 6: COOP Testing Program

The goal of testing the COOP is to ensure that the plan will meet the criteria of restoring the firm's operations within the specific critical timeframes determined in Phase 3. Numerous testing strategies should be evaluated until a strategy that's tailored to the firm's specific environment stands out.

There are many kinds of tests to consider:

  • Checklist test. Essentially a proofreading of the plan by all parties involved to ensure that nothing has been missed.

  • Structured walk-through. A step-by-step analysis of how the plan works (what steps are performed, and by whom), from the objectives through to the details of recovery options. Again, representatives of all parties take part in the test.

  • Simulation test. This is similar to a wedding rehearsal. The staff involved in the emergency response and recovery efforts go through the steps of the plan to ensure that such steps are feasible and effective.

  • Parallel test. Backup systems are tested while production systems are operational. This verifies that backup processing is functional and produces the same results as the production systems.

  • Full-interruption test. As the name suggests, this is a full-blown live test in which production systems are interrupted and the firm implements the COOP to test its ability to continue business operations.

These tests can be used individually or in combination as a part of the overall test strategy. The approach you take to test the COOP depends in large part on the continuity-of-operations strategies you selected to meet the requirements of the organization. The goal of the testing is to ensure that the strategies are comprehensive in scope and meet the organization's needs effectively.
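One way to score a test run (parallel or full-interruption) against the restoration timeframes the BIA produced in Phase 3, as an added example that is not from the article: the critical functions, their supporting processes, the BIA limits and the observed test timings are all constructed, and the rule that a function counts as restored only once every supporting process it depends on is back is an assumption of this example.

```python
"""Evaluate a COOP test run against BIA restoration timeframes.

Added example (not from the article): the function names, BIA timeframes
and test timings are constructed. A critical function counts as restored
only when it and every supporting process it depends on are back.
"""
from dataclasses import dataclass, field


@dataclass
class CriticalFunction:
    name: str
    max_outage_hours: float  # maximum tolerable loss of operation, from the BIA (Phase 3)
    depends_on: list = field(default_factory=list)  # supporting processes (Phase 1)


def effective_restore_time(name, functions, observed, _path=()):
    """Hours until `name` is usable: the later of its own observed restore
    time and the effective restore time of each supporting process.
    A function with no observed timing was never restored in the test."""
    if name in _path:
        raise ValueError("circular dependency: " + " -> ".join(_path + (name,)))
    own = observed.get(name, float("inf"))
    deps = [effective_restore_time(d, functions, observed, _path + (name,))
            for d in functions[name].depends_on]
    return max([own, *deps])


def evaluate_test(functions, observed):
    """Return {name: (effective_hours, max_outage_hours, met)} for every function."""
    results = {}
    for name, fn in functions.items():
        eff = effective_restore_time(name, functions, observed)
        results[name] = (eff, fn.max_outage_hours, eff <= fn.max_outage_hours)
    return results


def failing_functions(functions, observed):
    """Names of functions the tested plan did not restore within the BIA timeframe."""
    return sorted(n for n, (_, _, met) in evaluate_test(functions, observed).items() if not met)


# Constructed BIA profile: network back within 2 h, customer database within
# 8 h, order entry within 4 h, payroll within 72 h.
BIA_PROFILE = {
    "network": CriticalFunction("network", 2),
    "customer_db": CriticalFunction("customer_db", 8, ["network"]),
    "order_entry": CriticalFunction("order_entry", 4, ["customer_db", "network"]),
    "payroll": CriticalFunction("payroll", 72, ["network"]),
}

# Constructed timings from a test run, in hours. Order entry itself came back
# quickly, but it is unusable until the customer database is restored.
TEST_OBSERVED = {"network": 1.0, "customer_db": 6.0, "order_entry": 1.5, "payroll": 48.0}

if __name__ == "__main__":
    for name, (eff, limit, met) in evaluate_test(BIA_PROFILE, TEST_OBSERVED).items():
        print(f"{name:12s} restored after {eff:>5.1f} h (limit {limit:>4.0f} h) {'OK' if met else 'MISSED'}")
```

With the constructed data, order entry misses its 4-hour limit even though it was restored in 1.5 hours on its own, which is the kind of gap a checklist review of the plan would not reveal but a parallel or full-interruption test does.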

Phase 7: Maintenance Program

Maintenance of the plan is critical to the success of an actual recovery. The plan must evolve to reflect any changes to the environment. Existing change management processes must be revised to take COOP program maintenance into account. In areas where no change management exists, developing such procedures is strongly recommended.

The plan itself should be evaluated periodically; the frequency of the evaluation should be consistent with the rate of new technology deployment, among other things.

Phase 8: Initial Plan Testing and Implementation

Once a COOP is formally developed, conduct initial tests of the plan to ensure that it will result in the continuity and eventual recovery of communications and data-processing capabilities, as well as the full resumption of normal business processes. Any necessary modifications to the plans must be made based on an analysis of the test results.
