I need someone to assist me and verify if this is correct or if I am missing anything for my Security Risk Management Lab 8.

10.) In your Lab Report file, create an outline of the BCP sections and subtopics that apply to the Mock IT infrastructure. Include these topics in your outline:

Initiation of the BCP (introduction, definitions, relevant policy statements, BCP organizational structure, BCP declaration, BCP communications, and information sharing)

Business Impact Analysis (risk assessment and analysis prioritizing business functions and operations aligned to IT systems, applications, and resources)

Business Continuity/Disaster Readiness/Recovery (recovery time objective [RTO], recovery point objective [RPO], business continuity benchmarks, disaster recovery planning [DRP as a subset of a BCP plan], and recovery steps and procedures for mission-critical IT systems, applications, and data)

Develop and Implement the plan (the plan is a living and breathing document that requires annual updates and change control revisions; implementation and the instructions for how to engage the BCP are part of this section)

Test and update Plan (the most important part of a BCP or DRP is to test the plan with a “mock” business continuity disruption or disaster scenario; tabletop reviews of the processes and procedures can be conducted to inform all BCP and DRP team members of their roles, responsibilities, and accountabilities)

The use of the Business Continuity plan (BCP) is to plan and prepare to overcome serious incidents, disaster and/or other unforeseen events that may occur. The organization being prepared is key to overcomes the events and resume its normal operations within a reasonably short period. The objective of the BCP is to ensure the organization is prepared to recover from disaster. It is important to have a BCP in place and it is a necessity for the success of any organization. Without a BCP, the smallest incident can cause for a disastrous outcome, and can even cripple a business. The overall scope for the “mock” IT Infrastructure is to ensure the entire network stays up and running with limited to no vulnerabilities. We need to ensure the network is and stays safe by analyzing, finding, patching, monitoring all risks to this infrastructure. To create a succelful and proper BCP we need to go through the four steps involved. First is to do a Business Impact analysis, we do this to prioritize risk impacts in order to resolve at a timely manner. The next step is the recovery strategies, we use this to determine what risk strategies will be used and identify resource requirements. The third step is to plan development, this is in place to develop the plan framework, organize recovery teams, write business continuity, and assemble the plan, along with a few other objectives. Lastly, we need to do the testing and exercises step. This is the process to develop testing, exercise and maintenance requirements, conduct training and orientation, as well as to update the BCP along the way for any process changes.

“Mock” IT infrastructures policy statement (This is just for theory)

In the event of disaster, “Mock” IT will utilizes all available resources in its business recovery in order to minimize the possibility of our Faculty, Staff and Students’ business disruption.

“Mock” IT reviews the Business Continuity Plans (BCP) annually, through periodic assessment of risk factors and their likely impacts.

“Mock” IT incorporates relevant regulatory requirements, legal and contractual obligations, and interests of related parties. (Prioritizes Faculty, Staff and Students).

“Mock” IT performs periodic drills and tests based on various scenarios, as a means of mitigating risks that threaten continuity of “Mock” IT and to strengthen resilience.

“Mock” IT promotes a resilience culture throughout the company by providing continuous education and training to all personnel.

“Mock” IT maintains industry-leading Business Continuity program through periodic reviews and improvements based on international standards (ISO 2201).

“Mock” IT releases Business Continuity Policy, mission and objectives to public and conducts periodic reviews.

The Mock IT network infrastructure includes (2) LAN Cisco Catalyst_2960 Layer 3 switches, (2) WAN Cisco_2811 switches, ASA_5505, ASA_Instructor for instructors, ASA_Student switch with Internet for students to connect to the network remotely. There is a Virtualized Server Farm with Linux OS, FTP, TFTP, Microsoft, Web, e-Commerce, DHCP servers and Windows applications. All of these systems, applications and resources are impacted in critical ways. Below is a chart I included of the functions, RTO/RPO, and Qualitative business impact:

Business Functions	RTO/RPO	Qualitative Business Impact
Instructor Internet Access	1 hour	Critical
Virtualization Server Farm	1 hour	Critical
LAN Switches	1 hour	Critical
WAN Switches	1 hour	Critical
Student Workstations	1 hour	Critical
Student Remote Access	1 hour	Critical
ASA_Student	1 hour	Critical
ASA_Instructor	1 hour	Critical
ASA_5505	1 hour	Critical
Cisco_2811	1 hour	Critical
LAN Switch 1	1 hour	Critical
LAN Switch 2	1 hour	Critical
Catalyst_2960 Switches	1 hour	Critical

All areas impacted are high priority to restore. Every component of this infrastructure depends on another “works like a machine”. Therefore, the RTO is critical to complete as fast as possible.

The Business Continuity Plan (BCP) needs to be updated annually. All aspects of the network should have redundant systems to keep the network running in case connection is lost to one device it will not take down the whole system. In current state if equipment goes down, the system or service is lost. Having a redundant system in place to failover to if equipment is lost will allow for a backup component without any data loss. As well as having a redundant ISP, line so if one line is down or compromised there is a failover to switch too incase of outages. We should implement an off-site location to house data in the result of any natural disaster. Having a backup plan is important and these noted items will ensure a sound backup plan. Getting the backups should be a top priority to solve some vulnerabilities. Users should have restricted access guided by policies to prevent unapproved access or downloads.

The third stage we need to do is to develop and implement the plan (the plan is a living and breathing document that requires annual updates and change control revisions; implementation and the instructions for how to engage the BCP are part of this section). Now that we gathered all the information and risks that can occur, we need to implement the plan. The BCP is like a map to get the organization backup and running with minimal loss of data, time, and resources.

The last important part of the BCP is the testing stage. It is important to go through, test any issues, create some scenarios, and remediate them in order to maintain the effectiveness of the BCP. Testing is mission critical we cannot say this will resolve issue x if we do not put testing in place to ensure it will work. The only way to ensure your BCP is effective is to test it out. User training also falls in this category to ensure Faculty, Staff and Students are following proper processes and procedures. As long as testing occurs you know the BCP is sound and in the event of disaster the organization will be truly prepared.

The outline of a business continuity plan looks like the below structure:

Section-1 Introduction

How to use this plan

Objective

Scope

Best practices

BCP organization structure (Key personal and their responsibilities)

BCP Declaration

BCP information classification

Section -2 Business Impact analysis:

Impacted areas

Impacted applications

Service Restoration priority

Service level agreements(SLAs) to critical business processes

Final Risk Assessment

Risk Assessment score

Section -3 Business Continuity Plan

Introduction

Recovery strategy and alternate business site

Recovery plan phases

Disaster Occurrence

Disaster identification

Plan Activation

Fail over to alternate site

Alternate site activation

Recovery to primary site

Test the recovery at primary site

Fail back to recovered primary site

Primary site activation

Test the primary site for normal operations

Recovery plan checklist(backup,etc)

Recovery steps (Detailed)

RTO/RPO(Recovery Time Objective/Recovery Point Objective)

Business Continuity Benchmark

Section 4 - Implementation

Authors and reviewers

Version control

Document Signoff

Engage the DRP/BCP

Section 5 - Testing

BCP check list

BCP test scenarios

BCP test cases

Mock drill of infrastructure

Mock drill frequency

Mock drill importance

Mock drill scenarios

Test Results

Call Trace test

Testing Signoff

Declaration (DRP team, their roles and the checklist performed by them)