TASK

Read the Regional gardens case study document before attempting this assignment.

Background: You have been employed by Regional Gardens as their first Chief Information Officer (CIO). You have been tasked by the Board to conduct a review of the companys risks and start to deploy security policies to protect their data and resources.

You are concerned that the company has no existing contingency plans in case of a disaster.

The Board indicated that some of their basic requirements for contingency planning include:

- A Recovery Time Objective (RTO) of 2 hours

- A Recovery Point Objective (RPO) of 4 hours

Based on these, you now need to determine:

- The Maximum Tolerable Downtime (MTD),

- The Work Recovery Time (WRT) and

- The system and data recovery priority.

The Board expects that you will propose a Business Continuity Plan (BCP) for Regional Gardens. The Board expects you to use as much of their existing resources as possible for the BCP, but understands that some additional resources may be required. Your BCP proposal must clearly state what additional resources, in terms of hardware, software and locations, are required.

Tasks:

You are to develop a proposal for a Business Continuity Plan (BCP) for Regional Gardens in accordance with the Board's instructions above. Your proposed BCP must include:

1. An overview of the entire BCP,

2. A Business Impact Analysis

3. An Incident Response Plan

4. A Backup plan,

5. A Disaster Recovery plan,

Your proposed BCP should include the following headings:

- Executive Overview

- Business Impact

- Incident Response

- Backup

- Disaster Recovery

Regional Gardens Case Study

Regional Gardens Ltd is a company that runs a number of related gardening enterprises. It has a large display garden that it opens for public inspection a number of times a year. The company also owns the Regional Gardens Nursery which sells plants and garden supplies to the public. The company also owns Regional Garden Planners, which is a small company that provides garden advice, design and consultancy services.

The company has a small data centre at its main site in Bathurst where the companys servers and data storage is located.

The company has some 65 staff, who include management, administrative staff, nursery and Regional Garden Planners staff. The company has a range of different types of relatively old personal computers, which run mainly run Windows 7 Enterprise, to connect to the company data centre. The company also has 3 MacBook laptops running OS X.

The company does not have a clear patching and update policy. As a result most servers and desktop machine are patched on an ad-hoc basis and as time, and operations, permit.

The company has a small number of systems administration staff that are responsible for the management of the server infrastructure. But effective administration is somewhat hampered by the fact that the administrative passwords are generally well-known across the company. Company employees enjoy free, open, unrestricted access to the Internet, but realistically they only need to access certain websites on the Internet. Company management would like there to minimise the cost of accessing web resources.

The company consists of the following departments:

- Nursery staff (35 people)

- Regional Gardens Planning (15 people)

- Systems administration (3 people)

- Management (4 people)

- Human Resources & Legal (3 people)

- Finance (3 people)

- Administration (2 people)

There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation.

Infrastructure

The company uses several servers to conduct its core business. The company has the following server infrastructure:

- 2 x Active Directory domain controllers on Windows Server 2008 R2;

- 3 x SQL Server 2003 database servers on Windows Server 2003;

- 1 x Exchange 2007 email server on Windows Server 2008 R2;

- 4 x Windows Server 2003 File and Print servers;

- 2 x Red Hat Enterprise 5 Linux servers running Apache and TomCat.

Each of these servers are independent machines with relatively vanilla installs of their respective operating systems. The servers are not running the latest operating systems nor have they been recently patched. All servers have publicly accessible addresses and hence can be accessed from the Internet.

The servers are all commodity x86 servers that have been purchased as required. There are no maintenance contracts on either the hardware or any installed software. Most of the servers and desktops are over five years old.

Services and Data

The servers store the following;

- Home directories,

- Mail,

- Database objects for various development and production environments (for various departments),

- Active Directory Meta Data Object,

- Customer garden project information directories,

- Nursery plant data directories,

- Nursery supplies data directories Corporate Finance and Personnel Data,

- Web Page Data.

- Customer data,

- Market intelligence and strategic planning data.

- Other forms of Intellectual Property

Most services are only used within the company, however the company does have a internet presence via its web pages and mail server. Despite this some of the garden planners work from home in the evenings and access some services from their home workstations, tablets or mobile devices. You can assume there is no redundancy/ fail over in the disks hence if a disk goes bad, that data is lost and the service associated with it fails.

The most important data to the company, in order of importance, is:

Corporate finance data

- Nursery product data

- Nursery supplies data

- Strategic planning data

- Customer planning data,

- Personnel data,

- Web page data,

- Email,

The integrity of this data must always be preserved.

Administration

Most of the staff in the company knows the administration passwords for the servers and desktops. It should be noted that all users have accounts on the mail, database and database servers.

The administration of the servers tends to be haphazard. There are often storage issues with storage as disks fill up regularly. There are a lot of active but unused accounts for users who have now left the company. The company is dependent on its servers for continued access to services, but there are no monitoring systems in place.

External hackers have compromised some desktop machines in the past. The administrators are reasonably confident that the servers have not been compromised. That said, when a host is compromised; the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late, i.e. well after the hack has occurred.

Security

The company does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. All servers, and most desktops have a basic anti-virus system in place, but it has not been updated recently. There is no anti-virus on the MacBooks as the company has been told that they dont get viruses. There is no overall email virus protection in this company.

Backup and Disaster Recovery

The company does not have any backup or disaster recovery systems/ procedures.

Network and Physical Location

The servers and core network infrastructure are located in common workspace as other infrastructure and employees of the organisation. In addition to this the servers are on the same networks as user workstations and there is no network security. The company is connected to the Internet via a ADSL modem connected to a router. The router connects to a several 10mb hubs, which provide access to the staff (there is only one LAN).

Individual Workstations & Passwords

Each employee has a desktop computer. Most of the computers are running a vanilla install of Windows 7 Enterprise that, in most cases, has not been patched since install. Employees often keep corporate data on these desktops in their home directory, which is not backed up.

In addition to this everyone has administrator privileges to their workstation. As the environment is relaxed, a user can have accounts on other employee computers possibly using the same or different password.

The company has no hard and fast rules about passwords; in fact the most common password used is the persons name. These passwords are also indicative of what is used on the server machines.