Csis discussion and replies | Computer Science homework help


Write a thread containing a thoughtful answer to 1 question. Answer should contain at least 400 words. If necessary, you may list within your thread any concepts on which you need further clarification as well. Also, you must reply to at least 2 threads below. Each reply should contain at least 200 words. Additionally, all posts (thread and replies) should reflect professional writing, current APA standards, include at least 1 scholarly reference (e.g., peer-reviewed journal articles), and integration of at least 1 biblical principle.

Thread Question: (in 400 words at least)

Why should the IT department not be solely responsible for business continuity?

Replies (Reply to each thread in at least 200 words EACH)

Thread #1

Business Continuity and Disaster Recovery Goal

Cybersecurity revolves around the CIA triad and protecting the information by ensuring its confidentiality, integrity and availability. The Triad's purpose is to guide the information security practitioner in creating policies and controls that protect systems against outside and inside intrusion, as well as natural disaster. Business Continuity planning and Disaster Recovery efforts' number one goal is to protect the availability of information in the CIA Triad. Business Continuity Plans as well as Disaster Recovery plans must be defined and understood, to understand the necessity of policies that protect the availability of information, and their importance in the overall goals of information security.

Business continuity planning is the process of identifying the potential losses from external threats and consequential losses due to the loss of key business processes from an accident, attack, disaster, or physical damage to essential hardware and software (Pinata, 2011). Business continuity planning would identify all the potential impacts from a disaster and would direct the upper level management to identify specific targets for policies that would mitigate the damage and ensure systems are available quickly.

Disaster Recovery Planning restores the operability of systems that support mission-critical processes as quickly as possible (Bahan, 2003). Disaster recovery planning occurs before a disaster occurs, and addresses the targets identified during the business continuity process. Disasters can be anything from natural disaster to malware attacks, such as ransomware, that encrypt all data in servers.

A business continuity plan should address the acceptable amount of downtime and thus the Disaster recovery policy should attempt to recover systems in that amount of time. Systems should be backed up regularly and the backups should be tested to ensure the availability of information in the case of a disaster occurring. If systems are not tested regularly the plan would only be theoretical and would not ensure the availability of information in an emergency.

Ransomware attacks, such as the one recently seen in Baltimore, are becoming a common attack and organizations must take business continuity and disaster recovery planning seriously to ensure that mission-critical systems are up and running quickly and do not prevent normal operations for a long period of time.
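The backup-testing point in this thread, as an added example that is not part of the student's post: a Python restore drill that rebuilds files from a constructed tar+gzip backup, checks each file against a SHA-256 manifest and compares the measured restore time to an assumed RTO (the 4-hour figure is a placeholder, not from the thread).

```python
"""Backup restore drill: verify a backup restores intact and within the RTO."""
import hashlib
import io
import tarfile
import time
from dataclasses import dataclass

RTO_SECONDS = 4 * 3600  # assumed acceptable downtime taken from a hypothetical BCP


@dataclass
class DrillResult:
    restored_ok: bool        # every manifest entry came back with its recorded hash
    restore_seconds: float   # measured restore time for this drill
    within_rto: bool         # restore_seconds <= RTO
    failures: list           # human-readable reasons the drill failed, if any


def make_backup(files: dict) -> tuple:
    """Constructed sample backup: a tar.gz archive plus a SHA-256 manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict, rto_seconds=RTO_SECONDS) -> DrillResult:
    """Restore every file from the archive, time it, and verify integrity."""
    start = time.monotonic()
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            handle = tar.extractfile(member)
            if handle is not None:          # skip directories and special entries
                restored[member.name] = handle.read()
    elapsed = time.monotonic() - start

    failures = []
    for name, expected in manifest.items():
        if name not in restored:
            failures.append(f"{name}: missing from backup")
        elif hashlib.sha256(restored[name]).hexdigest() != expected:
            failures.append(f"{name}: hash mismatch (corrupted or tampered)")
    return DrillResult(not failures, elapsed, elapsed <= rto_seconds, failures)
```

A drill that reports `restored_ok=False` or `within_rto=False` is the evidence that the plan is still theoretical, which is exactly the gap the thread warns about.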

Thread #2

“As organizations and information systems (IS) increasingly commingle, any incident with organization IS may cause significant organizational damage.” (Niemimaa, 2015). That is why the notification procedures must be clearly documented for a number of reasons ranging from informing stakeholders to ensuring staffing requirements during a disaster. In the event of a disaster or emergency situation, certain individuals on multiple levels of an organization may need to be informed or report to work to deal with these issues. This can range from a first-line supervisor to the CEO of the organization, but the contingency plan should have in place a definitive notification procedure to ensure all personnel that need to be informed are informed. According to Gregory, all parties involved with an organization that may be affected by the disaster should be notified, to include: employees, suppliers, customers, regulators, authorities and stakeholders (2015). While the who of the notification procedure makes up the bulk of the material, how those individuals are notified can be a pressing matter as well. Depending on the type and severity of a disaster, the responses can range from e-mail notifications to phone calls to in-person visits. Depending on the cost, type and severity of a disaster, it can dictate how individuals should be contacted, or it can dictate if they would like to be contacted at all.

In the organization I currently work in, our contingency plan is based on the severity of the incident, the time/day of week and how large the incident is. All of those factors dictate whether we call anyone at all, whether we call just the administrators to fix the issues, or whether we call the administrators and the organization's leaders. The contingency plan should lay the groundwork for notification procedures, but it should also put into place the details around different types of problems and disasters. As I mentioned above about my organization, different people wish to be notified at different levels or degrees that evolve over the lifetime of a problem or disaster. For this reason, a corresponding list of notification instructions should be kept and updated frequently to ensure that correct means of communication are still accurate and when one of these individuals would like to be notified in the event of a problem or disaster. On a side note, ways of communicating to designated personnel should be closely adhered to. Notifying personnel too little or too much can de-simplify the issue, or it can cause the issue to seem larger than it is, prompting an inaccurate response.