Write a thread containing a thoughtful answer to 1 question. Answer should contain at least 400 words. If necessary, you may list within your thread any concepts on which you need further clarification as well. Also, you must reply to at least 2 threads below. Each reply should contain at least 200 words. Additionally, all posts (thread and replies) should reflect professional writing, current APA standards, include at least 1 scholarly reference (e.g., peer-reviewed journal articles), and integration of at least 1 biblical principle.
Thread Question: (in 400 words at least)
Why should the IT department not be solely responsible for business continuity?
Replies (Reply to each thread in at least 200 words EACH)
Business Continuity and Disaster Recovery Goal
Cybersecurity revolves around the CIA triad and protecting information by ensuring its confidentiality, integrity and availability. The Triad’s purpose is to guide the information security practitioner in creating policies and controls that protect systems against outside and inside intrusion, as well as natural disaster. Business continuity planning and disaster recovery efforts’ number one goal is to protect the availability of information in the CIA Triad. Business continuity plans, as well as disaster recovery plans, must be defined and understood in order to understand the necessity of policies that protect the availability of information and their importance in the overall goals of information security.
Business continuity planning is the process of identifying the potential losses from external threats and consequential losses due to the loss of key business processes from an accident, attack, disaster, or physical damage to essential hardware and software (Pinata, 2011). Business continuity planning would identify all the potential impacts from a disaster and would direct the upper level management to identify specific targets for policies that would mitigate the damage and ensure systems are available quickly.
Disaster recovery planning restores the operability of systems that support mission-critical processes as quickly as possible (Bahan, 2003). Disaster recovery planning occurs before a disaster occurs, and addresses the targets identified during the business continuity process. Disasters can be anything from natural disasters to malware attacks, such as ransomware, that encrypt all data on servers.
A business continuity plan should address the acceptable amount of downtime and thus the Disaster recovery policy should attempt to recover systems in that amount of time. Systems should be backed up regularly and the backups should be tested to ensure the availability of information in the case of a disaster occurring. If systems are not tested regularly the plan would only be theoretical and would not ensure the availability of information in an emergency.
Ransomware attacks, such as the one recently seen in Baltimore, are becoming a common attack, and organizations must take business continuity and disaster recovery planning seriously to ensure that mission-critical systems are up and running quickly and that an attack does not prevent normal operations for a long period of time.
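The post above argues that backups must be tested against the acceptable downtime or the plan stays theoretical. The following is an added example, not part of the original post or any project it cites, of what such a restore drill checks in code: backup integrity, age against a recovery point objective (RPO), and drill duration against a recovery time objective (RTO). The objectives, file names and manifest are constructed for illustration.

```python
"""Backup restore drill: turns a continuity plan's recovery objectives into checks.
Added example; the RPO/RTO values and the manifest below are constructed."""
import hashlib
from datetime import datetime, timedelta

# Assumed recovery objectives (constructed; a real plan sets these per system).
RPO = timedelta(hours=24)  # maximum tolerable data loss (age of newest backup)
RTO = timedelta(hours=4)   # maximum tolerable downtime (time to restore)


def _entry(name, taken, data, sha256=None):
    """Build one constructed manifest entry; sha256 defaults to the true digest."""
    digest = sha256 or hashlib.sha256(data).hexdigest()
    return {"name": name, "taken": taken, "data": data, "sha256": digest}


# Constructed manifest of backup blobs with the digest recorded when written.
BACKUPS = [
    _entry("db-2024-01-10.dump", datetime(2024, 1, 10, 2, 0), b"rows:1000"),
    _entry("files-2024-01-08.tar", datetime(2024, 1, 8, 2, 0), b"files"),
    # Recorded digest does not match the data: bit rot or tampering (ransomware).
    _entry("mail-2024-01-10.dump", datetime(2024, 1, 10, 2, 0), b"mbox", "0" * 64),
]


def verify_backup(backup, now):
    """Return findings for one backup: checksum integrity and RPO compliance."""
    findings = []
    if hashlib.sha256(backup["data"]).hexdigest() != backup["sha256"]:
        findings.append("integrity: checksum mismatch, backup unusable")
    age = now - backup["taken"]
    if age > RPO:
        findings.append(f"rpo: backup is {age} old, exceeds {RPO}")
    return findings


def restore_drill(backups, now, restore_minutes):
    """Run the drill: per-backup findings plus an '_rto' finding if restore was too slow."""
    report = {b["name"]: verify_backup(b, now) for b in backups}
    took = timedelta(minutes=restore_minutes)
    if took > RTO:
        report["_rto"] = [f"rto: restore took {took}, exceeds {RTO}"]
    return report


def plan_is_proven(report):
    """The plan is proven (not merely theoretical) only when no finding remains."""
    return all(not findings for findings in report.values())
```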
“As organizations and information systems (IS) increasingly commingle, any incident with organization IS may cause significant organizational damage” (Niemimaa, 2015). That is why the notification procedures must be clearly documented for a number of reasons, ranging from informing stakeholders to ensuring staffing requirements during a disaster. In the event of a disaster or emergency situation, certain individuals on multiple levels of an organization may need to be informed or report to work to deal with these issues. This can range from a first-line supervisor to the CEO of the organization, but the contingency plan should have in place a definitive notification procedure to ensure all personnel that need to be informed are informed. According to Gregory, all parties involved with an organization that may be affected by the disaster should be notified, including employees, suppliers, customers, regulators, authorities and stakeholders (2015). While the who of the notification procedure makes up the bulk of the material, how those individuals are notified can be a pressing matter as well. Depending on the type and severity of a disaster, the responses can range from e-mail notifications to phone calls to in-person visits. The cost, type and severity of a disaster can dictate how individuals should be contacted, or whether they would like to be contacted at all.
In the organization I currently work in, our contingency plan is based on the severity of the incident, the time/day of week and how large the incident is. All of those factors dictate whether we call anyone at all, whether we call just the administrators to fix the issues, or whether we call the administrators and the organization’s leaders. The contingency plan should lay the groundwork for notification procedures, but it should also put into place the details around different types of problems and disasters. As I mentioned above about my organization, different people wish to be notified at different levels or degrees that evolve over the lifetime of a problem or disaster. For this reason, a corresponding list of notification instructions should be kept and updated frequently to ensure that the correct means of communication are still accurate and when each of these individuals would like to be notified in the event of a problem or disaster. On a side note, the ways of communicating with designated personnel should be closely adhered to. Notifying personnel too little or too much can de-simplify the issue, or it can cause the issue to seem larger than it is, prompting an inaccurate response.