StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Disaster Recovery Planning for NIST - Essay Example

Cite this document
Summary
The essay "Disaster Recovery Planning for NIST" focuses on the critical analysis of the various essential elements of disaster recovery planning and how NIST guidelines can be applied to implement a disaster recovery plan. A disaster recovery plan is a bit like car insurance…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER98.3% of users find it useful
Disaster Recovery Planning for NIST
Read Text Preview

Extract of sample "Disaster Recovery Planning for NIST"

Disaster Recovery Planning Contents of the Report Introduction Physical Risks Need for a Disaster Recovery Plan Essentials of a Disaster Recovery Plan NIST Guidelines: The 7 steps to IT Contingency Planning Contingency Policy Statement Business Impact Analysis Identification of Preventive Controls Outline of Recovery Strategies Contingency Plan Testing Methodology Ongoing Plant Maintenance Case Study Conclusion References Introduction According to Herman Mehling, "A disaster recovery plan is a bit like car insurance; you don't realize its value until you're in an accident" (Mehling, 2007). This was the common state of affairs in every organization a few years back. Most companies felt disaster recovery was an unnecessary investment because the management felt that they were safe from physical disasters. However, over the few years, the situation has changed. Management of corporations are taking this matter at a corporate level. The line managers of various departments now realize that they can never be sure about safety from disasters. Therefore organizations such as NIST have outlined several disaster recovery best practices in order to help companies implement a contingency plan. This article looks at the various essential elements of disaster recovery planning how NIST guidelines can be applied to implement a disaster recovery plan. Physical Risks Physical risks for business include and are not restricted to natural calamities like Earth Quakes, Storms, and Floods etc. Fire accidents, power failures, Use of Unsafe machinery and Equipment all come under Physical Risks. Malfunctioning of Individual units in a system, Network Cables, Cable tapping are some of the physical factors that pose risk to a Business (Cooper, 1995). Physical risks to a business also include risks to the physically existing things like buildings, the computers, related media and equipment. Few of the physical risks are mentioned below. Natural Calamities: Natural Calamities like Earth Quakes, Storms and Floods disrupt any business and their corresponding data that is stored. A single quake can destroy entire business information in no time and nullify its existence. Continuous monitoring of this information and assessing the risks that these factors cause, becomes an important issue. All business data and resources (movable and immovable) are at stake if risk due to these factors is not analyzed. Malfunctioning of Cables and Other Components: Another major risk faced by the business is due to the improper functioning of components present in a system or the Network cables that make up the backbone of any network. Hardware faults are inevitable, so nullifying them will not be possible. Their affect could be equally frustrating and annoying. Even these cause many problems to the organizations that include data loss, increased response time, network congestions, and un-timely break up of systems and temporary stagnation of work (Cooper, 1995). Managing these risks is not only necessary but also very important for the growth of an organization. Trashing: Trashing, also known as dumpster diving is a possible physical risk commonly found in the corporate sector. In this method, sensitive data is searched for in the trash and most of the times, the crackers become successful. History has proved that many industrial spies achieved remarkable success with this approach. It is common for crackers to find useful information in used tape drives, disks and discarded print outs. Crackers often find computer manuals, passwords and other information in them. All sensitive data that should not be saved will be saved and can be easily recoverable from trash. This becomes the initial point for the risks. A cracker sees a highway ahead to breach the system with this approach (Cooper, 1995). Eaves Dropping: Business data may be prone to interception with this approach, commonly known as Eaves dropping. It is a known fact that upon pressing a key on the keyboard, Electro Magnetic waves will be generated (Cooper, 1995). Many crackers use this property to capture these signals and decode them. This is more easily done than said. Intelligence personnel, media and Industrial spies have improved technical devices that facilitate this process. Pushing of unnecessary data on to the line or tapping of a message or changing the content of a message is done here. This Interception of data proves to be very costly for the Businesses. Need for a Disaster Recovery Plan The purpose of security in any Information System, Computer Network Infrastructure or Computing/Database System is to assure three essential features: Confidentiality, Integrity and Authenticity. Confidentiality: Confidentiality is ensuring that sensitive information does not fall into the hands of those who are not authorized to have it (Dhillon, 2001). Confidentiality is also known as secrecy or privacy. Integrity: Integrity means that the information is protected against unauthorized changes that are not detectable to authorized users (Kinkus, nd). Authenticity: Authentication means that the parties involved in communication first prove their identity before communication can begin (Tipton & Krause, 2007). The level of security required in a particular system will depend upon the risks associated with the system, the data held on the system and the working environment of the system. To assure these factors a disaster recovery plan is essential to ensure the business continuity in case of disasters. Essentials of a Disaster Recovery Plan Ideally, a well-conceived disaster recovery plan will include strategies for rapidly restoring any mission-critical business applications. However, the creation of (and maintenance of) a sound business continuity and disaster recovery plan, is a complex undertaking, involving a series of steps. Texas A&M University states that a sound plan generally includes but is not limited to the following (TAMU, nd): Disaster project team with a list of basic responsibilities for the team members. List of offices and programs in order of assessed critical dependence upon automated data processing (ADP) Risk assessment of types of disasters Recovery priorities and operations Requirements analysis Plan update criteria and review schedule Hardware and software inventory Support agreements with agencies and vendors NIST Guidelines: The 7 Steps to IT Contingency Planning National Institute of Standards and Technology (NIST), one of the prominent organization responsible for creating, maintaining and regularly updating standards, provides guidelines to individuals/groups responsible for preparing and maintaining IT contingency plans for companies. NIST's IT contingency planning guide identifies fundamental planning principles and practices to help personnel develop and maintain effective IT contingency plans. The NIST guidance should be considered during every stage of contingency planning, starting with the conceptualization of contingency planning efforts through plan maintenance and disposal of the contingency plan. Apart from describing the life-cycle of the contingency plan implementation, NIST has jotted down seven major steps to develop and maintain an effective IT contingency plan. They are: Develop the contingency planning policy statement Conduct the Business Impact Analysis (BIA) Identify preventive controls Develop recovery strategies Develop an IT contingency plan Plan testing, training, and exercises Plan maintenance The following sections now discuss the general steps a company which is intending to implement an IT contingency plan must undertake with respect to the seven steps outlined by NIST. Develop the contingency planning policy statement: A policy is an organizational statement that is drafted at the corporate level. A policy is important since it binds all the members affiliated to the company to follow the policy guidelines. To be effective and to ensure that personnel fully understand the agency's contingency planning requirements, the contingency plan must be based on a clearly defined policy. NIST enumerates the key elements of the policy statement: Roles and responsibilities, Scope as applies to the type(s) of platform(s) and organization functions subject to contingency planning, Resource requirements, Training requirements, Exercise and testing schedules, Plan maintenance schedule and Frequency of backups and storage of backup media. Conduct the Business Impact Analysis (BIA): According to NIST, Business Impact Analysis (BIA) is an essential step in the contingency planning process. This step mainly involves in analyzing how the IT infrastructure and the contingency plan affects the business processes. This allows the company to analyze the disruption impacts and the allowable outage times. These results are incorporated into the iterative plan development. Based on these results, priorities can be established to various processes and thereby appropriate contingency plans may be developed. For example, if the outage impacts step determines that the system must be recovered within 4 hours, the Contingency Planning Coordinator would need to adopt measures to meet that requirement. Identify Preventive Controls: As indicated in the previous section, the BIA can provide the Contingency Planning Coordinator with vital information regarding system availability and recovery requirements. In some cases, the outage impacts identified in the BIA may be mitigated or eliminated through preventive measures that deter, detect, and/or reduce impacts to the system. Some of the common examples of preventive controls include utilizing an Uninterpretable Power Supply (UPS) system for the designated number of hours as discovered from the BIA, Gasoline powered generators for long term power supply, Fine Suppression Systems, Smoke Detectors and Frequently scheduled backups. However it must be noted that these preventive controls are generally expensive and will require purchasing products from competitive vendors. Therefore the companies must perform an extensive research about the various solutions available and make the best decision based on the resource constraints. Develop recovery strategies: Whenever there is a service disruption, the recovery strategies come into picture. These strategies aim at providing quick restores in events of disasters. Once again, the strategies must be developed by keeping the BIA results in mind. Some common recovery methods include commercial contracts with cold, warm, or hot site vendors, mobile sites, mirrored sites, reciprocal agreements with internal or external organizations, and service level agreements with the equipment vendors. In addition, technologies such as Redundant Arrays of Independent Disks (RAID), automatic fail-over, interruptible power supply (UPS), and mirrored systems should be considered when developing a system recovery strategy. Develop an IT contingency plan: IT contingency plan development is a critical step in the process of implementing a comprehensive contingency planning program. The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an IT system following a disruption. This plan is particularly important since it details the responsibilities each personnel must undertake in case of contingency. This should involve the notification phase, which describes who and how should the disruption be notified. The plan must also include the recovery phase which details the sequence of recovery activities in case of contingency. Finally the plan must also include the re-constitution phase which deals with testing and termination operations. Plan testing, training, and exercises: To test the capability of a contingency plan, a plan test is crucial. Testing enables plan deficiencies to be identified and addressed. Testing also helps evaluate the ability of the recovery staff to implement the plan quickly and effectively. The important areas the must be addressed in the contingency testing are System recovery on an alternate platform from backup media, Coordination among recovery teams, Internal and external connectivity, System performance using alternate equipment, Restoration of normal operations and Notification procedures. Testing is generally carried out as a demo exercise. A testing environment is created and disasters are introduced in a controlled way and the participants walk through the procedures listed in the contingency plan. The recovery personnel are generally trained on the following procedures: Purpose of the plan, Cross-team coordination and communication, Reporting procedures, Security requirements, Team-specific processes (Notification/Activation, Recovery, and Reconstitution Phases) and Individual responsibilities (Notification/Activation, Recovery, and Reconstitution Phases). Plan Maintenance: Like any other IT system, even an IT contingency plan must be placed in a 'production' state where it can be readily applied when most necessary. An important aspect of plant maintenance is regular review and updates. The updates must be synchronous to the changes in the IT system infrastructure of the company. The essential ares which are reviewed in the plan review are Operational requirements, Security requirements, Technical procedures, Hardware, software, and other equipment (types, specifications, and amount), Names and contact information of team members, Names and contact information of vendors, including alternate and off-site vendor POCs, Alternate and offsite facility requirements and Vital records (electronic and hardcopy). Case Study Exploring the technology and business ramifications following the tragic events of September 11 in United States of America gives us a picture about the losses that could occur if appropriate contingency planning is not applied. ZDNet.co.uk, states that Approximately 8,000 Intel-based servers and approximately 5,000 UNIX servers were lost at an approximate replacement cost of $370 million (ZDNet.co.uk, 2002). The extreme scenarios that have occurred as a result of the terrorist attacks in New York City provide a good lesson in how sometimes, even the best-laid plans can fail. organizations must now learn from these types of events and adapt current disaster recovery and business continuity plans to reflect these new issues and needs. Conclusion The information resources of any company are so integral to the mission of the companies that contingency planning must be in place to allow recovery of essential functions in face of either a natural or a man-made disaster. The people at the management level and their team members must work together to prioritize and create appropriate plans and actions to assure the company can continue to function in the face of a catastrophic event. Best practices developed by reliable organizations like NIST must be followed in order to ascertain business continuity in adverse situations. References Cooper, Frederic J, Goggans, Chris,; Halvey, John K.; Hughes, Larry; Morgan, Lisa; Siyan, Karanjit; Stallings, William; Stephenson, Peter (1995), "Implementing Internet Security", Indianapolis: New Riders Publishing. Gurpreet Dhillon (2001), "Information Security Management: Global Challenges in the New Millennium", IGI Press, Chapter 1. Jane F. Kinkus, "Science and Technology Resources on the Internet: Computer Security", Purdue University, Found at: http://www.istl.org/02-fall/internet.html. Harold Tipton & Micki Krause (2007), "Information Security Management Handbook", Auerbach Publications, 6th Edition. Herman Mehling (2007), "Disaster Recovery Planning brings peace of mind", Found at: http://searchcio.techtarget.com/tip/0,289483,sid19_gci1275061,00.html [Online Source] TAMU (nd), "Disaster Recovery Plan", Found at: http://falcon.tamucc.edu/compserv/pdf/Disaster_Recovery_Plan.pdf [Online Source] ZDNet.co.uk(2002), "Disaster Recovery: Hard Lessons from September 11th", Dave Shore, Found at: http://news.zdnet.co.uk/hardware/0,1000000091,2110487,00.htm [Online Source] NIST(2001), "Contingency Planning Guide for Information Technology Systems", Recommendations of the NIST, Publication:800-34, Found at: http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf [Online Source] Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Disaster Recovery Planning Essay Example | Topics and Well Written Essays - 2000 words”, n.d.)
Retrieved from https://studentshare.org/miscellaneous/1532151-disaster-recovery-planning
(Disaster Recovery Planning Essay Example | Topics and Well Written Essays - 2000 Words)
https://studentshare.org/miscellaneous/1532151-disaster-recovery-planning.
“Disaster Recovery Planning Essay Example | Topics and Well Written Essays - 2000 Words”, n.d. https://studentshare.org/miscellaneous/1532151-disaster-recovery-planning.
  • Cited: 0 times

CHECK THESE SAMPLES OF Disaster Recovery Planning for NIST

Disaster Recovery Plan in Respect of Share Broking House

The planning for the latter one involves substantial capital investment for establishing the required facilities for continuity of the business in an alternative site.... This paper "disaster recovery Plan in Respect of Share Broking House" aims to ensure normalcy in clearing and settlement operations in the business without loss of time, accessibility to staff for disaster recovery process, financial and operational support, a survey by insurance companies, etc....
8 Pages (2000 words) Business Plan

Disaster Recovery Planning

The paper "disaster recovery planning" discusses that generally, the main responsibility of the incident response teams is to ensure that they provide quick and adequate responses to emergencies that may occur to different organizations in various situations.... typical organizational network architecture disaster recovery plan This is a well-documented set of instructions or a process used to recover and protect business information and technology infrastructures in the occurrence of a disaster....
5 Pages (1250 words) Essay

Disaster Recovery Plan

The ultimate aim of the project 'disaster recovery Plan' is to protect the principal business functions and assets, and suggest a backup strategy to successfully bail out AU in the event of disasters.... his effort at the compilation of a dynamic disaster recovery Plan is to address the pertinent issues by utilizing the famed '5 W's & H What, Where, Which, When, Who and How' approach, by providing convincing answers to the six core questions spread out in the six sections that follow!...
19 Pages (4750 words) Term Paper

Disciplines of Emergency Management

The researcher of this essay aims to analyze emergency management or disaster management, that is the term used for dealing with unforeseen risk and more precisely to avoid such risks.... This involves the preparedness for any disaster before it occurs.... The emergency management has made the government more aware of the need for national security to deal with a national and global disaster (Emergency Management Roundtable, n.... itigation - This phase deals with preparation for the future against a disaster....
15 Pages (3750 words) Research Paper

Disaster Recovery Plan in Share Broking House

The planning for the latter one involves substantial capital investment for establishing the required facilities for continuity of the business in an alternative site.... The paper "disaster recovery Plan in Share Broking House" describes that in general, when the disaster management is underway, the complete authority rests with the incident response team to avoid overlapping of authorities in the implementation of the plan.... Similarly, the movement of people to the head office or disaster recovery site should be very quick....
8 Pages (2000 words) Case Study

Risk, Crisis and Disaster Management

Simply reopening the business and serving customers is not where the recovery process ends, allowances for stock losses and damage to customer relations must be factored into the recovery process.... Financial losses will, in all likelihood, complicate the business establishment recovery process (Heller & Darling, 2012; Smith, 2005).... The paper "Risk, Crisis and disaster Management" is a great example of a report on management....
6 Pages (1500 words) Report

Post Disaster Management

The paper "Post disaster Management" is a good example of a management essay.... The paper "Post disaster Management" is a good example of a management essay.... The paper "Post disaster Management" is a good example of a management essay.... Post-disaster strategies on waste management and reconstruction after a disaster will also be discussed briefly in this paper.... umanitarian aid aims to save the lives of helpless people and protect human prestige before, during and after any disaster....
6 Pages (1500 words) Essay

Disaster Management and Recovery Plan: B&C Company

It engages in preconstruction activities, construction activities, life cycle analysis, speed to revenue activities, active campus planning, and economic inclusion services.... In addition, the company also conducts active campus planning that entails analyzing the daily activities to ensure minimum disruptions to the operations.... "Disaster Management and recovery Plan: B&C Company" paper focuses on B&C Company, a company located in Hong Kong....
12 Pages (3000 words) Case Study
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us