-989965-1080134-990599325120PORTFOLIO
-989965-1080134-990599325120PORTFOLIO
Student Version
-990599325120-9905997259320ICTSAS526
Review and update disaster recovery and contingency plans
-9905997259320
CONTENTS
TOC h u z t "Heading 1,1,Heading 2,2,Heading 3,3,Heading 4,4,Heading 5,5,Heading 6,6,"Section 1: Review ICT system and threats and risks4
Section 2: Develop disaster recovery and contingency plan6
Student name:
Assessor:
Date:
Business this assessment is based on:
Section 1: Review ICT system and threats and risks
Business information
Summarise what the business does and its key products and services.
Additionally, describe the security environment in which the business operates, as well as statutory and commercial requirements that the business needs to abide by. Give at least three examples of statutory/commercial requirements and their link to disaster planning.
Critical functions
Identify and describe the critical business functions that would significantly threaten the business if they were to be disrupted or unavailable for a certain period of time.
Further identify and describe the critical data that the business holds, as well as software that also contributes to critical business functions.
Explain the business requirements in terms of contingencies.
Threats and risks
Identify at least five threats (both internal and external) to the business ICT systems and the associated risks this poses.
Identify and evaluate risk controls (prevention and recovery options) to mitigate or prevent threats. Evaluate these risk controls in terms of the business cost constraints and overall requirements.
Section 2: Develop disaster recovery and contingency plan
Industry standard procedures
Conduct research and then report on industry standard procedures for disaster recovery and contingency planning.
Describe these standard procedures and how you will ensure that they are reflected in your disaster recovery and contingency plan.
Disaster and recovery plan
Develop a disaster recovery and contingency plan in a format of your choice.
Your plan should include the following as a minimum:
The purpose of the plan.
Threats to ICT systems and risks this presents.
Disaster recovery and prevention strategy based on the business requirements, cost constraints, risks identified and standard industry procedures. Explain how your strategy addresses each of these.
Processes/actions to be followed, including cutover criteria plan.
Remember that your plan can be a high level plan as not all incidents can be included in the plan i.e. it can be high level actions to be taken rather than specific actions in relation to ICT incidents. Your plan will allow for these to be developed specific to the ICT incident.
Presentation
Write the title of your presentation here and attach it to your Portfolio.
Attach:618593143510 Disaster recovery and contingency plan
Presentation
Complete this section following your presentation.
Feedback
Summarise the feedback you received here and your response to the feedback.
Attach your updated disaster recovery and contingency plan based on the feedback you received.
Task sign off
Write an email here indicating your response to the feedback and requesting final task sign off.
-1015999-1092199Self-Study Guide
ICTSAS526 Review and update disaster recovery and contingency plans
-1015999-1092199
476250
About this document
This document is to be used as a self-study guide at home/in your own time to complement the formal learning you are doing as part of your classroom or online studies. It is a requirement of your course that you complete the activities in this guide.
You will need to take your notes/completed activities to class, or follow your trainers direction about how to complete activities.
If you are unsure about anything, talk to your trainer/assessor.
Self-study Guide
Unit code and title ICTSAS526 Review and update disaster recovery and contingency plans
Instructions
You are to complete each of the self-study tasks below. Each activity is a mandatory part of your study. After completing each of the tasks, tick the box below to show that you have completed the activity and bring evidence of this to class to share.
Activity Task Expected time Completed
Watch Watch the following video:
https://www.youtube.com/watch?v=c2WRVclyFcg (08:25)
Write notes for class:
What are your key takeaways from the video?
What did you find inspiring?
What did you agree with?
Is there anything you disagree with? Explain.
Has this video prompted you to think differently? How? 2 hours
Practical activity Brainstorm or research a series of potential threats to a system.
Using the identified threats, create a table to show you have evaluated the internal and external threats to a system and the contingency plan that should occur.
Consider risk identification, analysis, evaluation and management procedures. 4 hours
Research Research the common threats to ICT systems.
What are the potential business risks? How are threats identified? In what situations are disaster recovery strategies required? Take notes to share in class. 4 hours
Review Review your assessment requirements for this unit and read through your Project Portfolio so you know what you will be required to do. Make sure you review your Student Guide if you need to revisit some areas of your training. Ask your trainer any questions before you begin your assessment to ensure you understand all of the learning and are ready to be assessed. 3 hours
Reflection Reflect on the following:
Information learned during your training
Your main key takeaways from this unit
What did you learn that you didnt know already? How can you apply this in your study/work/life?
What did you find challenging or confronting? How did you overcome these challenges or barriers? 2 hours
16797380
Case Study Grow Management Consultants
Grow Management Consultants is a management consultancy company specialising in providing services to companies to assist them to improve the leadership performance of their staff. The company also offers a range of other services including professional development workshops, as well as an extensive library of e-books which are sold through an online shop. The e-books are very popular and focus on a wide range of leadership themes.
Grow Management Consultants staff all work remotely in their own homes (all located within 10 km of each other). Staff include the CEO, Paul Burns supported by three Principal Consultants who provide consulting services and write the e-books. A Customer Service Officer answers all customer enquiries and processes orders for consulting services and workshops.
eBooks are stored on the companys internal system, OneDrive and link directly to the online shop so that if changes are made, this automatically updates on the shop. The e-books are the companys main source of income so any disruption to the online shop would have an immediate impact on the companys functions.
Further any disruption to the existing software, Microsoft Office for Business hosted through OneDrive will have a significant impact as consultants will not be able to carry on with their critical consulting work which drives clients to the online shop.
For the purposes of this assessment, you are to assume you are an ICT professional contracted to prepare a disaster recovery plan.
It is noted that the business does not have any specific statutory or commercial requirements to abide by other than the usual legislative requirements for businesses.
It is also notes that the business uses Xero for its accounting system and stores staff and customer information as Microsoft Word documents. These systems are all critical.
The company is in a strong financial position and is prepared to put forward at least $20,000 per year to assist in prevention measures to assist with mitigating disaster.
Staff knowledge of cyber security threats is limited. There is no specific policy on anti-virus software or firewalls.
-990599-110489923368005811520ICTSAS526 Review and update disaster recovery and contingency plans
2336800581152016662420Review and update disaster recovery and contingency plans
16662420-3936991684020student assessment tasks
-3936991684020
17049750
Introduction
The assessment tasks for ICTSAS526 Review and update disaster recovery and contingency plans are outlined in the assessment plan below. These tasks have been designed to help you demonstrate the skills and knowledge that you have learnt during your course.
Please ensure that you read the instructions provided with these tasks carefully. You should also follow the advice provided in the IT Works Student User Guide. The Student User Guide provides important information for you relating to completing assessment successfully.
Assessment for this unit
ICTSAS526 Review and update disaster recovery and contingency plans describes the skills and knowledge required to analyse the impact of the system on the organisation and carry out risk analysis, disaster recovery and contingency planning.
For you to be assessed as competent, you must successfully complete two assessment tasks:
Assessment Task 1: Knowledge questions You must answer all questions correctly.
Assessment Task 2: Project You must work through a range of activities and complete a project portfolio.
Assessment Task 1: Knowledge Questions
Information for students
Knowledge questions are designed to help you demonstrate the knowledge which you have acquired during the learning phase of this unit. Ensure that you:
review the advice to students regarding answering knowledge questions in the IT Works Student User Guide
comply with the due date for assessment which your assessor will provide
answer all questions completely and correctly
submit work which is original and, where necessary, properly referenced
submit a completed cover sheet with your work
avoid sharing your answers with other students.
i
Assessment information
Information about how you should complete this assessment can be found in Appendix A of the IT Works Student User Guide. Refer to the appendix for information on:
where this task should be completed
the maximum time allowed for completing this assessment task
whether or not this task is open-book.
Note: You must complete and submit an assessment cover sheet with your work. A template is provided in Appendix C of the Student User Guide.
Questions
Provide answers to all of the questions below:
List two examples of methods that can be followed to back up data.
A documented disaster recovery plan is an important aspect of a business approach to planning for disaster recovery. Describe the purpose of a disaster recovery plan.
Review the following table which lists aspects that can be included in a disaster recovery plan. For each item, list a risk safeguard.
Physical security
System failure, accident or sabotage (hackers)
Denial of service
Virus attack
Cyber attack
Telecommunications failure
Contingency arrangements
WHS laws ensure that health and safety is protected at all times. Explain the link between disaster recovery planning and WHS.
Explain why the Fair Work Act needs to be considered in relation to disaster recovery.
Explain why it is important to understand existing the functionality of an ICT system when in regard to disaster recovery.
Explain how systems engineering is relevant to assessing system functionality.
Assessment Task 1: Checklist
Students name:
Did the student provide a sufficient and clear answer that addresses the suggested answer for the following? Completed successfully? Comments
Yes No
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
Question 7
Task outcome: Satisfactory Not satisfactory
Assessor signature:
Assessor name:
Date:
-990598-110489823241005798820ICTSAS526 Review and update disaster recovery and contingency plans
2324100579882016649720Review and update disaster recovery and contingency plans
16649720-3936991671320student assessment tasks
-3936991671320
17049750
Introduction
The assessment tasks for ICTSAS526 Review and update disaster recovery and contingency plans are outlined in the assessment plan below. These tasks have been designed to help you demonstrate the skills and knowledge that you have learnt during your course.
Please ensure that you read the instructions provided with these tasks carefully. You should also follow the advice provided in the IT Works Student User Guide. The Student User Guide provides important information for you relating to completing assessment successfully.
Assessment for this unit
ICTSAS526 Review and update disaster recovery and contingency plans describes the skills and knowledge required to analyse the impact of the system on the organisation and carry out risk analysis, disaster recovery and contingency planning.
For you to be assessed as competent, you must successfully complete two assessment tasks:
Assessment Task 1: Knowledge questions You must answer all questions correctly.
Assessment Task 2: Project You must work through a range of activities and complete a project portfolio.
Assessment Task 2: Project Portfolio
Information for students
In this task, you are required to demonstrate your skills and knowledge by working through a number of activities and completing and submitting a project portfolio.
You will need access to:
a suitable place to complete activities that replicates an ICT environment including a meeting space and computer and internet access
ICTSAS526 Simulation Pack or access to organisational documentation to assist with disaster recovery planning such as policies and procedures addressing information security generally including vulnerability assessment, acceptance testing, business impact analysis, security specifications
your learning resources and other information for reference
Project Portfolio template.
Ensure that you:
review the advice to students regarding responding to written tasks in the IT Works Student User Guide
comply with the due date for assessment which your assessor will provide
answer all questions completely and correctly
submit work which is original and, where necessary, properly referenced
submit a completed cover sheet with your work
avoid sharing your answers with other students.
i
Assessment information
Information about how you should complete this assessment can be found in Appendix A of the IT Works Student User Guide. Refer to the appendix for information on:
where this task should be completed
how your assessment should be submitted.
Note: You must complete and submit an assessment cover sheet with your work. A template is provided in Appendix B of the Student User Guide.
Activities
Complete the following activities:
Carefully read the following:
This project requires you to review an organisations ICT system and develop a disaster recovery and contingency plan to ensure that all threats are identified and down time is minimised for the business.
You can complete this project based on the case study organisation in the ICTSAS526 Simulation Pack or you can base it on an organisation that you are familiar with or working for. If you choose to complete the project based on a business of your choice, it is important that you can access a organisational documentation to assist with disaster recovery planning such as policies and procedures addressing information security generally including vulnerability assessment, acceptance testing, business impact analysis, security specifications. Speak to your assessor to get approval if you want to base this on an organisation of your choice.
You will be collecting evidence for this unit in a Project Portfolio. The steps you need to take are outlined below.
Preparation
Make sure you are familiar with the organisation you are basing this assessment on and have read through the necessary background information. For the case study organisation, this is all of the documents included in the ICTSAS526 Simulation Pack. If its your own organisation, its important that you have this approved by your assessor.
Complete Page 4 of your Project Portfolio for this unit.
Read through the requirements of Section 1 and 2 of your Project Portfolio which include detailed guidance relevant to all the assessment activities.
Review ICT system and threats and risks
You are now to complete Section 1 of your Project Portfolio by reviewing the ICT system and its impact on business continuity, as well as ICT system threats and risks. This involves:
Identifying the critical functions of the business and the security environment in which it operates.
Identifying critical data and software for the business.
Assessing and reporting on the impact of threats to ICT systems and the risks this poses.
Identify statutory and commercial requirements that the business needs to factor into contingency plans.
Identify existing contingency plans/requirements.
Identifying and assessing threats, as well as the risks of these threats and associated risk controls.
Complete Section 1 of your Project Portfolio.
Develop disaster recovery and contingency plan
Next complete Section 2 of your Project Portfolio by developing a disaster and recovery plan. This involves:
Reviewing potential prevention and recovery options based on the business requirements and budget.
Researching and reviewing industry standard procedures for disaster recovery and contingencies to inform the disaster and recovery plan.
Developing a disaster recovery and contingency plan.
You are also to prepare a short presentation about the work that you have completed that can be presented to a team for feedback. This will be to a small group of students organised by your assessor. If you are completing this based on your own business, it can be a presentation to your team at work or you can also present it to a small group of students.
Your presentation should be for approximately 10 minutes.
Complete Section 2 of your Portfolio.
Disaster recovery and contingency plan presentation
Provide your presentation to your team about the disaster recovery and contingency plan you have developed. Make sure you provide your team the opportunity to provide feedback. Following the presentation, you will document the feedback in your Portfolio, as well as your response.
During the presentation, you are to use oral communication and teamwork skills including:
speaking clearly and concisely
using industry language that your audience can understand
asking questions to identify required information
responding to questions as required
using active listening techniques to confirm understanding
fostering a collaborative culture using relevant techniques.
i
This can either be viewed in person by your assessor or you may like to video record the session for your assessor to watch later. Your assessor can provide you with more details at this step. Make sure you follow the instructions above and meet the timeframes allocated.
Following the presentation, include the feedback you received in Section 2 of your Portfolio and make amendments to your disaster recovery and contingency plan as required depending on the feedback provided.
Submit your completed Project Portfolio
Make sure you have completed all sections of your Project Portfolio, answered all questions, provided enough detail as indicated and proofread for spelling and grammar as necessary.
Submit to your assessor for marking.
Assessment Task 2: Checklist
Students name:
Did the student: Completed successfully? Comments
Yes No
Identify and report on the business critical functions that impact on disaster recovery and contingencies?
Identify statutory requirements and commercial requirements that apply to the business?
Identify and report on the business security environment?
Identify and report on the business contingency requirements?
Identify and report on the business critical data and software?
Identify and assess threats (internal and external) to the business, as well as associated risks and impact on the business ICT systems?
Identify, evaluate and document risk minimisation alternatives considering the business budget and requirements?
Evaluate and document prevention and recovery options considering the business budget and requirements?
Research and review industry standard operational procedures for disaster and contingency plans?
Develop and document a disaster recovery and contingency plan that includes resources and processes according to the budget and business requirements?
Use review to check required risk safeguards and contingency plans are in place?
Identify and document disaster strategy processes?
Identify and document required cut-over criteria plan?
Seek feedback on the disaster recovery and contingency plan?
Use oral communication skills including:
speaking clearly and concisely
asking questions to identify required information
responding to questions as required
using active listening techniques to confirm understanding
observational techniques to ensure that everyone is participating so that you a range of different perspectives can be gained?
Respond to feedback on the disaster recovery and contingency plan?
Obtain final task sign off?
Task outcome: Satisfactory Not satisfactory
Assessor signature:
Assessor name:
Date:
Final Results Record
Student name:
Assessor name:
Date
Final assessment results
Task Type Result
Satisfactory Unsatisfactory Did not submit
Assessment Task 1 Knowledge questions S U DNS
Assessment Task 2 Project Portfolio S U DNS
Overall unit results C NYC
Feedback
My performance in this unit has been discussed and explained to me.
I would like to appeal this assessment decision.
Student signature: Date:
I hereby certify that this student has been assessed by me and that the assessment has been carried out according to the required assessment procedures.
Assessor signature: Date:
-1016813-1081404-6730996878320student guide
-67309968783201270001366520Review and update disaster recovery and contingency plans
1270001366520
2590800261620ICTSAS526 Review and update disaster recovery and contingency plans
2590800261620
17335500
CONTENTS
TOC h u z t "Heading 1,1,Heading 2,2,Heading 3,3,Heading 4,4,Heading 5,5,Heading 6,6,"Overview3
Topic 1: Impacts on business continuity4
Topic 2: Evaluating system threats14
Topic 3: Prevention and recovery strategies18
Topic 4: Disaster recovery plans22
Overview
Application of the unit
This unit describes the skills and knowledge required to analyse the impact of the system on the organisation and carry out risk analysis, disaster recovery and contingency planning.
It applies to individuals who apply a wide range of higher-level technical skills and systematic problem-solving approaches in Information and Communications Technology (ICT) related areas.
No licensing, legislative or certification requirements apply to this unit at the time of publication.
Learning goals
Learning goals include:
evaluating system impact on business continuity
evaluating system threats
formulating prevention and recovery strategy
developing disaster recovery plan.
Topic 1: Impacts on business continuity
This topic is about evaluating system impacts on an organisations business continuity. It includes identifying business critical functions and the security environment, critical data and software and then assessing the potential impact of business risk and threats on ICT systems. Finally, the topic will end with identifying statutory, commercial and contingency requirements for an organisation.
Introduction
Contingency plans and disaster recovery plans are needed to help an organisation in the event of an unplanned event that disrupts business operations. A contingency plan is the advanced planning an organisation makes to prepare in case of a disaster, unplanned event or disruption and explains the measures needed to keep the business running (referred to as business continuity). A disaster recovery plan on the other hand is used to guides the process used to get a business back to normal after a disaster.
Business continuity
Now lets look further at what business continuity means for a business:
potential threats and disruption
prevention and recovery
business critical operations
disaster planning
Business continuity
Business continuity is the ability for an organisation to continue to maintain its critical functions during and after a disaster has occurred with as little downtime as possible. It includes planning for unpredictable events as well as natural disasters, pandemics such as Covid 19, system failure, denial of service, cyber threats, unknown disasters or external threats and failures such as telecommunications failure or hackers, or internal disruption caused by accident or sabotage.
A disaster recovery plan (DRP) is an action plan used for recovering critical business functions after a disaster. The purpose of a DRP is to recover critical business functions as soon as possible to minimise disruption to the business and subsequently downtime and loss of money.
Activity: Read
The following is an example of an IT disaster recovery plan:
https://www.microfocus.com/media/unspecified/disaster_recovery_planning_ template_revised.pdf
Take notes and keep them for further reference.
Business continuity planning therefore is a critical part of business operations and can provide a framework for building organisational resilience.
The organisational planning process can support this planning as it includes strategic tactical, operational and contingency planning. ICT business solutions should therefore align with the business goals. This could relate to governance, business systems, applications, infrastructure, technology, security and business continuity, forming part of the IT contingency plan.
Contingency planning provides a course of action to take if an unexpected event or situation occurs. It is an important part of business continuity as it helps to ensure the organisation is ready for anything.
A contingency plan can include different scenarios to plan for, when the plan should be triggered, the response strategy for an event occurring, roles and responsibilities, timelines for actions to happen.
Activity: Read
Read through the following examples for contingency planning.
A guide to creating a business contingency plan:
https://creately.com/blog/business/business-contingency-plan-templates/
Contingency plan examples and templates:
https://www.smartsheet.com/content/contingency-plan-templates
Take any notes to summarise what you have read and keep for future reference.
Furthermore, an organisations existing systems must be able to cope in the event of a disaster. The way in which these are set up and functioning will make a major contribution to the effectiveness of business continuity.
They must be able to carry on with the work intended, therefore it is important to understand the functionality provided by the system and if it will in fact be able to cope with any disaster. For example, the inputs and outputs of the system, the way in which a backup is carried out, how the infrastructure is set up to cope with disaster recovery.
A successful disaster recovery strategy includes determining the ways in which systems can fail unexpectedly and subsequently developing a plan to recover from any failure or disruption.
Therefore, the ability to keep an organisation running in the event of a disaster or disruption will rely on the way in which the system functions.
Systems engineering can support the verification that the system is functional by ensuring that all the elements are working together to perform the needs required.
It can involve conducting a business impact analysis, vulnerability assessment and conducting testing to determine how well the system can handle failures and the way in which it can be recovered.
Activity: Read
Read through the following ICT strategic plan for the Shire of Broome which provides a good example of how the planning process links to the development of ICT business solutions: ICT strategic plan
(This link will download a PDF to your drive.)
Read the following article on contingency planning:
https://www.ifrc.org/en/what-we-do/disaster-management/preparing-for-disaster/disaster-preparedness-tools/contingency-planning-and-disaster-response-planning/
Take any notes to summarise what you have read and keep for future reference.
Critical functions and security environment
The first thing in evaluating system impacts on business continuity is to understand the organisational business domain and identify the required business critical functions and security environment.
The organisational business domain is a term used to describe the environment in which the business operates and its overall operations. It is made up of different components, each which have a direct impact on the company. Some key features of business domains include:
Organisational structure
Business strategy
Policies and procedures
Financial accounts
Employees
Asset registers
Network infrastructure.
The information collected about the business domain can provide an understanding of the critical functions that may impact on business continuity.
The definition of a critical function is one that the business depends upon and would be severely impacted if it were not available.
Some examples of business-critical functions include:
Accounting and payroll systems
Customer service functions
Financial systems
Data and information
IT infrastructure.
An organisation may have already identified what functions the business relies upon, however it is important to have these documented so that a contingency plan can be put in place with any relevant recovery procedures.
It is also important to identify the required security environment. This includes:
Security policies and procedures used
Network security
Hardware and software protection.
You may be able to obtain this information from previous contingency plans, disaster recovery plans, or documentation relating to the security environment.
Part of this process will be to also identify required critical data and software that are also vital to the operation of a business: if data gets lost, corrupted, stolen or damaged; what would be the risk to the business?
For example, there could be financial loss, compliance issues, loss of reputation, data and information breaches. Therefore, you will need to identify:
which data needs protection and why
how data and information is stored and protected and what further protections are required
what authorisations, permissions and authentications are currently used or required.
Software is also important as this could have disastrous effects if not available, for example it could cause disruption to linked data, cause stoppage in work productivity or failure for systems to complete tasks such as payroll.
To gather this information, you may have to conduct consultation by talking with any key stakeholders, for example:
IT, human resources, team managers and users of the system; carrying out research on the current systems, protections, and security currently in place; reviewing statistical data or past records of incidents that have occurred, or checking compliance requirements for legislation and regulations relating to cyber security.
Activity: Research and discuss
Taking the RTO that you are studying at, or an organisation that you are working with or are familiar with, brainstorm with another person:
the organisational business domain
at least five business critical functions, and explain why these are critical
what makes up the security environment.
Your trainer/assessor will facilitate a group discussion about your findings.
Business risk and threats on ICT systems
Once you have identified the business-critical functions, security environment and critical data and software, the next step would be to assess any potential impacts of business risk and threats on ICT systems.
Image byMichael DziedziconUnsplash HYPERLINK "https://unsplash.com/s/photos/computer-failure?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"
Potential business risks can be categorised into different areas:
Strategic
Compliance
Financial
Operational
Threats on ICT systems can broadly cover general IT threats, criminal threats, natural disasters. For example:
Failure to hardware and software
Viruses, spam, scams, phishing and malicious software disrupting operations
Human error and accidents
Hackers, security breaches, denial of service and cyber attacks
Employee sabotage or espionage
Theft and fraud
Pandemics or life-threatening diseases
Fire, flood, cyclones, earthquakes.
When assessing the impact on a business, financial loss will be one of the main issues to address.
To assess business risk and threats on ICT systems, a business impact analysis can be undertaken to help determine how long an organisation can withstand a closure, disruption, downtime or survive without income being generated, as well as:
The escalation of losses over a period of time
The loss of revenue i.e., ongoing cash flow
The loss of business i.e., customers
The loss of resources
Loss of data, information and knowledge critical to the business.
Potential non-compliance to statutory or regulatory breaches, fines, penalties or litigation costs
Loss of reputation and brand image
Resources needed to continue operations
The main purpose of undertaking a business impact analysis is to identify processes, systems, and functions that are of highest priority for the survival of your business.
You also can then also identify a recovery point by determining the critical services that need to be up and running in order for business operations to continue effectively.
Identification of requirements
Organisations have an obligation and responsibility for different legislative requirements. This may change according to the industry, sector and state or territory in Australia.
Legal requirements relate to maintaining compliance such as protection against cybercrime and security, privacy and confidentiality of data and information including data breaches.
Cybercrime such as hacking, phishing, stealing data, using social engineering to disrupt business operations are covered by laws and regulations in Australia including the Privacy Act 1988, which covers the protection of personal information and complying with the Notifiable Data Breaches scheme. This means that an organisation must put in measures to protect against any possible threats as well as preparing for unplanned disasters or disruption due to cybercrime.
The workplace Health and safety Act 2012 applies where a disaster or emergency occurring at the workplace could bring risk (for example an exposure to a hazard such as a pandemic virus or a natural disaster). It also covers the obligations relating to duty of care for the health and safety of workers such as provision for safe working conditions or supporting employees through the stress of a disaster.
An organisation also has the responsibility for conducting investigations of data breaches and reporting on incidents.
As part of WHS regulations, organisations are also required to have an emergency plan to guide workers in the case of an emergency (this can include responsibilities, evacuation procedures, fire protection equipment, extreme weather conditions and first aid.
Further legislation applies to business continuity such as The Fair Work Act 2009 which includes provisions to enable employers to stand down employees, without pay, where they cannot usefully be employed during a period because of any stoppage of work for which the employer cannot reasonably be held responsible, such as a natural disaster or pandemic.
Activity: Read
Read through the following information from safe work Australia on emergency plans:
https://www.safeworkaustralia.gov.au/topic/emergency-plans-and-procedures
There is particular information for WHS for the information media and telecommunications industry which also includes support for Covid-19:
https://business.gov.au/planning/industry-information/information-media-and-telecommunications-industry
Take any notes to summarise what you have read and keep for future reference.
Activity: Read
Read further information on data breaches and the Australian Privacy Act:
https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-1-data-breaches-and-the-australian-privacy-act/
Take any notes to summarise what you have read and keep for future reference.
There will be other considerations when evaluating system impacts on business continuity such as statutory requirements, commercial requirements, and contingency requirements; all according to organisational requirements. These are outlined in the following table:
Statutory requirements
Failure to prevent, mitigate, manage or respond to an incident may result in a breach of the Corporations Act 2001 where an organisation has not exercised due care and diligence.
The Australian Federal Governments regulations relating to managing cybersecurity through the Notifiable Data Breach Scheme, legislation requires many businesses to notify customers at risk of serious harm due to unauthorised access to personal and financial information.
Cyber security good practices to ensure that cyber strategies, policies and procedures are kept up to date are covered by the Australian Securities and Investments Commission (ASIC).
Standards to help with threat evaluation such as ISO31000: the standard used for risk management, including a list of steps on how to deal with risk (includes steps for avoiding, accepting, removing, changing the likelihood and consequence, sharing the risk or retaining).
Standards for business continuity (AS/NSZ) 5050-2010; this covers the approach for managing disruption related risks.
Standards used for back-up methodologies: ISO270001/2 is widely used in the ICT sector to standardise and guide cyber security via integrity, minimising risks, information availability and controls. It includes the standards for computer system backups.
The 3-2-1 rule for backing up data (3 copies or versions, 2 different media, 1 backup off-site).
Industry standards relating to undertaking ICT business solutions: ICT strategies must reflect the business objectives and align to the overall organisational strategy. This can include addressing the following:
ICT governance
Business systemsand applications
Infrastructure and technology
ITbusinesscontinuity
Security, privacy and confidentiality
Information management
Commercial requirements
Access to systems and network
Availability of systems
Backup
Privacy and confidentiality of data and information
Encryption, firewalls
Integrity of data
Passwords, logons, authentication, permissions and authorities
Storage, protection and data recovery
Contingency requirements
Identifying weaknesses and providing a disaster prevention program
Minimising disruption to business operations
Providing a coordinated approach to the disaster recovery process
Organisational requirements
New policies and procedures
Further security protections
Training and education
Support documentation
Changing processes or systems to be compliant
Activity: Read
The Privacy Act 1988 covering data protection:
https://www.oaic.gov.au/privacy/the-privacy-act/
13 Australian Privacy Principles governing standards, rights and obligations for protecting and securing data and information:
https://www.oaic.gov.au/privacy/australian-privacy-principles/
Notifiable Data Breach (NDB) Scheme and implications for unauthorised access of data:
https://www.mailguard.com.au/partner-blog/cybersecurity-legislation-ndb-20180202
Read about the ISO standards: ISO31000:
https://www.iso.org/iso-31000-risk-management.html
Take any notes to summarise what you have read and keep for future reference.
Activity: Watch
Watch the following video on business continuity planning.
Video: https://www.youtube.com/watch?v=ZetTrqWFE_w (02:30)
Watch this video on contingency planning in business.
Video: https://www.youtube.com/watch?v=u8opWqEy4BM (10:16)
Note down your key takeaways.
Activity: Group work
Work in a small group for this activity.
Find an example of a contingency plan and review its contents. Create a template that you could use to develop your own contingency plan.
Taking the RTO that you are studying at, or an organisation that you are working for or are familiar with, brainstorm with your group:
The organisational business domain
At least five business critical functions, and explain why these are critical
What makes up the security environment
Make a list of all the critical data and software
What would be the potential risks to the business in the event of a disaster such as for example the need to shut down due to a natural disaster? What would be the impacts to the business if this occurred? What would be the potential threats on the ICT systems?
Identify the contingency requirements based on your findings.
Discuss your findings with your trainer/assessor for further feedback.
Include the information in a professionally typed document and submit to your trainer/assessor for feedback.
Topic 2: Evaluating system threats
In this topic we will be looking at identifying and documenting internal and external business environment system threats, evaluating and documenting risk minimisation alternatives against cost constraints and organisational requirements and then seeking and responding to feedback.374904039128
Business environment system threats
System threats can be both internal and external to the business environment so it is important to identify and document these so a holistic response to these can be planned.
System threats relate to the IT infrastructure, networks, data, hardware, software and also the human element.
Image byBermix StudioonUnsplash HYPERLINK "https://unsplash.com/s/photos/hacker?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"
Internal threats to the business environment External threats to the business environment
Viruses caused by users of the system. Theft of data.
Accidental deletion or corruption, loss or damage of data and or software. Hackers, malware or denial of service.
Lack of security authentication, permissions or authority for accessing system networks and data. Telecommunications failures.
Incorrect processing or errors, hardware failure or an inability to access software. Natural disasters such as fire, flood, earthquakes or pandemics.
Fraud or intentional sabotage from workers. Electrical failure, outages or spikes
This can be from users of the system not following policies and procedures, lack of training or knowledge of security risks, through unintentional or accidental error or mistakes, committing fraud or sabotage.
It can also occur from poor implementation and monitoring of policies and procedures, poor functionality with systems and processes or lack of monitoring and testing systems. This can be from external and uncontrollable forces, attacks by ex-employees, service failures or corporate espionage.
Risk minimisation
To minimise the risk of threat to an organisations business, you can conduct a risk assessment.
One of the main sources of information for disaster recovery and contingency planning will be from carrying out a risk assessment. Developing a risk assessment plan can help to identify and prioritise risks to an organisation. Broadly, a risk assessment includes:
Risk identification.
Risk analysis.
Risk evaluation.
Risk identification looks at identifying assets, threats, constructing risk scenarios of vulnerability and consequence.
Risk analysis looks at the elements making up each risk scenario to determine the likelihood and impact of each risk occurring then the impact to the business.
Risk evaluation should then provide an understanding of the significance of the risk level, prioritise them and then document the risk.
A risk matrix identifies the risks and can include a description of the risk, the cause, impact, likelihood of it occurring, the consequence, risk level and actions taken to mitigate the risk. For example, you may identify:
Threat Vulnerability Asset and consequence Risk
Malicious attack such as DDoS Configuration of network System downtime Loss of income, loss of data
LIKELIHOOD HIGH RISK LOW RISK CRITICAL MODERATE
Identification of what is high, low, critical or moderate risk should be according to the organisations risk level and tolerance. For example
CRITICAL:This risk level is unacceptable and would create an impact so severe that it would cause catastrophic damage to the company.
LOW:This level of risk can be accepted if no strategies can be implemented.
It is the unacceptable risks or amount of risk acceptable that need to be addressed, as these would relate to the organisations risk appetite.
The risk assessment plan would include the measures needed to respond to the risk. These are the risk mitigation options, based on the probability of occurrence and severity of the consequence for an identified risk (as shown in the above table). Risk mitigation can include:
Accept the risk
Control the risk
Avoid the risk
Transfer the risk
Controls must be able to either reduce the likelihood of risk or reduce the impact.
Activity: Read
Read the following article for more information on risk mitigation strategies:
https://www.indeed.com/career-advice/career-development/risk-mitigation-strategies
Take any notes to summarise what you have read and keep for future reference.
Unfortunately, the majority of organisations will not be able to afford protection against every possible disaster so you may need to evaluate and document alternatives to minimising risk, against the constraints such as costs and organisational requirements.
When planning for risk minimisation you can take into consideration different scenarios for recovery, the related costs and time it will take for business operations to be back.
For example:
Critical infrastructure failure.
Unavailability of information, data, equipment, materials or assets.
Litigation fees, non-compliance to legal obligations.
Loss of access to the building, records, communications, IT, key staff.
Denial of services.
Meeting compliances to support employees during a period of shutdown.
However, as stated, there can be many different alternatives, each requiring a budget with steps for planning, implementing and testing each scenario.
Therefore, generally, you would want to plan for disasters that are most likely to happen and that would have the highest likelihood of occurring and the biggest risk to the organisation.
Before you can go onto formulating a prevention and recovery strategy, you will need to document the risk minimisation alternatives and have this reviewed by any authority on the project such as a project manager or key decision maker. 220281548081
Any feedback received should then be considered and responded to as appropriate and relevant. You may need to re-submit the document until everyone is happy with continuing onto the next stage.
Image by Startup Stock Photos on Pexels
Activity: Group work
Divide back into your group and discuss the following:
Identify any internal and external business environment system threats and record these down.
Consider four risk minimisation alternatives keeping in mind organisational cost constraints and organisational requirements for the organisation you are using.
Record your responses in a professionally written and structured document and submit to your trainer/assessor to seek feedback.
Your trainer/assessor will respond with feedback and you must incorporate the feedback into your document.
Topic 3: Prevention and recovery strategies
This topic is formulating prevention and recovery strategies, which covers prevention and recovery options, reviewing industry standard operational procedures against any required risk safeguards and contingency plans that are in place and then submitting a disaster recovery and prevention strategy for feedback.278193513334
Image bybenjamin lehmanonUnsplash HYPERLINK "https://unsplash.com/s/photos/backup-disk?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"
Prevention and recovery options
To respond to the threat of disaster and risk to business continuity, you need to evaluate and document prevention and recovery options against the business specifications and any cost constraints.
The business specifications should be identified from the business impact analysis, the critical business functions, impacts, risks and threats.
Prevention options are the actions that you take in preparation that will mitigate the risk of threat to business operations. You want to be able to minimise the probability of a disastrous event occurring. As discussed earlier, some may not be eliminated, but their impact could be minimised.
Prevention options could include:
Off-site backup
Firewalls, virus software
Training and education
Safeguards on hardware such as physical protection
Data protection
User security such as authority and permissions
Encryption, password and access rights
Testing
Using equipment such as uninterruptable power supplies (UPS) or generators
Recovery options are put in place to support a quick and efficient system or business recovery after an event occurs. For example, if a fire has completely gutted a building then there are options in place to recover the business so it is operational, such as back up of data, availability of finances to restore resources, insurance in place to re-coup losses. These are the contingencies that an organisation will use to restore order to business operations.
Recovery options could include:
Restoring systems from back up
Using a hot site, set up and ready to go at another location.
Restoring or using online cloud services
Restoring or using virtual systems
Counselling employees for health and well-being after a disaster
The options chosen for both prevention recovery will be dependent upon the business specifications as well as any cost constraints. For example, having a hot site costs a fair amount of money and would not be suitable for a small business owner.
The loss of critical systems can have major costs for large organisations, for example financial institutions, airlines, and may have much more to lose than that of a smaller business. Therefore, they may be willing to invest more money in the prevention and recovery to keep their systems running in the event of a major disaster.
It is important therefore, to choose the most viable options such as through the implementation of policies and procedures or setting up a virtual environment.
When deciding on the best options to adopt, you will need to consider the possible cost of the disaster, against the cost of the recovery or prevention option. A simple formula can be used to calculate how much money to allocate to a recovery or prevention measure for the known value of an asset:
Loss = Single Incident Cost X Rate of Threat Occurrence
The best form of avoiding the fallout from a disaster occurring is to have a good prevention strategy in place. This includes planning for business continuity, disaster planning and contingencies.
A strategy can be formally documented to include recommendations for risk prevention and recovery so that a disaster recovery plan can be implemented. It could broadly include:
The scope of the strategy, including the systems to be covered
Which systems, data are critical
The business functions of the organisation impacted by the systems
Possible impacts of any event occurring
Current security or controls in place
Any assumptions of future developments or expected changes
Risk assessment carried out
Any cost outlay/cost benefit analysis
Preventative and recovery measures
Any recommendations
Actions to implement the strategy.
To support formulating the strategy, you can review industry standard operational procedures to determine if you have met any required risk safeguards and that the contingency plans are following industry standards.
ISO 22301 is the standard for business continuity management to minimise the impact of disruptive incidents, it includes:
Identifying and managing current and future threats
Taking a proactive approach to minimising the impact of incidents
Keeping critical functions up and running during times of crises
Minimising downtime during incidents and improving recovery time
Demonstrating resilience to customers, suppliers and for tender requests.
Risk safeguards may include:
Physical security such as locks, cameras
System failure, accident or sabotage (hackers) such as backup strategies, authorisation and permissions, firewalls, training and equipment to safeguard systems.
Denial of service using virtual environments or safeguarding using encryption and two-factor authentication.
Virus attack prevention using virus software.
Cyber-attack with safeguards that could include using a cloud service, security policies or virtual environments.
Telecommunications failure safeguards such as surge protectors.
Contingency arrangements using contingency plans to support recovery from disaster.
Submitting the strategy for feedback
Before you can continue on to developing a disaster recovery plan, you will need to submit the disaster recovery and prevention strategy to any key decision makers for feedback. It may include feedback relating to business requirements, legal compliances or approval for funding. Any feedback received should be responded to; this may include confirming and applying any changes or seeking further information. 2396311461644
You may submit the strategy via email to a group of key decision makers or develop a presentation to project managers or senior management so that you can gain feedback for specific areas or further requirements.4140200889000Image by mentatdgt on Pexels
4140200889000
Activity: Discuss
Work in pairs for this activity. Consider an organisation that has 200 staff. 150 work directly at the office and have their own computer to work on. The other 50 use laptops or their own computers at home.
Unfortunately, the office is located on a site where there are numerous power surges; this results in a number of computers being damaged or corrupted every month. Subsequently they either have to be repaired or must be replaced. In both instances the person does not have a computer to work on until it is replaced. There would be a number of options here. For example, install power surge protectors, provide a number of laptops for emergencies.
Using some rough estimations, work out how much it would cost to prevent these occurrences if a power surge protector was to be installed. You can make any reasonable assumptions.
Note down your answers. Your trainer/assessor will facilitate a discussion and provide your group with feedback.
Activity: Group work
Divide back into your group and discuss the following:
Three prevention and recovery options for the organisation that would meet any organisational cost constraints.
Develop a disaster recovery and prevention strategy based on the information you have researched and received feedback from. Seek any advice or feedback from your trainer/assessor to assist you in developing the strategy and incorporate the feedback into your document.
Submit when completed for further feedback.
Topic 4: Disaster recovery plans
Finally in topic 4, we discuss developing disaster recovery plans including identifying and documenting disaster recovery resources, disaster strategy processes, cut-over criteria plans and then documenting the disaster recovery plan and submitting for feedback land then final sign approval.
Activity: Watch
Watch the following video on ICT Disaster recovery planning.
Video: https://www.youtube.com/watch?v=rdlp7r953Nk (06:53)
Write down your key takeaways.
Resources
If you are developing a disaster recovery plan, one of the main things you will need to identify are the disaster recovery resources needed.
The resources can relate to those that must be available to use when needed so that the organisation can operate in order to recover from an event. For example:
Personnel
Assets, information and data
Plant, equipment and materials
IT environment and infrastructure
Hardware, software, devices and components
Health and safety (such as for a pandemic)
Building, facilities and supplies
Skills
Telecommunications
Access to utilities and services
Finances
Insurance
Again, the availability of resources will be dependent upon cost constraints, an organisation may be limited in its capability to cover all the resources needed at once. It would be necessary therefore to determine those resources most needed by the organisation as a priority. For example, if it is to have insurance then this must be included in the plan.
After identifying the resources required you may find that in order for the disaster recovery to be successful and effective, new resources are required.
For example, you may need to purchase updated hardware and software to ensure that the security is current for the changing needs of the organisation or where new technology has been introduced. Another resource may be to install new virtual environments to cover identified risks for attacks on software, hardware and data.
Or it could be as simple as ensuring that each floor in the office has a fire-extinguisher available and working. Any options that have been identified would need to go through a cost benefit analysis or meet any cost constraints such as budgets or available funds.
It is always important to have a number of options with clear costs and benefits so that the decision makers are fully informed and can make judgements based on what has been presented.
Activity: Group work
Divide back into your group and discuss the following:
Reflect on the disaster recovery and prevention strategy.
What resources would be needed in the event of a disaster, such as a pandemic?
List them in order and provide different options according to how much they would cost.
Develop a disaster recovery and prevention strategy based on the information you have researched and received feedback from. Seek any advice or feedback from your trainer/assessor to assist you in developing the strategy and incorporate the feedback into your document.
Submit when completed for further feedback.
Disaster strategy processes
The disaster strategy processes should guide a disaster recovery team or organisation through the recovery of a disaster, minimising the disruption of operations as best as possible. It should provide a clearly structured and easy to follow process to:
minimise the need for decision making
provide reliability and dependability for recovery and subsequently a sense of security to avoid panic
minimise downtime and disruption
include the commitment and leadership of senior management
establish any priorities
include the necessary documentation for implementing strategies (for example contracts, agreements, insurances, compliance requirements)
implement any necessary policies and procedures to support the process
include administrative responses
include detailed instructions on how to respond to events, include prevention, response and recovery strategies.
Cut-over criteria plan
It is important to understand when to trigger the disaster recovery plan. At what point do you put the plan into action? This may be a simple enough question, but actually in reality it might not be obvious. A cut-over plan is a series of steps undertaken to take the disaster recovery plan live.
Each possible incident needs to be analysed to determine the impact of the disruption to the business; for example, determining the extent of the impact to establish how long it will take for business systems to be restored, if this exceeds the maximum allowable downtime, then a disaster is declared.
Cut-over criteria can include estimating the time before a system needs to be operational, estimating any business impacts, the authorisations to implement cut-over, system downtime allowances.
Testing cut-over plans can provide an organisation with a degree of confidence that the planning works in the case of a disaster or disruptive event.
Documenting the disaster recovery plan
Finally, you will need to document the disaster recovery plan so that it is ready and accessible in the case of a disaster. The way you document the plan could be according to organisational guidelines such as using a specific template, following a disaster recovery plan framework or following a style guide and format. Broadly, it should include:
An introduction
Purpose and scope
Legal requirements, compliance to regulations and standards
Version control
A list of business operations
A description of each system
Roles and responsibilities of disaster recovery operations
Implementation of the plan including actions to detect and assess damage
Recovery procedures
A review of the process if a the plan was executed.
Activity: Watch
Watch the following video on how to write a disaster recovery plan.
Video: https://www.youtube.com/watch?v=OUzlPZn5n6E (32:20)
Note down your key takeaways.
The disaster recovery plan should be flexible, dynamic and continually monitored and reviewed to ensure that it is up-to-date, current and incorporating any business changes as well as including any new regulations, compliances, or indeed disasters.
This final document is the roadmap that will be used for returning the critical business functions after a disaster. Therefore, it should be reviewed carefully and submitted for further feedback from key decision makers and any relevant stakeholders that can provide important advice or information to support the plans success.
Any feedback should be considered and if relevant changes made until everyone is happy and the plan can be sent for final task sign off from a project manager, senior management or project authority.
Once final task sign-off has been obtained then the disaster recovery plan should be stored in a secure place and be accessible to those who will need it in the case of a disaster.
Activity: Group work
Divide back into your group and develop a disaster recovery plan that could be used for the organisation.
If the organisation is large, you may need to focus on one area or develop a plan that is only for one part of the organisation (for example a department or functional unit).
Create a cutover criteria plan that could be used to test the disaster recovery plan.
Seek any advice or feedback from your trainer/assessor to assist you in developing the strategy and incorporate the feedback into your document.
Submit when completed for further feedback and to obtain sign-off.
