Risk Management Project Part 5


Running head: BUSINESS IMPACT ANALYSIS AND BUSINESS CONTINUITY


Project Part 4

Business Impact Analysis (BIA) and Business Continuity Plan (BCP)

Yogesh Jagarlamudi

Executive MSIT

University of the Cumberlands

Summer 2021 - Info Security & Risk Mgmt (ISOL-533-A03)

Date: 06/03/2021

Business Impact Analysis (BIA) Plan

Identification of Key Business Operations and Resources

The mission of Health Network Company is to provide healthcare services to its consumers. The firm has three main headquarters in Virginia, Portland, and Minnesota, all of which are close to a data collection center where the production system is housed and operated by third-party contractors. Health Network conducts its business through three products: HNetExchange, the principal source of income; HNetPay, which facilitates secure payments and invoicing; and HNetConnect, where physicians' data is uploaded.

Maximum Acceptable Outage Detection and Its Impacts

Health Network Company's present business operations are in a critical state. To avoid additional losses to the organization, appropriate steps and processes must be implemented. The maximum acceptable outage is therefore set at five hours. Given the firm's important business role, retaining the clients who benefit from its services requires continuous operation, and patients and facilities will lose confidence if the wait time exceeds five hours.

Identification of Recovery Objectives

As previously stated in this essay, Health Network faces a number of obstacles. To resolve the troublesome condition that is impeding the business operations of Health Network, several mitigating methods must be followed. The recovery strategy's goal is to analyze and upgrade the firm's current business processes in order to drive growth. The firm's business analysis department will be employed to create new approaches to reach the recovery goal.

Business Continuity Plan (BCP)

Business Impact Analysis (BIA)

Employees of Health Network are not able to access the Arlington headquarters in a secure and timely manner. Arlington is where the major departments are situated; business-critical operations including financing, legal, and client services are handled there. The firm's first objective is to ensure that consumers are treated properly. Tracking financial information when clients pay for the firm's services is an essential function that must not be neglected for a prolonged length of time. Financing and client services have a maximum acceptable downtime of 5 hours, whilst legal services have a maximum acceptable downtime of 3 months. A 5-hour disruption of the financing and customer service functions may cause the organization to lose money. The size of the losses will be determined by the number of clients that attempted to use the business's offerings. Extra charges would be paid to compensate consumers who were inconvenienced as a result of the disruption. Furthermore, the corporation will not suffer any intangible damages.

Strategies for Business Continuity

Moderating Threats and Risks: Snowstorms on the East Coast put the corporation at risk of workers failing to complete important financial, legal, and client service tasks in a timely manner. By incorporating electronic support into the workplace, the danger may be reduced. There is presently no business continuity strategy in place for the firm's management. Two of its executive headquarters, however, are accessible via a remote VPN.

Assessment of Existing Recovery Capabilities and Development of a Plan: Because the corporation already has a VPN, it would be reasonable to expand the VPN to the financial, legal, and consumer service departments. Staff will then be able to access their workplaces remotely over the winter. Nevertheless, in comparison to the other two divisions, implementing remote virtual support in the legal offices will take much longer. Because the organization currently has a VPN, the cost of establishing the updated BCP will be minimal.

Response Planning and Alternative Facilities: IT specialists on the team will help expand the VPN to additional office locations that aren't yet accessible electronically. Senior personnel from the financial and client service departments will be in charge of overseeing the digital office's operations. The new business continuity strategy will include a backup cold site in locations where skilled financial, customer service, and legal staff are still available. This would cut down on the time people spend traveling between home and work.

Readiness Procedure

The enhanced BCP will be implemented after a brief training program for staff on how to integrate electronic support features into the office. After orientation, staff will be examined on their ability to use virtual assistants to connect to their workplaces. The purpose of this test is to see how successful the virtual support system is in ensuring company continuity. The financial, legal, and client service divisions will all be engaged in the testing process. In addition, workers will be able to connect remotely to their workplaces from their residences as part of the testing process. The testing will be carried out on the workers' own PCs. Additionally, emails will be used to flag a dangerous circumstance, enabling the online support staff to remotely connect the employee to his or her workplace. The testing processes will be meticulously evaluated to guarantee that the recovery goal is being met.

Quality Assurance Methods

The new BCP is helpful in assuring that the organization's strategic operations remain operational in the event of a disaster. Despite the effectiveness of the enhanced BCP, additional research is needed on the temporary facilities, in particular the construction of a cold site. Overall, the updated BCP was well-crafted to suit the company's key needs.

Disaster Recovery Plan (DRP)

Declaration of Contingency Planning

Winter storms are posing a threat to the Health Network headquarters in Arlington, disrupting the company's routine operations. The company should develop a virtual support framework that gives employees access to their workplaces off-site during snowstorms. The legal department will take 3 months to complete the procedure, while the financial and customer service offices will take 5 hours. The company must use this precarious circumstance to increase stakeholder confidence by assuring that business continues as usual regardless of the disasters. Because the firm currently possesses the majority of the resources required for the strategy, the greatest extra resources needed will be $10M.

Business Impact Analysis

The key business functions of Health Network are being impacted by the snowstorms on the East Coast. As a result, the major goal is to devise means for employees at the Arlington corporate locations to gain access to their workplaces and proceed with their normal business operations. The financial, legal, and consumer support capabilities, which are the major business functions of the company, are handled by the Arlington office. Furthermore, the maximum permissible outage duration for the important services stated above is 14 days.

Preventive Measures

Snowstorms are natural disasters that strike without warning. Furthermore, locations that have already experienced severe winters are more likely to do so again. As a result, relocating the important departments from the Arlington offices will be the best option. The expense of the restructuring procedure will be modest since the operations will mostly use existing resources; the interruption will last 14 days.

Plan of Action for Recovery

Numerous disasters, including snowstorms, technological malfunction, and data loss, are likely to occur at the company. A contingency plan and the introduction of a remote support system into the workplace are two solutions for reducing the impact of the above-mentioned events. In the event of data loss, the organization must safeguard pertinent data on multiple backup devices. Furthermore, extra expenses may be incurred in establishing the virtual support model if present staff decide not to continue working for the organization.

Plan for the Contingencies

Background and Objectives of the Operation: The plan's purpose and scope are to guarantee that the major business headquarters in Arlington continue to operate normally during snowstorms. In addition, the approach attempts to minimize the incidence of data loss and software malfunction. Developing the new contingency plan and extending the VPN to additional offices are part of the strategy's functional overview. It also necessitates redesigning offices in various places to satisfy the standards of Arlington's service divisions. To relocate the present offices, the recovery team will consist of IT specialists and specialized unit movers.

Stage of Notification: When a dangerous state has been identified, the recovery team will be alerted by email and phone call to put the plan into action. In addition, in the event of a software error, the recovery team will be notified, and they will commence analyzing system damage and switching to backup software. When the recovery plan is completed, the team will undertake a fallback procedure to return the systems to normal.

Phase of Recuperation

Numerous methods will be employed to assure the operation's effectiveness throughout the recuperation period. The recovery team will build a VPN for the financial, legal, and client service offices to ensure that operations at the Arlington division proceed as normal. Under the supervision of the IT staff, a fallback plan will be developed. Furthermore, in the event of a software breakdown, the existing program will be replaced by a temporary alternative.

Preparation, Assessment, Training, and Activities

The strategy will be tested, and staff who will be actively involved in handling the software malfunction and the hazardous situation will be trained. A checklist should be used to confirm that the DRP has reached all of the goals that the team set out to achieve. In addition, the system malfunction recovery plan will be exercised against the present software to see whether the results are similar. Afterwards, the present system will be completely shut down, and the new plan will be tested to see how successful it is.

Maintenance Planning

The plan will be reviewed every half year by the recovery plan's senior management to verify that it is operating effectively. Furthermore, the strategy will be reviewed for the first time during the testing phase prior to its implementation.

Conclusion

The Health Network Organization is dealing with a number of issues that are disrupting its normal operations. The corporation is in danger of losing its data and clients. In order to ensure the continuity of the firm's operations, a business strategy was developed that requires the firm to use a virtual support system in its company headquarters, allowing workers to do business even if the Arlington division is closed due to winter snowfall. A disaster recovery strategy was also created to maintain company continuity in the event of a disaster. Lastly, and perhaps most critically, the CIRT was founded as a group that includes senior executives and data security, IT system management, HR, legal, and financing personnel.

Computer Incident Response Team (CIRT) Plan

Constituency of the Plan

Considering the reasons for business disruption, a CIRT strategy must be developed to create reporting mechanisms and deal with IT security incidents. The effort will be led by the company's Minneapolis headquarters and senior management. Contrary to popular opinion, the proposal would include Health Network clients. To do business, the company relies on its IT network; both physicians and clients use an online service that also accepts payments.

CIRT Management: The team will be led by a senior executive from the Minneapolis headquarters. This person will take an active role in formulating the strategic choices that determine the team's performance. Furthermore, senior management will be accountable for delegating authority to the group to act during an incident. The administrator will also be involved in security review methods, team selection, and incident response management.

Data Protection: Staff who have worked with electronic equipment before will be in charge of information security. Since they can operate on a variety of jobs, these individuals will be a valuable addition to the team. Furthermore, their capacity to deliver meaningful alternatives, as well as their importance to management and other members of the team, is critical. Information security's main responsibilities include determining the extent of harm, containment, investigation, and recovery.

IT Management: The team would also include a representative of the firm's IT management. The representative will be in charge of guaranteeing the security of the firm's data. In addition, the IT specialist will instruct teammates on where and how data may be retrieved in the event of an incident. Furthermore, the IT department will support the team with technological issues.

Law Division: Employing a representative of the legal department to provide legal guidance to the team on IT confidentiality and protection is a good idea. Members of the team will be monitored by HR officials to ensure that workers' rights are not violated. As a result, that individual will be in charge of matters relating to the team's well-being. Furthermore, regulatory processes will be developed by HR in the event that a staff member violates the corporation's code of ethics.

Finance: A financial auditor will be a member of the group and will be in charge of business transactions. The financial auditor will assess the seriousness of the situation and calculate the cost of repair.

Protocols for Reporting Incidents

Filling out a report with specific information about the incident will be part of the routine for reporting an incident. The report will include the date, time, and duration of the incident; contact details of the IT security staff and of the reporter; the site of the incident; and a description of the incident and its impact.
