CONTINGENCY PLAN POLICY
PURPOSE
The Contingency Plan is established to reduce the threat of theft, fraud and misuse of company resources through detailed procedures that provide guidelines for the notification, documentation, evaluation and assessment, monitoring and auditing, training, and response and recovery relating to all information security incidents that impact the confidentiality, integrity, and availability of Dream Landing information and data and the related networks.
To ensure the protection of all stakeholders and informational assets, strict adherence to and enforcement of the plan is mandatory. In order to maximize the effectiveness and success of normal operations, the plan assigns roles and responsibilities to both management and subordinates, sets rules and regulations that govern all activities, designates the resources necessary for the plan's implementation, and outlines procedural steps to ensure internal and external coordination.
ORGANIZATIONAL POSITION
Dream Landing has a legal and professional responsibility to its stakeholders to protect all sensitive, personal, and private information. In order to fulfill this obligation, proactive measures, timely responses, and immediate restoration of critical business activities must be carried out in compliance with Federal and State laws.
APPLICABILITY/SCOPE
All functions, resources, and operations of Dream Landing are subject to the guidelines and provisions of this policy. The Dream Landing information assets and networked systems subject to this policy include: Lenovo desktop PCs, LaserJet printers, Dell servers, Easy Book travel booking software, the Heartland America Co. payment client-server interface, the Windows Server 2008 network operating system, Gmail, SME Light HR tools, and Office Pro Security. Directors, officers, and employees, including contractual employees, third party vendors and the secondary affiliates of third party vendors who use, access, handle, and maintain company software/hardware are subject and subordinate to the terms of this policy.
RESPONSIBILITY
It is the responsibility of Dream Landing, under the direction of the Information Security Officer (ISO), Mr. Chen, in conjunction with the IT Technician and Privacy Officer (PO), Matt Dudley, to define, implement, administer, enforce, and monitor all procedures outlined in the Contingency Plan (CP). Mr. Chen periodically reviews, evaluates, and tests the plan for updates, changes and modifications and ensures compliance with applicable Federal and State laws. The ISO, Mr. Chen, directs all actions taken by staff, personnel, contractors, and vendors in response to security incidents.
All employees will comply fully with the policy and procedures detailed in this document, including: reading and learning the material outlined in the CP Handbook/Manual (thereby ensuring their ability to carry out each step in the IR plan), attending training, reporting incidents, performing routine safeguards, and following the directives of the ISO/PO as instructed.
The Human Resources Department, Legal Counsel, and Office of Public Relations will work in coordination with the ISO/PO to ensure compliance with all Federal and State laws and privacy rules and regulations, with special consideration for public and community interests.
In summary, it is the responsibility of all stakeholders to know, enact, and comply with all policy, procedures, rules, and regulations of the Contingency Plan, to report all incidents of security threats/breaches, and to periodically attend training on all elements of the plan.
Reporting Structure
The ISO is the Primary Director of the plan, to whom all are subordinate.
The PO is Secondary to the ISO, to whom he directly reports.
All employees, contractors, vendors, and business partners are subordinate to the ISO/PO, to whom they directly report.
ASSESSMENT AND EVALUATION
The ISO and the PO are responsible for testing and validating the plan. Testing shall be administered semi-annually and shall include a risk assessment and a business impact analysis performed by the Contingency Planning Management Team (CPMT). The purpose of this testing is to ensure that the stakeholders of the company are knowledgeable and capable of performing assigned tasks in accordance with the contingency plan, and that the plan effectively identifies and minimizes threats, details and characterizes the appropriate responses, and allows the restoration of all normal operations within a reasonable time.
CONTINGENCY PLAN POLICY
The CP team, composed of the ISO, Mr. Chen, and the PO, Matt Dudley, will define, implement, administer, enforce, monitor, develop, test, and maintain the Dream Landing Contingency Plan. The plan should contain the following:
Identify all mission critical applications, ranked according to their priority and maximum permissible outage.
Provide an inventory of all hardware and software that comprise the network system.
Schedule frequency of all application, data, software, and databases backup.
Identify where backups are stored and who has access to them.
Identify the roles and responsibilities of all stakeholders.
Identify the name, contact information, and service provided by all third party vendors.
Set and establish procedural steps for preparing for, addressing, and remediating identified security threats.
Detail and establish standards of appropriate use and security measures for all hardware, software, and data assets.
Detail and establish the notification, documentation, and reporting process for all security incidents.
Detail and establish testing, monitoring, and evaluation procedures for the contingency plan.
Provide for the training on all details of the Contingency Plan to all stakeholders.
Empower the necessary internal departments to make available their services and coordinate activities with the committee in the administration and facilitation of the Contingency Plan, to include the HR, Legal, and Public Relations Department.
COMPLIANCE
All stakeholders that process applications critical to the performance of Dream Landing's mission are subject to the technical and operational requirements set by the PCI Security Standards Council (PCI DSS), which ensure the protection of customer/client data in the processing of credit card payments through routine inventory of IT systems and processes for credit card payments, the remediation of any known vulnerabilities in the services provided, and full compliance reporting to the respective banks and card companies with which we do business.
SUPPLEMENTAL INFORMATION
Third party vendors, who are equal stakeholders in the CP, are as follows:
BUSINESS               | SERVICES PROVIDED
SME Light              | Human Resources/Payroll/Taxes (client/server)
Office Pro             | Security upgrades (to SME Light)
Charter Communications | Internet, phone
SaaS Solutions         | Easy Book travel booking
Heartland American Co. | Credit card payments
Google                 | Email
ADT                    | Building security
POINTS OF CONTACT
Information Security Officer Mr. Chen xxx-xxx-xxxx
Privacy Officer Matt Dudley xxx-xxx-xxxx
BUSINESS IMPACT ANALYSIS
OVERVIEW
This Business Impact Analysis (BIA) is developed as part of the Dream Landing Contingency Plan.
PURPOSE
This report will identify essential business functions of Dream Landing and provide recovery objectives and service restoration priorities necessary in the event of information asset disruption, compromise or failure.
SYSTEM DESCRIPTION
Dream Landing uses 8 Lenovo desktop computers and an HP multifunction printer connected to a Dell server via a 1 Gb/s Ethernet LAN. A cable modem provides 30 Mb/s connectivity through the company's Internet Service Provider, Charter Communications. Dream Landing leases travel booking software, Easy Book, from SaaS Solutions to conduct daily business processes. Credit card payments by clients are remotely processed by Heartland America Co., while personal checks are manually processed and deposited into a local bank. The Easy Book software is installed and runs on the Windows 7 operating system, while the main program and its Oracle database are hosted on the Dell server, which runs the office LAN on the Windows Server 2008 network operating system. The email system is contracted through Google. Internet, phone, and fax are provided by Charter. The SME Light client-server system provides accounting, payroll, taxes, and human resources functions, with access restricted to the administrator, Mr. Chen, and the administrative assistant. Security upgrades to SME Light are provided by Office Pro.
DATA COLLECTION
Data was collected through individual/group interviews, workshops, email, questionnaires, assessments, and analysis.
PROCESSES AND SYSTEM CRITICALITY
The mission/business processes indicated below are supported by the information systems of the business. Information was collected with input from users, managers, and internal/external points of contact.
Application/Service       | Provider          | Process Description
Easy Travel Booking       | SaaS Solutions    | booking travel and reservations
Dell Server               |                   | storing data, applications, and backups
Credit Card Payments      | Heartland America | making credit card payments
HR/Payroll/Tax            | SME Light         | paying salaries, taxes, and benefits
Windows Server Network OS |                   | managing files and applications
Internet Service          | Charter Comm      |
Gmail Service             | Google            | electronic mail
Phone Service             | Charter Comm      |
Equipment
Rack Mounted Removable HD
Servers
Computers
Printers
Fax
Phone
OUTAGE IMPACTS
The following impact categories represent important areas for consideration in the event of a disruption or incident:
RATING | DESCRIPTION (importance/dependency)                              | SCORE
HH     | business can't function without it, highly impacted if outage     | 9
MH     | business can't function without it, moderately impacted if outage | 8
LH     | business can't function without it, low impact if outage          | 7
HM     | business function impaired but will survive, highly impacted if outage     | 6
MM     | business function impaired but will survive, moderately impacted if outage | 5
LM     | business function impaired but will survive, low impact if outage          | 4
HL     | business can function without it, highly impacted if outage       | 3
ML     | business can function without it, moderately impacted if outage   | 2
LL     | business can function without it, low impact if outage            | 1
Function                | Business Importance | IT Dependency
Travel Booking          | H                   | H
Server (storage/backup) | H                   | H
Credit Payment          | M                   | M
HR/Payroll/Taxes        | L                   | L
Weighted impact scores (total weights 100%):
Business Function     | Impact on Profitability (40%) | Impact on Business Objectives (25%) | Impact on Internal Operations (25%) | Industry Reputation (10%) | Weighted Total
Travel Booking        | 9 | 8 | 8 | 7 | 7.65
Server Storage/Backup | 9 | 7 | 8 | 4 | 6.35
Credit Card Payments  | 5 | 5 | 5 | 3 | 6.08
HR/Payroll/Taxes      | 4 | 6 | 7 | 5 | 5.75
ESTIMATED DOWNTIME
Working directly with mission/business process owners, departmental staff, managers, and other stakeholders, the following downtime factors were estimated for consideration in the event of a disruption (MTD = maximum tolerable downtime, RTO = recovery time objective, RPO = recovery point objective):
Mission/Business Process | MTD    | RTO    | RPO
Travel Booking           | 24 hrs | 20 hrs | 8 hrs
Credit Card Payments     | 24 hrs | 18 hrs | 4 hrs
Storage and Backup       | 24 hrs | 15 hrs | 168 hrs
HR/Payroll/Taxes         | 48 hrs | 24 hrs | 24 hrs
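The two BIA tables above lend themselves to a mechanical check. The following is an added worked example, not part of the Dream Landing plan: it computes a straight weighted average of the four impact scores using the stated weights (40/25/25/10) and ranks the functions, then checks the downtime table for targets that cannot be met as written (an RTO longer than its MTD, or an RPO shorter than the weekly backup interval the plan schedules). The figures are transcribed from the tables; the weighting formula is an assumption, and the plan's own totals (7.65, 6.35, 6.08, 5.75) do not come out of it, so either the plan should document the formula it used or the totals should be rechecked.

```python
"""Worked BIA checks (added example; not part of the Dream Landing plan).

Computes a weighted criticality score per business function from the impact
table and sanity-checks the downtime table: an RTO longer than the MTD cannot
be met, and an RPO shorter than the backup interval cannot be met for data
that is protected only by that backup. Figures are transcribed from the plan.
"""

# Impact weights from the BIA table (must sum to 1.0).
WEIGHTS = {
    "profitability": 0.40,
    "business_objectives": 0.25,
    "internal_operations": 0.25,
    "reputation": 0.10,
}

# Impact scores (1-9, from the rating table) as recorded for each function.
IMPACT_SCORES = {
    "Travel Booking":        {"profitability": 9, "business_objectives": 8, "internal_operations": 8, "reputation": 7},
    "Server Storage/Backup": {"profitability": 9, "business_objectives": 7, "internal_operations": 8, "reputation": 4},
    "Credit Card Payments":  {"profitability": 5, "business_objectives": 5, "internal_operations": 5, "reputation": 3},
    "HR/Payroll/Taxes":      {"profitability": 4, "business_objectives": 6, "internal_operations": 7, "reputation": 5},
}

# Downtime targets in hours (MTD, RTO, RPO) from the Estimated Downtime table.
DOWNTIME = {
    "Travel Booking":       {"mtd": 24, "rto": 20, "rpo": 8},
    "Credit Card Payments": {"mtd": 24, "rto": 18, "rpo": 4},
    "Storage and Backup":   {"mtd": 24, "rto": 15, "rpo": 168},
    "HR/Payroll/Taxes":     {"mtd": 48, "rto": 24, "rpo": 24},
}

BACKUP_INTERVAL_HOURS = 168  # the plan schedules one backup per week


def weighted_score(scores, weights=WEIGHTS):
    """Weighted average of the four impact scores, rounded to two decimals."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("impact weights must total 100%")
    return round(sum(scores[k] * w for k, w in weights.items()), 2)


def rank_functions(impact_scores=IMPACT_SCORES):
    """[(function, score), ...] ordered from most to least critical."""
    ranked = [(name, weighted_score(s)) for name, s in impact_scores.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def downtime_findings(downtime=DOWNTIME, backup_interval=BACKUP_INTERVAL_HOURS):
    """Return readable findings for targets that cannot be met as written."""
    findings = []
    for name, d in downtime.items():
        if d["rto"] > d["mtd"]:
            findings.append(f"{name}: RTO {d['rto']}h exceeds MTD {d['mtd']}h")
        if d["rpo"] < backup_interval:
            findings.append(
                f"{name}: RPO {d['rpo']}h needs a backup at least every "
                f"{d['rpo']}h, but backups run every {backup_interval}h"
            )
    return findings


if __name__ == "__main__":
    for name, score in rank_functions():
        print(f"{score:5.2f}  {name}")
    for finding in downtime_findings():
        print("FINDING:", finding)
```

Whether an RPO finding is a real gap depends on where the function's data lives. The system description places the Easy Book Oracle database on the Dell server, so an 8-hour RPO for Travel Booking against a weekly backup is a gap the plan should resolve (more frequent backups or a documented vendor recovery mechanism); the Heartland and SME Light data is held by the vendors, so those RPOs are a question for the vendor contracts rather than the local backup schedule.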
The mission/business processes identified each have a direct impact on profitability, business objectives, operations, and reputation.
Travel Booking is essential to the business for generating profits and growing the business and is therefore rated a critical business function. In the event of a system failure for a prolonged period of time, the disruption to the company's ability to book travel would greatly impact the company's profitability, business objectives, operations, and reputation. If the company cannot provide the primary service in which it does business it serves no purpose. This function/process is considered to be highly critical due to its impact on multiple business considerations.
Storage and backup of data/information gathered during day-to-day business operations require a reliable network built upon a dependable server (Dell hardware running Windows Server 2008). The company's network configuration of desktop computers, rack-mounted removable storage, network-attached firewalls, ADT building security, and six-digit key entry all rely on these systems. Any failure of the servers would impact the company's ability to access business-critical software and limit its ability to perform the necessary storage and retrieval of data in daily business transactions as well as the weekly backup. Its availability is highly critical to profitability, business objectives, and operations.
Although the company does accept cash payments, customers' reliance on credit card payments demands a stable, reliable, and operational payment system. Any disruption in this service could mean the loss of potential clients. Bookings for air, hotel, car, cruises, and all entertainment venues customarily require a credit card even to make a reservation. Without such a system travel booking would be moderately impacted, affecting profitability, objectives and operations. Over time the lack of customer convenience would impact the company's reputation. However, the function is administered by a third party, Heartland American Co, and because of this we do not have the means to control the availability of this function. Because we still accept cash payment, this could offset the impact of any inability to process credit card payments, and therefore this function/process is considered to be moderately critical.
Although the HR/Payroll/Taxes function has been outsourced to SME Light, this particular function is crucial to the retention of staff and to personnel compliance. Any disruption in payroll or the administration of benefits would initially impact employee motivation and morale and could quickly lead to disgruntled employees who could either quit or sue. As the staff plays a primary role in generating business, the HR/Payroll/Tax function has a direct impact on profitability, meeting business objectives, and operations. However, this function is outsourced to a third party, SME Light, which limits our ability to control its availability, and therefore it is considered least critical to profitability, business objectives, and operations.
RESOURCE REQUIREMENTS
Function                  | Primary Resource                   | Secondary Resource              | Description
Providing Travel Services | Booking Software, Payment Software | Internet, Server, Phone, Email  | The booking software is networked and credit card payments are processed by a third party. Personal checks are deposited at the bank.
Storage/Backup            | Dell Server                        | Internet, electrical power      | All software applications, programs, operating systems, and the weekly backup depend on the server.
Credit Card Payments      | Heartland American Co.             | Internet, Server, Phone, Email  | Credit card information entered on a computer is remotely processed by the third party vendor.
HR/Payroll/Taxes          | SME Light Application              | Client Computer, Internet, Server | Data entered into the application is processed and administered by the third party vendor.
RECOVERY PRIORITIES
The table below lists the order of recovery for system resources. The table also identifies the expected time for recovering the resource following a “worst case” (complete rebuild/repair or replacement) disruption.
Priority | System Resource/Component      | Recovery Time Objective
1        | Dell Server (Easy Book System) | 10 hours to replace server and restore backups
2        | Payment System                 | 10 hours, depends on provider
3        | SME Light                      | 10 hours, based on server and backups
4        | Email (Google)                 | 12 hours, dependent on Internet provider
5        | Lenovo Desktop Computers       | 3 hours to re-image or replace machine
6        | Internet/Phone/Fax             | 12 hours, dependent on provider
DREAM LANDING INCIDENT RESPONSE PLAN
The Dream Landing Incident Response Plan is documented to provide a defined, consistent, and organized approach for handling security incidents, detailing appropriate actions in response to internal and external threats to the organization. Whatever the nature of the incident, the steps in the Incident Response plan are intended to address the following:
Evaluate the current state of the system, the extent of the compromise, the type of data at risk, the source or target of the attack, the resources compromised, the impact to the organization's infrastructure, the cost of recovery, and the means to full system recovery and restoration.
Determine the best course of action in response to the incident.
Isolate and contain the threat.
Analyze the incident and how it occurred with special attention to any vulnerabilities.
Correct the vulnerabilities and rectify the problem that led to the incident, with full restoration of services.
Inform and communicate to all relevant parties.
INCIDENT RESPONSE OFFICERS
The Information Security Officer (ISO), Mr. Chen, will be the central point of contact for reporting all data security incidents. The Privacy Officer (PO), Matt Dudley, will be the secondary point of contact in the absence of the ISO.
All data security incidents must be reported to the ISO, Mr. Chen. The ISO in cooperation with the PO will determine the necessary responses to all incidents and delegate to all staff.
OFFICER ROLES AND RESPONSIBILITIES
The ISO in cooperation with the PO will do the following:
Enforce the IR plan
Determine the nature and scope of an incident
Determine the necessary responses to all incidents and delegate accordingly to all staff
Determine the need for changes in policy, procedures, and practices in response to perceived and actual threats
Provide proper training on incident handling
Ensure evidence gathering and chain of custody
Perform routine checks of all systems, logs, and hardware
Provide written documentation of the incident and an after action review and assessment
INCIDENT TYPE
The various incidents detailed below require immediate reporting to the incident officers (ISO/PO) for appropriate response.
Any incident resulting from a phishing email.
Any incident resulting from hacker infiltration.
Any incident indicative of unauthorized/inappropriate use.
INCIDENT DEFINITIONS
A phishing email is an electronic communication seeking to acquire sensitive information (username, password, credit card details) by masquerading as a trustworthy source/entity.
Hacker infiltration is the exploitation of weaknesses in a computer system or computer network to gain access to that system, thereby rendering it unavailable, compromising its integrity, or adversely impacting its confidentiality.
Unauthorized use is the use of network system resources in violation of one's authority and permission rights.
Inappropriate use is the use of network system resources in violation of company policy and procedures.
NOTIFICATION POLICY AND PROCEDURES
Notification is required in every instance of a suspected data security incident. The incident must be reported to the ISO and/or PO, primarily by phone and secondarily by page, followed by mandatory completion of an incident ticket that provides a narrative description including the following information:
Name of the individual reporting/observing the breach
Name of any witnesses to breach
Suspected breach type
Department/Section
Date of breach observation/incident
Time of breach observation/incident
Affected/compromised system(s)
Device name
File name
Location
Website visited
Name of individual suspected of breach
Characterization of the breach in narrative form (what were you doing, what happened, how did the device respond, etc.)
DOCUMENTATION
All SECURITY INCIDENTS require documentation by the ISO/PO to include the following:
Who, how, and when the incident was discovered
Incident category (DDoS; malware such as virus, worm, or trojan; unauthorized/inappropriate use; internal source; hacker)
Where the attack came from (such as an IP address, email attachment, download)
How the attack spread
How the attack affected the host, the name and location of files affected, altered configuration settings, (services, ports, protocols, operating system, applications, programs attacked)
Vulnerability exploited (software flaw, misconfiguration, social engineering)
How the attack was contained
What the response plan was for the attack
What was done in response to the attack
Was the response to the attack effective
EVALUATION
When an incident occurs the ISO will determine the significance of the event based on the following criteria:
The severity of the event (system involved, extent of involvement)
Criticality of the assets attacked
The cost of addressing and resolving the problem
Overall business impact
Public relations impact
Severity Level | Description
Low            | Incident where the impact is minimal. Examples: harmless e-mail spam, isolated virus infections.
Medium         | Incident where the impact is significant. Examples: a delayed ability to provide services or meet the company's mission, delayed delivery of critical electronic mail or Internet access.
High           | Incident where the impact is severe. Examples: a disruption to services and/or the performance of mission functions, a breach of company or confidential information, a virus or worm that has become widespread.
IR
PHISHING EMAILS
Before Incident Action:
Data Owner /User Action : To protect against phishing threats all users/owners will do the following:
Learn the proper handling procedure for all security threats, including phishing emails.
Learn and utilize the incident notification processes in case of threat.
Know and use the internal email account designated for the submission of suspected phishing emails.
Routinely change your email password as prescribed by the internal password policy.
Never open, reply to, or forward an email that is from an unknown source.
Never click on any links from an email that is from an unknown source.
Never download an email attachment from an unknown source.
Never provide sensitive information to an email inquiry from an unknown source.
Restrict email usage to business related use only.
Never use email/internet for personal banking, online shopping, iTunes, or social media.
Do not post your company email address on any social media site.
Always attempt to verify the legitimacy of every email prior to acting on it.
Always look for https:// in the address bar before entering sensitive information, bearing in mind that HTTPS only shows that the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS as well.
Report all suspected indications that email filtering is not activated.
Report all incidents of potential phishing emails via the internal notification process.
Pay close attention to your systems normal behavior so that you are aware of any changes.
ISO/PO Action : To protect against phishing threats the ISO/PO will do the following:
Routinely check the email configuration on all desktops to ensure the following:
the junk email filter is activated on all desktops
plain text email mode is activated on all desktops
the message preview pane is disabled on all desktops
Monitor all complaints and inquiries from customers regarding phishing emails received in the company's name.
Set up and monitor the internal email account to which all suspected phishing emails are to be directed.
Ensure the company website is served over HTTPS (SSL/TLS) with a valid certificate.
Ensure all encryption software is active.
Ensure internet browsers are up to date with latest security patches.
Perform random audits of workstations to ensure use consistent with policy and procedures.
Ensure all staff are aware of the IR policy and comply with all process and procedures.
Ensure that banners addressing the importance of security awareness are posted throughout the office, clearly and visibly.
Ensure all email and Internet access displays a pop-up window advising users of the security policy regarding opening attachments, downloading, and phishing, and requiring the user to select "confirm" before proceeding.
Communicate suspicious websites to staff.
Educate staff on phishing providing training on what behavior is appropriate and risky.
Ensure the IDPS is active.
IR
PHISHING EMAILS
During Incident Action:
Data Owner /User Action : The individual who discovers/observes the suspected incident will do the following:
Contact and notify the ISO/PO by phone and/or page.
Complete an incident ticket documenting all required fields
Do not attempt to forward emails, open attachments, access internet, or open applications.
Turn off computer/device at the switch
Do not attempt to restart/boot your computer during suspected attack
ISO/PO Action : The ISO/PO who receives the incident ticket will do the following:
Determine the severity of the threat and prioritize based on impact to the company.
Determine where the attack came from, who has been attacked, and how often.
Attempt to identify the URL(s) in the email and where they are hosted.
Begin action to facilitate takedown of the URL(s) by contacting the ISP, web host, or domain registrar.
Block all network traffic from the source of the offending email by configuring mail filters and the firewall.
Post alert to network notifying users/customers of incident and identifying the characteristics of threat/email.
Check activity logs for any recent changes or modifications.
Reset passwords accounts if necessary.
Update IDPS and add URL to block list.
Notify individual customers who may have possibly been affected and educate on possible course of actions.
Determine what, if any, personal information has been captured.
Document all particulars of the phishing email (screenshots)
Facilitate an analysis of all system applications
Review and analyze all system logs.
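The ISO/PO steps above (determine where the attack came from, identify the URL, block the source, document the particulars) are what a first-pass triage of the reported message has to produce. The following is an added example, not part of the Dream Landing plan: it parses a forwarded message with Python's standard email and html.parser modules and extracts the envelope sender, the originating relay's IP from the last Received header, every link in the body, and a set of indicators (envelope/From domain mismatch, lookalike sender domain, plain-http links, link text that shows a different URL than the href). The sample message, its addresses, hosts and IP are constructed for the example, and the legitimate vendor domain in TRUSTED_DOMAINS is an assumption.

```python
"""Triage of a reported phishing email (added example; not part of the plan).

Pulls from a forwarded message the facts the ISO/PO steps ask for: the
envelope sender and originating relay, every URL in the body, and the
indicators that justify blocking those hosts and that relay.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the legitimate booking-vendor domain.
TRUSTED_DOMAINS = frozenset({"easybook.example"})

# Constructed sample; every address, host and IP is made up
# (reserved .example names and the TEST-NET-3 address range).
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
    by mx.dreamlanding.example with ESMTP id 4AB12
    for <agent@dreamlanding.example>; Mon, 03 Jun 2013 09:12:44 -0500
From: "Easy Book Support" <support@easybook-billing.example.com>
To: agent@dreamlanding.example
Subject: Action required: confirm your agency login
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Easy Book session will be suspended. Please
<a href="http://easybook-login.example.com/verify?id=8812">verify your account
at https://easybook.example</a> within 24 hours.</p></body></html>
"""

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URL = re.compile(r"https?://[^\s<>\"']+")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _domain(header):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    return parseaddr(str(header or ""))[1].lower().rpartition("@")[2]


def triage(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return sender facts, URLs, hosts to block and indicator strings."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])

    # The last Received header is the hop nearest the sender; its bracketed
    # IP is what a firewall rule against the sending source would block.
    received = msg.get_all("Received") or []
    match = _IP_IN_BRACKETS.search(str(received[-1])) if received else None
    origin_ip = match.group(1) if match else None

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    indicators = []
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(f"RETURN_PATH_MISMATCH: envelope {return_path_domain} vs From {from_domain}")
    if from_domain not in trusted_domains and any(
            t.split(".")[0] in from_domain for t in trusted_domains):
        indicators.append(f"LOOKALIKE_SENDER: {from_domain} imitates a trusted domain")

    block_hosts = set()
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if host and host not in trusted_domains:
            block_hosts.add(host)
        if parsed.scheme == "http":
            indicators.append(f"UNENCRYPTED_LINK: {href}")
        for shown in _URL.findall(text):  # link text that displays another URL
            if (urlparse(shown).hostname or "") != host:
                indicators.append(f"LINK_TEXT_MISMATCH: shows {shown}, goes to {host}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_ip": origin_ip,
        "urls": [href for href, _ in collector.links],
        "block_hosts": sorted(block_hosts),
        "indicators": indicators,
    }
```

Calling triage(SAMPLE_EML) yields the relay IP for the firewall rule, the link hosts for the IDPS block list and takedown request, and the indicator strings for the incident documentation. The Received-header parsing trusts only the last hop, which the receiving mail server wrote; earlier Received lines can be forged by the sender and should be treated as claims, not facts.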
IR
HACKER INFILTRATION
Before Incident Action:
Data Owner /User Action : To protect against hacker infiltration threats all users/owners will do the following:
Learn the proper handling procedure for all security threats, including phishing emails.
Learn and utilize the incident notification processes in case of threat.
Change your password regularly, within policy compliance.
Report any strange behavior in your systems functioning.
Immediately report any loss of control of your mouse or keyboard.
Report your inability to access previously accessible applications and programs.
Report any change in your password you did not personally make.
ISO/PO Action : To prevent against hacker infiltration threats the ISO/PO will do the following:
Ensure all firewalls and routers are routinely checked for proper functioning and configuration.
Routinely monitor/screen network traffic for unexpected traffic that does not originate within the network.
Perform random audits on workstations to ensure user policy compliance, system stability/strength, appropriate configuration conformity, and security efficiency, and take corrective action when necessary.
Review all system and application event logs weekly for unusual connections, application and program additions and deletions, failed login attempts, activity during non-working hours, and file, directory, and permission changes.
Perform routine checks of hardware to ensure no foreign devices have been attached to the network.
Check and compare network system functionality with base line function levels to ensure optimal performance, on a quarterly basis.
Monitor bandwidth fluctuations weekly for precursors to intrusions.
Monitor hard drive storage consumption weekly for precursors to intrusions.
Test all servers quarterly for overall integrity.
Ensure system back up is facilitated weekly during non work hours.
Review all software licenses quarterly for status.
Routinely update antivirus and malware removal tools with current signatures.
Facilitate a weekly check for unused connections and terminate if necessary.
Ensure synchronization of all log clocks weekly.
Ensure all violations of network use policy are logged and recorded with repeated violations requiring a verbal warning, and any habitual violation requiring a written warning as the first step in a formal disciplinary action plan, subject to dismissal.
Ensure all violations of BYOD policy are logged and recorded, with repeated violations requiring a verbal warning, and any habitual violation requiring a written warning as the first step in a formal disciplinary action plan, subject to dismissal.
Ensure all violations of internet use policy (to include the visitation of social media sites, file sharing sites, material of adult content, pirating, and gaming) are logged and recorded with repeated violations requiring a verbal warning, and any habitual violation requiring a written warning as the first step in a formal disciplinary action plan, subject to dismissal.
Ensure all password violations and failed logon attempts are logged, recorded, and reviewed for possible intrusion attempts.
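The weekly log review described in the ISO/PO actions above (failed login attempts, activity during non-working hours, account and permission changes) can be put into a repeatable script rather than eyeballed. The following is an added example, not part of the Dream Landing plan: it runs those checks over a constructed, simplified CSV export of Windows Security events. The event IDs are the Windows Server 2008 Security-log IDs for the events named (4624 logon success, 4625 logon failure, 4720 user created, 4732 member added to a security-enabled local group, 1102 audit log cleared); the office hours, the failed-logon threshold and window, the account names and addresses are assumptions for the example, and a real export from Event Viewer or wevtutil carries more columns than shown.

```python
"""Weekly event-log review for intrusion precursors (added example; not part
of the plan). Applies the checks listed in the ISO/PO actions to a
constructed, simplified export of Windows Security events: failed-logon
bursts, a logon that follows such a burst, logons outside working hours,
account and group changes, and audit-log clearing.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumptions for this example: office hours 08:00-18:00 Monday to Friday,
# and five failures from one source within ten minutes count as a burst.
WORK_START, WORK_END = 8, 18
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Windows Server 2008 Security-log event IDs for the events of interest.
EVENT_NAMES = {
    4624: "logon succeeded",
    4625: "logon failed",
    4720: "user account created",
    4732: "member added to security-enabled local group",
    1102: "audit log cleared",
}

# Constructed sample export (columns reduced to what the checks need).
SAMPLE_EXPORT = """\
time,event_id,account,source
2013-06-03 09:02:11,4624,mchen,192.168.1.21
2013-06-03 11:47:03,4625,Administrator,192.168.1.77
2013-06-03 11:47:09,4625,Administrator,192.168.1.77
2013-06-03 11:47:15,4625,Administrator,192.168.1.77
2013-06-03 11:47:22,4625,Administrator,192.168.1.77
2013-06-03 11:47:30,4625,Administrator,192.168.1.77
2013-06-03 11:47:41,4624,Administrator,192.168.1.77
2013-06-03 11:49:02,4720,svc_backup2,192.168.1.77
2013-06-03 11:49:40,4732,svc_backup2,192.168.1.77
2013-06-03 17:15:00,4624,mdudley,192.168.1.23
2013-06-04 02:13:55,4624,mdudley,192.168.1.23
2013-06-04 02:20:10,1102,mdudley,192.168.1.23
"""


def parse_export(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = [{"time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
             "event_id": int(r["event_id"]),
             "account": r["account"],
             "source": r["source"]}
            for r in csv.DictReader(StringIO(text))]
    return sorted(rows, key=lambda r: r["time"])


def outside_working_hours(ts):
    """True on weekends or outside the assumed office hours."""
    return ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END


def review(events):
    """Return (code, source, detail) findings in log order."""
    findings = []
    failures = defaultdict(list)   # source -> recent 4625 timestamps
    burst_sources = set()
    for e in events:
        eid, ts, src, acct = e["event_id"], e["time"], e["source"], e["account"]
        if eid == 4625:
            # Sliding window of failures from this source.
            recent = [t for t in failures[src] if ts - t <= FAILED_LOGON_WINDOW] + [ts]
            failures[src] = recent
            if len(recent) >= FAILED_LOGON_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                findings.append(("FAILED_LOGON_BURST", src,
                                 f"{len(recent)} failed logons for {acct} within {FAILED_LOGON_WINDOW}"))
        elif eid == 4624:
            if src in burst_sources:   # guessing that apparently succeeded
                findings.append(("LOGON_AFTER_BURST", src, f"{acct} logged on after repeated failures"))
            if outside_working_hours(ts):
                findings.append(("AFTER_HOURS_LOGON", src, f"{acct} at {ts:%Y-%m-%d %H:%M}"))
        elif eid in (4720, 4732):
            findings.append(("ACCOUNT_CHANGE", src, f"{EVENT_NAMES[eid]}: {acct}"))
        elif eid == 1102:
            findings.append(("LOG_CLEARED", src, f"{EVENT_NAMES[eid]} by {acct}"))
    return findings


if __name__ == "__main__":
    for code, src, detail in review(parse_export(SAMPLE_EXPORT)):
        print(f"{code:<20} {src:<15} {detail}")
```

On the sample the script surfaces the sequence a reviewer should care about: a burst of failed Administrator logons from one workstation, a successful logon from the same source immediately after, a new account added to a privileged group, and a later night-time logon followed by the audit log being cleared. The 1102 event is the one that should never be explained away, since clearing the log is how an intruder removes the evidence of the other four findings.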
IR
HACKER INFILTRATION
During Incident Action:
Data Owner /User Action : The individual who discovers/observes the suspected incident will do the following:
Contact and notify the ISO/PO by phone and/or page.
Complete an incident ticket documenting all required fields
Do not attempt to forward emails, open attachments, access internet, or open applications during suspected attack
Turn off computer/device at the switch
Do not attempt to restart/boot your computer during suspected attack
ISO/PO Action : The ISO/PO who receives the incident ticket will do the following:
Begin full documentation of the incident to include all conversations, observations, investigation, actions taken, contacts made, etc.
Facilitate a complete system evaluation/diagnostic scan to confirm the breach and determine the extent of damage
Immediately remove the breached computer(s) from the network, shutting the system down at the switch if necessary; note that a hard power-off loses volatile evidence (memory contents, running processes, active network connections), so where a forensic examination is anticipated the ISO/PO should weigh network isolation against a power-off
Remove the hard drive and create a chain of custody record for potential legal action
Run a virus scan to identify affected systems and the risk to systems and products
Determine whether the attacker has established persistence in files and systems
Analyze compromised system for configuration errors
Identify uncharacteristic activity by reviewing IDPS, and event logs.
Configure firewall and/or router to filter and/or block traffic to prevent further system infiltration, if hacker source known.
Scan for open ports and block those not currently required, which might otherwise be used to further compromise the network
Remove altered and/or infected application or program and perform appropriate reinstallations
Determine whether the system needs a complete shutdown to prevent further compromise.
If necessary, reinstall operating system and reload applications
Restore data from backup
Notify necessary parties of status
Advise staff of potential down time
Begin after action plan to include pursuit of investigative lead, coordination with law enforcement, and beginning of forensic examination.
IR
Unauthorized/Inappropriate Use
During Incident Action
Data Owner /User Action : The individual who discovers/observes the suspected incident will do the following:
Contact and notify the ISO/PO by phone and/or page.
Complete an incident ticket documenting all required fields
Do not attempt to address or notify the perpetrator
Do not turn off the computer
ISO/PO Action : The ISO/PO who receives the incident ticket will do the following:
Begin full documentation of the incident to include all conversations, observations, investigation, actions taken, contacts made, etc.
Facilitate a complete system evaluation/diagnostic scan to confirm the breach and determine the extent of damage
Identify vulnerability that allowed unauthorized access
Evaluate routers, servers and domain controllers for altered infrastructure
Reset all passwords
Check permission rights for potential alteration
Analyze compromised systems for configuration errors
Review system event logs and auditing results
IR
AFTER INCIDENT ACTION (ALL THREATS)
Save the system state by backing it up for further diagnosis
Remove any hidden malicious programs or directories added by the intruder
Update virus signatures
Restore the system with the most optimal security configuration to include firewalls, routers, and IDPS
Begin forensic examination and analysis by preserving original media and obtaining images
Pursue investigative leads and coordinate with law enforcement if appropriate
Wrap-up: Solidify the incident's details, and note lessons learned for team/staff discussion
Assess whether the following issues were factors in the breach and thus require further exploration to enhance and improve security:
Poor password management
Weak account management processing
Unsecured and unmanaged remote computers
Poorly configured and unpatched systems
Weak auditing and monitoring processes
Inadequately restricted access to critical/sensitive information
Poorly trained staff unknowledgeable of policy
Upon resolution of the above,
Schedule a post incident review (AAR) to advise and notify staff of any revised/changed policy and procedures, and/or the need to change passwords
Discuss what worked, what didn't, and what needs to be done in the future
Advise staff of resumption/availability of services
Determine whether an office-wide multi-system/application password change is necessary
Track hours and expenses associated with the incident response
Identify and document tools and techniques that would improve future incident responses
Evaluate the adequacy of resources to deal with each respective incident
If the breach/incident is from an internal source, determine appropriate disciplinary action
Review legal issues arising from each incident and determine future course of action.
PRESENTATION OVERHEADS BELOW
CP
PURPOSE
The Contingency Plan is established to reduce the threat of theft, fraud and misuse of company resources through detailed procedures that provide guidelines for the notification, documentation, evaluation and assessment, monitoring and auditing, training, and response and recovery relating to all information security incidents that impact the confidentiality, integrity, and availability of Dream Landing Information Data and its related networks.
To ensure the protection of all shareholders and informational assets, strict adherence and enforcement of the plan is mandatory. In order to maximize effectiveness and success of normal operations, the plan will assign roles and responsibilities to both management and subordinates, set rules and regulations that govern all activities, designate resources necessary for the plan’s implementation, and outline procedural steps to ensure internal and external coordination.
CP
APPLICABILITY/SCOPE
All functions, resources, and operations of Dream Landing are subject to the guidelines and provisions of this policy. Use of the following Dream Landing's information assets and networked systems subject to this policy include: Lenovo Desktop PCs, Laser Jet Printers, Dell Servers, Easy Book Travel Booking Software, Heartland America Co Payment client-server interface, Windows Server 2008 Network Operating System, Gmail, SME Light HR Tools, and Office Pro Security. Directors, officers, and employees, including contractual employees, third party vendors and the secondary affiliates of third party vendors who use, access, handle, and maintain company software/hardware are subject and subordinate to the terms of this policy.
CP
RESPONSIBILITIES
It is the responsibility of Dream Landing, under the direction of the Information Security Officer (ISO), Mr. Chen, in conjunction with the IT Technician and Privacy Officer (PO), Matt Dudley, to define, implement, administer, enforce, and monitor all procedures outlined throughout the Contingency Plan (CP). Mr. Chen periodically reviews, evaluates, and tests the plan for updates, changes and modifications and ensures compliance within applicable Federal and State laws. The ISO, Mr. Chen directs all actions taken by staff, personnel, contractors, and vendors in response to internal and external security incidents.
All employees will comply fully and completely with the policy and procedures detailed in this document to include: reading and learning the material outlined in the CP Handbook/Manual, thereby ensuring their ability to thoroughly carry out each articulated step in the IR plan, attend training, report incidents, perform routine safeguards, and follow the directives of the ISO/PO as instructed.
The Human Resources Department, Legal Counsel, and Office of Public Relations will work in coordination with the ISO/PO to ensure compliance with all Federal and State Laws, Privacy Rights Rules and Regulations, with special consideration for Public and Community Interests.
In summary, it is the responsibility of all shareholders to know, enact, and comply with all policy, procedures, rules, and regulations of the Contingency Plan, report all incidents of security threats/breaches, and to periodically attend training on all elements of the plan.
CP
HIGH LEVEL CONTINGENCY PLAN POLICY
The CP team, composed of the ISO, Mr. Chen, and the PO, Matt Dudley, will define, implement, administer, enforce, monitor, develop, test, and maintain the Dream Landing Contingency Plan. The plan should contain the following:
Identify all mission-critical applications, ranked according to their priority and maximum permissible outage.
Provide an inventory of all hardware and software that comprise the network system.
Schedule frequency of all application, data, software, and database backups.
Identify where backups are stored and who has access.
Identify the roles and responsibilities of all stakeholders.
Identify the name, contact information, and service provided by all third party vendors.
Set and establish procedural steps in the preparation, address, and remediation of identified security threats.
Detail and establish standards of appropriate use and security measures for all hardware, software, and data assets.
Detail and establish the notification, documentation, and reporting process for all security incidents.
Detail and establish testing, monitoring, and evaluation procedures for the contingency plan.
Provide for the training on all details of the Contingency Plan to all stakeholders.
Empower the necessary internal departments to make available their services and coordinate activities with the committee in the administration and facilitation of the Contingency Plan, to include the HR, Legal, and Public Relations Department.
CP
SUPPLEMENTAL INFORMATION
Third party vendors, who are equal stakeholders in the CP, are as follows:
BUSINESS                 SERVICES PROVIDED
SME Light                Human Resources/Payroll/Taxes C/S
Office Pro               Security Upgrades (to SME Light)
Charter Communications   Internet, Phone
SaaS Solutions           Easy Book Travel Booking
Heartland American Co.   Credit Card Payments
Google                   Gmail
ADT                      Building Security
BIA
PURPOSE
This report will identify essential business functions of Dream Landing and provide recovery objectives and service restoration priorities necessary in the event of information asset disruption, compromise or failure.
BIA
PROCESSES AND SYSTEM CRITICALITY
The Mission/Business processes indicated below support the Information Systems of the business. Information was collected with input from users, managers, and internal/external points of contact.
Application/Service          Provider            Process Description
Easy Travel Booking          SaaS                process of booking travel and reservations
Dell Server                                      process of storing data, applications, and backup
Credit Card Payments         Heartland America   process of making credit payments
HR/Payroll Tax               SME Light           process of paying salaries, taxes, and benefits
Windows Server Network OS                        process of managing files and applications
Internet Service             Charter Comm
Gmail Service                Google              process of electronic mail
Phone Service                Charter Comm
Equipment
Rack Mounted Removable HD
Servers
Computers
Printers
Fax
Phone
BIA
OUTAGE IMPACTS
The following impact categories represent important areas for consideration in the event of a disruption or incident:
RATING   DESCRIPTION (importance/dependency)                                          SCORE
HH       business can't function w/o it, highly impacted if outage                    9
MH       business can't function w/o it, moderately impacted if outage                8
LH       business can't function w/o it, low impact if outage                         7
HM       business function impaired but will survive, highly impacted if outage       6
MM       business function impaired but will survive, moderately impacted if outage   5
LM       business function impaired but will survive, low impact if outage            4
HL       business can function w/o it, highly impacted if outage                      3
ML       business can function w/o it, moderately impacted if outage                  2
LL       business can function w/o it, low impact if outage                           1
Function                   Business Importance   IT Dependency
Travel Booking             H                     H
Server (storage/backup)    H                     H
Credit Payment             M                     M
HR/Payroll/Taxes           L                     L
BIA
Business Function        Impact on Profitability (40%)   Impact on Business Objectives (25%)   Impact on Internal Operations (25%)   Industry Reputation (10%)   Total (weights 100%)
Travel Booking           9                               8                                     8                                     7                           7.65
SERVER Storage/backup    9                               7                                     8                                     4                           6.35
Credit Card Payments     5                               5                                     5                                     3                           6.08
HR/Payroll/Taxes         4                               6                                     7                                     5                           5.75
NOTIFICATION REQUIREMENTS
Name of the individual reporting/observing the breach
Name of any witnesses to breach
Suspected breach type
Department/Section
Date of breach observation/incident
Time of breach observation/incident
Affected/compromised system(s)
Device name
File name
Location
Website visited
Name of individual suspected of breach
Characterization of the breach in narrative form (what were you doing, what happened, how did the device respond, etc.)
INCIDENT TYPE/DEFINITIONS
A phishing email is an electronic communication seeking to acquire sensitive information (username, password, credit card details) by masquerading as a trustworthy source/entity.
Hacker infiltration is the exploitation of weaknesses in a computer system or computer network to gain access to that system, thereby rendering it unavailable, compromising its integrity, or adversely impacting its confidentiality.
Unauthorized use is the use of network system resources in violation of one's authority and permission rights.
Inappropriate use is the use of network system resources in violation of company policy and procedures.
DOCUMENTATION REQUIREMENTS
All SECURITY INCIDENTS require documentation by the ISO/PO to include the following:
Who, how, and when the incident was discovered
Incident category (hacker, phishing email, unauthorized/inappropriate use)
Where the attack came from (such as an IP address, email attachment, download)
How the attack spread
How the attack affected the host, the name and location of files affected, altered configuration settings, (services, ports, protocols, operating system, applications, programs attacked)
Vulnerability exploited (software flaw, misconfiguration, social engineering)
How the attack was contained
What the response plan was for the attack
What was done in response to the attack
Was the response to the attack effective