project*
Synopsis:
The purpose of this term project is to let you acquire the experience of developing a rudimentary contingency plan to safeguard the information systems supporting a small business. Contingency planning (CP) is a crucial component of information security management. While you will learn the main concepts, principles, and strategies of CP from the textbook, this term project allows you to apply them to a realistic business setting, thereby fostering your skills in developing an effective contingency plan.
You are to join a CP team of 4 members, one of whom will be the leader. The team is charged with developing 1) a contingency plan policy and 2) a contingency plan for the main information systems of the small business described in the next section. The contingency plan shall include three modules: the business impact analysis (BIA), the incident response plan, and the disaster recovery plan. Note that for simplicity we have left out the business continuity plan (BCP) and its associated crisis management plan. A final report encompassing all of the above deliverables is required of each team by the end of the spring semester. To share your project outcomes, all teams will present their work to the class as scheduled in the syllabus.
Description of the Business Case
The Company and Its IT Architecture
Dream Landing is a small local travel agency located just outside Mobile, Alabama. Dream Landing has enjoyed more than 20 years of solid business. Last year, it hit $2 million in sales revenue for the first time. As the owner of this successful family establishment, Mr. Dragon Chen is getting worried about the security of the information technology that critically supports his business. Currently the business IT infrastructure consists of a total of eight Lenovo desktop PCs (each with a 24” Viewsonic monitor) and an HP multifunction color LaserJet printer connected to a Dell server in the back room via a 1 Gb Ethernet LAN. Externally, a cable modem provides 30 Mb/sec connectivity to the company’s ISP, Charter Communications. Just like other travel agents, Dream Landing leases a comprehensive travel booking software package, Easy Book, from SaaS Solutions to conduct its daily business processes of helping clients plan trips; book flights, trains, and cruises; reserve hotels and rental cars; and buy tickets for sporting and entertainment events. Client payments by credit card are processed remotely by the Heartland America Co., and those by personal check are manually processed and deposited into the agency’s local bank daily.
While the workstations of the six travel agents (not including the administrative assistant) and Mr. Chen all have the Easy Book client software installed and run the Windows 7 operating system, the main program along with its Oracle database is hosted on the Dell server, which also operates the office LAN using the Windows Server 2008 network operating system. To avoid the high overhead cost of maintaining a private e-mail service, Mr. Chen has contracted out Dream Landing’s e-mail system to Google. The current service contract with Google also covers basic security and spam filtering functions of the Gmail system. As to the phone services, the 8 lines connecting all the employees plus the fax line connecting the HP printer all branch out from a switch that is plugged into the cable modem controlled by Charter. Other essential management functions including accounting, personnel, payroll, and tax reporting are handled by a purchased client-server system, SME Light, which provides restricted access from the workstations of Mr. Chen and his administrative assistant. This software requires annual security upgrades at a small cost and is supported online by its vendor, OfficePro, in Sunnyvale, California.
Due to the small size of Dream Landing and its relatively simple IT architecture, a full-time IT position has never been justified. However, to meet the need for IT support, Mr. Chen hires a part-time IT technician, Matt Dudley, who also provides 50% of his time to another small business in town. Routinely, Matt spends two days a week (Monday and Wednesday) in Dream Landing’s back room to maintain the Dell server and to resolve any application problems that might arise from business operations. If necessary, he will also come in on Friday morning. In case of emergency, Matt could be called in to help within one hour, as he lives about a 30-minute drive away.
Current Security Profile
Located in the center section of a 10-store strip shopping plaza next to a major city access road, Dream Landing has felt increasing security threats in recent years due to 1) the prolonged recession that has fueled economic criminal activities such as check fraud and burglaries, 2) frequent weather-related threats such as hurricanes, tornadoes, storm surges, and dangerous lightning, and 3) news of large-scale data breaches on the Internet such as the recent Target case. Although no damaging security incidents have confronted Dream Landing so far, Mr. Chen suspects that the reasons are its small size, which has kept it under hackers’ radar, and good luck. However, given the recently prevalent targeted attacks from the Internet and unpredictable climate changes, he believes that his business cannot be immune to future business and IT risks. As he begins to address his concern, he undertakes a quick assessment of Dream Landing’s IT security.
Physically, Dream Landing’s office elevation of 20 feet above sea level is susceptible to a storm surge of 20 feet from the Gulf of Mexico that could cause moderate flooding, and a 30-foot surge would certainly wash away the business establishment. If a category I or II hurricane, or an EF 1 tornado, hits the strip plaza, its steel structure and the reinforced concrete wall enclosure and common walls will likely stay intact; however, the roof will be subjected to heavy damage. In the case of a stronger storm, a total loss of the building is expected. The memory of Katrina still lingers in the mind of every southern Alabamian.
In compliance with the Payment Card Industry Data Security Standard (PCI DSS), Dream Landing maintains tight control over access to its office and information systems. A six-digit key code system protects the agency’s front entrance during non-business hours; it also controls the back entrance to the office and the only inner entrance to the server room. Detailed operating data of this system is recorded in real time on a hard drive in the system’s console, which is also housed in the server room. For the client-server information systems other than Easy Book, both Mr. Chen and Matt Dudley assume the role of system administrator; they have the authority to create accounts for and grant access rights to all the employees. However, the creation of accounts on Easy Book requires higher-level approval from SaaS Solutions.
To protect sensitive customer data (including social security numbers, driver license numbers, and passport numbers in addition to demographic data) that are required for various travel bookings, Dream Landing employs three technical controls on its information assets. First, a special firewall module is added behind Charter’s cable modem. This piece of hardware filters the incoming traffic from the Internet to prevent harmful packets from sneaking into the LAN. Second, all computers including the server are shielded by AVG’s antivirus suite. This Greek software is very effective in detecting and containing most malware. Third, a rack-mounted, removable hard drive system is used to back up the data on the Dell server. A complete data backup has been programmed to occur once every Sunday evening. Matt routinely comes in Monday morning to hot-swap the four 1 TB hard disks on the backup system. It is worth noting that the Easy Book system stores the operational data of Dream Landing locally on the Dell server; therefore, Matt must carefully follow PCI DSS protocol to maintain clients’ data and destroy sensitive information after use.
Your Charge
Sitting behind his office desk and drinking his first cup of Starbucks of the day, Mr. Chen looks through the ADT logo on the picture window in his office and can’t stop thinking about the truth of Murphy’s Law. He figures that he has done everything to protect his business information assets, except that there are no contingency plans for his staff to follow in case something bad happens to his agency. With the heavy reliance on information technology to run his business, he does not believe his company can safely come out of a serious IT incident, much less survive a natural disaster. With this concern, he calls on your team to help.
Mr. Chen’s charges to you include the development of a contingency plan policy and a simple contingency plan to protect his information assets, which consist of hardware, software, work-in-process, data, and personnel. Specifically, the contingency plan should contain a Business Impact Analysis, an Incident Response Plan, a Disaster Recovery Plan, and a Business Continuity Plan. Since this task is Dream Landing’s first endeavor to conduct contingency planning, Mr. Chen would like you to focus on the most worrisome incident: a customer data breach.
| Deliverable | Chapter | Page | Reference |
| 1. CP Policy | 2 | 54-56 | Sample generic high-level policy for CP |
| 2. Business Impact Analysis | 2 | -- | Use NIST template (will be provided) |
| 3. Incident Response Plan | 4 | 153 | Figure 4-3 plus detailed responses covered in Chapters 4-8 |
Project Schedule
When you submit the final work, you are encouraged to organize the three deliverables into a single document with an attractive cover page. The project outcome, when nicely presented, can be useful to your future job search or career advancement.
You will also need to create a visual aid (e.g. PowerPoint) to present your project content and, more importantly, the rationale for the incident responses and the choice of recovery strategies. The following table summarizes the above information and also includes the point distribution for your reference.
| Deliverable | Due Date | Points |
| 1. CP Policy | Thursday, March 6, 2014 at 11:59pm | 20 |
| 2. Business Impact Analysis | Thursday, March 6, 2014 at 11:59pm | 30 |
| 3. Incident Response Plan | Friday, March 28, 2014 at 11:59pm | 40 |
| 4. Final Work (including all three deliverables and a separate team evaluation form) | Friday, April 11, 2014 at 11:59pm | |