Case Study - Disaster Recovery

profileLaurilie
case_study2.docx

Case Study #2: Integrating Disaster Recovery / IT Service Continuity with Information Technology Governance Frameworks

Case Scenario:

You have been assigned to a large, cross-functional team which is investigating adopting a new governance framework for your company’s Information Technology governance program. Your first assignment as a member of this team is to research and write a 2 to 3 page white paper which discusses one of the Chief Information Security Officer (CISO) functional areas. The purpose of this white paper is to “fill in the gaps” for team members from other areas of the company who are not familiar with the functions and responsibilities of the Office of the Chief Information Security Officer.

Your assigned CISO functional area is: Disaster Recovery / IT Service Continuity (IT Service Continuity is a subset of Business Continuity). Your white paper must address the planning, implementation, and execution aspects of this CISO functional area. Your audience will be familiar with the general requirements for business continuity planning (BCP), business impact analysis (BIA), and continuity/recovery strategies for business operations (e.g. restore in place, alternate worksite, etc.). Your readers will NOT have in-depth knowledge of the requirements / implementation strategies which are specific to restoring IT services which support the critical functions of the business (as identified in a BIA).

Note: in your Critical Analyses and Discussion for this case study you will address specific aspects of a governance framework, e.g. COBIT®, ITIL®, or ISO/IEC 27002, which apply to planning and implementation of disaster recovery / IT Service Continuity.

Research:

1. Read / Review the Week 3 readings:

0. Organizations and Their Security Programs (Course Module)

0. Information Security Governance Simplified (e-book)

0. Evolution of the CISO Role and Organizational Readiness http://www.csoonline.com/article/2838371/security-leadership/the-evolution-of-the-ciso-role-and-organizational-readiness.html

0. How Good is Your Cyber Incident Response Plan? http://www.mckinsey.com/insights/business_technology/how_good_is_your_cyberincident_response_plan

0. A Strategic Framework for IT Disaster Recovery Assessments http://www.isaca.org/Journal/archives/2012/Volume-6/Documents/jol12v6-A-Strategic.pdf

1. Find three or more additional sources which provide information about best practices for IT Service Continuity / Disaster Recovery planning, implementation, and execution. (Hint: begin by exploring http://www.ready.gov/business ) For the purposes of this assignment, implementation means the advance work necessary to implement recovery plans by acquiring or contracting for products, services, infrastructures, and facilities. Execution means activating the DR/BCP plans and overseeing the recovery operations.

Write:

Using standard terminology (see case study #1), write a two to three page summary of your research. At a minimum, your summary must include the following:

1. An introduction or overview of disaster recovery / IT Service Continuity which provides definitions and addresses the reasons why cybersecurity should be specifically addressed in the company’s DR/BCP strategies and plans. This introduction should be suitable for an executive audience.

1. A separate section which addresses disaster recovery / IT Service Continuity planning functions performed by staff members in the Office of the CISO.

1. A separate section which addresses best practices for implementing disaster recovery / IT Service Continuity.

Submit For Grading & Discussion

1. Submit your case study in MS Word format (.docx or .doc file) using the Case Study #2 Assignment in your assignment folder. (Attach the file.)

1. Post your case study for discussion with your classmates. First, create a new topic in the Case Study #2 Discussion Forum. Then, paste the contents of your Case Study #2 document directly into that message. (Do not attach the file.)

1. Last posting or no posting for discussion will be penalized heavily so it is in your best interests to post your case study before the assigned due date.

Formatting Instructions

1. Use standard APA formatting for the MS Word document that you submit to your assignment folder. Formatting requirements and examples are found under Course Resources > APA Resources.

1. Use the “Paste from Word” paste option in the LEO editor when posting your Case Study to the Case Study #2 Discussion forum.

Additional Information

1. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. These items are graded under Professionalism and constitute 20% of the assignment grade.

1. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must comply with APA 6th edition Style requirements. Failure to credit your sources will result in penalties as provided for under the university’s Academic Integrity policy.

Rubric Name: Case Study #2 Rubric

Criteria

Excellent

Outstanding

Acceptable

Needs Improvement

Needs Significant Improvement

Missing or Unacceptable

Introduction or Overview for the Case Study

20 points

Provided an excellent overview of disaster recovery / IT service continuity. The overview appropriately used information from 3 or more authoritative sources.

18 points

Provided an outstanding overview of disaster recovery / IT service continuity. The overview appropriately used information from 2 or more authoritative sources.

16 points

Provided an overview of disaster recovery / IT service continuity. The overview appropriately used information from 2 or more authoritative sources.

14 points

Provided an overview but the section lacked important details about disaster recovery and/or IT service continuity. Information from authoritative sources was cited and used in the overview.

10 points

Attempted to provide an introduction to the case study but this section lacked detail and/or was not well supported by information drawn from authoritative sources.OR, the Case Study was posted late for discussion (mandatory 10 point deduction).

0 points

The introduction and/or overview sections of the paper were off topic.OR, the Case Study was not posted for discussion or was posted more than two days late (mandatory 20 point deduction).

Identified and Explained the Reasons Why Cybersecurity Should be Addressed in DR/BCP Strategies & Plans

20 points

Provided an excellent discussion which included 5 or more reasons why cybersecurity should be specifically addressed in the company’s DR/BCP strategies and plans. Appropriately used information from 3 or more authoritative sources.

18 points

Provided an outstanding discussion of 4 or more reasons why cybersecurity should be specifically addressed in the company’s DR/BCP strategies and plans. Appropriately used information from authoritative sources.

16 points

Provided a discussion of 3 or more reasons why cybersecurity should be addressed in the company’s DR/BCP strategies and plans. Appropriately used information from authoritative sources.

14 points

Provided a discussion which included at least 2 reasons why cybersecurity should be addressed in the company’s DR/BCP strategies and plans. Appropriately used information from authoritative sources.

10 points

Provided a discussion of cybersecurity in the context of DR/BCP decision making. The discussion lacked detail and/or was not well supported by information drawn from authoritative sources.

0 points

This section was missing, off topic, or failed to provide information aboutcybersecurity considerations for DR/BCP decisions. 

CISO Roles & Responsibilities for DR/BCP Planning

10 points

Provided an excellent discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP planning. Appropriately used information from 3 or more authoritative sources.

8.5 points

Provided an outstanding discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP planning. Appropriately used information from 3 or more authoritative sources.

7 points

Provided a discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP planning. Appropriately used information from authoritative sources.

6 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP planning. Mentioned information obtained from authoritative sources.

4 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP planning but the lacked detail and/or was not supported by information from authoritative sources.

0 points

Did not address roles & responsibilities of the CISO for DR/BCP planning.

CISO Roles & Responsibilities for DR/BCP Implementation

15 points

Provided an excellent discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP implementation(i.e. acquistion & contracting). Appropriately used information from 3 or more authoritative sources.

14 points

Provided an outstanding discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP implementation(i.e. acquistion & contracting). Appropriately used information from 3 or more authoritative sources.

13 points

Provided a discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP implementation(i.e. acquistion & contracting). Appropriately used information from authoritative sources.

11 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP implementation. Mentioned information obtained from authoritative sources.

4 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP implementation but the lacked detail and/or was not supported by information from authoritative sources.

0 points

Did not address roles & responsibilities of the CISO for DR/BCP implementation.

CISO Roles & Responsibilities for DR/BCP Execution

15 points

Provided an excellent discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP execution (i.e. activating and overseeing recovery operations). Appropriately used information from 3 or more authoritative sources.

14 points

Provided an outstanding discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP execution (i.e. activating and overseeing recovery operations). Appropriately used information from 3 or more authoritative sources.

13 points

Provided a discussion of CISO roles, responsibilities, and best practices for integrating cybersecurity into DR/BCP execution (i.e. activating and overseeing recovery operations). Appropriately used information from authoritative sources.

11 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP  execution. Mentioned information obtained from authoritative sources.

4 points

Discussion provided some information about CISO best practices, roles, and responsibilities for DR/BCP execution but the lacked detail and/or was not supported by information from authoritative sources.

0 points

Did not address roles & responsibilities of the CISO for DR/BCP execution.

Addressed security issues using standard cybersecurity terminology

5 points

Demonstrated excellence in the integration of standard cybersecurity terminology into the case study.

4 points

Provided an outstanding integration of standard cybersecurity terminology into the case study.

3 points

Integrated standard cybersecurity terminology into the into the case study

2 points

Used standard cybersecurity terminology but this usage was not well integrated with the discussion.

1 point

Misused standard cybersecurity terminology.

0 points

Did not integrate standard cybersecurity terminology into the discussion.

APA Formatting for Citations and Reference List

5 points

Work contains a reference list containing entries for all cited resources. Reference list entries and in-text citations are correctly formatted using the appropriate APA style for each type of resource.

4 points

Work contains a reference list containing entries for all cited resources. One or two minor errors in APA format for in-text citations and/or reference list entries.

3 points

Work contains a reference list containing entries for all cited resources. No more than 3 minor errors in APA format for in-text citations and/or reference list entries.

2 points

Work has no more than three paragraphs with omissions of citations crediting sources for facts and information. Work contains a reference list containing entries for cited resources. Work contains no more than 5 minor errors in APA format for in-text citations and/or reference list entries.

1 point

Work attempts to credit sources but demonstrates a fundamental failure to understand and apply the APA formatting standard as defined in the Publication Manual of the American Psychological Association (6th ed.).

0 points

Reference list is missing. Work demonstrates an overall failure to incorporate and/or credit authoritative sources for information used in the paper.

Professionalism Part I: Organization & Appearance

5 points

Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.

4 points

Submitted work has minor style or formatting flaws but still presents a professional appearance. Submitted work is well organized and appropriately uses color, fonts, and section headings (per the assignment’s directions).

3 points

Organization and/or appearance of submitted work could be improved through better use of fonts, color, titles, headings, etc. OR Submitted work has multiple style or formatting errors. Professional appearance could be improved.

2 points

Submitted work has multiple style or formatting errors. Organization and professional appearance need substantial improvement.

1 point

Submitted work meets minimum requirements but has major style and formatting errors. Work is disorganized and needs to be rewritten for readability and professional appearance.

0 points

Submitted work is poorly organized and formatted. Writing and presentation are lacking in professional style and appearance. Work does not reflect college level writing skills.

Professionalism Part II: Execution

15 points

No formatting, grammar, spelling, or punctuation errors.

14 points

Work contains minor errors in formatting, grammar, spelling or punctuation which do not significantly impact professional appearance.

13 points

Errors in formatting, spelling, grammar, or punctuation which detract from professional appearance of the submitted work.

11 points

Submitted work has numerous errors in formatting, spelling, grammar, or punctuation. Work is unprofessional in appearance.

4 points

Submitted work is difficult to read / understand and has significant errors in formatting, spelling, grammar, punctuation, or word usage.

0 points

Submitted work is poorly executed OR does not reflect college level work.

Overall Score

Excellent 90 or more

Outstanding 80 or more

Acceptable 70 or more

Needs Improvement 56 or more

Needs Significant Improvement 36 or more

Missing or Unacceptable 0 or more