Throughout this program, you will be creating a Business Continuity Plan (BCP) based on an industry that is of interest to you. This assignment is a continuation of that project. Using the Business Continuity Plan (BCP) content developed in the previous courses, complete Phase 3. Note: Upon completion and submission, implement any feedback from your instructor. Then, make sure to retain a copy of this assignment for the Business Continuity Plan, which will be finalized and submitted in either CYB-690 or ITT-660, depending on your major.
Special Note: Due to the length of this assignment, it will be started in Topic 4 and completed in Topic 5. Make sure to refer to the appropriate topic Resources as specified.
Prior to beginning this assignment, view “Business Continuity Plan (BCP)” and “Business Continuity and Disaster Recovery” within the “Video Playlist: Policy Management for Security Solutions,” located in the Class Resources.
Part 1: Issue-Specific Security Policies
NIST SP 800-12 Rev 1 recommends three types of information security policies to help organizations create, maintain, and develop an effective Information Security Program, with the objective of reducing risks, complying with laws and regulations, assuring operational continuity, and applying informational confidentiality, integrity, and availability.
One type is Issue-Specific Security Policies (ISSP). For each of the following issues, use “NIST SP 800-12 Rev 1,” located in the topic Resources, to create an ISSP document. Make sure to address the following for each policy: Issue Statement, Statement of the Organization’s Position, Applicability, Roles and Responsibilities, Compliance, Points of Contact, and Supplementary Information.
- Use of personal equipment on your company’s network (BYOD)
- Internet access
- Personal use of company equipment
- Removal of organizational equipment from your company’s property
- Use of unofficial software
Part 2: Legal Standard Operating Policies and Procedures
A thorough legal standard operating policies and procedures (SOP) document is the foundation of a good business continuity plan. Standard operating procedures and policies provide the roadmap for management and staff to follow. These steps become the backbone of the business continuity plan, and they must govern every aspect of your chosen company.
Using the Business Continuity Plan (BCP) – Phase 1 content developed in CYB-515, design a 6- to 8-page manual presenting the legal standard operating policies and procedures to describe incidents including fire evacuation, ransomware attack, power outage, and pandemic situations.
Each policy or procedure must include information related to:
- Industry Compliance
- Business Operations
- Training and Awareness
- Disaster Recovery
- Incident Response
Support the BCP with a minimum of three scholarly resources.
Part 3: Incident Response
Once an adverse event that has targeted a business is confirmed, it is labeled as an incident. That is the time to activate the incident response plan. After the plan is activated, procedures are followed for incident reaction. Most of the time, the incident is contained. Then, clean-up of all the problems begins and the organization makes a full recovery, with everything back to normal. This is incident recovery.
Use the guidelines provided by “NIST SP 800-61 Rev. 2: The Computer Security Incident Handling Guide,” located in the topic Resources, to design an Incident Response Plan (IRP) for your company. Include actions to be taken if each of the following adverse events occurs:
- Ransomware attack on one PC/user
- Power failure
- ISP failure
If a disaster renders the current business location unusable for a long time, and there is no alternate site to reestablish critical business functions, what would you suggest in a situation like this? Hint: Use the 8-step model recommended by NIST to develop and maintain a viable BC program for your company.
Support the BCP with a minimum of three scholarly resources.
While APA style is not required for the body of this assignment, solid academic writing is expected, and documentation of sources should be presented using APA formatting guidelines, which can be found in the APA Style Guide, located in the Student Success Center.
This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion.
You are required to submit this assignment to LopesWrite. A link to the LopesWrite technical support articles is located in Class Resources if you need assistance.
Business Continuity Plan

Executive Overview
With the development and new trends in the market, financial institutions are likely to face risks resulting from cyber-attacks, software failure, terrorist attacks, hardware failure, computer failure, and natural disasters, among other problems. It is essential to develop a business continuity plan that addresses possible risks and describes how the business can recover in case of a cyber-attack. In the case of risks such as a terrorist attack or a disaster at the financial institution’s location, the institution is likely to suffer direct impacts: it will incur direct and indirect expenses such as renovating the damaged property, and it might lose revenue through reputational damage, depending on the type of attack. This report aims to develop an effective business continuity plan that minimizes risks to a financial institution despite a disaster (Kumar, 2020).

Document Change Control
For changes to be implemented in an organization, they have to be discussed using a predetermined procedure that captures the primary considerations of the change. Activities that might occur in an organization and lead to change include upgrading systems in the infrastructure and increasing employee wages, among others. When changes are to be made, it is essential to discuss the proposed changes before implementation to ensure that all team members are aware of them. Discussing the changes also helps ensure that the institution’s operations are not disrupted, which would waste the organization’s time and resources. The chart below documents a change and the steps that were taken to implement it.

Project: upgrading information systems
Client: Mervin INC.
Project manager: Jeffery Patel

Change ID | Date | Change Description | Authorization | Changes and Effects | Permission Date | Time | Cost
EQ 31894 | 17/07/2021 | Installing new information technology devices that will enhance security | Yes | | 25/07/2021 | One month | $87,000

Well-executed change control has several benefits for an organization. One of the main benefits is that it gives workers a sense of psychological control, allowing them to meet the plan’s demands. A second benefit of a well-executed plan is that it allows resources to be distributed equally, which is crucial to the operations of the financial institution and keeps the business running smoothly (Stein & Wiedemann, 2018). With an effective change plan, it is possible to improve teamwork: for an effective change to occur, all team members must collaborate, which is likely to lead to greater efficiency as all activities are carried out in the time specified by the change. If team members can adapt to a change on time, the company’s productivity is likely to increase, allowing the company to meet its demands. Below is an outline of an effective change process.

- Change proposal – Change identification is the first step toward making the change, and it should mainly come from a member inside the institution. After a person identifies the area to change, relevant communication channels should be used so that the message reaches the required stakeholders. The benefits of the change can be documented at this stage.
- Impact summary – In this stage, the project manager analyzes the larger context of the change’s impact, including the resources to be deployed, the employees involved, additional costs, and the risks that might be encountered. After analyzing the change, the manager can accept or decline the proposal.
- Decision making – After the manager has fully assessed and approved the change, the manager discusses it with the board of directors, depending on the organization. The board can schedule a discussion of the change in order to evaluate its impacts further.
- Implementing the change – If the change has been accepted, it moves directly to the planning stage, where an effective action plan is developed. Implementation may run from a start date to an end date so that the results of the change can be monitored. If inconsistencies are associated with the change, the management team can roll back to the previous state. If the change is successful, it is documented in the organization’s operations.
- Closure – This is the final phase of implementation, as it involves wrapping up the operations associated with the change. The outcome and the people involved in implementing the change may be documented at this stage. If all members of the organization agree with the change, the change documentation can be signed off for the company’s future use.

Introduction
Overview
Mervin INC. is a financial institution that mainly provides loans to customers, who are required to pay them back at a particular interest rate over a particular period. Apart from offering loans, the company offers investors an investment opportunity and banking services through which they can invest. According to the company’s policies, the minimum investment amount is $1000, interest is earned after six months, and investors must be at least 18 years of age. These policies have attracted more users, allowing the company to expand to other geographical locations.

Scope of Plan
Despite the company having developed effective strategies to prevent cyber threats and disasters, it still needs an effective business continuity plan. Without one, the company could face risks that are hard to recover from, leading to organizational failure. After a detailed assessment of the risks that might impact the business, the company developed a risk assessment covering disruption of the power supply, equipment failure, application failure, human error and sabotage, cyber-attacks, natural disasters such as earthquakes, and malware attacks on its systems (Mbiru et al., 2020).

Applicability
Since the company was established recently, it has not yet covered most parts of the nation; thus, it allows customers to register via its online platforms, where they can obtain the services they need depending on their credit records. Because customers from various geographical locations access the organization’s services through its platform, the company’s cyber security teams have put in place various measures to protect the company and its customers from cyber-attacks.

- Firewall – This feature has been installed in the company’s information systems and is used to filter incoming and outgoing traffic based on the users’ predefined policies. It monitors users’ activity and warns them when sensitive information is involved, improving the security of traffic into and out of the network.
- Access control – This feature defines privileges for computer users according to their roles in the organization. Company employees have different rights from customers, allowing them to carry out their tasks efficiently. It also ensures that employees are not given unnecessary rights that might compromise the organization’s security.
- Encryption – This feature has been implemented as end-to-end encryption, ensuring that data is not leaked to unauthorized parties who might try to obtain it using man-in-the-middle attacks. With encryption, the company’s security is prioritized, ensuring the safety of the company and its employees.
- Physical security measures – The company has installed a perimeter wall with an electric fence to keep unauthorized parties out of the organization. Guards at the company’s main entrances are equipped with metal detectors to ensure no one enters the premises carrying a weapon, and storage devices are inspected on entry to the premises.
- Cloud storage – The company has opted for cloud storage to ensure that the required information is available to whoever needs it at any particular time, depending on the user’s rights. This lets the company’s customers reach the organization at any time and access the services they want, giving them a smooth experience. The company also uses cloud storage to create backups in case a cyber-attack on the organization occurs.

Risk Assessment Matrix
Risk: The risk most likely to be experienced in the financial institution is a data breach in which personal information such as passwords and usernames is stolen, compromising accounts. If a breach occurred, sensitive information would be accessed without authorization from the company’s stakeholders.
Likelihood: This cyber threat is likely because many cyber criminals are looking to steal credit card information and conduct unauthorized transactions with the cards.
Severity: The severity of such a data breach is high, as the cybercriminals might gain access to private information such as the customer’s Social Security Number, which can never be changed. This leaves the customer at permanent risk of further compromise.
Impact: The impact of most data breaches is very significant, because intruders could rob a customer by breaking into his bank account and making unauthorized transactions, leaving the bank to cover the resulting losses.
Cost: A significant data breach is likely to be costly, as customers’ confidential and sensitive information can be stolen, damaging the company’s reputation. Customer lawsuits over a data breach might cost up to $1,000,000 or more, depending on the impact.
Risk Assessment Matrix: Using a risk analysis matrix, identify where on a 3×3 risk diagram the risk would fall.
[Figure: 3×3 risk matrix with Severity (1–3) on one axis and Likelihood (1–3) on the other]

Critical Business Functions
Mervin INC. is a financial institution whose critical operations include:
- Money transfer – Customers conducting business via bank accounts need to transfer money from one bank to another, enabling successful business operations.
- Lending – Mervin INC. lends money as an investment strategy, and entrepreneurs are free to apply for loans at any given time.
- Record keeping – With many new customers registering and transactions taking place every minute, the company is obliged to keep records, which helps maintain business ethics.
- Keeping customers’ money safe – This is one of the primary activities the bank carries out. If the bank does not keep customers’ money safe, customers will find it hard to trust it, leaving it with a low market share.
- Fund distribution – Banks must distribute funds to their customers according to their needs and remain active according to their cash flow.
- Security – For customers to believe that the bank is a safe place for their funds, effective security authentication is needed so that customers can access their accounts successfully (Kuerban et al., 2020).
- Enforcement – Enforcement focuses on suspending the accounts of those who attempt to conduct illegal activities using bank transfers associated with fraud or theft. This policy allows the company to track funds associated with the fraud.
- Exchange rates – The company allows its customers to receive funds from all parts of the world, and it converts currencies for a fee.
- Sound business practices – This role is critical to the company, as it allows it to safeguard the money in the bank. Sound business practices involve good business decisions, such as deciding which customers receive loans and which do not.

Company Organization Chart
The organization chart plays a crucial role in Mervin INC. It allows employees to be allocated tasks according to management level, enabling the company to serve its customers effectively. The company’s organizational chart starts from top management, with authority distributed down to the lowest level of the organization. Below is the organizational chart of the organization.

References
Kuerban, M., Maihemuti, B., Waili, Y., & Tuerhong, T. (2020). Ecological risk assessment and source identification of heavy metal pollution in Urumqi, China vegetable bases, using the positive matrix factorization (PMF) method. PLoS ONE, 15(4), e0230191.
Kumar, A. (2020). Business continuity plan. South Asian Journal of Engineering and Technology, 10(2), 1-4.
Mbiru, J., Wickham, M. D., & Ayentimi, D. T. (2020). Introducing an entrepreneurial project management model. The Journal of Modern Project Management, 7(4).
Stein, V., & Wiedemann, A. (2018). Risk governance: Primary rationale and tentative findings from the German banking sector. In Current issues in corporate social responsibility (pp. 97-110). Springer, Cham.