Final Exam: Create Disaster Recovery Plan with a plan for system and network recovery, for a medium sized federal contractor whose main office is located in an area prone to natural disasters.
- The Essay must be 5 pages long. Double Space
- Must have an introduction with a clear thesis statement, a body discussing the three main points, an ethics section discussing the document's ethical ramifications, and a conclusion
A disaster recovery (DR) plan is a detailed document that must be followed when a disaster happens that could pose a threat to the information that an organization owns (Whitman & Mattord, 2011). The disaster recovery plan has all the information about the natural disasters that can occur and the types of recovery procedures that must be taken to safeguard the organizational information. These procedures may be taken during the disaster or immediately after it. In this paper, I would like to discuss the steps that should be taken if a disaster strikes the main office of a medium-sized federal contractor that is located in an area prone to natural disasters. These disasters can be of many kinds, such as landslides, earthquakes, floods and tsunamis. Any disaster plan must consist of three major sections: Incident Response, Disaster Recovery and Business Continuity Planning (Whitman & Mattord, 2011). The purpose of this document is to prepare a disaster recovery plan with a focus on Incident Response, Disaster Recovery and Business Continuity Planning and other issues related to DR. Towards the end of the paper, I will also discuss the ethical ramifications that could be associated with a DR plan.
Precepts of incident response
Before I go deep into the major sections of the DR, I would like to state some of the precepts that are necessary.
- The first priority of this DR plan is to safeguard human life at any cost. If the life of any employee of the office is at stake at the same time as any data or information system is at risk, human life must be prioritized.
- The roles stated in this document must be clearly understood by the people who are given the roles. They must act accordingly in case of a disaster situation and fulfill the demands of their role.
- An employee must be assigned to alert key personnel including the fire department, the police and medical authorities. Other concerned people must also be informed as soon as possible.
- An employee must be assigned to document the happenings of the disaster. This would help in assessing the disaster, finding out its reasons and safeguarding against future incidents.
- If it is safe and not threatening any human life, some employees must be tasked to evacuate the physical assets of the office. All computers must be properly powered off if possible. Shutting down computers may save data from being completely destroyed (Neumann, 1994).
I would now like to discuss in detail the three major sections of this disaster recovery plan one by one.
Incident response is a step that starts before any disaster situation occurs in an office. The vulnerabilities that could exist in the computer networking system must be identified, and the necessary steps and procedures must be in place to rectify these vulnerabilities on a regular basis (Whitman, Mattord & Green, 2013). Preparing in advance matters far more than trying to safeguard data resources at the moment a disaster strikes. The security administrator of the organization is responsible for taking the steps needed to ensure that the information systems have been assessed and that they are capable of responding to a natural disaster situation. There must be data backups so that, if these systems are destroyed, a copy is still available at some other place.
A team must be formed under the leadership of the security administrator to identify threats to the information systems. This group should first identify the business-critical functions that must not stop even during the disaster. Secondly, it should identify the resources that keep the business-critical functions running. Thirdly, it should identify the resources that might be affected by a natural disaster. Fourthly, it should select a contingency plan. Fifthly, it should implement the contingency plan, and lastly it should test the strategy and revise it to make improvements.
Disaster Recovery operations
Once a disaster has hit the organization, it is obvious that there is a possibility that some of the information systems may be damaged. It is now time to apply different strategies to recover access to the software, information data and any hardware that might be damaged. At this stage it is necessary to make an assessment about the status of the different hard and soft resources of the office. This assessment would let us make a decision about which soft or hard systems can be fixed and which cannot be fixed. If necessary and safe, third parties can be called to help in disaster recovery of some of the soft and hard resources.
The disaster recovery operations must be started as soon as possible. This is the first step taken towards restoring the organization to full capacity, and it is where we would try to reestablish full operational capacity. As I said, there is a chance that some of the office resources may have been completely destroyed, so steps must be taken to acquire new resources as replacements. There would also be a need to recover the data residing on the data storage devices. This data may be of the utmost importance for the organizational operations, and steps must be taken to recover it. While retrieving this data, special consideration must be given to the ethical issues related to the personal information of customers and/or other people. If most of the resources that were necessary to run the minimum operations of the office are compromised and the viability of the organization is at stake, business continuity would be made possible with the help of the business continuity plan described in the following section.
Business Continuity Planning
Hurricane Andrew in 1992 affected many organizations, and 80% of the organizations that did not have a business continuity plan could not recover (Cerullo & Cerullo, 2004). This is how important a business continuity plan is for all businesses. There can be different approaches to business continuity in our case, a medium-sized federal contractor. The data that is necessary to run the operations of the company should be stored on multiple computers within the organization but at different locations. There is also an option to store necessary data in third-party storage, but this has ethical ramifications that are discussed in the next section. The text (Whitman & Mattord, 2011) discusses several approaches to devising a continuity plan: hot sites, warm sites and cold sites. For this case, I would go with the warm site option, which would enable the storage of the information. A warm site does not come with the facility of storing the full applications of the company, but that may not be a necessity in the case of a medium-sized business.
Several aspects of a data recovery procedure could confront us with ethical dilemmas when we aim at recovering data or plan business continuity that prepares us for a disastrous situation (Davison, 2007). Some of these ethical issues are discussed here.
- Data custody and privacy: Our organization might have chosen to hire a third party to store the customer information and other information related to government contracts in the continuity plan. This poses an ethical situation, as we might not be able to verify that the data has not been misused by the third party that has been hired. There is a need to make clear arrangements with the third party regarding the protection of the privacy of our clients.
- Clients' expectations about their data: Our clients, who might be the federal government, would expect that their data is not shared with other organizations. It is, therefore, necessary to inform the actual data owners that their data is put on third-party data storage and to ask them for their suggestions and opinions.
- Accountability: Another aspect of disastrous situations at an office is that data may be completely lost with no backup available. If such a situation happens, there is a question of who would share the responsibility and what the way forward would be. These issues must be addressed with the clients before such a situation happens.
In conclusion, I would like to stress that organizations must have mechanisms to deal with natural or human disasters. Special consideration should be given to the data stored in soft form. Computer or networking hardware can be repurchased and reinstalled, but data once completely lost may not be recovered at any cost. The plan devised for disaster recovery must be followed, and any person who does not fulfil his/her duties must be held accountable. None of the ethical issues should be overlooked in data recovery planning.
Cerullo, V., & Cerullo, M. J. (2004). Business continuity planning: A comprehensive approach. Information Systems Management, 21(3), 70-78.
Davison, C. B. (2007). Ethics of Business Continuity and Disaster Recovery Technologies: a Conceptual Orientation. Int. J. Comput. Syst. Signal, 8(1), 54.
Neumann, P. G. (1994). Computer-related risks. Addison-Wesley Professional.
Whitman, M., & Mattord, H. (2011). Principles of Information Security, 4th Edition. Independence, KY: Cengage Learning.
Whitman, M. E., Mattord, H. J., & Green, A. (2013). Principles of incident response and disaster recovery. Cengage Learning.