Presentation is loading. Please wait.

Presentation is loading. Please wait.

September 2006 1 Information Technology Division BCP Presented By Roy Gregory IT Security Manager.

Published byJuliet Clarke Modified over 8 years ago

Similar presentations

Presentation on theme: "September 2006 1 Information Technology Division BCP Presented By Roy Gregory IT Security Manager."— Presentation transcript:

1 September 2006 1 Information Technology Division BCP Presented By Roy Gregory IT Security Manager

2 September 20062 Introduction The CQU Information Technology Division (staff and data centre) was relocated from the ground floor of the Library building into a newly established “Building 19” in 1995. The CQU Information Technology Division (staff and data centre) was relocated from the ground floor of the Library building into a newly established “Building 19” in 1995.

3 September 20063 When did we get started?  We commenced our BCP “journey” in the second half of 2002.  The driving factors were :-  Queensland Audit Office criticism of the lack of a University-wide BCP  Queensland Government Information Standard 18 Principle 9 (of 10)

4 September 20064 How did we get started?  In August 2002 key ITD technical staff brainstormed an initial Risk Assessment.  14 separate (high level) risks were identified, along with potential control measures.  Our greatest exposure was an outage of key business systems of up to 6 weeks as a result of a disaster in the Building 19 data centre.  A Risk Assessment Report was subsequently created and budget items for the following year were raised to address the most urgent control measures.

5 September 20065 Getting assistance  Having secured limited funding, we engaged a Brisbane based consultant to:-  Ensure that the BCP process we followed would meet with QAO approval  Work with us on the BCP process for Financial Services and Student Administration  The consultant provided us with a freeware MS Access project risk management tool to use for storing and reporting on our identified risks.

6 September 20066 BCP documentation With guidance and assistance from the consultant, we developed and have maintained, the following documentation:- With guidance and assistance from the consultant, we developed and have maintained, the following documentation:-  Threats and Risk Assessment  BCP project overview and scope, limitations, assumptions, deliverables, risk database  Event Response Plan  Roles and responsibilities, team membership, contact details, action checklists, escalation process  Business Continuity Plan  Risk categories, treatment strategies, B19/B87 service contingency status spreadsheet

7 September 20067 A rude awakening! (or a blessing in disguise?)  In November 2002 an incident occurred which threw a new light on the BCP issue:-

8 September 20068 Not a pretty sight!

9 September 20069 UPS meltdown  The initial incident resulted in a 10 hour outage, followed by a few weeks of running on unclean power, and another outage of a few hours to cutover to the replacement UPS (units - two of them).  This event highlighted the vulnerability of the infrastructure in the central data centre, and a commitment was made by Senior Executive to provide funding for the establishment of a second data centre.

10 September 200610 The second data centre For cost and logistical reasons, it was decided that the second data centre would be located on the CQU Rockhampton campus. For cost and logistical reasons, it was decided that the second data centre would be located on the CQU Rockhampton campus. There is 700m of fibre in the ground between the 2 data centres and at least 500m distance as the crow files. There is 700m of fibre in the ground between the 2 data centres and at least 500m distance as the crow files. Building 87, or “The Bunker”, which was designed in accordance with AS2834 (Computer Accommodation) and is capable of housing 22 racks, was handed over to ITD in the middle of 2004. Building 87, or “The Bunker”, which was designed in accordance with AS2834 (Computer Accommodation) and is capable of housing 22 racks, was handed over to ITD in the middle of 2004.

11 September 200611 Second data centre (contd..) The facility is protected by UPS, Genset, VESDA and 2 factor entry authentication (proximity card and PIN). The facility is protected by UPS, Genset, VESDA and 2 factor entry authentication (proximity card and PIN). We have over the past 2 years progressively split infrastructure between the 2 facilities, with many services now supported in “hot standby mode”. We have over the past 2 years progressively split infrastructure between the 2 facilities, with many services now supported in “hot standby mode”. Our recovery timeframe for core business systems in the event of a disaster in the B19 data centre is currently up to 72hrs. With the deployment of HP’s StorageWorks Continuous Access EVA product later this year, that timeframe will reduce to a couple of hours! Our recovery timeframe for core business systems in the event of a disaster in the B19 data centre is currently up to 72hrs. With the deployment of HP’s StorageWorks Continuous Access EVA product later this year, that timeframe will reduce to a couple of hours!

12 September 200612 “The Bunker”

13 September 200613 Risk identification and mitigation This has been an ongoing activity, with annual reviews of the ITD risk register, and determination of budget items to address further risk mitigation measures for the following year. This has been an ongoing activity, with annual reviews of the ITD risk register, and determination of budget items to address further risk mitigation measures for the following year. When built, the main data centre (in B19) only had 3 of it’s 4 perimeter walls extend to the floor above. Earlier this year the forth wall was extended, along with replacement of the entry doors, resulting in the facility now having an official 1 hour fire rating. VESDA installation is planned for early next year. When built, the main data centre (in B19) only had 3 of it’s 4 perimeter walls extend to the floor above. Earlier this year the forth wall was extended, along with replacement of the entry doors, resulting in the facility now having an official 1 hour fire rating. VESDA installation is planned for early next year.

14 September 200614 Our current risk exposure

15 September 200615 The Australian – August 29/06 The 3 biggest threats are :- The 3 biggest threats are :-  Human error  Robust change management process  Development/test environment  System failure  Removal of single points of failure  Routine testing and maintenance of supporting infrastructure (e.g. Gensets)  Malicious software  Multi-level firewalls  IDS/IPS  NAC (A/V and patch status)  User education  Admin rights

16 September 200616 Ongoing issues Lack of a University-wide Business Impact Analysis Lack of a University-wide Business Impact Analysis Tech staff not keeping the BCP spreadsheet up-to-date Tech staff not keeping the BCP spreadsheet up-to-date Lack of scheduled testing of standby generators Lack of scheduled testing of standby generators Lack of rechargeable torches in suitable locations Lack of rechargeable torches in suitable locations Staff leaving combustible material in data centres Staff leaving combustible material in data centres Commitment to drilling the BCP Commitment to drilling the BCP Availability of key staff out of hours Availability of key staff out of hours 85% of MOE staff users having local admin rights 85% of MOE staff users having local admin rights

Download ppt "September 2006 1 Information Technology Division BCP Presented By Roy Gregory IT Security Manager."

Similar presentations

A Joint Code of Practice Objectives and Summary Presentation

A Joint Code of Practice Objectives and Summary Presentation
Information Technology Disaster Recovery Awareness Program.

Information Technology Disaster Recovery Awareness Program.
Business Continuity Training & Awareness by Sulia Toutai (ANZ)

Business Continuity Training & Awareness by Sulia Toutai (ANZ)
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
BCP/DRP Consultancy Project- An approach

BCP/DRP Consultancy Project- An approach
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works

Security Controls – What Works
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment.

Unit Outline Information Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature Module 3: Security Risk Assessment.
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.

Measuring the effectiveness of government IT systems Current ANAO initiatives to enhance IT Audit integration and support in delivering Audit outcomes.
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
Unit Introduction and Overview

Unit Introduction and Overview

Similar presentations

Ads by Google