Contingency Management Indiana University of Pennsylvania John P. Draganosky

What is Contingency Planning? Major Components IUP Contingency Plan IUP Information & Safeguard Security Program Brief Overview

Contingency Planning The process by which the information technology and information security communities of interest position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets, both human and natural.

Major Components Incident Response Plan (IRP) Disaster Recovery Plan (DRP) Business Continuity Plan (BCP)

Major Components Incident Response Plan (IRP) Focuses on the immediate response to an incident. Any unexpected event is treated as an incident, unless and until a response team deems it to be a disaster.

Major Components Disaster Response Plan (DRP) Focuses on restoring operations at the primary site. If operations at the primary site cannot be quickly restored, then the BCP occurs concurrently enabling the business to continue at the alternate site until normal operations are restored.

Major Components Business Continuity Plan (BCP) Ensures that critical business functions can continue if a disaster occurs. BCP is activated & executed concurrently with the DRP when the disaster is major or long term & requires fuller & complex restoration of information & IT resources.

IUP Contingency Plan The Incident – IRP Some sort of facility compromise Fire and/or Water Terrorism or Bomb Threat Building Evacuation for an indefinite or unknown amount of time. Reaction Activate DRP Switch all production operations & user services to the Alternate Site.

IUP Contingency Plan The Incident – IRP User Problems (Administration, Faculty, Staff, and the Students) Virus or Worm Attack Hardware Failure User installed software problem that causes network problems (i.e., P2P & File Sharing) Reaction Help Desk services are notified by the User TSC Network Operations management suspends all network activity to that PC & notifies that user’s Help Desk.

IUP Contingency Plan The Disaster Response – DRP Once operations are running at the Alternate site, the damage assessment team takes over to get the primary site cleaned up with Recovery Operations In the case of User Problems, if the PC has been compromised, every effort will be made to save the data before rebuilding begins Data is placed on a remote secured server & is put back on the PC after the rebuild is complete

IUP Contingency Plan The Business Continuity – BCP Primary & Alternate Hot site user services are always online together When the Primary site fails, the Alternate site picks up immediately due to server replication that runs constantly The only down time there is in switching sites is getting the alternate site staffed Once the Primary site is operational, replication from the alternate site will keep information current

IUP Information & Safeguard Security Plan Information Protection Policy & Safeguard Plan Serves as the public portion of IUP’s compliance with the Gramm-Leach-Bliley Act (GLBA) defining what IUP will do & who is responsible for doing it

IUP Information & Safeguard Security Plan IUP Policy Statement “It is the policy if Indiana University of Pennsylvania that all information be used in a manner that maintains an appropriate & relevant level of confidentiality & that provides sufficient assurance of its integrity in compliance with existing laws & PASSHE & University Policies.”

IUP Information & Safeguard Security Plan Existing Laws & Policies Copyright Law US Title Code 18 Family Educational Rights & Privacy Act (FERPA) Pennsylvania Library Theft Law Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability & Accountability Act (HIPPA) Electronic Communications Privacy Act Federal Privacy Act

IUP Information & Safeguard Security Plan University related information systems “Individual users with critical information maintained locally, i.e., on a PC, on paper, or in other media, shall also take appropriate steps to ensure that valuable & confidential information not be lost, damaged, or otherwise compromised.”

IUP Information & Safeguard Security Plan University related information systems “…confidential files should be locked when not in use. Sensitive or confidential info should be destroyed when discarded. It is particularly important that passwords to PC accounts with access to restricted information not be shared.”

IUP Information & Safeguard Security Plan Information Protection Procedures All IUP PC systems are subject to the IUP Information Assurance Guidelines. Designated system administrators are responsible for full compliance with the guidelines including the provisions for the physical & logical (authentication, secured hosts, virus scanning, active monitoring, backup/recovery) security management of each computer system.

IUP Information & Safeguard Security Plan Information Protection Procedures Physical Access Controls “Organization of work areas to minimize security risks of physical exposure to personally identifiable information, including storage in locked file cabinets, rooms, or vaults.” Requirements to enter a valid UserID and Password to access PCs (log off of PCs when not in use, use password-protected screen savers).

IUP Information & Safeguard Security Plan Information Protection Procedures Physical Access Controls Organize personal information & papers Use the Clean Desk method IUP Password Requirements are to change logon/AD password every 180 days. IUP does not require passwords to be changed

Contingency Planning Major Components IRP – DRP - BCP IUP Contingency Plan IUP Information & Safeguard Security Program Information Protection Policy Information Protection Procedures Review

Questions?