September 2006: Information Technology Division BCP. Presented by Roy Gregory, IT Security Manager.

Presentation transcript:


Introduction
The CQU Information Technology Division (staff and data centre) was relocated from the ground floor of the Library building into a newly established "Building 19" in 1995.

When did we get started?
We commenced our BCP "journey" in the second half of
The driving factors were:
- Queensland Audit Office criticism of the lack of a University-wide BCP
- Queensland Government Information Standard 18, Principle 9 (of 10)

How did we get started?
- In August 2002 key ITD technical staff brainstormed an initial Risk Assessment.
- 14 separate (high level) risks were identified, along with potential control measures.
- Our greatest exposure was an outage of key business systems of up to 6 weeks as a result of a disaster in the Building 19 data centre.
- A Risk Assessment Report was subsequently created and budget items for the following year were raised to address the most urgent control measures.

Getting assistance
Having secured limited funding, we engaged a Brisbane based consultant to:
- Ensure that the BCP process we followed would meet with QAO approval
- Work with us on the BCP process for Financial Services and Student Administration
The consultant provided us with a freeware MS Access project risk management tool to use for storing and reporting on our identified risks.

BCP documentation
With guidance and assistance from the consultant, we developed, and have maintained, the following documentation:
- Threats and Risk Assessment
  - BCP project overview and scope, limitations, assumptions, deliverables, risk database
- Event Response Plan
  - Roles and responsibilities, team membership, contact details, action checklists, escalation process
- Business Continuity Plan
  - Risk categories, treatment strategies, B19/B87 service contingency status spreadsheet

A rude awakening! (or a blessing in disguise?)
In November 2002 an incident occurred which threw a new light on the BCP issue:

Not a pretty sight!

UPS meltdown
- The initial incident resulted in a 10 hour outage, followed by a few weeks of running on unclean power, and another outage of a few hours to cut over to the replacement UPS (two units).
- This event highlighted the vulnerability of the infrastructure in the central data centre, and a commitment was made by Senior Executive to provide funding for the establishment of a second data centre.

The second data centre
For cost and logistical reasons, it was decided that the second data centre would be located on the CQU Rockhampton campus. There is 700m of fibre in the ground between the 2 data centres and at least 500m distance as the crow flies. Building 87, or "The Bunker", which was designed in accordance with AS2834 (Computer Accommodation) and is capable of housing 22 racks, was handed over to ITD in the middle of 2004.

Second data centre (contd.)
The facility is protected by UPS, Genset, VESDA and 2-factor entry authentication (proximity card and PIN). We have over the past 2 years progressively split infrastructure between the 2 facilities, with many services now supported in "hot standby mode". Our recovery timeframe for core business systems in the event of a disaster in the B19 data centre is currently up to 72hrs. With the deployment of HP's StorageWorks Continuous Access EVA product later this year, that timeframe will reduce to a couple of hours!

"The Bunker"

Risk identification and mitigation
This has been an ongoing activity, with annual reviews of the ITD risk register, and determination of budget items to address further risk mitigation measures for the following year. When built, the main data centre (in B19) only had 3 of its 4 perimeter walls extend to the floor above. Earlier this year the fourth wall was extended, along with replacement of the entry doors, resulting in the facility now having an official 1 hour fire rating. VESDA installation is planned for early next year.

Our current risk exposure

The Australian, August 29/06
The 3 biggest threats are:
- Human error
  - Robust change management process
  - Development/test environment
- System failure
  - Removal of single points of failure
  - Routine testing and maintenance of supporting infrastructure (e.g. Gensets)
- Malicious software
  - Multi-level firewalls
  - IDS/IPS
  - NAC (A/V and patch status)
  - User education
  - Admin rights

Ongoing issues
- Lack of a University-wide Business Impact Analysis
- Tech staff not keeping the BCP spreadsheet up-to-date
- Lack of scheduled testing of standby generators
- Lack of rechargeable torches in suitable locations
- Staff leaving combustible material in data centres
- Commitment to drilling the BCP
- Availability of key staff out of hours
- 85% of MOE staff users having local admin rights
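The "Admin rights" control under the malicious-software threat and the "85% of MOE staff users having local admin rights" issue both come down to measuring, across the fleet, which accounts sit in each workstation's local Administrators group. The script below is an added example (not from the presentation or from CQU ITD) that produces that percentage; it assumes PowerShell remoting is enabled on the workstations, that the Microsoft.PowerShell.LocalAccounts module is present (Windows PowerShell 5.1 or later), and that the host names, domain name and allowed-principal patterns are placeholders to be replaced with the real ones.

```powershell
# Added example: report the share of managed (MOE) workstations whose local
# Administrators group contains members outside an agreed allow list.
# Placeholders (assumptions, replace before use):
$Workstations = @('MOE-PC-001', 'MOE-PC-002', 'MOE-PC-003')   # constructed host names
$DomainName   = 'EXAMPLE'                                      # placeholder NetBIOS domain
# Wildcard patterns for principals that are expected to hold local admin rights.
$Allowed = @("$DomainName\Domain Admins", "$DomainName\Desktop Support", '*\Administrator')

# Collect local Administrators membership from every reachable workstation.
$Results = Invoke-Command -ComputerName $Workstations -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Member'; e = { $_.Name } },
                      @{ n = 'Class';  e = { $_.ObjectClass } },
                      @{ n = 'Source'; e = { $_.PrincipalSource } }
}

$Summary = foreach ($Computer in $Workstations) {
    $Members = @($Results | Where-Object PSComputerName -eq $Computer)
    # Anything not matching an allow-list pattern is an unexpected local admin.
    $Unexpected = @($Members | Where-Object {
        $m = $_.Member
        -not ($Allowed | Where-Object { $m -like $_ })
    })
    [pscustomobject]@{
        Host            = $Computer
        Reachable       = ($Members.Count -gt 0)
        UnexpectedAdmin = ($Unexpected.Member -join '; ')
        HasLocalAdmin   = ($Unexpected.Count -gt 0)
    }
}

# Percentage is computed over reachable hosts only, so unreachable machines
# are listed separately rather than silently counted as compliant.
$Reached = @($Summary | Where-Object Reachable)
$Pct = if ($Reached.Count -gt 0) {
    [math]::Round(100 * @($Reached | Where-Object HasLocalAdmin).Count / $Reached.Count, 1)
} else { 0 }

$Summary | Format-Table -AutoSize
"{0}% of reachable MOE workstations have unexpected local Administrators members" -f $Pct
$Summary | Where-Object { -not $_.Reachable } | ForEach-Object { "Unreachable: $($_.Host)" }
```

Run it on a schedule and trend the percentage; the per-host UnexpectedAdmin column gives the list of accounts to move out of the group as the rights-reduction work proceeds.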