ITC596 IT Risk Management Assessment
Assessment item 4 - Contingency Planning
Word count – 2000 words
SoftArc Engineering Ltd (SEL) is a civil engineering company which works across Australia as well as in New Zealand, Fiji, Vanuatu, Indonesia, Timor Leste and Papua New Guinea.
SEL has a small data centre at its main site in Bathurst where the company’s servers and data storage is located.The company has some 70 engineering and support staff that work on different projects for clients in various locations in Australia and overseas. The support staff are mainly based in Bathurst, but engineering staff are located in different parts of Australia, New Zealand, and Papua New Guinea. Most of the support staff have access to a PC, although some support staff share a PC with other staff. The engineering staff all connect remotely to the SEL data centre from their laptops. The SEL data centre infrastructure has not been updated for some time and the SEL Board is concerned that they may be exposed to a cyber attack as they are now starting to work on various Government projects in different countries.
You have been employed by SEL as their first Chief Information Security Officer (CISO). You have been tasked by the Board to conduct a review of the company’s risks and start to deploy security policies to protect their data and resources.
You are concerned that the company has no existing contingency plans in case of a disaster.
The Board indicated that some of their basic requirements for contingency planning include:
- A Recovery Time Objective (RTO) of 4 hours
- A Recovery Point Objective (RPO) of 6 hours
Based on these, you now need to determine:
- The Maximum Tolerable Downtime (MTD),
- The Work Recovery Time (WRT) and
- The system and data recovery priority
The Board expects that you will propose a Business Continuity Plan (BCP) for SEL. The Board expects you to use as much of their existing resources as possible for the BCP, but understands that some additional resources may be required. Your BCP proposal must clearly state what additional resources, in terms of hardware, software and locations, are required.
You are to develop a proposal for a Business Continuity Plan (BCP) for SEL in accordance with the Board's instructions above. Your proposed BCP must include:
- A brief executive overview of the entire BCP,
- A Business Impact Analysis
- An Incident Response Plan
- A Backup plan,
- A Disaster Recovery plan,
Your proposed BCP should include the following headings:
- Executive Overview of the BCP
- Business Impact
- Incident Response
- Disaster Recovery
You are required to provide references in your BCP in APA 7 format.
This assessment task will assess the following learning outcome/s:
- be able to justify the goals and various key terms used in risk management and assess IT risk in business terms.
- be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach.
- be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk.
- be able to critically evaluate IT security risks in terms of vulnerabilities targeted by hackers and the benefits of using intrusion detection systems, firewalls and vulnerability scanners to reduce risk.
MARKING CRITERIA AND STANDARDS
When submitting your assignment be sure to meet the following presentation requirements:
- Assignments are required to be submitted in either Word format (.doc, or .docx), Open Office format (.odf), or Rich Text File format (.rtf) format. Each assignment must be submitted as a single document.
- Assignments should be typed using a 12 point font.
- This assignment should be referenced using the numbered IEEE style format
Assessment Item 4 should be submitted through Turnitin by midnight (AEST) according to the date mentioned in the subject outline.
All textual elements within an assessment must be submitted in a format that is readable by Turnitin. Specific exceptions, where an assessment requires the insertion of image-based evidence of workings will be outlined in the context of the assessment. Students that deliberately attempt to insert the content of assessments in a format that is not readable by Turnitin may be subject to Academic misconduct investigations.