Work 596


Due Date: 30-Sep-2021

Words: 4000 words

Note: You are required to provide references in APA 7 format…list footnote. Strictly
follow the guidelines and table of contents provided in video.

TASK
Read the DMR Building Case Study before attempting this task.

DMR Building Ltd is a company that is involved in residential and commercial construction
and renovation in the NSW Central West. The company also owns the DMR Building Design
Co which provides building advice, design and consultancy services.
The company has a small data centre at its main site in Bathurst where the company’s
servers and data storage is located.
The company has some 65 staff, who include management, administrative staff, building,
construction and design staff. The company has a range of different types of relatively current
personal computers, which run Windows 10 Enterprise, to connect to the company data
centre. The company also uses about 20 iPad Air tablets for on-site quotes, job scheduling
and project management tasks.

Background:
After a successful engagement to assess the information security risks and develop security
policies for DMR Building Ltd, you have been asked to report on and recommend a
business continuity plan (BCP) to protect their data and resources. The company is
particularly concerned that it has no existing contingency plans or procedures in place in
case of a disaster.

The company has indicated during your initial discussions that some of their basic
requirements for contingency planning include:

• A Recovery Time Objective (RTO) of 4 hours
• A Recovery Point Objective (RPO) of 6 hours

Based on these, you now need to determine:

• The Maximum Tolerable Downtime (MTD),
• The Work Recovery Time (WRT) and
• The system and data recovery priority

The company expects that you will propose a Business Continuity Plan (BCP) for DMR
Building Ltd. You are expected to use as much of their existing resources as possible for
the BCP, and to recommend that only essential additional resources may be required. Your
BCP report must clearly state what additional resources, in terms of hardware,
software and locations, are required.

Tasks:

You are to report on the need for a Business Continuity Plan (BCP) for DMR Building Ltd in
accordance with the company's instructions above. Your report must include:

1. A brief discussion of the need for a BCP,
2. A Business Impact Analysis which highlights the critical areas of concern for DMR
Building
3. How DMR building should respond to security incidents
4. Backup plan for DMR Building,
5. Your reasoning and recommendations on what DMR Building should include in a
Disaster Recovery plan

Your report should include the following headings:

• Need for a BCP
• Business Impact
• Incident Response
• Backup
• Disaster Recovery
1. Overview / Need of BCP (801 words)
a. Background:
Organizations and companies need to provide their services and keep
operating at all times. Companies cannot afford a break in their
services and offerings for any reason. When the business process is
interrupted, the company's revenue suffers, the trust of customers or
consumers is reduced to a certain extent, and finally the brand value
of the company diminishes. There should be a well-documented plan for
continuing the business process despite unexpected events or incidents.
The document that provides the road map for how business operations will
be carried out during a disruption is referred to as the Business
Continuity Plan. As companies become more and more technology-reliant,
the risk of facing such unexpected scenarios or disasters increases¹.
A well-constructed business continuity plan needs to cover operations
with respect to both internal and external security complications. It
is also necessary to keep the business continuity plan up to date², as
it needs to handle real-time emergencies based on real-time scenarios.
In the DMR Building Company's case, the Business Continuity Plan is
needed to prevent cyber-attacks on its servers, data centers, etc., as
well as to protect them from natural or artificial disasters.

b. Purpose:
The major purpose of the business continuity plan in a company is to keep
services and operations functioning during and after a disruption or
disaster. The BCP mainly helps in defining the processes and procedures
for risk management. The main goal is to restart the main site that was
affected by the disaster as soon as possible while keeping the business
process up and running in the meantime.
DMR focuses on delivering its services of designing buildings and
providing consultancy for its customers 24/7. A sustainable BCP must
meet the following purposes:
i. DMR Building's security team should be provided with the recovery
and disaster handling plans.
ii. Predefined steps and protocols should be in place to facilitate the recovery.
iii. A well-documented BCP will be handy in avoiding confusion among
the security team members.
iv. Every staff member and customer will be well aware of the methodology
by which the business process will stay up and running whatever happens.

c. Scope
The scope of a well-designed BCP can range from minor to critical disaster
handling procedures. In general, one would expect a BCP to cover the
following aspects:
i. Identification of the major business functions
ii. Proper identification of the data and processes that are highly sensitive
and critical and their dependencies in the system
iii. Precise assumption of the probable risks and disruptive events
iv. Putting in place the backup and recovery steps
v. Classification of the functions, compositions, and working procedures
of the Business Continuity team
vi. Measures for proper communication in the event of a disaster
vii. Finally, devising proper testing and facilitating training on the BCP
procedures

¹ Virginia Cerullo & Michael J. Cerullo (2006), pages 70-78.
² Savage, M. (2002), "Business continuity planning", Work Study, Vol. 51 No. 5, pp. 254-261.

d. Main characteristics of a successful Business continuity plan

The major characteristics of a successful business continuity plan can be
understood under the following headings:

Strategies: DMR Building's day-to-day operations and responsibilities should
be included in the business continuity plan document.

Organization: How are the staff and the associated individuals of DMR
Building going to handle disaster situations? Their responsibilities
should be clear.

System and data: The system needs to allow the DMR Company to
enforce the recovery plans, and the critical data handling should be stated
clearly in the BCP.

Processes: The operational processes needed on a daily basis, based on the
functioning of the IT processes, must be maintained efficiently.

Regular testing: The backup strategies need to be tested at regular intervals
for their efficiency.

Involvement of all employees: Employees from managers and executives
down to the data entry level within the DMR Company should be engaged in the
BCP to further boost its value.

e. Who is responsible for the BCP: usually corporate governance

Corporate governance is chiefly responsible for the creation of business
continuity management. As I am the CISO of DMR Building Ltd., I will
be taking responsibility for creating the business continuity plan for the
company, considering the suggested recovery point objective and
recovery time objective and using the existing systems and resources as
much as possible to avoid overhead cost and resources. It will be a good
idea to form a business continuity coordinators group so that the BCP can
be properly monitored and maintained in the longer run. I will be
working closely with the legal, technical, administrative, and all the critical
business units to get detailed information about their business processes
and possible risks, and to generate the resolutions on which the BCP will
be based for the company as a whole.
2. Business Impact (953 words)
Business Impact Analysis (BIA) refers to the analysis of the critical business
activities, along with the other resource requirements that are necessary to guarantee
the continuity of the business process whenever a business disruption arises.
The business impact analysis illustrates the impact on the recovery point objective,
the recovery time objective, and the services of DMR Building Ltd. and their
delivery. DMR Building should look into Enterprise Resource Planning systems to
integrate the major business management processes. These systems help to provide
the business impact measures to the company³. Through business impact analysis we
can understand the impact of any probable risk on the departments of DMR Building,
such as the DMR Building Design department, the Management department, Finance and
Administration, and so on. The timing of a disaster greatly affects the business: if
the disaster occurs during the peak customer traffic period the impact will be huge,
and the DMR Building Company can suffer a big loss.

a. Purpose of Business Impact Analysis

The DMR Business Impact Analysis is a process of identifying the impact of a
natural or artificial disaster on the different departments of the company, on
the IT infrastructure (servers and network components), and on the physical
locations holding the important data and resources themselves.

b. Scope
Since there are many departments, several resources, and a small data center
located at the main site in Bathurst, the impact on these segments should be
included in the business impact analysis. The proper use of all the servers
(database, email, file and print, IIS, etc.) and of the data center should not
be interrupted at the time of a disaster. The Business Impact Analysis states
the amount of impact, such as how much data is lost in terms of the RPO (six
hours of data in our case), and how long the system stays down (the RTO of
4 hours). So the BIA identifies the business activities as well as the
resources that are needed to run the critical services of the company in case
of a disaster.

c. Objectives
Since the data center is located at the main site while the employees are
working at different locations, the employees should be properly trained in
the responsibilities they have to carry out at the time of a disaster to
continue the business activities. This has to be the ultimate objective of the
DMR BIA framework. Besides this, we can list the major objectives as follows:
i. Align the business continuity plans with the organization's strategic
goals⁴.
ii. Priority assessment for all the resources and the operations of the DMR
Building Company.
iii. Identification and understanding of the maximum downtime and
maximum data loss during any disaster event.

³ Lorin M. Hitt, D.J. Wu & Xiaoge Zhou (pages 71-98, 23 Dec 2014).
⁴ Selden, Stuart; Perks, Stephen (2007).

d. Follow-Up
i. The techniques and methods for evaluating the risk factors, and for
monitoring them regularly, should be prepared and performed.
ii. Periodic (monthly or annual) updates should be made for the service
activities offered by DMR and for the critical data list in the data
center at Bathurst.
iii. Staff should be checked regularly for awareness of their
responsibilities.

e. Business Process and Recovery Criticality

The first step of the Business Impact Analysis of the DMR Building
Company would be to evaluate the business requirements of the company and
prioritise them based on their roles and their link with the function, goal, and
objective of the organization. The servers, firewalls, and the physical locations
of the departments of DMR Building are evaluated and the expected
downtime after any unexpected event is predicted. This is the time for
which DMR Building can tolerate being out of operation.
i. Estimated Downtime
Downtime refers to the time period that is required for planning,
investing, and finally getting all the damaged parts and components
back in place as before, with the regular operations up and running,
after a disaster or unexpected incident⁵.
• Recovery Time Objective (RTO): RTO defines the
maximum amount of downtime. This is the time period
from the point when the system went offline to the point
when the system became fully functional or operational.
For DMR Building Ltd. the RTO needs to be set at 4 hours,
as suggested by the company's contingency requirements. The
backup and recovery plans must return the disrupted
system to its functional state within 4 hours of its
disruption.
• Recovery Point Objective (RPO): The disaster recovery
plans need to use backup data no older than 6 hours,
as our RPO is 6 hours for DMR Building Ltd.
• Work Recovery Time (WRT): This is the time that is
required after the RTO for the verification of the
system and the integrity of the data. The database
administrator of DMR is responsible for verifying the
databases and the logs.
• Maximum Tolerable Downtime (MTD): We add up the
RTO and WRT to get the MTD. I will be calculating
this based on the available times.
f. Identify resource requirements
All the business equipment, systems, tools, and applications, along with the
partners, customers, suppliers, etc. who are linked with the services of
DMR, fall under the resource requirements of the BIA of DMR Building Ltd.
A standard BIA report must be prepared that outlines all the resource
requirements. Critical areas of concern in DMR are the mail servers, which can
be targeted by malware; the database servers, which can be hacked; and
failures of the hardware, the software, and the building locations due to
natural or man-made calamities.

⁵ Mary C. Comerio (May 1, 2006, pages 349-365).

g. Business Impact Analysis Plan
i. Maintain employee records software: All the essential and sensitive
data and records are backed up to secondary sites or to secondary
storage devices/units.
ii. Training and support: Each staff member needs to have the proper
training to perform smoothly during a disruption.

3. Incident Response (648 words)

Incident response (IR) is the practice of identifying an attack immediately so as to
minimize its effects. DMR should focus on the three major components
of IR:
i. A well-defined plan that tells everyone how to prevent, handle
and recover from attacks.
ii. The proper individuals with the right duties at the time of the attack.
iii. Utility tools that can tackle security concerns.
a. Purpose and Scope
The major purpose of the DMR IR plan is to prepare the company for, detect,
and restore or recover from a data breach or any disaster event. DMR is
highly susceptible to malware attacks and data misuse/leakage, so an IR plan
in place would make the security team well aware of what to do, and how to
do it, at the time of a crisis. This will help business process
continuity.

b. Incident Response Plan Steps

I would be incorporating the following steps while planning the incident
response for DMR Building Ltd.:

Getting prepared: Initially, it is important to identify the start of
the incident; only then can we recover and restore. DMR could use warning
banners, provide notifications to its staff and customers during an event or
incident, create checklists to handle any incident, and so on.

Identifying the incident: DMR should be aware of whether an event is a usual
incident or a disaster. With that answer, the security team has to check for the
platforms affected by the incident and detect its type, viz. unauthorized access,
malware, DoS, data breach, etc.

Containing the impact of the incident: By determining the incident and its
risk level, the team can limit the scope of the issue.

Investigation of the attack vector: The security team of DMR needs to review the
entire system of the company, such as drives, servers, storage, memory, log files,
and all the supporting data.

Eliminating the issue: Cleaning up and uninstalling the attacked
platform/software, rebuilding the drive, etc. can be done to eliminate the
cause of the issue.

Recovery and follow-up: The system and all services of DMR are recovered
based on the contingency plans, and then finally the follow-up regarding the
RPO, RTO, WRT, and the total cost estimation is carried out.

c. Incident Handling Procedures

All the IR steps are included in the procedures to handle the incident.
Developing the incident identification plans and the processes to contain the
identified incident are the primary procedures for DMR IR. The responsible
person should be informed via notification about the incident, its impacts,
and the platform affected by the incident. Finally, the services are recovered
and the security team of DMR validates whether the efforts satisfied the
recovery estimations or not.

d. Detecting Incidents
In this phase, both the internal and external entities of DMR Building are
checked for vulnerabilities and weaknesses. As soon as any suspicious event is
detected, it should be documented and reported to the security team of DMR. How
are incidents detected? Some basic signs described below can be handy:

• Unusual occurrences observed in the system.
• Any server or data center that is not functioning as it should
be.
• Any sign of information leakage or unauthorized access to the system
monitoring.
• Devices or disks containing data that have been lost or subject
to unexpected activities (due to malware attacks or phishing).
• Malfunctioning software or hardware.

e. Incident Containment Strategies

To prevent further damage from an incident, DMR should focus on
incident containment strategies like:
• The system should be shut down once the attack is detected.
• If possible, the data centers should be disconnected from the network.
• Uninstalling the infected software and applications.
• Strengthening the firewalls.
• Updating the passwords and security PINs.
• Clean backups.
f. Reaction
Once all the steps are in place, the staff should be aware of what they need to do
and carry out their responsibilities calmly at the time of a disaster.
4. Backup (709 words)
In simple terms, backup is primarily a technical matter concerning data: a copy of
the data is created and stored at some site other than its original location.
Whenever an issue arises in the original data center, the sensitive data can be
retrieved from the secondary site. So a backup plan for DMR is to be created to
protect the sensitive data and files from loss during a disaster.

a. Purpose and Scope

The primary purpose of the backup is to generate a copy of the existing data
and to recover it when the primary data fails. The backup can be carried out
department-wise in the case of DMR. For example, the data related to the
finance department can be stored on a new server at some site other than
Bathurst, which can be a secondary site for DMR Building Ltd. Backups
can be made to portable storage devices, or in the case of large data sets
they can be transferred to hard disks and maintained on the secondary
site's servers.

b. Backup Strategy
As CISO I would be designing a backup strategy for DMR Building in
cooperation with the security team. The three major practices I will be
considering for the DMR backup strategy are:
i. Having an onsite as well as an offsite backup for DMR
ii. Developing an all-encompassing BCDR plan
iii. Automating the backups
Having the data stored at multiple sites prevents permanent data loss
and reduces the downtime in case of a disaster. All the company data of DMR
must be backed up in some location other than Bathurst. The DMR backup strategy
will include the popular 3-2-1 strategy, where three copies (including the original
one) of the data will be created, two distinct storage types will be used (i.e.
DMR data will reside on the on-premise servers as now, and will also be
placed on cloud servers by using the services of Amazon Web Services, or
AWS), and at least one copy of the DMR data will be placed offsite.
One of the storage types I would recommend is Network Attached Storage
(NAS), so that replication of the onsite data to the offsite data center is
simplified.

Another strategy for backup is to prepare a Business Continuity and Disaster
Recovery (BCDR) plan so that critical resources and operational data are backed up
according to the plan. We can understand the significance of having a BCDR
plan from the IBM report of 2016, which suggested that downtime costs a company
$7,003 for every minute. We will be using automatic backups as far as
possible, so as to minimize human errors and complexities. This also helps to
increase overall productivity, as the staff of DMR can be engaged in
business and service-centric tasks. DMR processes need to be updated whenever
any new resources or platforms undergo even the slightest change.

c. Planning for backup

Once we have a clear backup strategy we can easily plan the backup
procedures. This is simply identifying the data to back up and then implementing
the backup. Since all the DMR staff have access to the data, the data center and
the servers, mishandling might occur and result in data loss. So
proper planning of the backup is significant here.
i. First and foremost, the DMR company staff and I need to identify
which data are critical and need to be backed up. So there should be
a priority-wise list of all the data and resources. The data that are
essential for DMR Building Ltd. to keep running in any state are
given the highest priority. The main aim is to keep the system surviving at
all times and in any situation.
ii. We need to determine the maximum allowable time period between
backups. The backup period should be no more than that suggested
by the RPO, which is 6 hours in our case.
iii. As suggested by the 3-2-1 strategy, we will use new locations as
secondary storage sites, and store the data onsite as well as in the
cloud.
iv. DMR should assign someone the job of regularly monitoring and ensuring the
accurate working of the backup procedures in the system.
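
The checks implied by steps ii to iv above, as an added example that is not part of the original report: a small Python audit that tests a backup catalogue against the 3-2-1 rule and the 6-hour RPO. The data set names, the catalogue layout and the separate offsite-freshness check (for the case where the Bathurst site itself is lost) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RPO = timedelta(hours=6)  # DMR's stated Recovery Point Objective


@dataclass(frozen=True)
class Copy:
    dataset: str           # logical data set (names below are hypothetical)
    media: str             # storage type: "server-disk", "nas", "cloud", ...
    offsite: bool          # True if held away from the Bathurst data centre
    taken_at: datetime     # when this copy was last written
    primary: bool = False  # True for the live original


def hours(delta):
    """Express a timedelta as hours, rounded to one decimal place."""
    return round(delta.total_seconds() / 3600, 1)


def check_dataset(copies, now, rpo=RPO):
    """Return (code, detail) findings for one data set; [] means compliant."""
    findings = []
    # 3-2-1: three copies (original included), two storage types, one offsite.
    if len(copies) < 3:
        findings.append(("COPIES", f"{len(copies)} copies, 3 required"))
    if len({c.media for c in copies}) < 2:
        findings.append(("MEDIA", "fewer than 2 storage types"))
    backups = [c for c in copies if not c.primary]
    offsite = [c for c in backups if c.offsite]
    if not offsite:
        findings.append(("OFFSITE", "no offsite backup copy"))
    if not backups:
        findings.append(("RPO", "no backup copy exists"))
        return findings
    # RPO: the newest backup must be no older than the allowed data loss.
    age = now - max(c.taken_at for c in backups)
    if age > rpo:
        findings.append(("RPO", f"newest backup is {hours(age)} h old"))
    # Assumption: if the main site is lost only offsite copies survive,
    # so the newest offsite copy is held to the same RPO.
    if offsite:
        off_age = now - max(c.taken_at for c in offsite)
        if off_age > rpo:
            findings.append(
                ("RPO_OFFSITE", f"newest offsite backup is {hours(off_age)} h old"))
    return findings


def audit(catalog, now, rpo=RPO):
    """Group the catalogue by data set and check each group."""
    by_dataset = {}
    for c in catalog:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: check_dataset(cs, now, rpo) for name, cs in by_dataset.items()}


# Constructed sample catalogue (not real DMR data).
NOW = datetime(2021, 9, 30, 12, 0)


def ago(h):
    return NOW - timedelta(hours=h)


SAMPLE = [
    Copy("finance-db", "server-disk", False, ago(0), primary=True),
    Copy("finance-db", "nas", False, ago(2)),
    Copy("finance-db", "cloud", True, ago(3)),
    Copy("design-files", "server-disk", False, ago(0), primary=True),
    Copy("design-files", "nas", False, ago(1)),
    Copy("design-files", "cloud", True, ago(9)),   # offsite copy is stale
    Copy("email", "server-disk", False, ago(0), primary=True),
    Copy("email", "nas", False, ago(2)),           # no third, offsite copy
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, NOW).items():
        print(name, "OK" if not findings else findings)
```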

5. Disaster Recovery
Disaster recovery can be thought of as the practice of making a system able to
withstand unexpected failures. For instance, if the data center at Bathurst catches
fire, then all the servers and systems will be destroyed. In such a scenario, the DR
plan will help our IT systems to survive. So, every company needs to have a
well-documented DR plan in place, and it needs to be tested at least twice a year for
its efficiency.
a. Purpose and Scope
DMR has other plans and procedures to handle day-to-day operational
issues but lacks a plan to survive catastrophic failures.
Disasters can occur unexpectedly at any point in the lifespan of the
system. The main purpose of Disaster Recovery is to achieve an acceptable
recovery state. This defines the point of data loss that DMR is willing
to accept at the time of a disaster. So a DR plan for DMR Building Ltd.
needs to be able to bring the compromised system back into operation within
4 hours of its disruption, using backed-up data that is no
older than 6 hours. Hence, the main scope of the DR plan for DMR covers
the steps to recover all the sensitive services after an extraordinary failure that
has the potential to inhibit the business process continuity of the company as a
whole.

b. DRP strategies
Starting from the business level of DMR, we have to determine the
applications that are most significant for the company to survive. Recovery
strategies typically explain the plan of DMR Building Ltd. to respond to an
incident. DMR DR strategies must consider issues like:
• Budget and finance
• Staff, physical facilities and tools
• Related technologies
• Data, suppliers, and customers
Once we have developed the DRP strategies, they require approval from the
management team, who check and validate the strategies for their alignment
with the company's goals. The approved DR strategies are the ones that can be
used for DR planning.
We can consider three different strategies to recover from a disaster: Cold
Backup, Warm Backup, and Hot Backup. In our DMR DR strategy, we will go
with the warm backup as it is quicker, efficient, and economical for our
brand. DMR will keep a reasonable amount of hardware and software
installations available in advance, such that they can simply be fed with the
latest backup. This keeps the system ready at all times, and DMR can recover
quickly in the event of any failure.

c. Types of DRP
A DRP can be designed to suit the given environment. We can discuss the
following four types of disaster recovery plans that can be deployed in
DMR Building Ltd.:

- Virtualized DRP: DMR can simply meet its targeted RTO through a virtual
server that is kept in reserve capacity or the cloud environment. There is no
necessity to rebuild the physical server when a failure occurs.

- Network DRP: DMR recovery team needs to detail every step of the
recovery procedure. Network DRP becomes complicated if the network used
in the company becomes complex.

- Cloud DRP: DMR can simply back up some of its files into the cloud
environment or completely replicate its on-site system to the cloud
environment. This type of DRP will reduce the cost of space, time, and budget
as a whole. The manager of DRP has to be aware of the locations of the virtual
and the physical servers.

- Data center DRP: This DRP is exclusive to the data center at Bathurst.
An operational risk assessment is performed, and the data center's
building location, power supply, office space, and security measures are
analysed.

d. Elements of DRP
DMR Building relies on its technology and its electronic data to
carry out its day-to-day operational activities. There is every chance of losing
a huge amount of data in a disaster. One of the simpler ways to
prevent this unexpected loss is a DRP, which will comprise the
following typical elements:
i. Establishment of a DR team: DMR should create a team of technically
sound and experienced individuals to prepare and maintain the DRP,
so that I, as CISO, can monitor it. Who needs to be contacted
for which type of failure should be set in advance.
ii. Identification and assessment of the disaster and its risk: The DMR DR
team needs to be capable of identifying the type of disaster and its
possible hazards to the system. In case there is a hardware or
software failure, the team needs to shift the operations associated with
it to a new environment or infrastructure at the secondary site.
iii. Determination of the critical aspects, specification and
implementation of the backup procedures, and regular testing are other
vital elements of the DRP to be considered by DMR.

e. Planning the DR
Finally, we prepare a plan along with the DR team, and the management team
which will guide the DMR on how to respond in a time of any disaster.
Planning a DR includes:
- defining the scope of the activity
- collection of the network infrastructure files that are relevant
- listing the critical threats and sensitive assets of DMR
- looking into the disaster histories, and their ways of handling
- knowing and implementing the current DR strategies
- coordinating with the incident response team
- approval of the management team for the DR plan
- testing, updating, and implementing the DR plan
References
