Writing Assignment: Module 02 Flashcards
List and describe three of the applicable U.S. laws that impact contingency planning.
The Computer Fraud and Abuse (CFA) Act of 1986 made it a federal crime to access a protected computer without proper authorization.
The Electronic Communications Privacy Act (ECPA) of 1986 protects wire, oral, and electronic communications even while those communications are being made and are in transit.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects sensitive patient health information from being disclosed without the patient’s consent or knowledge.
What is the first step in beginning the contingency planning process?
To begin the process of planning for contingencies, an organization must first establish an entity that will be responsible for the policy and plans that will emerge from the process.
What are the primary responsibilities of the contingency planning management team (CPMT)?
- Obtaining commitment and support from senior management
- Managing and conducting the overall CP process
- Writing the master CP document
- Conducting the business impact analysis (BIA)
- Organizing and staffing the leadership for the subordinate teams:
* Incident response
* Disaster recovery
* Business continuity
* Crisis management
- Providing guidance to, and integrating the work of, the subordinate teams, including subordinate plans
Which teams may be subordinate to the CPMT in a typical organization?
Organizing and staffing the leadership for the subordinate teams, including:
Incident response planning (IRPT) and response teams
Disaster recovery planning (DRPT) and response teams
Business continuity planning (BCPT) and response teams
Crisis management planning (CMPT) and its specific response teams, if they are used
The CP process will fail without what critical element?
Obtaining a formal commitment from senior executive management.
What are the three communities of interest, and why are they important to CP?
* Managers and practitioners in information security
* Managers and practitioners in information technology
* Managers and professionals from general management
- Information security management and professionals:
* Focus on integrity and confidentiality of systems
* May lose sight of the objective of availability
- Information technology management and professionals:
* Design, build, and operate information systems
* Focus on costs of system creation and operation, ease of use, timeliness, transaction response time, etc.
- Organizational management and professionals:
* Includes executives, production management, HR, accounting, legal, etc. - the users of IT systems
What are the elements needed to begin the CP process?
*Planning methodology
*Policy environment to enable the planning process
*Business impact analysis
*Planning budget: access to resources
The elements required to begin the CP process are (1) a planning methodology; (2) a policy environment to enable the planning process; (3) an understanding of the causes and effects of core precursor activities, known as the business impact analysis (BIA); and (4) access to financial and other resources, as articulated and outlined in the planning budget.
What are the major sections in the CP policy document?
An introductory statement of philosophical perspective by senior management as to the importance of contingency planning to the strategic, long-term operations of the organization
What is a business impact analysis (BIA), and why is it important?
Business Impact Analysis (BIA):
*An investigation and assessment of the impact of various types of attacks
*Provides detailed scenarios of the effects of each potential type of attack
-BIA assumes that risk management controls have been bypassed, have failed, or were ineffective
-BIA addresses what to do if the attack succeeds
What are the usual stages in the conduct of the BIA?
- Assessing mission/business processes and recovery criticality
- Identifying resource requirements
- Identifying recovery priorities
What is a business process?
An activity or set of activities that accomplishes a specific organizational goal.
When confronted with many business functions from many parts of the organization, what tool can an organization use to determine which function is the most critical?
Weighted analysis
What are the most common downtime metrics used to express recovery criticality?
1. Maximum tolerable downtime (MTD)
2. Recovery time objective (RTO)
3. Recovery point objective (RPO)
What is maximum tolerable downtime (MTD)?
The total amount of time a business process can be disrupted without causing harm to the organization’s mission.
What is recovery time objective (RTO)?
The period of time within which systems, applications, or functions can be recovered.