Tuesday, June 21, 2011

Disaster Recovery Plan


Definition OF Disaster Recovery Plan

A disaster recovery plan (DRP) can be defined as “Set of documents, instructions & procedures which enable a business to respond to accidents, disasters, emergencies, and/or threats without any stoppage or hindrance in its key operations. DRP is also known as business resumption plan, business continuity plan, or recovery plan.”

(businessdictionary.com, 2011)

Explanation

A disaster recovery plan describes how an organization is deal with potential disasters that when it occurs how they can recover the data or information necessary for the continuity of the business. It is a plan consist of the precautions taken so that the effects of a disaster will be minimized & the organization will be able to maintain or quickly resume mission-critical functions. It involves the analysis of business processes & continuity needs, it may also include a significant focus on disaster prevention.

Disaster recovery is becoming an increasingly important aspect of enterprise computing. As devices, systems & networks become ever more complex, there are simply more things that can go wrong. The disaster Recovery plan includes the industry standards, best practices and international standards like hardware, redundancy, clustering, replication and data reduplication, availability, reliability, & extensibility. Some of the examples of disasters are fire, earthquakes, and many more.

(oucs.ox.ac.uk, 2011)

Example

An example of disaster recovery plan, fifteen or twenty years ago if there was a threat to systems from a fire, a disaster recovery plan might consist of powering down the mainframe & other computers before the sprinkler system came on, disassembling components, and subsequently drying circuit boards in the parking lot with a hair dryer. Current enterprise systems tend to be too large & complicated for such simple and hands-on approaches, however, and interruption of service or loss of data can have serious financial impact, whether directly or through loss of customer confidence.

(SOLUTION) What If ‘DRP’ occurs?

Disasters can or cannot be controlled depending on the condition of the disaster. But if the company have the recovery plan like they already backup the necessary data & kept in the safe place. It will be easy for them to recover the information after the disaster. Also the responsibility of the employees is the main criteria for an organization that they should implement the correct recovery plan but before that the senior employees or CEO or board of directors of the company should appoint the correct or experience staff to make a best plan for the organization and then train the junior employees to implement it.


Provisioned Disaster Recovery Servers

The Brief Explanation of Hot site, Cold site, & Warm site are given below. According to Haag, Cummings, McCubbrey, Pinsonneult, and Donovan. (2004).

Cold Sites

“A cold site is the most inexpensive type of backup site for an organization to operate. It does not include backed up copies of data and information from the original location of the organization, nor does it include hardware already set up. The lack of hardware contributes to the minimal startup costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.” 1

Hot Sites

“A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. Real time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Following a disruption to the original site, the hot site exists so that the organization can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours or even less. Personnel may still have to be moved to the hot site so it is possible that the hot site may be operational from a data processing perspective before staff has relocated. The capacity of the hot site may or may not match the capacity of the original site depending on the organization's requirements. This type of backup site is the most expensive to operate. Hot sites are popular with organizations that operate real time processes such as financial institutions, government agencies and e commerce providers” 1

Warm Sites

“A warm site is, quite logically, a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.” 1

REFERENCES

Avaialable at (http://www.businessdictionary.com/definition/business-continuity-plan.html) Accessed at 21/06/2011

Avaialable at (http://www.oucs.ox.ac.uk/groupware/docs/GroupwareProjectSpecificationv1pt1.pdf) Accessd at 21/06/2011

1Haag, Cummings, McCubbrey, Pinsonneult, and Donovan. (2004). Information Management Systems, For The Information Age. McGraw-Hill Ryerson.

Tuesday, June 14, 2011

Managing Systems Security

Question no. 1

The Five information system risks are:

Ø Human Errors

Ø Environmental Hazards

Ø Computer Systems Failure

Ø International Threats

Ø Cyber Crime

Human Errors

In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness in 2008 (86 percent) by a survey, followed by technology (a distant 63 percent)," the report states. It attributes the rising risk to increased adoption of new technologies and social networking.

Human errors can happen in many ways like in the design of hardware & information systems, E.g. programming, testing, authorization.

Environmental Hazards

The forces of the natural world can cause significant risk to life, property and economies. The power of extreme weather events and geological movements can alter the status quo in sudden dramatic actions. Natural risk includes flooding and mudflow, landslides, avalanches, droughts and fires and coastal realignment.

Industrialization has created additional stresses on the capacity of natural systems to recycle and regenerate, leading to a different set of environmental risk. Aspects of this research area include understanding resilience of natural systems and modeling the uncertainties associated with risk management strategies.

Examples of environment hazards are fire, earthquakes, hurricanes, floods, lightning strikes etc

Computer Systems Failure

This problem can occur by poor design of the systems, use of defective material, lack of proper quality control or/and in adequate specification of hardware by buyer. It’s a common risk in organization, if the company don’t have experienced IT employees which knows the best for their company and can design the system according to the need of servers, documents etc.

Example of Computer Systems Failure can be like if Carrefour have applied the slow computer systems & there are bunch of people waiting in the line for the counter to pay. They can leave the shopping from Carrefour & can move towards any other mall or shopping market.

Intentional threats

Computer crimes are the best example of intentional threats, when someone purposely damages property or information. It includes Identity Theft, credit crime etc.

It may also include malicious damage including terrorist attacks, destruction from virus attack to the information system, fraud & crimes related to the use of the internet and many more.

Cyber Crime

Cyber crime is stealing the data or information via networks (computer can be an example). Crimes can be performed by Hackers, hackers are the outsides who penetrate a computer system or by insiders who are authorized to use the computer system but are misusing their authorization.

Two basic methods of attack on computer systems are:

Ø Data Tampering

o False, fabricated or fraudulent data

o Changing or deleting data

o Examples – Wages clerk and the extra employee

Ø Programming fraud

- Programming techniques used to modify a computer program

o Virus

o Worm

o Trojan Horse

o Spoofing

Question no. 2

The four possible ways to prevent or control system risks are explained below:

ACCESS CONTROL

“Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical structure, is generally seen as the second layer in the security of a physical structure.”

Access control can be an important criteria to prevent or control the system risk because giving an access control which means password or pin in common words or in real-world. Example of Access control can be “A pin on an ATM system at a bank”. It gives a control to the person to lock down the bank account with a PIN or Password. The system can also be locked by PIN or Passwords similar to the example. A senior or executive person can be given the access authority to control or prevent the system theft and many more threats.

Firewall

By implementing a firewall in the system, the system can be protected by viruses, worm and other threats which can be implemented by cyber criminals like hackers. Firewall can block the unusual activity attacking the system to steal or corrupt the data. So it can prevent or control the system risks.

Virus Protection
Anti-Virus phenomena can prevent or control the system to be corrupted by the cyber crimes which is mostly done by hackers. The hackers can apply a virus to the system which can defect the system or can delete all the data. So, virus protection can prevent or control the system risk.

Personal Control

Personal control can be a useful or advantageous factor for an organization or company to prevent or control the system risk. It means keep all the control by you. A manager or senior employee can do this for security purposes

Question No. 3

The two types of audits are:

Ø Internal Audit (and Auditors)

Ø External Audit (and Auditors)

DIFFERENCES B/W INTERNAL & EXTERNAL AUDITS

The INTERNAL AUDITORS are regular employees of the company they audit. Internal audits generally examine internal controls and the main purpose is to recommend improvements in efficiency and operational effectiveness. The materiality level for an internal audit is much lower than for an external audit.

(An external auditor will never examine unimportant cash, but an internal auditor will.)

The EXTERNAL AUDITORS are organizationally independent; they work for a completely different company than the company being audited. They also get paid more; the internal auditors receive their regular salary, regardless of their findings. The external auditors get paid based on their contract which includes expenses, overhead and profit.

The external auditors issue an opinion on the fairness of the financial or IT statements taken as a whole. The internal auditors may issue an opinion on a much smaller unit they may be auditing, but often they do not.

External auditors are required to follow generally accepted auditing standards (or international auditing standards), internal auditors do not. The internal audits may follow GAAS, they may follow IA standards, or they may not follow any special standard.”

An internal audit may cover a time period of a week, month or quarter. An external audit generally covers a year.

Tuesday, June 07, 2011

Risks, Security & Disaster Recovery Plan Of United Motors Company

The Potential/ current risks identified

Although, United motors corp. have no such strong rivals in the kingdom of Saudi Arabia (in competition of dodge, Chrysler, & jeep Cars). But if an organization is a part of the society, so the society have crackers, hackers, & many more internet criminals to break the system and steal the data which can be a harmful action for an organization.

So far, from my point of view, the company have security problems. United Motors Company is using the Circuit-levels firewall type which is not good for their company’s security. As from its explanation “(Circuit-Level Firewalls) applications represent the technology of next to first generation .Firewall technology supervise TCP handshaking among packets to confirm a session is genuine. Firewall traffic is clean based on particular session rules and may be controlled to acknowledged computers only. Circuit-level firewalls conceal the network itself from the external, which is helpful for contradicting access to impostors. But Circuit-Level Firewalls don't clean entity packets.

(freewimaxinfo.com, 2011)

So if an internet criminal (hackers, cracker etc.) try to attack the company’s information system through entity packets, the firewall cannot help to overcome the cracking or hacking of the system.

Consequences of current/potential risks identified

The company can face many consequences due to their weak firewall system, if rivals can attack their system & delete or steal all the records. The company can be in a big problem because there is no strong disaster recovery plan in the organization so far. The company have weak disaster recovery plan like the IT department have the recovery material, & if the hacker attacks the security of the main head office (of United Motors corp.). The organization can lose all the data because head office contains all the information or data necessary for the company.

This can be a major potential risk for the company as this risk cannot be neglected.

RECOMMENDATIONS TO SOLVE THE RISKS

The company should focus on following points which can be a big disaster for the information system of the company.

· The United Motors Company should change their firewall security type from the circuit-levels firewall to Network-levels Firewall which is strong firewall type. The Network-levels Firewall has the main objective “to examine sachet headers and clean traffic based on the IP address of the starting place and the target. Some of these primitive safety applications could also sort out packets based on protocols. Network-Level Firewalls are very fast and upcoming technologies you will find them built in network appliances specially routers. Firewall has no aware of any language such as HTML, XML therefore Firewall capable of decoding SSL encrypted packets to inspect their data or text.”

So this can be a plus point for the security of the company.

· Another security, they can implement to their company is the FIRECALL to the information system which is “A call of fire alarm to a fire station.” The firecall can be defined as “Any method established to provide emergency access to a secure information system. In the event of a critical error or abnormal end, unprivileged users can gain access to key systems to correct the problem. When a firecall is used, there is usually a review process to ensure that the access was used properly to correct a problem. These methods generally either provide a one-time use User ID or one-time password.”

(wordnik.com, 2011)

· The company can make a disaster recovery plan like they can build a small building near the Head office which contains all the data or information similar to the head office, so if anything happens to the main building. The data can be easily recovered by the other building. E.g. the Maybank information system recovery plan.

These can be main recommendations for the company to implement in their information system, which can be an advantage for the company’s security, risks & disaster recovery plan.

References

Available at (http://www.freewimaxinfo.com/firewall-types.html) Accessed at June 07, 2011

Available at (http://www.wordnik.com/words/firecall) Accessed at June 07, 2011

Wednesday, May 04, 2011

Pre-Planning of the Final Assignmnet


26/04/2011 Search & Confirm the company which will be the topic of the assignment, collect the basic introduction and background of the company.

09/05/2011 Interview and collect information on the current system they are using and how they are running the company with the system.

11/05/2011 Find the necessary information needed for the assignment, collect all the information & write the final report.

20/05/2011 Finalize Everything and finish up the document with the last touch up.