Question
BCP-DR Project Scenario
The following is the scenario you are to use for your individual analysis assignment and your team project.
Anita Diamond was hurriedly leaving the office of John Newman, the Chairman and CEO of OptiPress Corporation. As the newly hired CIO she had not expected her second meeting with Mr. Newman would be so soon or under such disturbing circumstances. Mr. Newman had been waiting for her arrival this morning with the news of the fire at Host Point, Inc. last week. Host Point provides web hosting services for a number of companies in the Philadelphia area including the local Philadelphia Eagle’s Arena Football Team in which Mr. Newman has an ownership stake. The fire had been devastating, turning the 75 servers in the web hosting data center into a mass of melted plastic and metal. “It has been seven days and the Eagle’s website is still down and so are our opening day ticket sales,” Mr. Newman had stated in the call that brought Anita to the 8:00 am meeting. “What would we do if something like that happened here?” he asked.
Anita asked her Executive Assistant to grab a copy of the company’s Business Recovery Plan so she could bring it to her meeting with Mr. Newman. It only took about two minutes for Mr. Newman to realize that the plan was written before the merger with Bright Mail Marketing three years ago, which had more than doubled the size of OptiPress. Not only did it fail to cover the company in full but the changes to the business practices and support systems, in particular the move to the Internet and World Wide Web, were not even discussed. Further, while the plan was strong on Disaster Recovery for situations such as that at Host Point, it was almost silent on Business Continuity. The one advantage to being on the job for four weeks was she was not the focus of Mr. Newman’s ire. On the other hand she quickly realized that she was not knowledgeable enough of the company’s operations to update this plan without significant involvement from the various departments in the company.
OptiPress Corporation is a mail marketing/web advertising company operating seven different facilities in three states. The company has over 2000 clients of varying sizes and portfolios. Mail marketing involves mailing and distribution of advertising as well as promotional products ordered through the mail, television or Internet. Net income last year exceeded 100 million dollars for the first time in spite of the economic situation. There are currently about 6200 employees, with 800 headquartered in Philadelphia, Pennsylvania. Its largest operations are in Cleveland, Ohio and Annapolis, Maryland with 3100 and 1800 employees in each area respectively. The merger with Bright Mail occurred 27 months ago. Although financial data has been directed to the headquarters datacenter, operational data is still retained at three locations in Philadelphia, Annapolis, and Cleveland. Each facility is supported by the geographically closest data center with three in Pennsylvania, two in Maryland and two in Ohio.
Over the past two years the major focus of the IT department has been to standardize the IT infrastructure and software across the company. Human Resources, Accounting and Payroll have been centralized in Philadelphia as have been all of the web server operations. Marketing and Operations have been standardized but data are unique at each hub location where data centers reside. Select data for the Corporate MIS is automatically fed from the hubs. Although there were a few hurdles in implementing the current environment, for the past three months things have been working quite smoothly which probably in part resulted in Anita’s predecessor’s decision to retire. Anita had been looking to further consolidate Marketing and Operations before this latest discussion with Mr. Newman who highlighted a much more pressing issue, the disaster recovery planning.
At the 2 PM Executive Council Meeting, this became the number one issue on Mr. Newman’s agenda. Anita was asked what she needed to make this happen. She would assign her sharpest project manager to lead a focus group to update the Company’s Disaster Recovery Plan and to develop an effective Business Continuity Plan given the current and projected future operational environment and needs. She highlighted the need for the executives of each department to assign a knowledgeable expert to assist in this effort. She made it clear that these individuals will need to be empowered to obtain the support necessary from their counterparts anywhere in the organization. Mr. Newman endorsed Anita’s initiative and informed the Council that next month’s key agenda item would be to review the completed plan for implementation costs and schedule.
IFSM 432 Individual Risk Assessment Assignment
Assignment Instructions
This is the first individual assignment that will start to inform your phased group activity. Using the business scenario information provided by your instructor, each member of the group will identify and prioritize four critical business processes for each business area and perform a risk assessment following the Risk Assessment Form provided by the instructor and as identified by further research.
1. Your business areas should be well defined and appropriate to the case studies. The four critical processes per business area should be clearly explained and correctly relate to the case study.
2. You should conduct a risk assessment for the business area and four critical processes, ensuring that these are well defined and appropriate to the business scenario provided in your content area.
3. The risk assessment categories (columns) should be complete and measures clearly defined.
4. The mitigation strategy, additional measures, and contingency plan for the risk should be well defined and mapped to the business area and four critical processes.
Additional Guidance for Completing the Spreadsheet:
This assignment should focus on man-made or natural disasters as you identify risks. Let me provide you with an example.
IMPORTANT!
If you have “Accounting” as your business area and have “Collecting customer payments” as a process, you then must identify risks that could impact continuity and/or disaster recovery looking at man-made or natural disasters. A mistake commonly made is to take this example given here and say that the risk is “customer isn’t making a payment”. I want you to tell me “why” – was it because of a cyber intrusion or flood or fire? Just telling me that the customer has financial problems isn’t the intent of this assignment. It is important to read the BCP/DR Business Scenario provided in your content area for OptiPress. There was a fire at Host Point (web hosting service) in Philadelphia. This prompted the CEO to ask what would happen if it occurred at OptiPress or any of the other hubs. So please make this the focus of your assignment. You can have more than one risk associated with a process.
Here is guidance on populating the spreadsheet:
What is a business area in this scenario? Marketing, Human Resources, Payroll, etc. You are to list these (and you can use your own names or labels), then identify four critical business processes for each area. For example:
Accounting:
• Creating billing invoices
• Managing company financial assets
• Producing financial reports
• Collecting customer payments
After laying out those 4 processes (these are just examples), you will then work through the matrix. Without this, it is hard to just take a generalized business area and provide mitigation steps. So, on your risk assessment spreadsheet, please ensure that you state the business areas and then provide 4 processes for each of these areas. You will then assess the risk for each of the four processes (man-made or natural) as you traverse across the matrix.
Probability of Occurrence:
Very Likely: 91-100%
Likely to occur: 61-90%
May occur about half of the time: 41-60%
Unlikely: 11-40%
Very unlikely to occur: 0-10%
The next column asks you to justify your selected probability of occurrence.
Impact Intensity:
The impact intensity of the risk can be categorized as High, Medium and Low depending on how critical the risk and its effects can be.
The next column asks you to justify your selected impact intensity.
Existing Measures:
The policies, procedures, and resources which are already available to prevent or reduce the impact of the risk.
Mitigation Strategies:
After analyzing all the aspects of the risks and the existing preventive measures that can be used, the project team needs to decide on the mitigation strategy to deal with the risk. There can be four different mitigation strategies. Please note that various risk management guides will provide other flavors of mitigation strategies, but for purposes of this assignment, let’s go with the following:
Risk Avoidance:
Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
Risk Transference:
Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on their core competencies.
Risk Limitation:
Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
Risk Acceptance:
Risk acceptance does not reduce any effects, however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy. Mitigation strategies taken from:
https://www.mha-it.com/2013/05/four-types-of-risk-mitigation/
The next column asks you to justify your selected mitigation strategy.
Additional Measures:
This field needs to be filled in only for those risks for which control mitigation strategies are decided.
Contingency Plan:
A contingency plan can also be added for high impact risks with a high probability of occurrence, just in case the basic measures fail to perform.
Explanation / Answer
In terms of personnel and financial resources, the information tasks and procedures detailed in this plan represent the BCP-DR Project management’s demonstrated commitment to response, resumption, recovery, and restoration planning. Therefore, it is essential that the information and action plans in this plan remain viable and be maintained in a state of currency in order to ensure the accuracy of its contents. To that end, this introduction is intended to introduce and familiarize its readers with the organization of the plan.
It is incumbent upon every individual who is in receipt of the BCP-DR Project Contingency Plan, or any parts thereof, or who has a role and/or responsibility for any information or materials contained in the document, to ensure that adequate and sufficient attention and resources are committed to the maintenance and security of the document and its contents.
The BCP-DR Project management has recognized the potential financial and operational losses associated with service interruptions and the importance of maintaining viable emergency response, resumption, recovery and restoration strategies.
The BCP-DR Project Contingency Plan is intended to provide a framework for constructing plans to ensure the safety of employees and the resumption of time-sensitive operations and services in the event of an emergency (fire, power or communications blackout, tornado, hurricane, flood, earthquake, civil disturbance, etc.).
Although the BCP-DR Project Contingency Plan provides guidance and documentation upon which to base emergency response, resumption, and recovery planning efforts, it is not intended as a substitute for informed decision-making. Business process managers and accountable executives must identify services for which disruption will result in significant financial and/or operational losses. Plans should include detailed responsibilities and specific tasks for emergency response activities and business resumption operations based upon pre-defined time frames.
A Contingency Plan is not a one-time commitment and is not a project with an established start and end date. Instead, a Contingency Plan is an on-going, funded business activity budgeted to provide resources required to:
Developing a Contingency Plan that encompasses activities required to maintain a viable continuity capability ensures that a consistent planning methodology is applied to all of the Contingency Plan elements necessary to create a viable, repeatable and verifiable continuity capability include:
2.3 Plan Information
The Contingency Plan contains information in two parts related to the frequency of updates required. The first part contains the plan’s static information (i.e. the information that will remain constant and will not be subject to frequent revisions). The second part contains the plan’s dynamic information (i.e. the information that must be maintained regularly to ensure that the plan remains viable and in a constant state of readiness). This dynamic information is viewed as the action plan. The action plan should be considered a living document and will always require continuing review and modification in order to keep up with the changing BCP-DR Project environment.
The static information part of the Contingency Plan is contained in a MS-Word file and printed as part of this document. This static information should be read and understood by all employees, users, and administrators or at least by those individuals who are involved in any phase of business response, resumption, recovery, or restoration.
The dynamic information resides in the database of the <System Name> and will be printed as output for the appendixes of this document. By using the database, dynamic information that is vital to the survival of the BCP-DR Project will be easy to manage and update. The web-enabled database is designed for maintenance of personnel contact lists, emergency procedures, and technical components. It is already in operation for <Name> agencies.
For ease of use and reference, the static and dynamic information is maintained separately. While it is necessary to be familiar with the static information during resumption, it should not be necessary to read that information at the time of the event. The completed action plan of dynamic information provides all of the necessary lists, tasks, and reports used for response, resumption, or recovery.
Applicable Provisions and Directives
The development of the BCP-DR Project Contingency Plan is required by executive decisions and to meet regulatory mandates. The BCP-DR Project management must maintain an information assurance infrastructure that will ensure that its information resources maintain availability, confidentiality, integrity, and non-repudiation of its data. Furthermore, BCP-DR Project management must ensure their strategic information resources management capabilities. Therefore, the BCP-DR Project Contingency Plan is being developed in accordance with the following executive decisions, regulatory mandates, provisions, and directives:
DOJ Order 2640.2D, Information Technology Security, July 12, 2001
The BCP-DR Project contingency organization’s primary duties are: