
Running head: FINAL PROJECT

Final Project
Trisha Rose
University of Advancing Technology
Business Continuity/Disaster Recovery
NTW 440
Kevin McLaughlin
November 09, 2012


Table of Contents
Risk Assessment
  Program Process or Business Practice: Servers
  Program Process or Business Practice: Server Room
  Program Process or Business Practice: Internet Access
  Program Process or Business Practice: Email Access
  Program Process or Business Practice: Firewall + anti-virus
  Program Process or Business Practice: Router
  Program Process or Business Practice: Guest access
  Program Process or Business Practice: backup
Business Impact Analysis
  Unit: Registration Services
  Unit: Financial Services
  Unit: Human Resources
System Data & Sensitivity Classification
  Process ID: RS-01
  Process ID: FS-02
  Process ID: HR-03
IT System Inventory & Definition
  Process ID: FS-02
Emergency Response Teams
  Data Recovery Team
  Physical Damage Crisis Team
  People Management Team
  Financial Management Team


Risk Assessment
Program Process or Business Practice: Servers
Information Type/Sensitivity Level: Information is stored digitally on TB Towers. Various
types of information are stored from student and faculty information to financial information.
Associated Risks: The servers could get backed up or shut down. The impact would slow down
or stop workflow. The servers are vulnerable through the firewall.
Examples of Current Controls: A firewall and restricted user access are in place to help
mitigate potential risks.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: none
Next Action; require by whom and when: controls for all unused ports to be closed by the
network administrators to be completed by the end of the week.

Program Process or Business Practice: Server Room


Information Type/Sensitivity Level: This room contains all physical servers. Only the network
administrator has access to this room.
Associated Risks: the room could be breached by someone and control of the whole network
could be seized. There is no protection on the door.
Examples of Current Controls: none
Determination of the Effectiveness of this control currently in place: No
Regulation or Standard Referred to: none
Next Action; require by whom and when: a security system for key card access is to be
installed by security and the key card that allows access is to only be given to those who need
access to perform their job.


Program Process or Business Practice: Internet Access


Information Type/Sensitivity Level: allows employees to access the internet.
Associated Risks: an employee could go to a bad website or download an infected file or
program. Information could be stolen, and data could be lost. The reputation of the college could
be ruined.
Examples of Current Controls: none
Determination of the Effectiveness of this control currently in place: no
Regulation or Standard Referred to: none
Next Action; require by whom and when: internet access will be configured by the network
administrator on a user-by-user basis, and employees will only be able to access certain websites
that pertain to their jobs. Everything else will be blocked. Effective immediately.

Program Process or Business Practice: Email Access


Information Type/Sensitivity Level: allows employees to communicate with each other in a
quick manner.
Associated Risks: an employee could download an infected file or program or click a bad link in
a spam email. Information could be stolen, and data could be lost. The reputation of the college
could be ruined.
Examples of Current Controls: none
Determination of the Effectiveness of this control currently in place: no
Regulation or Standard Referred to: none
Next Action; require by whom and when: the network administrator will put into effect spam
controls along with constant monitoring and disabling attachments unless it is pertinent to their
job.


Program Process or Business Practice: Firewall + anti-virus


Information Type/Sensitivity Level: helps to protect the network from the internet and external
threats.
Associated Risks: it could let through a virus that infects the network. Information could be
stolen, and data could be lost. The reputation of the college could be ruined.
Examples of Current Controls: the firewall is set to update automatically during off hours.
After the update, it is set to automatically scan for viruses and send an alert to the network
administrator if something is found.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: Router


Information Type/Sensitivity Level: directs data packets across the network to where they should
be.
Associated Risks: data could get scrambled, lost, or intercepted. Workflow would be
interrupted until the flow of data was returned to normal.
Examples of Current Controls: the router is encrypted and monitored for unauthorized access
by the network administrator. If something outside the usual pattern of data exchange happens,
an alert is created.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: Guest access
Information Type/Sensitivity Level: allows anyone to access a computer or the internet on the
network with guest privileges.
Associated Risks: someone could use that privilege to hack the system. Student and faculty
information could be stolen and the reputation of the school would be ruined.
Examples of Current Controls: guest access is disabled. A username and password are required
for access and provided to every faculty member and student.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Program Process or Business Practice: backup


Information Type/Sensitivity Level: backs up all files on all computers, servers and external
hard drives.
Associated Risks: the data could be old or corrupt. This could cause the company to be unable
to restore lost files.
Examples of Current Controls: all files are backed up onsite and offsite through another
company to provide double the protection.
Determination of the Effectiveness of this control currently in place: Yes
Regulation or Standard Referred to: None
Next Action; require by whom and when: None

Business Impact Analysis


Unit: Registration Services
Process ID: RS-01
Activity (Type of Data): Registration for new students
Activity Owner: Tiffany George
Degree of Impact: 2
Political or Sensitivity: 1
Financial Cost: 2
Probability of Loss: 3
Overall Weight: 2

Unit: Financial Services


Process ID: FS-02
Activity (Type of Data): manages finances for all students and payroll for faculty
Activity Owner: Kyle Rose
Degree of Impact: 1
Political or Sensitivity: 1
Financial Cost: 1
Probability of Loss: 2
Overall Weight: 1.25

Unit: Human Resources


Process ID: HR-03
Activity (Type of Data): manages all problems among students and faculty
Activity Owner: Amy Keyser
Degree of Impact: 3
Political or Sensitivity: 1
Financial Cost: 2
Probability of Loss: 3
Overall Weight: 2.25

System Data & Sensitivity Classification


Process ID: RS-01
Overall Weight: 2
Application/Manual Resource: HR-03, FS-02
Activity Owner: Tiffany George
Acceptable Down Time: 1 Day
Data Owner: Trisha Rose
Confidentiality: Moderate
Integrity: Low
Availability: Low
Other Regulatory Requirements: Privacy Act of 1974

Process ID: FS-02


Overall Weight: 1.25
Application/Manual Resource: HR-03, RS-01
Activity Owner: Kyle Rose
Acceptable Down Time: 2 Hours
Data Owner: Trisha Rose
Confidentiality: High
Integrity: High
Availability: High
Other Regulatory Requirements: Privacy Act of 1974


Process ID: HR-03


Overall Weight: 2.25
Application/Manual Resource: FS-02, RS-01
Activity Owner: Amy Keyser
Acceptable Down Time: 3 Days
Data Owner: Trisha Rose
Confidentiality: High
Integrity: Moderate
Availability: Moderate
Other Regulatory Requirements: Privacy Act of 1974

IT System Inventory & Definition


Process ID: FS-02
System Name: Financial Services
Inventory Information: n/a
System Owner: Kyle Rose, Rose University, 1-800-555-5555 ext.5502
Data Owner: Trisha Rose, Rose University, 1-800-555-5555 ext.5500
System Administrator: Umbrion Rose, Rose University, 1-800-555-5555 ext.5512
Data Custodian: Espion Rose, Rose University, 1-800-555-5555 ext.5522
External Contact Information: Bank of America
Primary Users: Kyle Rose, Trisha Rose
Required Recovery Time: 2 Hours
System Description: 1 server labeled as FS-02, router connecting to core server, firewall
protecting it from internet and outside sources.
Network Access: LAN


System Interface and Boundary: n/a
If the IT system connects to other IT systems, is an Interoperability Security Agreement (ISA) in
place? n/a
Authentication Mechanism: Firewall, Password
Change Management Description: n/a

Emergency Response Teams


Data Recovery Team: This team is put together to manage all data recovery for Rose
University.

Trisha Rose (Team Leader) - 1-800-555-5555 ext.5500, PO Box 5500 Rose City, RE 00000

Bella Rose - 1-800-555-5555 ext.5510, PO Box 5510 Rose City, RE 00000

Donna Rose - 1-800-555-5555 ext.5520, PO Box 5520 Rose City, RE 00000

Physical Damage Crisis Team: This team is in charge of managing all physical damage done
and ensuring that all damage is repaired and taken care of.

Tiffany George (Team Leader) - 1-800-555-5555 ext.5501, PO Box 5501 Rose City, RE 00000

Katie Lore - 1-800-555-5555 ext.5511, PO Box 5511 Rose City, RE 00000

Pika Chu - 1-800-555-5555 ext.5521, PO Box 5521 Rose City, RE 00000


People Management Team: This team is in place to make sure everyone who may have been
affected by the crisis is taken care of, whether it is someone who needs someone to talk to or
someone who needs medical attention.

Amy Keyser (Team Leader) - 1-800-555-5555 ext.5503, PO Box 5503 Rose City, RE 00000

Raisa Ana - 1-800-555-5555 ext.5513, PO Box 5513 Rose City, RE 00000

Marianna Wolf - 1-800-555-5555 ext.5523, PO Box 5523 Rose City, RE 00000

Financial Management Team: This team is meant to take care of all finances surrounding the
crisis and ensure the other teams have the money needed to perform their team duties.

Kyle Rose (Team Leader) - 1-800-555-5555 ext.5502, PO Box 5502 Rose City, RE 00000

Umbrion Rose - 1-800-555-5555 ext.5512, PO Box 5512 Rose City, RE 00000

Espion Rose - 1-800-555-5555 ext.5522, PO Box 5522 Rose City, RE 00000
