Assessment 01 – Written Report - ICTSAS505

Company Profile - Provide a brief overview of the organisation – eg.

how many employees, organisational structure, buildings occupied,
core business

1. The DVD Shop is a small business with a vast selection of the latest videos and DVD’s, a great
assortment of snacks and light beverages. This organisation has 3 stores along NSW, the head
office is located in Parramatta which also has a shop and 2 other shops in Liverpool and
Hurstville.

The Head Office at the Parramatta store contains a “Shop Area”, “Storage Area” for inventory,
“Store Manager’s Office” which the secretary also utilises, “Finance Manager’s Office” and the
“Business Owner’s Office”.

The DVD shop employs 12 people. Each store has two retail sales assistants and a store manager,
additionally a secretary, the Finance Manager and Business Owner work from head office in
Parramatta.

There are no other IT or technical staff employed by “The DVD shop”. If part of the computing
infrastructure needs major maintenance or upgrades beyond the ability of the Parramatta store
manager, “The DVD shop” contacts a technical support service provider Big Boss Computing.

Objectives and Overview - Describe what the plan is aiming to

achieve.What does it contain?
2. The following are the main objectives to aim the company goals for the security system:

>minimize interruptions to the normal operations.

>limit the extent of disruption and damage.
>minimize the economic impact of the interruption.
>establish alternative means of operation in advance.
>train personnel with emergency procedures.
>to provide for smooth and rapid restoration of service.
What is the scope of Plan? What does the plan cover?

3. It is the intention of the owner to continue service to its customers in spite of any
unplanned and extended interruption of primary business functions. The purpose is to
designate who will be responsible for making critical decisions during an emergency situation
and to provide guidelines to be followed in an emergency. Plan assumptions are defined
below:

3.1 The Plan seeks to minimize the financial exposure and vulnerability of the
Organization.

3.2 The level of recovery for any specific function is determined by the critical nature of
the various business functions as well as the need to maintain public confidence and
credibility.

3.3 The Plan will be amended as changes in the business environment occur.

The Plan will be reviewed my management, internal and external auditors and regulatory
examiners as requested.

Business Processes - Identify major business processes and associated

hardware, software and data, criticality rating for processes and data

4. Critical Functions
The following areas have been identified as those critical to the overall operation of the
company and contingency or recovery plans must be maintained for these areas:

Core business processing (Shop Area for every location)

>Inventory

>Data Centre (or servers room)

>Internet Services including External Website

Essential Functions
The following areas have been identified as those essential to the operation of the company
and recovery plans may be maintained for these areas:

>Email

>Operations, Administration and Accounting - Accounts Payable and Payroll

>Network (Communication between shops)

Recovery Priorities
Efforts will be devoted restoring Critical functions first. Once Critical functions have been
restored, efforts will be devoted to re-establishing Essential functions.
Risks - Describe relevant risks to hardware, software and data

5. Natural Causes

such as floods, storms, bushfires and drought

Human Threats & Malicious Activity

such as:
>damage from robbery, vandalism, human error
>malware malicious software designed to disrupt computer operation
>viruses - computer code that can copy itself and spread from one computer to another, often
disrupting computer operations

Technical threats

such as computer network failures and problems associated with using outdated equipment or
power loss or data corruption

Prioritisation of risks & rationale - List which risks are acceptable.List which risks should be
mitigated.Explain why the risks which have a high impact but low likelihood of occurring have a
low priority for mitigations.

Fire
In the event of a fire that is not an immediate danger, the following steps should be taken:

>Notify Management immediately.

>Set off the nearest fire alarm to alert others.

>If the fire has not advanced too far, attempt to control it with a fire extinguisher.

>If the fire is in the computer room and the manager is not present at the time of the
emergency, immediately notify him if possible.

>If the fire is located in the computer room and equipment is not in immediate danger and
accessible. Shut down equipment.

>Exit the building, closing doors and windows behind you when leaving your work area.

>When exiting the facility, check all closed doors for extreme heat before opening any doors.
Lightly touch the door to feel for extreme heat. If the door is not extremely hot, cautiously
open the door, and when deemed safe, enter the corridor and close the door behind you. If
the door is extremely hot, do not open the door, but retreat as far away from the door and
adjoining wall as possible and signal for help from a window.

Notify the fire department.

If the fire is determined to be an immediate threat to personal safety, personnel are instructed
to implement the best practices for evacuation procedures.

Flood
The following procedures should be followed in the event of a flood or water leakage.

Notify Management immediately.

Shut down all electrical equipment, by turning off the appropriate circuit breakers
after a normal shutdown.
Cover equipment with protective plastic sheets, if available.
Move all data stored on removable media to a safe place.
Move critical workstations and servers to a safe place if time permits. At a minimum,
any workstations located on the floor should be moved from the floor to the desk.
Depending upon the severity and location of the flood, a staff member, the
Department Head or Remote Location Manager will contact the appropriate persons
to stop water entry if possible and/or to remove water.
Judgment is to be used to determine the severity of the situation, which will dictate
further actions to be taken.

Natural Disaster
In case of a natural disaster such as a cyclone or earthquake, the Organization will allow
employees to return home within a reasonable time to secure themselves and their families.
Employees are to make every effort as soon as possible to notify Management of the
Organization if he/she is a victim of such a disaster, procedures for recovering business will be
followed according to Disaster prevention.

Power Failure
A loss of electrical power can prove to be a serious situation for all institutions. Not only does it
pose a security threat and loss of communication, but also physical threat with the loss of air
or heat.

As soon as a power failure has occurred, a staff will contact the power company to report the
outage and determine if there is an expected time for restoration of power. Based upon the
information obtained, a decision will be made as to the next steps to be taken.

In cases of extended loss of power, staff member may declare an emergency and the premises
vacated. If the building is to be vacated, employees should follow the basic emergency
evacuation procedures described above. A sign stating that the Organization has been closed
will be posted. The local police will be contacted to alert them of the power failure and the
evacuation of the building.

The remaining remote locations also will be notified regarding the status of the outage for
customer inquiries.

Systems that are on UPS battery backup should be monitored. If the outage is over 30 minutes,
plans should be made to shut down servers according to the best practices.
Disaster Prevention - List the strategies & procedures for disaster
prevention

Data Storage and Backup - The Backup strategy includes full the clouding backup with a
software in order to relocate and make the data immediately available to allow the company
to be efficient on all operations.

Physical Security - The entire system will be improve by new surveillance security cameras to
avoid thieving. Also servers location will be secure implementing a Data Centre procedures
adding a proper security lock.

Antivirus and Firewall - The actual antivirus is free version, the strategy is to install a server
antivirus which allow to get the information of the latest databases.

Also a firewall which will detect intrusions and keep the information safe.

Internal security and confidentiality - Strong password policy and user education

Review security for filing cabinets and confidential documents

Hot Site - Key business processes will be in a fully mirrored recovery site outside the office in
Parramatta, this hot site will be in Perth. This strategy entails the maintenance of a fully
mirrored duplicate site which will enable instantaneous switching between the live site and
the backup site.

Disaster Response - List the strategies & procedures for disaster

response

- Identification and reporting of a disaster situation - Keeping alert for incidents and report
the nature of disaster to all staff if is necessary.

If fire is involve working with the fire service to establish how much damage has been done
and how the fire broke out

- Salvage strategy - One person, preferably the manager or a person with expertise in the
field, should be appointed to oversee the disaster response programme, them will be train
to response in any type of disaster to maintain the people and critical information on
salve.
- The activities for all the staff should be co-ordinated by a team leader. Persons should be
nominated to fill these roles. The teams should be responsible for the following broad
areas:

 Set up operations headquarters

 Secure building

Assess damage

- Technology strategy - Backup and Hot site strategies will be run, in this case if the system
fails for any reason, the full backup of the information will be restored by the proper staff.

On the other hand if is a major disaster, the hot site strategy starts, in this case, the personal in
Perth will continue with the operations for the critical processes before determined.

Disaster Recovery - List the strategies & procedures for disaster

recovery

In the event of a disaster, different groups will be required to assist the IT department in their
effort to restore normal functionality to the employees of DVD SHOP, different groups and
their responsibilities are as follows:

Management Team
Network Team
Server Team
Data Storage and Backup Systems team
Security and insurant
Management Team
Disaster Management Team that will lead the entire disaster recovery process. They will be the
first team that will need to take action in the event of a disaster. This team will evaluate the
disaster and will determine what steps need to be taken to get the organization back to
business as usual.

Role & Responsibilities

Communicate the disaster to the other disaster recovery teams
Keep the disaster recovery teams on track with pre-determined expectations and goals
Ensure that the secondary site is fully functional and secure
Create a detailed report of all the steps undertaken in the disaster recovery process
Notify the relevant parties once the disaster is over and normal business functionality
has been restored
After the DVD Shop is back to business as usual, this team will be required to
summarize any and all costs and will provide a report to the Disaster Recovery Lead
summarizing their activities during the disaster
Network Team

Network Team will be responsible for assessing damage specific to any network infrastructure
and for provisioning data and voice network connectivity including WAN, LAN and data
connections with outside world
Role & Responsibilities
If multiple network services are impacted, the team will prioritize the recovery of
services in the manner and order that has the least business impact.
If network services are provided by third parties, the team will communicate and co-
ordinate with these third parties to ensure recovery of connectivity.
In the event of a disaster that does require migration to standby facilities the team will
ensure that all network services are brought online at the secondary facility
Install and implement any tools, hardware, software and systems required in the
standby facility
Install and implement any tools, hardware, software and systems required in the
primary facility
Server Team
If multiple servers are impacted, the team will prioritize the recovery of servers in the manner
and order that has the least business impact. Recovery will include the following tasks:

Role & Responsibilities

Assess the damage to any servers
Restart and refresh servers if necessary
Ensure that secondary servers located in standby facilities are kept up-to-date with
system patches
Ensure that secondary servers located in standby facilities are kept up-to-date with
data copies
Install and implement any tools, hardware, and systems required in the standby facility

Data Storage and Backup Systems team

In the event of a disaster that does not require migration to standby facilities, the team will
determine which applications are not functioning at the primary facility

If multiple applications are impacted, the team will prioritize the recovery of applications in
the manner and order that has the least business impact. Recovery will include the following
tasks:

Role & Responsibilities

Assess the impact to application processes
Restart applications as required
Patch, recode or rewrite applications as required
Ensure that secondary servers located in standby facilities are kept up-to-date
withapplication patches
Ensure that secondary servers located in standby facilities are kept up-to-date with
data copies

Security and Insurance Team

Ensure that the standby facility is maintained in working order
 Ensure that transportation is provided for all employees working out of the standby
facility
Ensure that sufficient food, drink, and other supplies are provided for all employees
working out of the standby facility
Assess, or participate in the assessment of, any physical damage to the primary facility
Ensure that measures are taken to prevent further damage to the primary facility
Work with insurance company in the event of damage, destruction or losses to any
assets owned by DVD Shop
Ensure that appropriate resources are provisioned to rebuild or repair the main
facilities in the event that they are destroyed or damaged
After the DVD Shop is back to business as usual, this team will be required to
summarize any and all costs and will provide a report to the Disaster Recovery Lead
summarizing their activities during the disaster

Declaring a Disaster - List the criteria and procedures for

declaring a disaster and determine the people involved

The Disaster Recovery Co-ordinator, with input from upper management, is responsible for
deciding when to activate the disaster recovery plan. If the co-ordinator is not available,
responsibility flows down the chain of command. This is why it is important for roles and
responsibilities to be clearly defined in the Disaster Recovery Plan. A contact list should be
created and maintained containing details of all employees with afterhours phone numbers. The
organisation’s internal directory listing, it can be modified accordingly.

Disaster Plan Update - State how often the plan should be updated
and by whom

The DRP will be reviewed ones a year and it could be updated at any time if a major system
update or upgrade is performed, any whichever is more often.

The Disaster Recovery Manager will be responsible for updating the entire document, and so is
permitted to request information and updates from other employees and departments within
the organization in order to complete this task.

Maintenance of the plan will include (but is not limited to) the following:
Ensuring that call trees are up to date
Ensuring that all team lists are up to date
Reviewing the plan to ensure that all of the instructions are still relevant to the
organization
 Making any major changes and revisions in the plan to reflect organizational shifts,
changes and goals
Ensuring that the plan meets any requirements specified in new laws
Other organizational specific maintenance goals

During the Maintenance periods, any changes to the Disaster Recovery Teams must be
accounted for. If any member of a Disaster Recovery Team no longer works with the company,
it is the responsibility of the Disaster Recovery Lead to appoint a new team member.

Disaster Plan Testing – State how often the plan will be tested, how
the plan will be tested and who will be responsible for testing?

The DVD Shop is committed to ensuring that this DRP is functional. The DRP should be tested
every six months in order to ensure that it is still effective. Testing the plan will be carried out
as follows:

1) Walkthroughs- Team members verbally go through the specific steps as documented

in the plan to confirm effectiveness, identify gaps, bottlenecks or other weaknesses.
This test provides the opportunity to review a plan with a larger subset of people,
allowing the DRP project manager to draw upon a correspondingly increased pool of
knowledge and experiences. Staff should be familiar with procedures, equipment, and
offsite facilities (if required).
2) Simulations- A disaster is simulated so normal operations will not be interrupted.
Hardware, software, personnel, communications, procedures, supplies and forms,
documentation, transportation, utilities, and alternate site processing should be
thoroughly tested in a simulation test. However, validated checklists can provide a
reasonable level of assurance for many of these scenarios. Analyze the output of the
previous tests carefully before the proposed simulation to ensure the lessons learned
during the previous phases of the cycle have been applied.
3) Parallel Testing- A parallel test can be performed in conjunction with the checklist test
or simulation test. Under this scenario, historical transactions, such as the prior
business day's transactions are processed against preceding day's backup files at the
contingency processing site or hot site. All reports produced at the alternate site for
the current business date should agree with those reports produced at the alternate
processing site.
4) Full-Interruption Testing- A full-interruption test activates the total DRP. The test is
likely to be costly and could disrupt normal operations, and therefore should be
approached with caution. The importance of due diligence with respect to previous
DRP phases cannot be overstated.