Case Study #2: Integrating Disaster Recovery / IT Service Continuity with Information Technology Governance FrameworksCase Scenario:

You have been assigned to a large, cross-functional team which is investigating adopting a new governance framework for your company’s Information Technology governance program. Your first assignment as a member of this team is to research and discusses one of the Chief Information Security Officer (CISO) functional areas. The purpose of this white paper is to “fill in the gaps” for team members from other areas of the company who are not familiar with the functions and responsibilities of the Office of the Chief Information Security Officer.

Your assigned CISO functional area is: Disaster Recovery / IT Service Continuity (IT Service Continuity is a subset of Business Continuity). Your white paper must address the planning, implementation, and execution aspects of this CISO functional area. Your audience will be familiar with the general requirements for business continuity planning (BCP), business impact analysis (BIA), and continuity/recovery strategies for business operations (e.g. restore in place, alternate worksite, etc.). Your readers will NOT have in-depth knowledge of the requirements / implementation strategies which are specific to restoring IT services which support the critical functions of the business (as identified in a BIA).

Note: in your Critical Analyses and Discussion and address specific aspects of a governance framework, e.g. COBIT®, ITIL®, or ISO/IEC 27002, which apply to planning and implementation of disaster recovery / IT Service Continuity.

Research:

1.      Read / Review the Week 3 readings:

2.      Find three or more additional sources which provide information about best practices for IT Service Continuity / Disaster Recovery planning, implementation, and execution.  (Hint: begin by exploring http://www.ready.gov/business ) For the purposes of this assignment, implementation means the advance work necessary to implement recovery plans by acquiring or contracting for products, services, infrastructures, and facilities. Execution means activating the DR/BCP plans and overseeing the recovery operations.

Write:

Using standard terminology (see case study #1), two to three page summary of your research. At a minimum, your summary must include the following:

1.      An introduction or overview of disaster recovery / IT Service Continuity which provides definitions and addresses the reasons why cybersecurity should be specifically addressed in the company’s DR/BCP strategies and plans. This introduction should be suitable for an executive audience.

2.      A separate section which addresses the CISO & CISO staff roles and responsibilities during the planning phase of DR/BCP and IT Service Continuity. This section should include identification and discussion of best practices for addressing cybersecurity objectives in the planning process.

3.      A separate section which addresses the CISO & CISO staff roles and responsibilities during the implementation phase of DR/BCP and IT Service Continuity. This section should include identification and discussion of best practices for ensuring that cybersecurity objectives are met during the implementation phase. The implementation phase includes such activities as acquisition and contracting.

4.      A separate section which addresses the CISO & CISO staff roles and responsibilities during the execution phase of DR/BCP and IT Service Continuity. This section should include identification and discussion of best practices for ensuring cybersecurity objectives are met during the execution phase. The execution phase includes such activities as activating the DR/BCP or IT Service Continuity plan(s) and overseeing recovery operations.

5.      A closing section that provides a summary of the issues and recommendations regarding inclusion of Cybersecurity considerations in the company’s DR/BCP strategies and plans.