Chat with us, powered by LiveChat Using the Omega Case Study, complete the Information System | Writedemy

Using the Omega Case Study, complete the Information System

Using the Omega Case Study, complete the Information System

Question

Using the Omega Case Study, complete the Information System Contingency Plan template for their SAP system. Note, the ISCP template is appendix A.3 of the NIST SP 800-34 rev 1 document

SAP
Security Categorization: High
Omega Research Inc.
Information System Contingency Plan (ISCP)
Version 1

December 16, 2012
Prepared by:

Plan Approval
As the designated authority for SAP, I hereby certify that the information system contingency
plan (ISCP) is complete and that the information contained in this ISCP provides an
accurate representation of the application, its hardware, software, and telecommunication
components. I further more certify that this document identifies the criticality of the system
as it relates to the mission of Omega Research, Inc., and that the recovery strategies
identified will provide the ability to recover the system functionality in the most expedient
and cost-beneficial method in keeping with its level of criticality.
I further attest that this ISCP for SAP will be tested at least annually. This plan was last
tested on December 16, 2012; the test, training, and exercise (TT&E) material associated with
this test can be found Appendix D – System Validation Test Plan & Appendix H – Test and
Maintenance Schedule. This document will be modified as changes occur and will remain
under version control, in accordance with Omega Research, Inc. contingency planning
policy.

Tiffany Sabers
CIO, Information Technology

Date

1.

Introduction

Information systems are vital to Omega Research, Inc.’s mission / business processes; therefore,
it is critical that services provided by SAP are able to operate effectively without excessive
interruption. This Information System Contingency Plan (ISCP) establishes comprehensive
procedures to recover SAP quickly and effectively following a service disruption.

1.1

Background

This SAP ISCP establishes procedures to recover SAP following a disruption. The
following recovery plan objectives have been established:
•Maximize the effectiveness of contingency operations through an established plan that
consists of the following phases:
Activation and Notification phase to activate the plan and determine the extent
of damage;
Recovery phase to restore SAP operations; and
Reconstitution phase: to ensure that SAP is validated through testing and that normal
operations are resumed.
• Identify the activities, resources, and procedures to carry out SAP processing
requirements during prolonged interruptions to normal operations.
• Assign responsibilities to designated Omega Research, Inc. personnel and provide
guidance for recovering SAP during prolonged periods of interruption to normal
operations.
• Ensure coordination with other personnel responsible for Omega Research, Inc.
contingency planning strategies. Ensure coordination with external points of contact and
vendors associated with SAP and execution of this plan.

1.2

Scope

This ISCP has been developed for SAP, which is classified as a High-Impact system, in
accordance with Federal Information Processing Standards (FIPS) 199 – Standards for
Security Categorization of Federal Information and Information Systems. Procedures in this
ISCP are for High- Impact systems and designed to recover SAP within 8 hours. This plan does
not address replacement or purchase of new equipment, short-term disruptions lasting less
than 8 hours, or loss of data at the onsite facility or at the user-desktop levels.

1.3

Assumptions

The following assumptions were used when developing this ISCP:

SAP has been established as a High-Impact System, in accordance with FIPS 199.
Alternate processing sites and offsite storage are required and have been established for this
system.




Current backups of the system software and data are intact and available at the offsite
storage facility in Reston, VA.
Alternate facilities have been established at Richardson, TX and are available if
needed for relocation of SAP.
The SAP is inoperable at the Omega Research, Inc. computer center and cannot be
recovered within 12 hours.
Key SAP personnel have been identified and trained in their emergency response and
recovery roles; they are available to activate the SAP Contingency Plan.

The SAP Contingency Plan does not apply to the following situations:

2.

Overall recovery and continuity of mission / business operations. The Business
Continuity Plan (BCP) and Continuity of Operations Plan (COOP) address continuity
of business operations.
Emergency evacuation of personnel. The Occupant Emergency Plan (OEP) addresses
employee evacuation.

Concept of Operations

The Concept of Operations section provides details about SAP, an overview of the three phases
of the ISCP (Activation and Notification, Recovery, and Reconstitution), and a description
of roles and responsibilities of Omega Research, Inc. personnel during a contingency activation.

2.1

System Description

The systems of Omega Research Inc. are separated by 3 locations. The main office is
located in Reston, VA with approximately 170 users and the three smaller branch offices are
located in San Diego, CA with approximately 50 users, Salem, OR with approximately 30
users, and Kansas City, MO with approximately 45 users. Each location runs independently
from the main office and utilizes different systems and servers.
The SAP system is Omega Research Inc. main financial software and is centrally located in
the main office of Reston, VA serving the entire organization both internal and external
employees. The operating system that is currently hosting the SAP software is installed on
IBM servers that installed with an operating system of Microsoft Windows 2000 Server.
The backup process for the SAP software is done via tapes that exceeds a terabyte of
production data and can take an estimated 3 to 4 days for recovery.

2.1.A. Local Area Architecture

Local Area Architecture (Reston Office)

AIX Environment

Perimeter protection provided by screening router. Configured for dynamic packet

filtering using reflexive Access Control Lists (ACL’s).

Remote access is provided to employees while at home or on travel through PPTP

VPN, and, dial-up RAS offered by a Microsoft Windows NT 4.0 Server ®.


o

All servers in the Reston office have been centrally located to a data center.
The Reston data center supports a 5-keypunch combination lock that is required to

have access to the room. That combination is shared with all IT personnel and is infrequently
rotated.

o

The data center is controlled for humidity through HVAC purification.

o

The data center is controlled for temperature with isolated HVAC services.

o

The data center is not on a raised floor to control static electricity.

o

The data center does not have a site-wide UPS. Each server and network

equipment supports their own mini-UPS.

Internal Omega E-mail is supported by a Microsoft Exchange ® 2000 mail server

running on a Microsoft Windows ® 2000 Server. Omega has installed an SMTP mail gateway
to support Internet mail exchange.

Omega is the registered owner of omegaresearch.com and maintains a DNS

Server at the Reston facility for name resolution supporting Omega users and to allow Internet
access to publicly accessible information (web and e-mail).

Web hosting services are provided on a Microsoft Windows ® 2000 Server

running Internet Information Services (IIS).
•X.500 directory services are available through Active Directory although their
implementation is relatively immature – they are operating in a mixed environment.
•Server and client o/s environments have not been routinely patched.
•Reston office printers are all network connected.

The IT Department is responsible for management of the networks and networked resources
at the Reston facility. They manage more than 170 workstations and 6 servers performing the
functions previously described.

Client machines consist of Microsoft Windows ® 95, 98, NT Workstation 4.0, 2000, and XP.
Mac operating systems include OS/8 and OS-X, Panther.

Productivity applications have not been standardized. Some user communities enjoy Corel
OfficeSuite ® while others appreciate Microsoft Office ®. There are various editions of these
packages installed on client machines.

BASELINE ARCHITECTURE
Local Area Architecture (San Diego Office)

•The San Diego is essentially a mirror of the network architecture provided at the Reston facility.
•Differences:
o San Diego does not host a web server.
o San Diego does not support VPN or RAS connections.
o There are fewer employees working out of the west coast office. The local IT staff
consists of one engineer who manages all networks and networked resources within
the San Diego office.
o There are less than 50 client machines in San Diego with similar configurations as the
main office.
o All servers have been located in a spare office in San Diego.
•There is not a controlled access restriction like in the main center.
•The office is not controlled for temperature, humidity, or static.
•There are no redundant power supplies.

BASELINE ARCHITECTURE
Local Area Architecture (Salem Office)

Salem is a small site with only 30 workstations configured in much the same way as the

rest of the company.

Sale supports a single combined shared file and print server hosted on a Microsoft

Windows ® NT 4.0 Server.
•Mail services are obtained through the San Diego office, using mailboxes set up on the San Diego
Exchange Server.
•There are no publicly available networked resources at the Salem office.
•Remote access to Salem’s infrastructure is provided to mobile and home employees using VPN
client to gateway connectivity.
•Salem has an IT staff of one engineer that manages all networks and networked resources at
this site.
•All servers have been located in a spare office in San Diego.
•There is not a controlled access restriction like in the main center.
•The office is not controlled for temperature, humidity, or static.
•There are no redundant power supplies.

BASELINE ARCHITECTUREARCH

Local Area Architecture (Kansas City Office)

•Kansas City is very similar in size to the Salem office with the exception that Kansas City runs a
Microsoft Exchange ® 2000 server for mail services.
•Kansas City has a local system administrator for support.
•All servers have been located in a spare office in Kansas City.
•There is not a controlled access restriction like in the main center.
•The office is not controlled for temperature, humidity, or static.
•There are no redundant power supplies.

Since we have reviewed each individual location and the systems we will have a better
understand of these locations and how they function with each other. Omega Research, Inc.’s
biggest downfalls are that each location is independently controlled and separated from each
other, with very few exceptions.

2.2

Overview of Three Phases

This ISCP has been developed to recover the SAP using a three-phased approach. This
approach ensures that system recovery efforts are performed in a methodical sequence to

maximize the effectiveness of the recovery effort and minimize system outage time due to
errors and omissions.
The three system recovery phases are:
Activation and Notification Phase – Activation of the ISCP occurs after a disruption or outage
that may reasonably extend beyond the RTO established for a system. The outage event may
result in severe damage to the facility that houses the system, severe damage or loss of
equipment, or other damage that typically results in long-term loss.
Once the ISCP is activated, system owners and users are notified of a possible long-term outage,
and a thorough outage assessment is performed for the system. Information from the outage
assessment is presented to system owners and may be used to modify recovery procedures
specific to the cause of the outage.
Recovery Phase – The Recovery phase details the activities and procedures for recovery of the
affected system. Activities and procedures are written at a level that an appropriately skilled
technician can recover the system without intimate system knowledge. This phase includes
notification and awareness escalation procedures for communication of recovery status to system
owners and users.
Reconstitution Phase – The Reconstitution phase defines the actions taken to test and
validate system capability and functionality. This phase consists of two major activities:
validating successful recovery and deactivation of the plan.
During validation, the system is tested and validated as operational prior to returning operation
to its normal state. Validation procedures may include functionality or regression testing,
concurrent processing, and/or data validation. The system is declared recovered and operational
by system owners upon successful completion of validation testing.
Deactivation includes activities to notify users of system operational status. This phase also
addresses recovery effort documentation, activity log finalization, incorporation of lessons
learned into plan updates, and readying resources for any future recovery events.
2.3

Roles and Responsibilities

The ISCP establishes several roles for SAP recovery and/or recovery support. Persons or
teams assigned ISCP roles have been trained to respond to a contingency event affecting SAP.
2.3.1

Damage Assessment Team

The Damage Assessment Team is a technical group responsible for assessing damage to the
Facility/System and its components. It is composed of personnel with a thorough understanding
of hardware and equipment and the authority to make decisions regarding the procurement and
disposition of hardware and other assets. This team is primarily responsible for initial damage
assessment, accounting of damage assessment, loss minimization, salvage and procurement of

necessary replacement equipment and interfaces. This team should include vendor
representatives.
The Damage Assessment Team will enter the facility as soon as they have received per-mission
to do so from emergency services. A written detailed account should be made of the general
status of the work area, with specific attention to the condition of hardware, software,
furnishings, and fixtures. Recommendations should be made that all damaged equipment, media,
and documentation be routed immediately to disaster recovery and restoration experts for a
determination as to its ability to be salvaged or restored.
2.3.2

Operations Team

The Operations Team consists of operators responsible for running emergency production for
critical systems, coordinating with Backup Team to ensure that applications sys-tem data and
operating instructions are correct, and with the Liaison Team to advise of the production status
and any unusual problems requiring assistance. Data In-put/Control Teams could be separate
groups or subgroups of the Operations Team. Also, the PC Support Team under the Operations
Recovery Team is responsible for re-establishing microcomputer operations at the backup site or
remote sites and for assisting with reinstating PC applications.
2.3.3

Communications Team

The Communications Team is composed of Facility/System’s communications specialists
responsible for restoring voice, data, and video communications links between users and the
computers, regardless of location in the event of a loss or outage. Communication vendor
(carrier) input in designing and implementing the recovery plan is very important. Influential
factors in developing recovery procedures for this team include: the type of network, the time
requirement for restoration, percentage of the network to be recovered, and budget
considerations.
2.3.4

Data Entry and Control Team

The Data Entry and Control Team is responsible for entering data as it is restored. They ensure
that the data is the best available backup and meets validation for the system.
2.3.5

Off-site Storage Team

The Off-site Storage Team is responsible for retrieving backup copies of operating systems
applications, systems, applications data, and ensuring security of the data, backup facilities, and
original facilities. The team is composed of members of Facility/System familiar with vital
records archival and retrieval.

2.3.6

Administrative Management Team

The Administrative Management Team coordinates Primary and Alternate Site security and
specialized clerical and administrative support for the Contingency Plan Coordinator and all
other teams during disaster contingency proceedings. The Administrative Team may also assist
groups outside the information resources area as needed. The Administrative Team is
responsible for reassembling all documentation for standards, procedures, applications,
programs, systems, and forms, as required at the backup site. The Administrative Team is
responsible for arranging for transportation of staff, equipment, supplies, and other necessary
items between sites.
2.3.7

Procurement Team

The Procurement Team consists of persons knowledgeable of the information resources and
supplies inventory and the budgetary, funding, and acquisition processes responsible for
expediting acquisition of necessary resources.
2.3.8

Configuration Management Team

The Configuration Management Team is composed of individuals with teleprocessing skills.
They work closely with the Communications Teams in establishing voice and data
communication capabilities.
2.3.9

Facilities Team

The Facilities Team is responsible for arranging for the primary and backup facilities and all
components.
2.3.10 System Software Team
The System Software Team consists of system software programmers responsible for pro-viding
the system software support necessary for production of critical applications systems during
recovery.
2.3.11 Internal Audit Team
The Internal Audit Team is responsible for observation and oversight participation in the
recovery effort.
2.3.12 User Assistance Team

The User Assistance team is composed of individuals with application use knowledge. The team
is made up of major user area managers, production control, and applications lead analysts
responsible for coordination and liaison, with the information resources staff for applications
recovery and restoration of data files and databases. Under the general leadership of the User
Assistance Team, technical applications specialist and database administration sub-teams
perform necessary application restoration activities. Setting priorities for applications recovery
is a primary influence on procedures for this team and its subgroups.

3.

Activation and Notification

The Activation and Notification Phase defines initial actions taken once a SAP disruption has
been detected or appears to be imminent. This phase includes activities to notify recovery
personnel, conduct an outage assessment, and activate the ISCP. At the completion of the
Activation and Notification Phase, SAP ISCP staff will be prepared to perform recovery
measures to restore system functions.

3.1

Activation Criteria and Procedure

The SAP ISCP may be activated if one or more of the following criteria are met:
1. The type of outage indicates SAP will be down for more than 8 hours, which has been
identified as the shortest RTO defined by the BIA.
2. The facility housing Omega Research is damaged and may not be available within 12
hours;
The following persons or roles (Senior Management, Contingency Planning Officer, or
Contingency Planning Committee) may activate the ISCP if one or more of these criteria are
met:

3.2

Notification

The first step upon activation of the SAP ISCP is notification of appropriate business and
system support personnel. Contact information for appropriate POCs is included in APPENDIX
A, PERSONNEL CONTACT LIST
For SAP, the following method and procedure for notifications are used:
3.2.1 Incident Notification
The facilities managers for the locations where the critical components of the Omega
Research Inc. systems are located should be provided with the telephone numbers of SAP
Emergency Response Team members. Upon notification, the team will meet in (TBD) for
the purpose of conducting initial incident assessment and issuing advisory reports of status

to the SAP and Senior Management. If the facilities manager, emergency response
personnel, or Omega Research Inc. Emergency Response Team Leader has determined that
the building cannot be entered, the alternate meeting place will be the (TBD).
3.2.2 Internal Personnel Notification
The Omega Research Inc. “Emergency Notification” procedure, or a modified version
thereof, should be developed and used for notification of the Crisis Management Team and
other Disaster Recovery Teams regarding specific response actions taken during response
operations. Within the “personal contact” database, a single source personal information
table should readily available that includes home addresses, contact telephone phone
numbers, and emergency contact information. In the event of a disaster, a lack of specific
personal data, including home addresses, cell phone numbers, pager numbers, and alternate
contact information, could result in the inability to locate and contact key personnel and
team members. This automated personnel database should be maintained and updated
continuously. This database may be maintained internally or somewhere else within the
department, as long as the information contained therein remains current and accessible.
3.2.3

External Notification

The Omega Research Inc. “Emergency Notification” procedure, or a modified version
thereof, should be developed and used for notification of its Contingency Plan service
providers, agencies, external contacts, vendors, suppliers, etc.
3.2.4 Media Release
All incident related information (printed or spoken), concerning SAP will be coordinated
and issued through the Department or Component Office of Public Affairs (OPA).

3.3

Outage Assessment

Following notification, a thorough outage assessment is necessary to determine the extent of
the disruption, any damage, and expected recovery time. This outage assessment is
conducted by the Operations Team. Assessment results are provided to the ISCP Coordinator
to assist in the coordination of the recovery of SAP.
The Operation Team will be implemented following an IT emergency event based. It is
imperative that the nature of the emergency and the extent of the damage be assessed as
quickly as possible and when conditions allow. The plan will work closely with the DAT
Lead and BCP Coordinator during the damage assessment. Damage Assessment Logs are
included in the plan.

After the plan has completed their assessment of the damage, the DAT Lead will notify the
BCP Coordinator to relay the results. The BCP Coordinator will notify the EMT Lead, who
in turn will notify the EMT. Based on available information the BCP Coordinator and EMT
will determine the level of the contingency event. There are three designated levels; Level
1, 2 or 3. The level of the contingency event will determine if relocation is necessary and
which alternate site will be used. Based on damage assessment results, the EMT will notify
civil emergency personnel (e.g., fire, police) assessments results, as appropriate. The
following table explains the three levels.

LEVEL

INCIDENT CATEGORY

IMPACT

RELOCATE

Level 1

Environmental/system related (e.g.,
power failure, equipment failure)

Facility is unaffected

Possibly, depending on the
duration of system failure

Level 2

Human (e.g., bomb threat, biological or
chemical threat)

Facility is affected

To alternate processing site

Level 3

Natural/Human (e.g., tornado, flood,
fire, bomb)

Facility is uninhabitable

To alternate processing site

4.

Recovery

The Recovery Phase provides formal recovery operations that begin after the ISCP has been
activated, outage assessments have been completed (if possible), personnel have been
notified, and appropriate teams have been mobilized. Recovery Phase activities focus on
implementing recovery strategies to restore system capabilities, repair damage, and resume
operational capabilities at the original or new permanent location. At the completion of the
Recovery Phase, SAP will be functional and capable of performing the functions identified
in the plan.

4.1

Sequence of Recovery Activities

The following activities occur during recovery of SAP:
1.
2.
3.
4.
5.

Identify recovery location (if not at original location);
Identify required resources to perform recovery procedures;
Retrieve backup and system installation media;
Recover hardware and operating system (if required); and
Recover system from backup and system installation media.

4.2 Recovery Procedures
The following procedures are provided for recovery of SAP at the original or established
alternate location. Recovery procedures are outlined per team and should be executed in the
sequence presented to maintain an efficient recovery effort.
In the event of data or system loss, first determine the possible cause of the problem. If data loss
or corruption of data occurred, repair the problem prior to performing any data restore. If the

client has suffered a disaster or…

Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteDemy. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.

Fill in all the assignment paper details that are required in the order form with the standard information being the page count, deadline, academic level and type of paper. It is advisable to have this information at hand so that you can quickly fill in the necessary information needed in the form for the essay writer to be immediately assigned to your writing project. Make payment for the custom essay order to enable us to assign a suitable writer to your order. Payments are made through Paypal on a secured billing page. Finally, sit back and relax.

Do you need an answer to this or any other questions?

About Writedemy

We are a professional paper writing website. If you have searched a question and bumped into our website just know you are in the right place to get help in your coursework. We offer HIGH QUALITY & PLAGIARISM FREE Papers.

How It Works

To make an Order you only need to click on “Order Now” and we will direct you to our Order Page. Fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.

Are there Discounts?

All new clients are eligible for 20% off in their first Order. Our payment method is safe and secure.

Hire a tutor today CLICK HERE to make your first order