Files attached below
TASK back to top Read the Regional gardens case study document before attempting this assignment. Background: You have been employed by Regional Gardens as their first Chief Information Officer (CIO). You have been tasked by the Board to conduct a review of the company’s risks and start to deploy security policies to protect their data and resources. You are concerned that the company has no existing contingency plans in case of a disaster. The Board indicated that some of their basic requirements for contingency planning include: · A Recovery Time Objective (RTO) of 2 hours · A Recovery Point Objective (RPO) of 4 hours Based on these, you now need to determine: · The Maximum Tolerable Downtime (MTD), · The Work Recovery Time (WRT) and · The system and data recovery priority The Board expects that you will propose a Business Continuity Plan (BCP) for Regional Gardens. The Board expects you to use as much of their existing resources as possible for the BCP, but understands that some additional resources may be required. Your BCP proposal must clearly state what additional resources, in terms of hardware, software and locations, are required. Tasks: You are to develop a proposal for a Business Continuity Plan (BCP) for Regional Gardens in accordance with the Board's instructions above. Your proposed BCP must include: 1. An overview of the entire BCP, 2. A Business Impact Analysis 3. An Incident Response Plan 4. A Backup plan, 5. A Disaster Recovery plan, Your proposed BCP should include the following headings: · Executive Overview · Business Impact · Incident Response · Backup · Disaster Recovery RATIONALE back to top This assessment task will assess the following learning outcome/s: · be able to justify the goals and various key terms used in risk management and assess IT risk in business terms. · be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach. · be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk. · be able to critically evaluate IT security risks in terms of vulnerabilities targeted by hackers and the benefits of using intrusion detection systems, firewalls and vulnerability scanners to reduce risk. MARKING CRITERIA AND STANDARDS back to top Task HD DI CR PS FL Marks Overview Comprehensive overview of purpose and scope of BCP Broad overview of purpose and scope of BCP Good overview of purpose and scope of BCP Adequate overview of purpose and scope of BCP Poor or inadequate overview of purpose and scope of BCP 10 Business Impact Excellent analysis of business process and data and their priority for business impact Very good analysis of business process and data and their priority for business impact Good analysis of business process and data and their priority for business impact Adequate analysis of business process and data and their priority for business impact Inadequate or incomplete analysis of business process and data and their priority for business impact 15 Incident Response Comprehensive incident response plan to satisfy case study problem Very good incident response plan to satisfy case study problem Good incident response plan to satisfy case study problem Adequate incident response plan to satisfy case study problem Inadequate or incomplete incident response plan to satisfy case study problem 25 Backup policy Comprehensive backup policy to satisfy case study problem Very good backup policy to satisfy case study problem Good backup policy to satisfy case study problem Adequate backup policy to satisfy case study problem Inadequate or backup policy to satisfy case study problem 25 Disaster Recovery Comprehensive disaster recovery plan to satisfy case study problem Very good disaster recovery plan to satisfy case study problem Good disaster recovery plan to satisfy case study problem Adequate disaster recovery plan to satisfy case study problem Inadequate or incomplete disaster recovery plan that fails to satisfy case study problem 25 Referencing and Presentation Up to 5 marks may be deducted for incorrect or incomplete referencing in numbered IEEE format Up to 5 marks may be deducted for poor presentation, spelling and grammar PRESENTATION back to top When submitting your assignment be sure to meet the following presentation requirements: · Assignments are required to be submitted in a Word format (.doc, or .docx) only. Each assignment must be submitted as a single document. · Assignments should be typed using a 12 Point Font, Times New Roman/Arial and 1.5 Spacing. · This assignment should be referenced using the numbered IEEE style format. Regional Gardens Case Study Regional Gardens Case Study Regional Gardens Ltd is a company that runs a number of related gardening enterprises. It has a large display garden that it opens for public inspection a number of times a year. The company also owns the Regional Gardens Nursery which sells plants and garden supplies to the public. The company also owns Regional Garden Planners, which is a small company that provides garden advice, design and consultancy services. The company has a small data centre at its main site in Bathurst where the company’s servers and data storage is located. The company has some 65 staff, who include management, administrative staff, nursery and Regional Garden Planners staff. The company has a range of different types of relatively old personal computers, which run mainly run Windows 7 Enterprise, to connect to the company data centre. The company also has 3 MacBook laptops running OS X. The company does not have a clear patching and update policy. As a result most servers and desktop machine are patched on an ad-hoc basis and as time, and operations, permit. The company has a small number of systems administration staff that are responsible for the management of the server infrastructure. But effective administration is somewhat hampered by the fact that the administrative passwords are generally well-known across the company. Company employees enjoy free, open, unrestricted access to the Internet, but realistically they only need to access certain websites on the Internet. Company management would like there to minimise the cost of accessing web resources. The company consists of the following departments: · Nursery staff (35 people) · Regional Gardens Planning (15 people) · Systems administration (3 people) · Management (4 people) · Human Resources & Legal (3 people) · Finance (3 people) · Administration (2 people) There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation. Infrastructure The company uses several servers to conduct its core business. The company has the following server infrastructure: · 2 x Active Directory domain controllers on Windows Server 2008 R2; · 3 x SQL Server 2003 database servers on Windows Server 2003; · 1 x Exchange 2007 email server on Windows Server 2008 R2; · 4 x Windows Server 2003 File and Print servers; · 2 x Red Hat Enterprise 5 Linux servers running Apache and TomCat. Each of these servers are independent machines with relatively vanilla installs of their respective operating systems. The servers are not running the latest operating systems nor have they been recently patched. All servers have publicly accessible addresses and hence can be accessed from the Internet. The servers are all commodity x86 servers that have been purchased as required. There are no maintenance contracts on either the hardware or any installed software. Most of the servers and desktops are over five years old. Services and Data The servers store the following; · Home directories, · Mail, · Database objects for various development and production environments (for various departments), · Active Directory Meta Data Object, · Customer garden project information directories, · Nursery plant data directories, · Nursery supplies data directories · Corporate Finance and Personnel Data, · Web Page Data. · Customer data, · Market intelligence and strategic planning data. · Other forms of Intellectual Property Most services are only used within the company, however the company does have a internet presence via its web pages and mail server. Despite this some of the garden planners work from home in the evenings and access some services from their home workstations, tablets or mobile devices. You can assume there is no redundancy/ fail over in the disks hence if a disk goes bad, that data is lost and the service associated with it fails. The most important data to the company, in order of importance, is: Corporate finance data . Nursery product data . Nursery supplies data . Strategic planning data . Customer planning data, . Personnel data, . Web page data, . Email, The integrity of this data must always be preserved. Administration Most of the staff in the company knows the administration passwords for the servers and desktops. It should be noted that all users have accounts on the mail, database and database servers. The administration of the servers tends to be haphazard. There are often storage issues with storage as disks fill up regularly. There are a lot of active but unused accounts for users who have now left the company. The company is dependent on its servers for continued access to services, but there are no monitoring systems in place. External hackers have compromised some desktop machines in the past. The administrators are reasonably confident that the servers have not been compromised. That said, when a host is compromised; the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late, i.e. well after the hack has occurred. Security The company does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. All servers, and most desktops have a basic anti-virus system in place, but it has not been updated recently. There is no anti-virus on the MacBooks as the company has been told that they “don’t get viruses”. There is no overall email virus protection in this company. Backup and Disaster Recovery The company does not have any backup or disaster recovery systems/ procedures. Network and Physical Location The servers and core network infrastructure are located in common workspace as other infrastructure and employees of the organisation. In addition to this the servers are on the same networks as user workstations and there is no network security. The company is connected to the Internet via a ADSL modem connected to a router. The router connects to a several 10mb hubs, which provide access to the staff (there is only one LAN). Individual Workstations & Passwords Each employee has a desktop computer. Most of the computers are running a vanilla install of Windows 7 Enterprise that, in most cases, has not been patched since install. Employees often keep corporate data on these desktops in their home directory, which is not backed up. In addition to this everyone has administrator privileges to their workstation. As the environment is relaxed, a user can have accounts on other employee computers possibly using the same or different password. The company has no hard and fast rules about passwords; in fact the most common password used is the person’s name. These