Can someone help me with creating a Business Continuity IT Security Policy?
Assignment: Prepare a Business Continuity IT Security Policy.docx
References from other projects:
Project 1: 20160123180748enterprise_it_security_policy-3.docx
Project 2: 20160131203407local_it_policy-2.docx
Running Head: Enterprise IT Security Policy
Enterprise IT Security Policy
Enterprise IT Security Policy Development: Access Controls
Recent news coverage has shown that many enterprise systems are perpetrated
by trusting individuals from within. This policy framework will address accessing controls
to reduce information vulnerabilities and internal threats. Through industry standards
and known enterprise accessing control, this policy is devised to reduce information
threats, vulnerabilities, and risk associated with internal access controls.
I. Access Controls: Accessing information on an enterprise networking infrastructure
that is unauthenticated and unauthorized by internal employees should be restricted by
need to know access.
The purpose of controlling accessing information is to ensure that unauthorized
and unauthenticated users are able to view, manipulate, and/or transmit proprietary
information from front facing servers. Additionally, accessing controls shall also be
implemented within the local area network domain intranet servers (NIST, 2016).
A. Accessing Network Information stored within the application/systems domain
B. Accessing information stored within the Local Area Network domain
Administrative, technical, and physical controls have failed the NSA as we have
noticed with Edward Snowden’s case; therefore, protecting information from an internal
threat is the policy’s target. Recent news coverage is outlining the need to control
accessing privilege within enterprise systems as the leak of data has become a
prevalent and relevant concern for all networking resources within the enterprise
system. Internal employees accessed information that was proprietary in nature through
their job positions allowing levels of accessing privileges.
I. Access Control
Users from internal and external originating sources shall become aware of the UAP
regarding the accessing of the networking resources. For example, the policy shall
outline the framework initiated and produced by the National Institute of Standards and
Technology’s publications Executive Order 13636 (EO) (NIST, 2016) which solidifies the
operational framework for the business environments.
A. Separation of Duties:
a. All access shall be delivered based upon the user position within the
organization. Separation of duties can be controlled through administrative
policies. NIST publication 800-14 will provide the framework for this
B. Control the Use of Administrative Privileges:
a. No elevated levels of privileges will be granted unless the request is
overlooked and approved by the chief information officer and the
information security manager. In addition to policy direction, administrative
privileges in the form of technical controls shall be implemented. The NIST
publication 800-53 shall be incorporated within this section (NIST,
Information Security, 2016).
C. Need-to-know and Least Privilege
a. Only employees with a legitimate need should have access to information.
All granted accessing privileges will be granted based upon job function,
title, and operational involvement once approved by administrative agents.
NIST. (2016, January 23rd). Executive Order 13636. Retrieved from National Institute
of Standards and Technology: http://www.nist.gov/itl/upload/preliminarycybersecurity-framework.pdf
NIST. (2016, January 23rd). Information Security. Retrieved from National Institute of
Standards and Technology: http://infohost.nmt.edu/~sfs/Regs/sp800-53.pdf
NIST. (2016, January 23rd). NIST SP 800-53 Revision 4: Implementing Essential
Security Controls with CyberArk® Solutions. Retrieved from CyberArk:
Running head: LOCAL IT POLICIES
Local IT Policies
Table of Contents
Identification
Scope
Compliance
Terms & Definitions
Risk Identification and Management
Policies
User Access Management
User Registration
Network Access
Sanstech Data Center
Title of Policy
Systems Access Policy
Chief Information Officer
Local Systems Access Policies
January 31, 2016
All Sanstech Data Center Workers
January 29, 2015 ; January 17, 2016
Data Center Manager
Systems security is a must have feature for every organization that is spearheading the use of
technological systems in their environment. This involves the control of access and use of
technology in an organization. Information security mostly aims at protecting an organization’s
data. It aims at the three pillars of security of information assets. These include confidentiality,
integrity and authentication. Confidentiality is usually designed to prevent wrong entities from
accessing particular classified information (Pfleeger, 1997). Integrity on the other hand means
that the information received is unaltered and trustworthy (Dowland,
2005). This aims to particularly prevent manipulation of information by unwanted or
unauthorized parties. Availability being the final facet regarding information security ensures
that the information can be accessed by entities when needed (Andress, 2011). This helps in
ensuring that information sharing is efficient and that information resources serve their purpose.
For this to be achieved, the appropriate information security technologies should be applied
together with the necessary policies. Policies are rules governing an organization’s protection of
its information and hardware resources. The purpose of this document is to state how
information and hardware technological resources shall be protected. Information is quite a
useful resource for Sanstech Data Center and it should be secured from all vulnerable
possibilities. This will be done by establishment of access control mechanisms and through
procedures that will guide what information should be accessed by whom.
Information security covers different facets. This includes the communication networks,
computer hardware and software systems. These access control procedures and rules are usually
needed to regulate resource access through set user privileges. Policies are usually set to be
applied and complied with at all times.
Information systems have occasionally been accessed accidentally, unlawfully or prematurely by
unintended personnel without the correct procedures. This is one of the major information
security breaches since it involves the disclosure of information to unauthorized people and
hence corrupting the CIA triad security stability.
The policies will cover the level of access allowed to the organization administrators, the branch
managers, the technical team, the general workers and visitors.
Policies should be adhered to with strictness (Kagami, Tsuji & Giovannetti, 2004). This is to
protect database resources which usually carry most of an organization’s information (Garson &
Garson, 2003). If any member of Sanstech Data Center will be found violating the company’s
policies, this shall be termed as an offence and the violator is liable to company penalties. If
the users will comply with the policies, then IT effectiveness will be observed (Odedra & Madon,
If the case is termed as a criminal offence, then the violator shall be prosecuted under the
The violators’ rights that are not necessary can be grabbed if it is suspected that a violation can
occur as a result of him or her having that right.
A user shall bear the expenses brought about by his or her violation of the policies.
A user can be liable to both a jail term and a fine if the policy violation is termed as offensive
Terms & Definitions
Violation – this is acting contrary to what a policy has stated.
Policy – a principle that directs a decision to achieve a certain outcome.
Liable – holding someone accountable.
Violator – this is someone who has acted contrary to what has been stated in the policies.
Offence – an illegal act towards the set policies.
Rights – legal and socially acceptable societal principles.
Prosecute – the act of holding trial against someone.
Malicious – with an intention to do harm.
Criminal – someone conducting a crime.
Offensive – against what has been stated in the policies.
Risk Identification and Management
Since risk cannot be eliminated totally, organizations usually lay out strategies to assist them in
the case of an unexpected outcome (Tipton & Nozaki, 2005). Security needs to be employed in
the inside and outside of an organization.
One vulnerability that needs to be addressed is the use of login credentials. Users usually have a
tendency to share their passwords with other users. This can cause a serious problem if the
information accidentally falls under the wrong person. If login credentials are accessed by
malicious people, the information integrity will have been compromised and that forms a big part
of the organization’s risk.
Since the organization has a data store, it is more important to employ preventive mechanisms to
avoid data loss. Information stored in the database needs to be kept from intruders or
unauthorized access. Mechanisms need to be employed that can detect any suspicious system
access attempt. The systems should be able to raise an alarm or offer protection through their
own defensive mechanisms.
All the above risks remain a bottleneck to an organization if they are not addressed properly. One
way is to establish strong policies that prohibit login credentials sharing (Tipton, 2012). The
other risk management strategy can be achieved through the use of Intrusion Detection Systems.
These systems usually detect unauthorized network access and prevent the attack through their
own mechanisms or by raising an alarm to the concerned parties (Di Pietro & Mancini, 2008).
User Access Management
A user shall not be allowed to share his or her password with any other person unless allowed
otherwise by the relevant powers.
Login credentials should not be stored or recorded in any manner be it mechanically or
Users shall only be allowed to access what pertains to their level of information access and duties
unless otherwise authorized by the relevant powers.
Modification of information by a particular system user can only be done if the department in
charge of the information makes a formal authentication.
The submission of information to the system shall require an approval before being universally
accepted for general use and view.
A user must always close his or her session before leaving a computer system.
A user shall only be registered if a formal request is made with a reason for the system use.
Registration shall only be done by the allowed top privileged administrator.
Registration details shall only be provided by the system users when registering.
A system user shall be removed from the system by the top most privileged administrator when
his or her system use tasks cease.
When an external network access is required it shall be done through the main company’s
Sharing of information outside the network is prohibited unless reasons supporting the act are
Individuals will not be allowed to use their own computing devices to connect to the internet since
this can compromise systems security.
Internet connection can only be made through the organization’s main network.
Outside visitors shall not be allowed to connect to the network unless the user has stated the
reason to do so.
Andress, J. (2011). The basics of information security. Waltham, MA: Syngress.
Dawland, P. (2015). Security Management, Integrity, and Internal Control in Information
Systems: Publisher: Springer.
Di Pietro, R., & Mancini, L. (2008). Intrusion detection systems. New York: Springer.
Garson, G., & Garson, G. (2003). Public information technology. Hershey, PA: Idea Group Pub.
Kagami, M., Tsuji, M., & Giovannetti, E. (2004). Information technology policy and the digital
divide. Cheltenham, UK: Edward Elgar.
Odedra, M., & Madon, S. (2003). Information technology policies and applications in the
Commonwealth developing countries. London: Management and Training Services
Division, Commonwealth Secretariat.
Pfleeger, C. (1997). Security in computing. Upper Saddle River, NJ: Prentice Hall PTR.
Tipton, H. (2012). Information Security Management Handbook, Volume 6. Hoboken: CRC
Tipton, H., & Nozaki, M. (2005). Information security management handbook. Boca Raton, FL:
Project #4: Prepare a Business Continuity IT Security Policy
In Project 2, you developed an IT security policy for a specific facility – a data center. In this project, you
will develop a business continuity security policy for that facility. Your policy must be written for a
specific organization (the same one you used for Projects #1 and #2). You should reuse applicable
sections of your earlier projects for this project (e.g. your organization overview and/or a specific section
of your outline).
If you wish to change to a different organization for project #4, you must first obtain your
Every organization needs a Disaster Recovery / Business Continuity Plan (DR/BCP) to ensure that it can
continue operations in the event of a disaster (whether natural or man-made). Sometimes, these events
are so severe that it is impossible for the business to continue operating from its normal locations. This
requires a business continuity plan which, when activated, will enable the business to restore critical
operations at other locations and within an acceptable time frame.
Organizations use policies, plans, and procedures to implement an effective DR/BCP program and
ensure that DR/BCP plans are current and reflect the actual recovery needs (which may change over
time). The larger the organization, the more important it is that policies exist which will guide DR/BCP
planners through the planning and implementation processes. For this assignment, you will be writing
one such policy – guidance for DR/BCP planning for a particular data center.
DR/BCP policies for the enterprise (the entire organization) establish what must be done by the
organization in order to develop its DR/BCP strategies, plans, and procedures. Table 4-1 provides a
simplified list of phases and required activities for the planning process. Depending upon the level of
detail covered by the policy, this information could be in the policy itself or covered in another
document which the policy refers to. The required content for the DR/BCP plan may also be presented
in the policy or, more likely, it will be provided in an appendix or separate document. A typical outline
for the plan is presented in Table 4-2.
Sometimes, it is necessary to create supplementary policies which address specific circumstances or
needs which must be accounted for in the DR/BCP planning process and throughout the management of
the DR/BCP program. For this assignment, you will be developing one such policy – the Business
Continuity IT Security Policy. The “Tasks” section of this assignment explains the content requirements
for your policy.
Table 4-1. Disaster Recovery / Business Continuity Planning Phases (adapted from
Phase 1: Business
Phase 2: Develop
Phase 3: Develop
Phase 4: Testing &
Survey business units to determine which business processes, resources, and capital assets (facilities, IT systems) are critical to survival of business
Conduct follow-up interviews to validate responses to survey & obtain additional info
Identify resource requirements based on BIAs
Perform gap analysis (recovery requirements vs current
Investigate recovery strategies (e.g. IaaS, PaaS, Alternate Sites)
Document & Implement recovery strategies (acquire / contract for products & services)
Develop plan framework (follow policy)
Identify personnel for DR/BCP teams
Develop Recovery and/or Relocation Plans
Write DR/BCP Procedures
Obtain approvals for plans & procedures
Develop testing, exercise and maintenance requirements
Conduct training for DR/BCP teams
Conduct orientation exercises for staff
Conduct testing and document test results
Update BCP to incorporate lessons learned from testing and
Table 4-2. Outline for a Business Continuity Plan
Purpose: to allow company personnel to quickly and effectively restore critical business
operations after a disruption.
Objective: to identify the processes or steps involved in resuming normal business
Scope: work locations or departments addressed.
Scenarios: (a) loss of a primary work area, (b) loss of IT services for a prolonged period of
time, (c) temporary or extended loss of workforce, etc.
Issues, Assumptions, and Constraints: (a) restore in place vs. transfer operations to
alternate site, (b) availability of key personnel, (c) vendor or utility service availability, (d)
communications, (e) safety of life issues, etc.
Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies
to be followed in each of the scenarios identified in the plan Introduction section. As an
example, if “loss of work area” is identified as a possible failure scenario, a potential
recovery strategy could be to relocate to a previously agreed-upon or contracted alternate
work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a list of the specific recovery
activities and sub-activities that will be required to support each of the strategies outlined in
the previous section. For example, if the strategy is to relocate to an alternate work
location, the tasks necessary to support that relocation effort could include identifying any
equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of
disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in
the business continuity efforts, for example, naming a team lead and an alternate team
lead, as well as the team members associated with any recovery efforts. This section of the
plan will also include their contact information, including work phone, cellphone, and email
addresses. Obviously, because of any potential changes in personnel, the plan will need to
be a “living” document that is updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main body that lays out the steps for
activating a plan (usually in the form of a flow chart). For example, a typical plan timeline
might start from the incident detection, then flow into the activation of the response team,
the establishment of an incident command center, and notification of the recovery team,
followed by a decision point around whether or not to declare a disaster. A plan timeline
may also assign the recovery durations or recovery time objectives required by the business
for each activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to
day-to-day operations and recovery strategies, as well as any required recovery time
objectives that the vendors must meet in order for the plan to be successful.
Critical Equipment/Resource Requirements: A plan may also detail the quantity
requirements for resources that must be in place within specified timeframes after plan
activation. Examples of resources listed might include workstations, laptops (both with and
without VPN access), phones, conference rooms, etc.
The Business Continuity Security Policy is being written by you as the data center facility manager. This
supplementary DR/BCP policy will be used to ensure that needed security controls are restored and
functioning as designed in the event that the business continuity plan is activated. These controls must
ensure that information, information systems, and information infrastructure (e.g. networks,
communications technologies, etc.) are protected to the same level as required during normal business
operations. Your policy must ensure that security requirements are adequately addressed during all
four phases of the Business Continuity Planning process (see Table 4-1). Your policy must also address
required content (sections) for the DR/BCP plan (see Table 4-2) even if that means requiring
modifications to standard sections of the document or even adding sections.
Your policy must also address the roles and responsibilities for data center recovery operations. During
recovery operations, the data center manager and recovery team personnel (including system
administrators and network engineers) must ensure that IT systems and services, including required IT
security controls, are operational within the required Recovery Time Objectives and Recovery Point
Objectives. These metrics are established using the results of the BIA and are included in the DR/BCP
plans. These metrics are used to determine the restoral order for systems and services and guide the
selection and implementation of recovery strategies. The metrics also provide performance criteria for
outside vendors and service providers from whom your organization purchases or will purchase IT
services and products to implement its recovery strategies.
Recovery Time Objective: the maximum time allowed to restore critical operations and
services after activation of the business continuity plan. Different RTO’s may be set for
different IT systems and services.
Recovery Point Objective: the point in time to which you must restore data during startup
operations for DR/BCP (used to determine backup frequency for data during normal
operating periods and the maximum allowable amount of “lost data” which can be
Your Business Continuity Security Policy must address the requirement to set appropriate RTO and RPO
metrics for hardware and software which provide IT security controls. For example, if the data center
relies upon an Active Directory server to implement role based access controls, that server should have
both an RTO and an RPO and be listed in the business continuity plan.
The primary audience for your policy will be the CIO and CISO staff members who are responsible for
developing IT business continuity plans. Your policy will be communicated to other personnel and to the
senior managers who are ultimately responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO. The policy must be approved and signed by the CEO
and CIO of the organization.
1. Review the Contingency Planning control family and individual controls as listed in NIST SP 800-53. (See Table 4-3). Identify policy statements which can be used to ensure that the required
controls are in place before, during, and after business continuity operations. (For example, for
CP-6 your policy statement should require that IT security requirements be included in plans /
contracts involving alternate storage sites for critical business data.) You must address at least 5
controls within the CP control family.
Table 4-3. Contingency Planning Control Family (from NIST SP 800-53)
2. Review the phases in the Business Continuity Planning Process (see Table 4-1). Identify policy
statements which can be used to ensure that IT security requirements are addressed during
each phase. These statements should include ensuring that RTO/RPO objectives for security
services will be addressed during the planning process. (You may wish to include these as part of
your policies for implementing CP-1, CP-2, CP-3, and CP-4).
3. Review the outline for a Business Continuity Plan (Table 4-2). Analyze the outline to determine
specific policy statements required to ensure that the required CP controls and any additional or
alternative IT security measures (e.g. controls required to implement CP-13) are set forth in a
business continuity plan. (Your policy statements will tell Business Continuity Planners where
and how to “build security in.”)
4. Write your Business Continuity Security Policy using the outline in Table 4-4. You must tailor
your policy to the subject of IT Security Requirements for the Business Continuity program and
address the required controls and actions identified during steps 1-3.
Table 4-4. Outline for an IT Security Policy
a. Organization: [name]
b. Title of Policy: Data Center Business Continuity Policy
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Business Continuity for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager]
h. Distribution List
i. Revision History
a. Provide a high level summary statement as to the policy requirements which are set
forth in this document.
a. Summarize the business continuity activities and operations that this policy will
b. Identify who is required to comply with this policy.
a. Identify the measures which will be taken to ensure compliance with this policy (e.g.
audits, compliance reporting, exception reporting, etc.)
b. Identify the sanctions which will be implemented for compliance failures or other
violations of this policy.
c. Include information about how to obtain guidance in understanding or interpreting
this policy (e.g. HR, corporate legal counsel, etc.)
Terms and Definitions
Risk Identification and Assessment
a. Identify the risks which could arise if IT security requirements are not included in
business continuity planning and subsequent operations.
b. Identify and describe the impacts of such risks (include an assessment of the
possible severity for each impact).
a. Present policies which will ensure that IT security is addressed
i. In all phases of DR/BCP planning
ii. In all relevant sections of the DR/BCP plan
iii. By requiring implementation of relevant NIST guidance, e.g. controls from
the CP family
iv. By specifying roles and responsibilities for IT security during data center
v. Using RTO/RPO metrics for restoral of IT security services and functions
b. Include an explanatory paragraph for each policy statement.
5. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your
name, the name of the assignment, and the date. Your Table of Contents must include at least
the first level headings from the outline (I, II, III, etc.).
6. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography
and place that at the end of your file. (See Item #3 under Formatting.) Double check your
document to make sure that you have cited sources appropriately.
1. Submit your policy as an MS Word document using your assignment folder.
2. Format your policy such that it presents a professional appearance. Use headings and outline
formatting to organize information for clarity.
3. Cite sources using a consistent and professional style. You may use APA formatting for citations
and references. Or, you may use another citation style including use of footnotes or end notes.
(Citation requirements for policy documents are less stringent than those applied to research
papers. But, you should still acknowledge your sources and be careful not to plagiarize by
copying text verbatim.)
4. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.