Wednesday, May 6, 2020

Disaster Recovery and User Authentication Policy in an Organization

Question: Discuss the following points: 1. Disaster Recovery 2. User Authentication

Answer:

Introduction

The aim of this report is to develop and present two procedures and policies, one on disaster recovery and one on user authentication, for an organization. The focus is on an Information Technology Consultancy and how it develops a disaster recovery policy and a user authentication policy for the organization. For the user authentication policy, the focus is on password-based user authentication.

1. Disaster Recovery Policy

Name of the Organization: ABC Information Technology Consultancy
Disclaimer: This policy has been created for ABC Information Technology Consultancy. All or part of this policy is owned by the organization. No part of it may be reproduced in any form.
Last Update: 9th March 2015

Overview

Disasters can happen at any time, although they happen rarely. Management sometimes ignores disasters while managing the core business processes, but this should not be the case. A disaster recovery plan should be developed as early as possible, and the organization needs to follow it. A disaster is any event that makes it difficult to provide service successfully; it is not only a catastrophic environmental event that damages resources or hampers services. A contingency plan gives the organization a competitive advantage in the face of a disaster. The disaster recovery plan can be considered part of the business continuity plan.

Purpose

The disaster recovery policy provides a baseline for the disaster recovery plan, which is yet to be developed on the basis of this policy. The plan will describe the process of recovering the Information Technology infrastructure, including information systems, data, applications etc. It covers all types of disaster that can cause a major outage.

Scope

The disaster recovery policy is directed at the information technology management staff of the organization.
They are responsible for keeping the plan up to date and for ensuring development and implementation of the disaster recovery plan. This policy includes all requirements needed for developing a disaster recovery plan.

Policy

It is recommended that the disaster recovery policy is reviewed annually to ensure it remains relevant. The planning team is responsible for developing the policy. The planning team consists of personnel from upper management, IT, information security, sales, accounts, human resources etc. The planning team has the following roles and responsibilities:

- Carrying out an initial risk assessment to identify the vulnerabilities in the existing information technology infrastructure.
- Carrying out an initial business impact analysis to document the identified interdependencies among the business processes and to determine how an outage of the information systems will affect the business.
- Taking an inventory of the information technology assets such as data, information systems and applications.
- Identifying the single points of failure present in the current information technology infrastructure.
- Identifying all critical systems, applications and data.
- Prioritizing the core business functions.

The organization will follow the procedures described below to implement the disaster recovery policy across the organization.

- There will be offsite data backup facilities along with electronic vault facilities. This adds redundancy to the IT infrastructure and enhances reliability.
- All critical data, applications and systems will be placed in easily accessible locations, and in such a way that a single disaster cannot easily affect all resources.
- An incident response team will be created, consisting of personnel from IT, information security, legal, HR, marketing etc. The roles and responsibilities of the incident response team will be clearly defined.
- The contact information of all members of the incident response team will be obtained.
- A communication plan will be developed for communicating with the incident response team during a disaster. The plan will detail the communication methods to be followed for each member.
- A public relations plan will be developed for handling an incident effectively.
- A manager from the IT or information security department will be assigned and authorized to take important decisions.
- Testing standards will be developed.
- The disaster recovery plan will be documented and distributed among all persons related to the organization. Extra copies will be kept for emergency use and should be stored securely.
- There will be a succession plan describing the actions to be followed in the absence of any staff member.
- A detailed study of the data stored across the information systems and storage of the organization will be carried out. The confidentiality of the data will be checked and ensured.
- A list of the services provided by the organization will be created, ordered by the importance of the services.
- The recovery plan includes policies for short-term and long-term recovery.
- There will be an equipment replacement plan. It will describe all equipment required to deliver services successfully and according to the service order list. Detailed specifications of the equipment and contacts for purchasing it will also be part of the plan.
- There will be a mass media management plan.

The disaster recovery policy will follow the continuous procedures described below.

- Data backup, storage etc. will be performed continuously. The backup plan will categorize backups into daily, weekly and monthly levels.
- The test plans will be executed at least annually. The results will be reviewed and documented, and the plans updated if needed.
- The plans will be analyzed regularly to ensure they remain aligned with the business processes, objectives and requirements of the business.
- All team members will be trained frequently through disaster recovery and security awareness education.
- The network diagrams and information security policies will be updated regularly.
- Patching and bug fixing will be done regularly to ensure the security of the critical applications and data used by the information systems.
- There will be regular information security audits and vulnerability assessments.
- After developing a disaster recovery plan, management will test its implementation. This helps uncover the cases where the plan may fail, so that corrective options or extensions of the plan can be developed.

Policy Compliance

A set of methods will help ensure compliance with the disaster recovery policy, for example video monitoring, internal and external audits, reports from business roles, feedback from the owner of the policy etc. Management should approve any exception to the policy during the early stage of its implementation in the organization. Staff who fail to comply with the disaster recovery policy will be subject to disciplinary action, up to and including termination of employment.

Other Standards, Policy or Procedure

None

Revision History

Version | Date | Description of Changes
1.0     |      | Creation of the policy

2. User Authentication Policy

Name of the Organization: ABC Information Technology Consultancy
Disclaimer: This policy has been created for ABC Information Technology Consultancy. All or part of this policy is owned by the organization. No part of it may be reproduced in any form.
Last Update: 9th March 2015

Overview

User authentication is a broad domain applicable to many situations. This user authentication policy covers the simpler user authentication method based on user names and passwords.
This policy covers best practices for the username and password based authentication process, how to secure passwords, what is to be avoided etc. Username and password based authentication can be applied to different cases; for example, it can be used to secure user accounts, email accounts, and access to computers, smart phones, tablets etc. ABC Information Technology Consultancy uses username and password based authentication to secure its IT resources: computers, access to databases, and the email accounts of its users.

Purpose

This user authentication policy provides a baseline for the user authentication plan and the information security policy of the organization. Its purpose is to secure information technology resources from unauthorized access while at the same time ensuring their availability to legitimate users only. This policy applies to the computers, emails and accounts of the employees in the MIS system of the organization, and to user accounts on the database. (Heng, 2009)

Scope

The user authentication policy is directed at the staff of ABC Information Technology Consultancy. They need to adhere to the policy to ensure implementation of information security and of the access policies to information security resources. The user authentication policy covers a significant part of the information security implementation at the organization. This policy includes all details needed to ensure a username and password based authentication process across the different types of applications and scenarios at the organization.

Policy

The policy contains information about password creation and management, along with best practices to follow to ensure the user authentication process. (Janulaitis, 2007)

Creation of Passwords

When creating usernames and passwords, the following factors need to be considered.

- There should be password construction guidelines that ensure the strength of the password.
The strength of a password refers to how difficult it is for a third party to guess it. Password construction guidelines ensure strong passwords by constraining the length and pattern of the password. A user is expected to follow the guidelines. All system-level and user-level passwords should be generated by following the password construction guidelines.

- Users must not use their name, birthdays, company name or other similar personal or trivial information as part of their username and password.
- The same username and password should not be used for more than one account, e.g. for an email account and a database user account. (Kizza, 2015)
- System-level privileges will be granted to a group of users when giving access to the information technology resources of the organization, but users should change the default username and password as soon as possible and use a personalized username and password combination instead.
- System administrators are responsible for granting and revoking access rights. Thus a system administrator will have a master password that can unlock any account of the database system. The master passwords should be complex enough and should be changed periodically. They must also be kept secure and must not be shared with anyone other than the authorized entities.
- Wherever SNMP (Simple Network Management Protocol) is used in the organization, the community string should be different from the trivial or default values such as private, public or system-related information. Again, the password construction guidelines are to be followed when constructing the community string.

Changing Passwords

There are several system-level passwords, for example root level, admin level, administration level, application passwords etc. These passwords need to be changed periodically, at least every two months. (Khosrowpour, 2003) User-level passwords (email, computers, websites, user accounts etc.)
need to be changed periodically, at least once every six months. Passwords should be checked using different password cracking methods; this checking measures how strong the passwords are in the face of an attack. Passwords that are cracked should be changed immediately, and a stronger password used.

Protection of the Passwords

- Users must not share their username and passwords with anyone. Passwords are to be handled as highly confidential and sensitive information.
- If there is a legacy system that does not support a proxy system, then proper measures should be taken.
- Passwords should not be written in a document on the system, in email messages etc. If a password needs to be shared, then proper encryption should be used, and the password should be changed afterwards.
- Passwords should not be shared over the telephone.
- Passwords should not be revealed in any form or questionnaire.
- Even where there is scope to provide a password hint, it is recommended not to provide an explicit hint, or any hint at all.
- No staff member of the organization may share system-level passwords with anyone else.
- Passwords are not to be written on hard copies or anywhere else. Memorize the passwords.
- It is recommended not to use "Remember me" options on office computers. Don't save usernames and passwords in web browsers.
- If any user suspects that his/her username and passwords have been compromised, then he/she should contact the information security department as soon as possible. He/she is recommended to change the usernames and passwords of all accounts belonging to him/her.

Development of Applications

Being an information technology consultancy, ABC Information Technology Consultancy works on application development. User authentication plays an important role in this domain too. The following factors are to be considered to ensure implementation of the user authentication policy in application development.
- The developed applications should have a proper implementation of user authentication. All security measures, policies and best practices are to be followed while developing the applications.
- The applications should support individual users. Groups may be used only where needed.
- Applications should not store passwords without encryption, and should not display passwords in textual format.
- If passwords need to be transmitted over a network or the Internet, then an encrypted version of the password should be sent instead of the raw password in text format.
- Role management should be implemented in the applications. Users should be able to use the functions of the application without any need to know the passwords of others.

Passwords and Passphrases

This is a specific area of user authentication based on authentication by private and public keys. There is a mathematical relationship between the private and public key. The public key is known to all; the private key is known to the user only. The user needs a passphrase to gain access to the system and unlock the private key. (SANS Institute, 2014) A passphrase is a type of longer password containing multiple words, used to ensure security against dictionary attacks. It will contain a combination of upper- and lower-case letters, special characters etc.

Compliance with the Policy

There will be a set of different methods and tools to ensure and check compliance with the user authentication policy, such as password cracking methods and tools, internal and external information security audits, and feedback from the owner of the policy. The information security team can approve the user authentication policy in advance or along with the information security plan. Any staff member who does not comply with the user authentication policy may face legal issues or may be dismissed from their job.
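The following Python program is an added worked example and is not part of the original policy document; it models in code the password controls the policy describes in its Creation of Passwords, Changing Passwords and Development of Applications sections: the construction guideline check (with the policy's ban on names, company names and other trivial terms), the two-month and six-month rotation intervals, the rule that one password must not serve more than one account, the application-side rule that passwords are never stored in cleartext, and role management. The only numbers taken from the policy are the rotation intervals; the minimum length, character-class rule, PBKDF2 work factor, role table, user name 'jsmith', company term 'ABC' and all sample passwords are assumptions made for illustration, and a salted PBKDF2 hash is used as the concrete form of "not stored without encryption".

```python
"""Added example, not part of the original policy document: a small Python
model of the password controls described in the ABC Information Technology
Consultancy policy above. The policy's own numbers are the rotation
intervals (two months for system-level, six months for user-level
passwords); everything else (minimum length, character-class rule, PBKDF2
work factor, role table, sample data) is an assumption for illustration."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Rotation intervals from the policy text.
MAX_AGE = {"system": timedelta(days=60), "user": timedelta(days=180)}

# Assumed construction guideline: the policy refers to a separate guideline
# document without stating its rules, so these thresholds are illustrative.
MIN_LENGTH = 12
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
MIN_CLASSES = 3


def construction_violations(password, username, personal_terms):
    """Return the guideline violations for a candidate password (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Policy: no name, birthday, company name or similar trivial information.
    lowered = password.lower()
    for term in [username, *personal_terms]:
        if term and term.lower() in lowered:
            problems.append(f"contains trivial/personal term '{term}'")
    return problems


def rotation_due(level, last_changed_iso, today_iso):
    """True when a password of the given level is older than the policy allows.
    Dates are ISO strings so the check is easy to drive from an inventory file."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > MAX_AGE[level]


# Application side: the policy forbids storing passwords without protection.
# A random salt plus a slow hash (PBKDF2-HMAC-SHA256) is the usual form for
# password verification; the iteration count is an assumed work factor.
ITERATIONS = 600_000


def make_record(password):
    """Store only salt and derived hash, never the cleartext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def reuse_detected(other_records, candidate):
    """Policy: one password must not serve more than one account. At change
    time, report which of the user's other accounts already use the candidate."""
    return [name for name, rec in other_records.items() if verify(rec, candidate)]


# Policy: role management, so a user never needs another person's password
# to reach a function. Assumed role table.
ROLES = {"analyst": {"view_report"}, "admin": {"view_report", "manage_users"}}


def permitted(role, action):
    """True when the role's assigned permissions include the requested action."""
    return action in ROLES.get(role, set())


if __name__ == "__main__":
    # Constructed sample data for a user 'jsmith' at company 'ABC'.
    terms = ["ABC", "smith"]
    print(construction_violations("Summer2015", "jsmith", terms))
    print(construction_violations("Tr0ub4dor&Rain!", "jsmith", terms))
    print(rotation_due("system", "2015-01-01", "2015-03-09"))  # 67 days old
    email = make_record("Tr0ub4dor&Rain!")
    print(verify(email, "Tr0ub4dor&Rain!"), verify(email, "wrong"))
    print(reuse_detected({"email": email}, "Tr0ub4dor&Rain!"))
    print(permitted("analyst", "manage_users"))
```

Two design points worth noting: the reuse check works only against hashed records of the user's own other accounts, so no cleartext password list is ever kept to compare against; and the rotation check takes the password level as an argument, because the policy sets different maximum ages for system-level and user-level passwords, so an inventory that tags each credential with its level can be audited with one function.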
Other Standards, Policy or Procedure

Guideline for password construction

Revision History

Version | Date | Description of Changes
1.0     |      | Creation of the policy

References

Apelbaum, Y., 2007. User Authentication Principles, Theory and Practice. s.l.: Fuji Technology Press.
Cumbie, B. A., 2008. The Role of Information Technology in Effective Recovery and Aiding Sustainability of Coastal Regions After a Disaster. s.l.: ProQuest.
Fallara, P., 2003. Disaster recovery planning. s.l.: IEEE.
Heng, G. M., 2009. A Manager's Guide to Implement Your IT Disaster Recovery Plan. s.l.: GMH Continuity Architects.
Hiatt, C. J., 2000. A Primer for Disaster Recovery Planning in an IT Environment. s.l.: Idea Group Inc (IGI).
Information Resources Management Association, 1999. Managing Information Technology Resources in Organizations in the Next Millennium. s.l.: Idea Group Inc (IGI).
Information Resources Management Association, 2002. Issues & Trends of Information Technology Management in Contemporary Organizations. s.l.: Idea Group Inc (IGI).
Janulaitis, M. V., 2007. Disaster Recovery - Business Continuity Plan Template. s.l.: Janco Associates, Inc.
Khosrowpour, M., 2003. Information Technology and Organizations. s.l.: Idea Group Inc (IGI).
Kim, T.-h. & Fang, W.-c., 2010. Security Technology, Disaster Recovery and Business Continuity. Jeju Island: Springer.
Kizza, J. M., 2015. Guide to Computer Network Security. s.l.: Springer.
Kouns, J. & Minoli, D., 2011. Information Technology Risk Management in Enterprise Environments. s.l.: John Wiley & Sons.
Management Association, 2013. IT Policy and Ethics: Concepts, Methodologies, Tools, and Applications. s.l.: IGI Global.
Mattord, M. W. H. & Green, A., 2013. Principles of Incident Response and Disaster Recovery. s.l.: Cengage Learning.
Microsoft, 2013. Authentication Policies and Authentication Policy Silos. [Online] Available at: https://technet.microsoft.com/en-in/library/dn486813.aspx [Accessed 9 March 2015].
O'Gorman, L., 2003. Comparing passwords, tokens, and biometrics for user authentication. s.l.: IEEE.
Ruiz-Martinez, A., 2013. Architectures and Protocols for Secure Information Technology Infrastructures. s.l.: IGI Global.
SANS Institute, 2014. Disaster Recovery Plan Policy - SANS Institute. [Online] Available at: https://www.sans.org/security-resources/policies/general/pdf/disaster-recovery-plan-policy [Accessed 9 March 2015].
SANS Institute, 2014. Password Policy - SANS Institute. [Online] Available at: https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy [Accessed 9 March 2015].
Senft, S., Gallegos, F. & Davis, A., 2012. Information Technology Control and Audit. 4th ed. s.l.: CRC Press.
Watters, J., 2013. Disaster Recovery, Crisis Response, and Business Continuity. s.l.: Apress.
