Cloud Outsourcing, Disaster Recovery, and Security Bundle

  • ID: 3302147
  • Report
  • Region: Global
  • Janco Associates, Inc
IT managers have eagerly implemented cloud applications to reap the benefits: lower hardware and energy costs, more flexibility, faster delivery of new and changed applications, and improved day-to-day resilience.

But when disaster strikes, some IT managers find that their disaster recovery techniques and hardware configuration have not kept pace with their changed production environment, and they are stuck, along with their recovery times, in the pre-cloud era. They wrongly assume that the improved day-to-day resilience of a cloud environment lessens the need for disaster recovery (DR) planning. The opposite is true: because many workloads are consolidated onto shared hosts and storage, a catastrophic hardware failure in a cloud environment takes down many more applications at once than the same failure would in a non-virtualized environment, which makes DR planning and implementation more critical, not less.

Protecting the business means protecting ongoing access to functional applications, servers and data; traditionally that has meant backing up data. But backing up the data is only half of the equation: if you cannot restore it, the backup effort is wasted. A business that relies on tape backup alone will find restoration easy only for the simplest failure, and only if everything goes perfectly. If a hard disk fails, all the backup tapes are good, and the staff is practiced at the repair and restore, you may be able to buy a replacement part and be back up within a couple of hours, though the data will be from the last backup. If the problem is more complicated, for instance a replacement server is needed, you will probably need a day or two to get new hardware in place before you can even begin to recover.

The right way to evaluate the quality of your system and data protection is to set and then measure a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO). The RTO is the maximum acceptable time between the disaster and the return of service; the RPO is the maximum acceptable data loss, expressed as the age of the most recent copy you can actually restore. A recovery that takes longer than the RTO, or that restores data older than the RPO, has failed even if it eventually succeeds.

The best way to ensure a fast recovery is to have replacement equipment standing by at an off-site location, with the necessary software and configuration already in place, so that users and data can be transferred quickly. Best practice is a remote data center with servers, storage, networking equipment and internet access.

Restoring to this remote data center from backup tapes will likely take too long, assumes the tapes were not affected by the original problem, and still leaves the risk of recovering only old data. Instead, replication software can be used to keep the standby systems continuously updated.

A four-hour RTO and RPO require:

- Off-site hardware and infrastructure to run servers and applications
- Data updates to the DR site at intervals well under four hours, preferably in real time (a failed or delayed replication cycle must be detected, or the copy at the DR site silently falls outside the RPO)
- Continuous updates of the application and OS configuration at the DR site (without this, recovery may fail after a patch or an upgrade in production)
- A method to deal with any hardware differences between the production and recovery environments
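The following is an added example, not code from the Janco bundle, that turns the four requirements above into a check a DR team can run after each drill: it measures the achieved RPO from a replication log (counting only successful cycles), measures the achieved RTO from drill timestamps, and diffs production and DR configuration manifests to catch the drift that makes a recovery fail after a patch. The replication log, drill times and manifests are constructed sample data; the four-hour objective is the one stated in the text.

```python
"""Added example: evaluating a DR site against a four-hour RTO/RPO.

Not part of the Janco bundle.  The replication log, drill timestamps and
site manifests below are constructed sample data.
"""
from datetime import datetime, timedelta

OBJECTIVE = timedelta(hours=4)  # the four-hour RTO and RPO from the text


def parse_ts(s):
    """ISO-8601 timestamp string -> datetime (naive; all samples share one zone)."""
    return datetime.fromisoformat(s)


# Constructed replication log: one entry per replication cycle to the DR site.
# Cycles run every two hours, but the last two failed, so the newest usable
# copy at the DR site is the 04:00 one.
REPLICATION_LOG = [
    ("2024-03-01T00:00:00", "ok"),
    ("2024-03-01T02:00:00", "ok"),
    ("2024-03-01T04:00:00", "ok"),
    ("2024-03-01T06:00:00", "failed"),
    ("2024-03-01T08:00:00", "failed"),
]

# Constructed drill timeline.
DISASTER_AT = parse_ts("2024-03-01T09:30:00")   # production lost
DECLARED_AT = parse_ts("2024-03-01T09:45:00")   # disaster declared, failover started
RESTORED_AT = parse_ts("2024-03-01T13:00:00")   # users back on the DR site

# Constructed package/config manifests (name -> version or config hash).
PROD_MANIFEST = {"openssl": "3.0.13", "app-server": "2.8.1", "app.conf": "sha256:ab12"}
DR_MANIFEST = {"openssl": "3.0.11", "app-server": "2.8.1", "app.conf": "sha256:ab12"}


def achieved_rpo(log, disaster_at):
    """Data actually lost: time from the last *successful* cycle before the
    disaster to the disaster itself.  Failed cycles do not move the point."""
    last_ok = max(
        (parse_ts(ts) for ts, status in log
         if status == "ok" and parse_ts(ts) <= disaster_at),
        default=None,
    )
    if last_ok is None:
        return None  # no usable copy at the DR site: RPO is unbounded
    return disaster_at - last_ok


def achieved_rto(declared_at, restored_at):
    """Outage as experienced by users, from declaration to restored service."""
    return restored_at - declared_at


def config_drift(prod, dr):
    """Entries whose version differs between sites (missing on one side counts)."""
    return {
        name: (prod.get(name), dr.get(name))
        for name in sorted(set(prod) | set(dr))
        if prod.get(name) != dr.get(name)
    }


def evaluate(log, disaster_at, declared_at, restored_at, prod, dr, objective=OBJECTIVE):
    """Return a list of findings; an empty list means the site met its objectives."""
    findings = []
    rpo = achieved_rpo(log, disaster_at)
    if rpo is None or rpo > objective:
        findings.append(f"RPO missed: achieved {rpo}, objective {objective}")
    rto = achieved_rto(declared_at, restored_at)
    if rto > objective:
        findings.append(f"RTO missed: achieved {rto}, objective {objective}")
    drift = config_drift(prod, dr)
    if drift:
        detail = ", ".join(f"{k}: prod={p} dr={d}" for k, (p, d) in drift.items())
        findings.append("configuration drift: " + detail)
    return findings


def sample_report():
    """Run the evaluation over the constructed sample data."""
    return evaluate(REPLICATION_LOG, DISASTER_AT, DECLARED_AT, RESTORED_AT,
                    PROD_MANIFEST, DR_MANIFEST)


if __name__ == "__main__":
    for line in sample_report() or ["all objectives met"]:
        print(line)
```

On the sample data the RTO is met (3h15m), but the RPO is missed at 5h30m even though replication is scheduled every two hours, because the two failed cycles are what determine the recovery point; and the OpenSSL version at the DR site lags production. Both are the kind of defect that a schedule alone, without measurement, hides.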

The bundle includes, in editable Microsoft Word and PDF formats:

- Practical Guide for Cloud Outsourcing, including job descriptions for the Manager of Cloud Applications and the Cloud Computing Architect, a sample contract, a service level agreement, an ISO 27001/27002/27031 security audit checklist, a Business and IT Impact Questionnaire and more.

- Disaster Recovery Plan (DRP), which can be used in whole or in part to establish defined responsibilities, actions and procedures for recovering the computer, communication and network environment after an unexpected and unscheduled interruption. The template is ISO 27000 series (27031), COBIT, Sarbanes-Oxley, PCI DSS and HIPAA compliant.

- Security Manual Template (ISO, COBIT, SOX and HIPAA compliant), including the Business Impact Questionnaire and a Threat and Vulnerability Assessment Form (PDF and Excel). It is a complete security manual and can be used in whole or in part to comply with Sarbanes-Oxley and to define responsibilities, actions and procedures for managing the security of your computer, communication, Internet and network environment.

Note: Product cover images may vary from those shown
Practical Guide for Cloud Outsourcing Table of Contents

How to Guide for Cloud Processing and Outsourcing
- License for This Document
- Limitations
- Cloud and Outsourcing Management Standard
- Service Level Agreements (SLA)
- Problem Responsibility
- Cloud Processing and Outsourcing Policy Standard
- ISO 31000 Compliance – Risk Management
- Cloud Processing and Outsourcing Approval Standard
- Cloud Outsource Service Provider Level Agreements and Metrics
- SLA and Metrics Reporting
- Finding and Selecting a Cloud Outsource Vendor
- Outline for RFP and Negotiation of Contract Terms
- Mutual Non-Disclosure Agreement
- Base Case Development
- Job Description - Manager of Cloud Applications
- Job Description - Cloud Computing Architect
- Sample Service Level Agreement
- Sample Metrics for Service Level Agreements
- Business and IT Impact Analysis Questionnaire
- ISO - Security Process Audit Checklist
- Outsourcing Security Compliance Agreement
- What's New

Disaster Recovery Plan Table of Contents

1.0 Plan Introduction
Mission and Objectives
ISO Compliance Process
ISO 27031 Overview
ISO 22301
ISO 28000
1.2 Disaster Recovery / Business Continuity Scope
1.3 Authorization
1.4 Responsibility
1.5 Key Plan Assumptions
1.6 Disaster Definition
1.7 Metrics
1.8 Disaster Recovery / Business Continuity and Security Basics
Server Requirements
Recovery Procedures
Role of Social Networking
Designated operators
Designated manager
External resources

2.0 Business Impact Analysis
2.1 Scope
2.2 Objectives
2.3 Analyze Threats
2.4 Critical Time Frame
2.5 Application System Impact Statements
2.6 Information Reporting
2.7 Best Data Practices
2.8 Summary

3.0 Backup Strategy
3.01 Site Strategy
3.02 Data Capture and Backups
3.03 Backup and Backup Retention Policy
3.04 Communication Strategy and Policy
3.05 ENTERPRISE Data Center Systems
3.06 Departmental File Servers
3.07 Wireless Network File Servers
3.08 Data at Outsourced Sites (including ISPs)
3.09 Branch Offices (Remote Offices & Retail Locations)
3.10 Desktop Workstations (In Office)
3.11 Desktop Workstations (Off site including at home users)
3.12 Laptops
3.13 PDAs and Smartphones
3.14 BYODs

4.0 Recovery Strategy
4.1 Approach
4.2 Escalation Plans
4.3 Decision Points

5.0 Disaster Recovery Organization
5.1 Recovery Team Organization Chart
5.2 Disaster Recovery Team
5.3 Recovery Team Responsibilities
5.3.1 Recovery Management
5.3.2 Damage Assessment and Salvage Team
5.3.3 Physical Security
5.3.4 Administration
5.3.5 Hardware Installation
5.3.6 Systems, Applications and Network Software
5.3.7 Communications
5.3.8 Operations

6.0 Disaster Recovery Emergency Procedures
6.1 General
6.2 Recovery Management
6.3 Damage Assessment and Salvage
6.4 Physical Security
6.5 Administration
6.6 Hardware Installation
6.7 Systems, Applications & Network Software
6.8 Communications
6.9 Operations

7.0 Plan Administration
7.1 Disaster Recovery Manager
7.2 Distribution of the Disaster Recovery Plan
7.3 Maintenance of the Business Impact Analysis
7.4 Training of the Disaster Recovery Team
7.5 Testing of the Disaster Recovery Plan
7.6 Evaluation of the Disaster Recovery Plan Tests
7.7 Maintenance of the Disaster Recovery Plan

8.0 Appendix
8.01 Disaster Recovery – Business Continuity Plan Distribution
8.02 Disaster Recovery – Business Continuity Remote Location Contact Information
8.03 Disaster Recovery – Business Continuity Team Call List
8.04 Disaster Recovery – Business Continuity Team Vendor Contacts
8.05 Disaster Recovery – Business Continuity Off-Site Inventory
8.06 Disaster Recovery – Business Continuity Personnel Location Form
8.07 Disaster Recovery – Business Continuity LAN Hardware/Software Inventory
8.08 People Interviewed
8.09 Preventative Measures
8.10 Sample Application Systems Impact Statement
8.11 Job Descriptions
Disaster Recovery Manager
Manager Disaster Recovery and Business Continuity
Pandemic Coordinator
8.12 Application Inventory and Business Impact Analysis Questionnaire
8.13 Key Customer Notification List
8.14 Resources Required for Business Continuity
8.15 Critical Resources to Be Retrieved
8.16 Business Continuity Off-Site Materials
8.17 Work Plan
8.18 Audit Disaster Recovery Plan Process
8.19 Vendor Disaster Recovery Planning Questionnaire
8.20 Departmental DRP and BCP Activation Workbook
8.21 Web Site Disaster Recovery Planning Form
8.22 General Distribution Information
What to do after an Explosion - Terrorist Attack
How to Clean Up After a Disaster
8.23 Business Pandemic Planning Checklist
8.24 Disaster Recovery Sample Contract
8.25 Incident Communication Plan
8.26 Social Networking Checklist
8.27 Safety Program Forms
Area Safety Inspection Report
Employee Job Hazard Analysis Acknowledgement
First Report of Injury
Inspection Checklist – Alternative Location
Inspection Checklist – Office Areas
New Employee Safety Checklist
Safety Program Contact List
Training Record
8.28 Physical and Virtual Server Security Policy
Policy Purpose
Policy Statement
Terms and Definitions
Server Requirements
Server Configuration Guidelines

9.0 Change History
License Conditions

Security Manual Template Table of Contents

Security - Introduction
- Scope
- Objective
- Applicability
- Best Practices When Implementing Security Policies and Procedures
- Web Site Security Flaws
- ISO 27000 Compliance Process
- Security General Policy
- Responsibilities

Minimum and Mandated Security Standard Requirements
- Best Practices to Meet Compliance Requirements
- Best Practices to Manage Compliance Violations
- Best Data Destruction and Retention Practices
- What Google Knows
- Internet Security Myths

Vulnerability Analysis and Threat Assessment
- Threat and Vulnerability Assessment Tool
- Evaluate Risk

Risk Analysis – IT Applications and Functions
- Objective
- Roles and Responsibilities
- Program Requirements
- Frequency
- Relationship to Effective Security Design
- Selection of Safeguards
- Requests for Waiver
- Program Basic Elements

Staff Member Roles
- Basic Policies
- Security - Responsibilities
- Determining Sensitive Internet and Information Technology Systems Positions
- Personnel Practices
- Education and Training
- Contractor Personnel

Physical Security
- Information Processing Area Classification
- Classification Categories
- Access Control
- Levels of Access Authority
- Access Control Requirements by Category
- Implementation Requirements
- Protection of Supporting Utilities

Facility Design, Construction and Operational Considerations
- Building Location
- External Characteristics
- Location of Information Processing Areas
- Construction Standards
- Water Damage Protection
- Air Conditioning
- Entrances and Exits
- Interior Furnishings
- Fire
- Electrical
- Air Conditioning
- Remote Internet and Information Technology Workstations
- Lost Equipment
- Training, Drills, Maintenance and Testing

Media and Documentation
- Data Storage and Media Protection
- Documentation

Data and Software Security
- Resources to Be Protected
- Classification
- Rights
- Access Control
- Internet / Intranet / Terminal Access / Wireless Access
- Spyware
- Wireless Security Standards
- Logging and Audit Trail Requirements
- Satisfactory Compliance
- Violation Reporting and Follow-Up

Physical and Virtual File Server Security Policy
- Policy Purpose
- Policy Statement
- Applicability
- Terms and Definitions
- Server Requirements
- Server Configuration Guidelines

Network Security
- Vulnerabilities
- Exploitation Techniques
- Goal
- Responsibilities
- Resource Protection
- Configuration Management
- Dial-Up Controls
- Message Authentication
- Encryption
- Network Contingency Planning

Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data
- Policy
- Secure Network Standards
- Email Retention Compliance
- Privacy Guidelines
- Best Practices

Internet and Information Technology Contingency Planning
- Responsibilities
- Information Technology
- Contingency Planning
- Documentation
- Contingency Plan Activation and Recovery
- Disaster Recovery / Business Continuity and Security Basics

Insurance Requirements
- Objectives
- Responsibilities
- Filing a Proof of Loss
- Risk Analysis Program
- Purchased Equipment and Systems
- Leased Equipment and Systems
- Media
- Business Interruption
- Staff Member Dishonesty
- Errors and Omissions

Outsourced Services

Travel and Off-Site Meeting Special Considerations

Waiver Procedures
- Purpose and Scope
- Policy
- Definition
- Responsibilities
- Procedure

Incident Reporting Procedure
- Purpose & Scope
- Definitions
- Responsibilities
- Procedure
- Analysis/Evaluation

Access Control Guidelines
- Purpose & Scope
- Objectives
- Definitions of Access Control Zones
- Responsibilities
- Badge Issuance

Internet, Email, and Electronic Communication
- Overview
- Internet and Electronic Communication Policy
- Email

Blog and Personal Web Sites Policy
- Policy
- Rights to content
- Personal Website and Blog Guidelines – Non ENTERPRISE domains
- Security Standards

Mobile Access and Use Policy
- Overview
- Policy

Processes, Forms, and Checklists
- Security Violation Reporting
- Security Audit Report Form
- Preliminary Audit Security Checklist
- New Employee Security Acknowledgement and Release
- Internet & Electronic Communication - Employee Acknowledgment
- Email - Employee Acknowledgment
- Internet Use Approval
- Internet Access Request
- Security Access Application Form
- Blog Policy Compliance Agreement

BYOD Access and Use Agreement Form
- Mobile Device Access and Use Agreement
- Company Asset Employee Control Log
- Employee Termination Process

Supporting Materials
- Security Management Compliance Checklist
- Massachusetts 201 CMR 17 Compliance Checklist
- HIPAA Audit Program Guide
- ISO 27000 Security Process Audit Checklist
- Firewall Security Requirements
- Firewall Security Policy Checklist
- BYOD and Mobile Content Best of Breed Security Checklist
- 1. Business and IT Impact Questionnaire
- 2. Threat and Vulnerability Assessment Tool
- 3. Sarbanes-Oxley Section 404 Check List Excel Spreadsheet
Revision History
