Draganosky - Indiana University of Pennsylvania

Contingency Management
Indiana University of Pennsylvania
John P. Draganosky
Brief Overview

What is Contingency Planning?

Major Components

IUP Contingency Plan

IUP Information & Safeguard Security Program
Contingency Planning

The process by which the information technology and information security communities of interest position their organizations to prepare for, detect, react to, and recover from events, both human and natural, that threaten the security of information resources and assets.
Major Components

Incident Response Plan (IRP)

Disaster Recovery Plan (DRP)

Business Continuity Plan (BCP)
Major Components

Incident Response Plan (IRP)

Focuses on the immediate response to
an incident.

Any unexpected event is treated as an
incident, unless and until a response
team deems it to be a disaster.
Major Components

Disaster Recovery Plan (DRP)

Focuses on restoring operations at the
primary site.

If operations at the primary site cannot be quickly restored, the BCP is executed concurrently, enabling the business to continue at the alternate site until normal operations are restored.
Major Components

Business Continuity Plan (BCP)

Ensures that critical business functions
can continue if a disaster occurs.

BCP is activated & executed concurrently with the DRP when the disaster is major or long term & requires a fuller, more complex restoration of information & IT resources.
IUP Contingency Plan

The Incident – IRP

Some sort of facility compromise
 Fire and/or Water
 Terrorism or Bomb Threat
 Building Evacuation for an indefinite or unknown amount of time.

Reaction
 Activate DRP
 Switch all production operations & user services to the Alternate Site.
IUP Contingency Plan

The Incident – IRP

User Problems (Administration, Faculty, Staff, and the Students)
 Virus or Worm Attack
 Hardware Failure
 User-installed software problem that causes network problems (e.g., P2P & File Sharing)

Reaction
 Help Desk services are notified by the User
 TSC Network Operations management suspends all network activity to that PC & notifies that user’s Help Desk.
IUP Contingency Plan

The Disaster Recovery – DRP
Once operations are running at the Alternate site, the damage assessment team takes over to get the primary site cleaned up with Recovery Operations
 In the case of User Problems, if the PC has been compromised, every effort will be made to save the data before rebuilding begins
 Data is placed on a remote secured server & is put back on the PC after the rebuild is complete

IUP Contingency Plan

The Business Continuity – BCP
Primary & Alternate Hot site user services are always online together
 When the Primary site fails, the Alternate site picks up immediately due to server replication that runs constantly
 The only down time there is in switching sites is getting the alternate site staffed
 Once the Primary site is operational, replication from the alternate site will keep information current

IUP Information & Safeguard Security Plan

Information Protection Policy &
Safeguard Plan

Serves as the public portion of IUP’s
compliance with the Gramm-Leach-Bliley
Act (GLBA) defining what IUP will do &
who is responsible for doing it
IUP Information & Safeguard Security Plan

IUP Policy Statement

“It is the policy of Indiana University of Pennsylvania that all information be used in a manner that maintains an appropriate & relevant level of confidentiality & that provides sufficient assurance of its integrity in compliance with existing laws & PASSHE & University Policies.”
IUP Information & Safeguard Security Plan

Existing Laws & Policies
 Copyright Law
 US Code Title 18
 Family Educational Rights & Privacy Act (FERPA)
 Pennsylvania Library Theft Law
 Gramm-Leach-Bliley Act (GLBA)
 Health Insurance Portability & Accountability Act (HIPAA)
 Electronic Communications Privacy Act
 Federal Privacy Act

IUP Information & Safeguard Security Plan

University related information systems

“Individual users with critical information
maintained locally, i.e., on a PC, on paper,
or in other media, shall also take
appropriate steps to ensure that valuable
& confidential information not be lost,
damaged, or otherwise compromised.”
IUP Information & Safeguard Security Plan

University related information systems

“…confidential files should be locked when
not in use. Sensitive or confidential info
should be destroyed when discarded. It is
particularly important that passwords to
PC accounts with access to restricted
information not be shared.”
IUP Information & Safeguard Security Plan

Information Protection Procedures

All IUP PC systems are subject to the IUP
Information Assurance Guidelines.
Designated system administrators are
responsible for full compliance with the
guidelines including the provisions for the
physical & logical (authentication, secured
hosts, virus scanning, active monitoring,
backup/recovery) security management of
each computer system.
IUP Information & Safeguard Security Plan

Information Protection Procedures

Physical Access Controls
 “Organization of work areas to minimize security risks of physical exposure to personally identifiable information, including storage in locked file cabinets, rooms, or vaults.”
 Requirements to enter a valid UserID and Password to access PCs (log off of PCs when not in use, use password-protected screen savers).
IUP Information & Safeguard Security Plan

Information Protection Procedures

Physical Access Controls
 Organize personal information & papers: use the Clean Desk method
 IUP Password Requirements are to change logon/AD password every 180 days.
 IUP does not require email passwords to be changed
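The 180-day logon/AD password rotation above is a requirement that a designated system administrator (the role the Information Protection Procedures make responsible for compliance) can verify directly against the directory. The script below is an added example, not part of the IUP deck or any IUP tooling; it assumes the RSAT ActiveDirectory module is installed and the account running it has read access to the domain, and the 180-day threshold is taken from the slide.

```powershell
# Added example (not from the IUP deck): list enabled AD accounts whose logon
# password is older than the 180-day rotation requirement stated on the slide.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays = 180                         # value from the slide; adjust to your own policy
$Now        = Get-Date
$Cutoff     = $Now.AddDays(-$MaxAgeDays)

$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        # A null PasswordLastSet means "must change at next logon"; it is reported
        # alongside expired passwords and accounts flagged as never expiring,
        # since all three sit outside the rotation requirement.
        $_.PasswordNeverExpires -or
        $null -eq $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $Cutoff
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'AgeDays'
           Expression = {
               if ($_.PasswordLastSet) { [int]($Now - $_.PasswordLastSet).TotalDays } else { $null }
           } }

# Oldest passwords first, so the most overdue accounts are at the top of the report.
$Stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Hand the same list to the Help Desk / system administrators as a CSV.
$Stale | Export-Csv -Path .\stale-passwords.csv -NoTypeInformation
```

Run it from a workstation with RSAT under an account that can read user objects; the filter deliberately keeps only enabled accounts, so disabled or retired users do not inflate the report. Accounts with PasswordNeverExpires set are included because that flag silently exempts them from the domain password policy and is the most common reason a rotation requirement is not actually enforced.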
Review

Contingency Planning

Major Components

IRP – DRP – BCP

IUP Contingency Plan

IUP Information & Safeguard Security Program
Information Protection Policy
Information Protection Procedures
Questions?