Information Technology Division - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

Information Technology Division

Description:

... has been an ongoing activity, with annual reviews of the ITD risk register, and ... Multi-level firewalls. IDS/IPS. NAC (A/V and patch status) User ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 17
Provided by: questn
Category:

less

Transcript and Presenter's Notes

Title: Information Technology Division


1
  • Information Technology Division
  • BCP
  • Presented By
  • Roy Gregory
  • IT Security Manager

2
Introduction
  • The CQU Information Technology Division (staff
    and data centre) was relocated from the ground
    floor of the Library building into a newly
    established Building 19 in 1995.

3
When did we get started?
  • We commenced our BCP journey in the second half
    of 2002.
  • The driving factors were -
  • Queensland Audit Office criticism of the lack of
    a University-wide BCP
  • Queensland Government Information Standard 18
    Principle 9 (of 10)

4
How did we get started?
  • In August 2002 key ITD technical staff
    brainstormed an initial Risk Assessment.
  • 14 separate (high level) risks were identified,
    along with potential control measures.
  • Our greatest exposure was an outage of key
    business systems of up to 6 weeks as a result of
    a disaster in the Building 19 data centre.
  • A Risk Assessment Report was subsequently created
    and budget items for the following year were
    raised to address the most urgent control
    measures.

5
Getting assistance
  • Having secured limited funding, we engaged a
    Brisbane based consultant to-
  • Ensure that the BCP process we followed would
    meet with QAO approval
  • Work with us on the BCP process for Financial
    Services and Student Administration
  • The consultant provided us with a freeware MS
    Access project risk management tool to use for
    storing and reporting on our identified risks.

6
BCP documentation
  • With guidance and assistance from the consultant,
    we developed and have maintained, the following
    documentation-
  • Threats and Risk Assessment
  • BCP project overview and scope, limitations,
    assumptions, deliverables, risk database
  • Event Response Plan
  • Roles and responsibilities, team membership,
    contact details, action checklists, escalation
    process
  • Business Continuity Plan
  • Risk categories, treatment strategies, B19/B87
    service contingency status spreadsheet

7
A rude awakening!(or a blessing in disguise?)
  • In November 2002 an incident occurred which threw
    a new light on the BCP issue-

8
Not a pretty sight!
9
UPS meltdown
  • The initial incident resulted in a 10 hour
    outage, followed by a few weeks of running on
    unclean power, and another outage of a few hours
    to cutover to the replacement UPS (units - two of
    them).
  • This event highlighted the vulnerability of the
    infrastructure in the central data centre, and a
    commitment was made by Senior Executive to
    provide funding for the establishment of a second
    data centre.

10
The second data centre
  • For cost and logistical reasons, it was decided
    that the second data centre would be located on
    the CQU Rockhampton campus.
  • There is 700m of fibre in the ground between the
    2 data centres and at least 500m distance as the
    crow files.
  • Building 87, or The Bunker, which was designed
    in accordance with AS2834 (Computer
    Accommodation) and is capable of housing 22
    racks, was handed over to ITD in the middle of
    2004.

11
Second data centre (contd..)
  • The facility is protected by UPS, Genset, VESDA
    and 2 factor entry authentication (proximity card
    and PIN).
  • We have over the past 2 years progressively split
    infrastructure between the 2 facilities, with
    many services now supported in hot standby
    mode.
  • Our recovery timeframe for core business systems
    in the event of a disaster in the B19 data centre
    is currently up to 72hrs. With the deployment of
    HPs StorageWorks Continuous Access EVA product
    later this year, that timeframe will reduce to a
    couple of hours!

12
The Bunker

13
Risk identification and mitigation
  • This has been an ongoing activity, with annual
    reviews of the ITD risk register, and
    determination of budget items to address further
    risk mitigation measures for the following year.
  • When built, the main data centre (in B19) only
    had 3 of its 4 perimeter walls extend to the
    floor above. Earlier this year the forth wall
    was extended, along with replacement of the entry
    doors, resulting in the facility now having an
    official 1 hour fire rating. VESDA installation
    is planned for early next year.

14
Our current risk exposure

15
The Australian August 29/06
  • The 3 biggest threats are -
  • Human error
  • Robust change management process
  • Development/test environment
  • System failure
  • Removal of single points of failure
  • Routine testing and maintenance of supporting
    infrastructure (e.g. Gensets)
  • Malicious software
  • Multi-level firewalls
  • IDS/IPS
  • NAC (A/V and patch status)
  • User education
  • Admin rights

16
Ongoing issues
  • Lack of a University-wide Business Impact
    Analysis
  • Tech staff not keeping the BCP spreadsheet
    up-to-date
  • Lack of scheduled testing of standby generators
  • Lack of rechargeable torches in suitable
    locations
  • Staff leaving combustible material in data
    centres
  • Commitment to drilling the BCP
  • Availability of key staff out of hours
  • 85 of MOE staff users having local admin rights
Write a Comment
User Comments (0)
About PowerShow.com