March 10, 2022
Perform a Disaster Recovery and Risk Impact Assessment for a large national health institute.
- Client: Major National Health Institute
- Type of Service: Disaster Recovery and Business Risk Impact Assessment
The KLC IV&V Team started the project by analyzing the mission and the objectives of the client organization, and works closely with the CIO’s staff to understand the complexity of the project. Based on the objective, mission, and complexity, the KLC IV&V Team worked with the client to draft the scope of the Disaster Recovery Study project.
The project required thorough understanding of FISMA and federal and NIST requirements such as NIST Special Publications 800 series (800-30, 800-34, and 800-53), FIPS 199, and FIPS 200. Based on the NIST 800-53, the KLC IV&V Team worked with the CIO’s staff to gather the risk rating for each in-scope system using the client’s confidentiality and risk rating standards. The KLC IV&V Team guided the client’s staff and determined the risk rating of each application under different risk categories including confidentiality, availability, integrity, reputation, and organizational impact.
In addition, the KLC IV&V Team worked with the client’s staff to document the system and application components and dependent resources, and then determined the Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Downtime (MTD). Based on the information gathered for each application, KLC developed a table with color coding that clearly showed the risk rating of “High”, “Moderate”, and “Low” for each risk category. This table provided an easier way to demonstrate the risk of each application, and has become a tool for the client to prioritize the importance of each application in the Disaster Recovery planning.
KLC Consulting worked as a subcontractor with the client to perform an independent study of their Enterprise Disaster Recovery capabilities, and provide a detailed analysis on the impact of enterprise systems and applications. The goal was to provide a report to help the CIO office prioritize the system recovery based on multi-factor evaluation of systems critical to the organization.
Technical review of systems and applications include identifying:
- Operating Systems
- Network connectivity
- Database Management Systems
- Storage Devices
- Internal vs. Internet facing characteristics of applications
- Web server environment
- Middleware requirements
- Data Center environment, physical security and continuous power usage evaluation
KLC Consulting IV&V Team worked closely with the IT staff of the CIO’s office to define the scope of the study. The scope covered approximately 60 enterprise applications within the organization. The objective of the project was to use Federal security standards including NIST 800-53 (Recommended Security Controls for Federal Information Systems and Organizations), NIST 800-34 (Contingency Planning Guide for Federal Information Systems), NIST 800-30 (Risk Management Guide for Information Technology Systems), and FIPS 199 and FIPS 200 to identify the risks for each application. The IV&V Team also detailed the technical components and dependencies for each application, and their supporting organization to determine the level of controls on the dependency resources. KLC Consulting IV&V Team studied the dependencies such as operating systems, databases, applications, networks, internal vs. Internet facing characteristics, security control requirements, internal vs. external supporting resources and input.
In addition, the IV&V Team also visited the primary and future backup data centers to understand the capability of these facilities in an event that the Disaster Recovery Plan should be activated. The IV&V Team covers the physical controls, power consumption, continuous power usage and generation to ensure sufficient resources are in place for continuous operation.
The KLC Consulting Team then gathered security risk information for each of the applications and their associated dependency systems based on the FIPS 199, which include confidentiality, integrity, availability, as well as reputational impact. In addition, the KLC Consulting Team also gathered the Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) based on the NIST 800-34.
Once all of the information was collected, the KLC Consulting Team developed a color coded table with detailed overall risks, confidentiality and availability priority based on the client’s risk rating standards. The table is then included in the comprehensive Disaster Recovery Study report. The IV&V Team achieved the goal to help the agency identify risks, system recovery prioritizations and strategies. This project was completed on time and on budget.