Carteret Community College
“Education for Life”
Business Continuity Plan

Background Information

Carteret Community College is a leader in improving the quality of life for all citizens of Carteret County and Eastern North Carolina by offering high-quality education, training, enrichment, and support to all who need and value these services. Carteret Community College, located at 3505 Arendell Street, Morehead City, NC, was founded in 1962. Carteret Community College received accreditation from the Southern Association of Colleges and Schools to award associate degrees, diplomas, and certificates. The College was recently reaccredited by the Southern Association of Colleges and Schools in December 1999. Carteret Community College offers up-to-date vocational technological training and features programs that prepare students for the skills they need in the fast-paced information age, where computers and the Internet are changing the way business is conducted.

At Carteret Community College, the Information Technology (IT) department provides a total source, single point resource for computer support in accordance with the mission of Carteret Community College. The IT department is organizationally structured in the Administrative Services Division of the College. The IT department consists of 3 Directors and 3 support staff employees. The Director of Administrative Computing Services is also the UNIX Systems Administrator and has an Assistant UNIX Systems Administrator who reports to him. The Director of Software Solutions and Web Development is the College Webmaster and is responsible for software, database, and web design and development. The Director of Network Technologies has a Senior Information Technology Specialist and an Information Technology Specialist who report to him. All of the Directors report to the Vice President of Administrative Services, who reports to the President of the College (see Appendix A IT Organization Chart).
The IT department is designed to provide administrative and instructional support for the College to allow for the most effective, efficient, and economical utilization of computer systems while at the same time providing protection of equipment and data.

Introduction

A comprehensive Business Continuity Plan focuses on sustaining an organization’s operations during and after a disruption of technology resources. This plan focuses on operations at Carteret Community College (CCC) that involve Information Technology (IT) resources and telecommunications. IT resources at CCC are supported by the staff of the IT department, a component unit of the Administrative Services Division. This plan consists of:

A Business Impact Analysis that describes the critical functions of IT at the College and identifies the impact on the business of the College if a critical function is unavailable.
A Contingency Plan that discusses how any interruption in service, including minor disruptions, will be dealt with.
A Disaster Recovery Plan that focuses on catastrophic emergencies that disrupt services and that may require complete relocation or rebuilding of facilities.

Table of Contents

Business Impact Analysis
    Description of Process and Narrative of Critical Systems
Contingency Plan
    Disaster Risks and Prevention
    Risk Prevention and Information Technology Security Policies and Procedures
    Administrative Computing System Access and User Rights
    System Access Security Procedures
    Administrative Computing Access Security
    Campus Network and Email Systems Security
    Backup Procedures
    Administrative Computing Systems
    Campus Network Servers
    Anti-Virus Procedures
    Desktop Workstations
    College Network Servers
    Anti-Spam Procedures
    Critical Systems and Applications
    Risk Assessment
    Applications Risk Assessment
    Administrative Systems Risk Assessment
    Procedural Risk Assessment
    Personnel Risk Assessment
    Information Technology Notification List
    Assessment of Disruption Procedures
    Recovery Operations
    Recovery Procedures
    Return to Normal Operations
Disaster Recovery Plan
    Introduction
    Assumptions
    Disaster Preparation
    Disaster Notification List
    Damage Assessment
    Notification and Activation Phase
    Recovery Operations
    Disaster Recovery Preparations
    Recovery Operations
    Recovery Procedures
    Return to Normal Operations (Reconstitution Phase)
Appendices
    Appendix A: IT Organization Chart
    Appendix B: Maintenance Contract Vendor List
    Appendix C: Technology Acceptable Use Policy
    Appendix D: Campus Network Diagrams
    Appendix E: Datatel/UNIX Access Rights Request Form
    Appendix F: Student Data Access Agreement and Security Procedures

Business Impact Analysis

Description of Process and Narrative of Critical Systems

The IT Staff has broken down the critical functions as they relate to the different services provided by the IT Department.
Based upon current administrative/instructional operations and workflows and the anticipated impact of loss of IT resources on these workflows, a contingency plan has been developed for all identified critical systems. Campus network stakeholders have been identified as follows: Administrative Staff, full and part-time Faculty, full and part-time Students.

Carteret Community College has broken down critical functions of the IT Department and then further broken down these global groups into more specific services provided. The following five functions have been determined to be critical IT global concerns:

Local Area Networks (LAN)
Wide Area Networks (WAN)
Telephone Systems
Servers
Workstations

Critical IT Resources Identified in Relation to the Global Concerns

Local Area Networks: Switches, Network Cabling, Access Points, Network Cabling to end nodes
Wide Area Networks: NCSU Router, Router Cables
Telephone Systems: Cisco Call Manager, Nortel System, Call Pilot Voice Mail
Servers: Staff Email, Student Email, Staff Authentication and File Storage, Student Authentication and File Storage, DNS/DHCP, BlackBoard, Call Manager, Student FTP, Eprocurement/BookLog, Fire/Paralegal Software, Web Server, IP Camera Server, Terminal Services, IIPS, Datatel
WorkStations: Desktops, Laptops

The following is a list of other critical needs that are not provided by the IT Department:

Heat, Ventilation, and Air Conditioning
Electric Power
Facilities
Physical Security

The five critical functions of IT need to be evaluated independently due to the diverse and unique qualities each one possesses. The evaluation below focuses on each of the 5 critical IT functions.

I. Local Area Network (LAN)

Definition: Fiber Optic cable linking each building, network cabling to each end node, the Michael J. Smith Building, wireless or wired devices such as switches and access points that allow network connectivity.

A.
The maximum time the department could operate without this function is four hours.
B. The maximum amount of this operation that could be lost without a significant impact on this department is unknown due to the large number of scenarios that could happen. If the core switch located in the Michael J. Smith Building was lost, then almost all communications would fail. If there was a fiber optic cut, then that one building could lose connectivity or, depending on the building’s location, multiple buildings that communicate through that one failed connection could lose communication. If a connectivity device failed, we could restore communication fairly quickly. The chart below shows the estimated downtime for each device:

Device | Minimum Down Time
Core Switch | 1 day
Switch | 4 hours
Access Point | 1 day
Fiber Cut | 1 day
Local network cable cut | 1 day

C. The estimated financial loss would be significant.
D. The non-financial loss would be loss of reputation, loss of goodwill, and a loss of confidence.
E. An event when the resource is more critical would be during registration.
F. The electronic and non-electronic media required for this function is fiber optic cabling, category 5e or 6 copper cabling, servers, desktops, phones, IT Staff, switches, and access points.
G.
Work Around Section

Device | 4 Hours | 1 Day | 1 Week | 1 Month
Core Switch | No fix | Replacement should arrive in one day | Warranty states the switch will be replaced in one day | Students will need to be moved to local high schools
Endpoint Switch | IT will replace within 4 hours | Same as 4 hour fix | Same as 4 hour fix | Same as 4 hour fix
Access Point | IT will replace if budget allows as these have no warranty | Same as 4 hour fix | Same as 4 hour fix | Same as 4 hour fix
Fiber Cut | No fix, it will take a minimum of 1 day to fix depending on severity | Should be resolved in a day | See one day fix | See one day fix
Local Network Cable Cut | Should be resolved in 4 hours | Same as 4 hour fix | Same as 4 hour fix | Same as 4 hour fix

Additional Notes and Recommended Strategies:

If the core switch (the Cisco 4006 located on the first floor of the Michael J. Smith Building) fails, all data communications between buildings will fail, and those buildings using VoIP for a phone system will lose phone service as well. As this is the end point for building communications, VoIP will fail as well as printers and other network devices. To combat this issue the college must maintain a warranty for the 4006 that allows for replacement in one day due to failure. The end point switches can be replaced within four hours. The access points will be replaced depending on budgets. A fiber cut will take a minimum of one day to repair. A local network cable cut can be repaired within four hours. All warranties for core switching devices need to be maintained with a maximum replacement period of one day. A supply of network cable and other necessary tools and connectors should be maintained for any internal wiring failures.

II. Wide Area Network (WAN)

Definition: The WAN is the router and the cable connecting the 4006 to the router. Router support is provided by NCSU and they would have it replaced within two days.
The WAN is what connects the local area network to the internet.

A. The maximum time the department could operate without this function is four hours.
B. The maximum amount of this operation that could be lost without a significant impact on this department is about four hours.
C. The estimated financial loss would be significant.
D. The non-financial loss would be loss of reputation, loss of goodwill, and a loss of confidence.
E. An event when the resource is more critical would be during registration.
F. The electronic and non-electronic media required for this function is the router and any network cables attached to it.
G. Work Around Section
There is no workaround. We do not have the financial capability to maintain a spare router. NCSU will have a replacement here within two days. If the router remained down for an extended period, servers could be located at other community colleges so access could be regained.

Additional Notes and Recommended Strategies:

Contact with NCSU has been made questioning their ability to replace the switch and the time frame to perform this service. Devices need to be monitored and attached to an Uninterruptible Power Supply (UPS) at all times. If the outage was expected for an extended period, there are a few workarounds. We could partner with another community college and move critical servers to their location and then change our DNS settings to reflect this change. For seat classes that needed internet access, we could partner with an area high school to hold classes in the evening. A redundant network connection from another provider such as Time-Warner would allow for the quickest recovery of external connectivity if the failure is isolated to the WAN connection only.

III. Telephone Systems

Definition: The Phones are the Nortel phone system, the Cisco Call Manager, and any cabling needed to connect these devices. The Nortel system includes Call Pilot, which the campus uses for voice mail.

A.
The maximum time the department could operate without this function is four hours.
B. The maximum amount of this operation that could be lost without a significant impact on this department is about four hours.
C. The estimated financial loss would be significant.
D. The non-financial loss would be loss of reputation, loss of goodwill, and a loss of confidence.
E. An event when the resource is more critical would be during registration.
F. The electronic and non-electronic media required for this function is the phone switches, the Call Manager server, the Nortel servers, and any network cables attached to them.
G. Work Around Section
The workaround is to use individual cell phones during the outage.

Additional Notes and Recommended Strategies:

Centurion Maintenance from Sprint is used to warranty both the Cisco Call Manager and the Nortel System. Unless a catastrophic disaster to the area occurs, a reasonable restoration of service time period should be one day. The backup of the Call Manager needs to be maintained and a redundant Call Manager should be purchased in case of failure of the primary unit.

IV. Servers

Definition: Servers are all servers that users need to carry out their educational goals. There are twenty servers, which all have varying degrees of importance. A table will be included to define their importance further.

A. The maximum time the department could operate without this function is one day.
B. The maximum amount of this operation that could be lost without a significant impact on this department is about one day.
C. The estimated financial loss would be significant.
D. The non-financial loss would be loss of reputation, loss of goodwill, and a loss of confidence.
E. An event when the resource is more critical would be during class time.
F.
The electronic and non-electronic media required for this function is the server hardware, software and any network cables attached to it.
G. Work Around Section
If a hardware failure occurs, we would go through the IT procedure of calling Dell and determining which defective part needs returning. Depending on which server is affected, each one will have a different recovery period. We maintain a hardware maintenance contract through Dell for servers that are less than 5 years old. Anything older than 5 years is out of warranty.
H. Server Recovery Priority
Recovery priorities have been assigned for the identified system resources. High priorities are based on the need to restore critical resources within their allowable outage times; medium and low priorities reflect the requirement to restore full operational capabilities over a longer recovery period.

Server Recovery Priorities

Server Resource | Priority | Outage Impact | Max. Outage Time
Datatel | High | Users could not access administrative applications, including Payroll, HR, CF, and ST modules. | 8 hours
Unix (IIPS) | High | Users could not access administrative applications or legacy applications not running on Colleague. | 8 hours
GroupWise | High | Staff/Faculty could not send/receive email | 8 hours
Student Email | High | Students could not send/receive email | 8 hours
Staff Data Server | High | Staff/Faculty could not access stored data or authenticate to the network | 8 hours
Student Data Server | High | Students could not access stored data or authenticate to the network | 8 hours
DNS/DHCP Server | High | Users could not receive a dynamic IP address or internal DNS | 8 hours
BlackBoard | High | Users could not DL classes | 8 hours
Cisco Call Manager | High | User could not send or receive phone calls with the IP phones | 8 hours
Student FTP | Medium | Students data files could not be accessed | 1 day
Eprocurement | High | | 8 hours
Fire and Paralegal | Medium | Course specific software would be inaccessible | 1 day
IP Camera Server | Medium | IP camera storage and new recordings would be unavailable | 1 day
Terminal Server | Medium | Software on terminal server would be inaccessible for students | 1 day
Web Server | High | Users could not access Carteret Web Services | 8 hours
Web Advisor Server | High | Users could not access Web Advisor Services | 8 hours

Additional Notes and Recommended Strategies:

There are three external storage devices used to back up the servers. The tape backup units use DLT, SDLT, and LTO 2 tapes. Currently the tape backup units do not back up open files very well, so recovery may be limited. If there are open files they may not get backed up, and if there are system files that don’t get backed up the operating system may not be recoverable. The servers are all in a RAID 5 configuration, so a single hard drive failure would allow us to recover. Because most servers need 24 x 7 access, we need some way to either back up open files efficiently or have a built-in down time to perform a full, complete backup. We have moved 2 servers, Groupwise and Blackboard, to a Storage Area Network (SAN) to allow redundancy and better backups.
Server imaging is another technology which would allow the IT Department to get a full and complete backup, with the downside being that the server must be brought down to back up all files.

V. Workstations

A. The maximum time the department could operate without this function is one day.
B. The maximum amount of this operation that could be lost without a significant impact on this department is about one day.
C. The estimated financial loss would be significant.
D. The non-financial loss would be loss of reputation, loss of goodwill, and a loss of confidence.
E. An event when the resource is more critical would be during class time.
F. The electronic and non-electronic media required for this function is the workstation hardware and software.
G. Work Around Section
If a hardware failure occurs, we would follow the IT procedure of calling Dell and determining which devices need replacement. Depending on which workstation has failed, they will have different recovery periods. All workstations are purchased with a three year warranty, so if we are within that timeframe the faulty part will arrive the next day. If the workstation is past its warranty period, then the IT Department may have the faulty part available through the use of another system. The IT Department does have older computers available for use if the user’s workstation is incapacitated beyond a short period. If a situation arose where multiple workstations were unavailable due to a building outage, it is possible those staff or student users could be moved to a classroom after it was set up with the software they need.

Additional Notes and Recommended Strategies:

The workstations that are less than three years old are kept under a hardware maintenance contract through Dell. Anything older than that is out of warranty. There have been situations due to budgetary constraints where items such as laptops have only included one year warranties.
The recommended strategy is to continue with a three year initial warranty on all new workstation purchases.

VI. Additional Needs

There are several other critical needs that are not provided by the IT Department, including:

Heat, Ventilation, and Air Conditioning (HVAC)
Electric Power
Facilities
Physical Security

Additional Notes and Recommended Strategies:

The server room needs to remain well ventilated and the temperature controlled. Physical security should remain tight, as the area should never be left unattended. All doors need to be checked that they are secure as the last person leaves for the evening. IT Staff only should be allowed to enter the server room. All servers and critical workstations should be attached to a UPS. A generator should be purchased for the IT area, as all communications go through the Michael J. Smith Building. As the endpoint for multiple outside entities that use our router for their network needs, the purchase of a generator is imperative. Outside users are: CMAST, NCSU, Duke Marine Lab, local K-12 schools, NOAA, and UNC-Chapel Hill Marine Sciences. (Note: The Carteret County Commissioners appropriated money for the purchase of a generator for Fiscal 2008.)

Contingency Plan

Disaster Risks and Prevention

As important as having a disaster recovery plan is, taking measures to prevent a disaster or to mitigate its effects beforehand is even more important. This portion of the plan reviews the various threats that can lead to a disaster, where our vulnerabilities are, and steps we should take to minimize our risk.

Classification | Risk | Preventive Measure(s)
Physical Security | Fire | Smoke Detectors; Fire Alarm; Fire Extinguishers; No smoking policy; Fireproof media containers
Physical Security | Lightning | Proper grounding; Power conditioning/protection
Physical Security | Environment | Temp Control (AC); Separate AC for computer room; Temperature monitoring
Physical Security | Water | Computer room safe from water
Physical Security | Electricity | Clean electricity supply; UPS; Emergency Lighting
Physical Security | Intruder | Computer Room locked/secure; Windows locked; Network connections secure; Campus Security
Technical Security | Accessibility | Password authentication; Password length requirements; VPN Access to critical servers only; Firewall; Router ports blocked; Encryption/Secure Server Apps.
Infrastructure | Equipment Failure | Cable protection/conduit; Systems Maintenance Plans; Redundancy; Periodic testing
Infrastructure | Viral infections | Virus protection software; Anti-spam software; Backup systems/procedures; Activity Logs

Risk Prevention and Information Technology Security Policies and Procedures

A fire extinguisher rated for electrical fires shall be maintained in the computer room.

Uninterruptible Power Supplies (UPS) are connected to network and administrative servers. In the event of power loss, the IT staff will attempt to shut down suspended user processes in an orderly fashion that will prevent damage to the logical data structure.

The UPSs will be tested regularly. The test will consist of reviewing the display status of the UPS systems and ensuring that loads are within tolerance to allow acceptable backup time and to ensure batteries are charging properly.

A maintenance contract will be maintained for the Administrative Computer System and all critical systems.
A maintenance contract will be maintained for peripheral equipment, and the Director of Network Technologies and the Director of Administrative Computing Services/SA will be responsible for determining what peripheral equipment is included under the maintenance contract.

User departments are responsible for maintaining adequate training in the use of the application software. The Information Technology department will assist as needed to maintain as low a risk as possible for operational error.

User access rights will be maintained at a minimum level.

The Information Technology department shall include any appropriate features to enhance the ability of locally developed software to withstand operator error.

Appropriate software development practices shall be used to minimize software failure.

Appropriate system security shall be maintained. Practices common to the data processing industry and as recommended by the North Carolina Community College System (NCCCS), the NCCCS IIPS organization, and audit teams shall be adopted whenever possible.

It is the practice of Carteret Community College not to modify standard administrative software as delivered by Datatel or by NCCCS without specific guidance from the System Office or the State Auditor. Non-financial related software may be enhanced under exceptional circumstances, and vendor provided security patches are applied as directed by NCCCS.

Administrative Computing System Access and User Rights

Requests for access to applications or data on the administrative computing systems are submitted using an access request form. This form details the access being requested and security permissions required. The user’s supervisor must approve the access request form, and then the completed access request form is submitted for approval to the application area supervisor as listed below in the Application Area Approval Supervisors table.
The approved request is submitted to the IT department and serves as the documented basis for granting access to administrative system(s). The applicable approval supervisor is also responsible for authorizing access to the colon prompt or to Shell.

Application Area Approval Supervisors

Application Area | Approval Supervisor
Financial Applications: All CF Module applications | Janet N. Spriggs, Vice President of Administrative Services
Curriculum Student Records: All ST Module applications | Susan L. Smith, Registrar
Financial Aid: Financial Aid applications within ST Module | Susan L. Smith, Registrar
Human Resources: All HR Module applications | Janet N. Spriggs, Vice President of Administrative Services
Continuing Education: All Continuing Education applications within the ST module | Perry L. Harker, Vice President of Corporate and Community Education

Administrative Computing System Access Processes

The Director of Administrative Computing Systems/Systems Administrator (SA) or the Assistant Systems Administrator will set the access rights at the lowest level that will allow the user to perform the prescribed job functions.

All additions and changes of users and user rights must be authorized in writing by the application area supervisor.

Each year the IT staff will review the access rights for all users and require new approved access rights forms.

An Employee Termination Checklist is generated by the Human Resources Office when an employee is terminated for any reason. Termination of computer access rights is included on the checklist, and the Director of Network Technologies and Director of Administrative Computing Services/SA must sign the checklist indicating that the employee’s access rights have been terminated. The checklist must be completed and returned to Human Resources before the employee receives their final paycheck.
If a situation arises where an employee is terminated under unfavorable conditions, the Director of Network Technologies and the Director of Administrative Computing Services/SA are immediately notified by the Director of Human Resources or the Vice President of Administrative Services. All system access for the employee is immediately removed.

System Access Security Procedures

Administrative Computing Access Security

Each user shall have a unique user id and password.
Users should not share user ids. In the event of an emergency, user ids may be shared if a job function is required during the emergency.
Passwords should not be written down.
Users should protect the password from unauthorized persons.
The system shall require users to change their passwords every 30 days.
Passwords should not consist of information that may be easily associated with the user.
The password shall be a minimum of six characters long.
Active sessions on the Datatel system are logged out after 30 minutes of inactivity.
A console log of logins shall be maintained and periodically reviewed to determine if unauthorized login attempts occur.
A banner is displayed upon connection to the Administrative Computing Systems, both the IIPS Legacy system and the Datatel system, that warns against unauthorized use of the system.

Campus Network and Email Systems Security

Each user shall have a unique user id and password.
Users should not share user ids. In the event of an emergency, user ids may be shared if a job function is required during the emergency.
Passwords should not be written down.
Users should protect the password from unauthorized persons.
The password should be changed every 30 days.
The password shall be a minimum of six characters long.
A console log of logins shall be maintained and periodically reviewed to determine if unauthorized login attempts occur.
After a set number of invalid login attempts, the account is frozen for a specific period of time before it is released automatically.
A banner is displayed upon connection to the Virtual Private Network (VPN) that warns against unauthorized use of the system.

Backup Procedures

Administrative Computing Systems

All administrative, student, and operational records are fully backed up each working day at 11:00 PM on 8 mm data cartridges. The backup tapes for backups executed on Mondays, Tuesdays, Thursdays, and Fridays are reused every 3 months. The backup tapes for backups executed on Wednesdays are labeled and will be kept for 3 months. In addition, an End-Of-Month (EOM) backup for each month will be kept for 1 year, and an End-Of-Fiscal (EOF) year backup, which is executed in July after the General Ledger fiscal year end processes are run, will be kept for 5 years.

The daily backups executed on Monday, Tuesday, Thursday, and Friday are stored in the IT Computer Center. The Wednesday backup tapes, the EOM backup tapes, and the EOF backup tapes are stored in the safe located in the Corporate and Community Education Building.

College Network Servers

All College Email servers and File servers are backed up twice a week by doing full backups using BackUpExec from Veritas. We use DLT, SDLT, LTO2, and LTO3 tapes. The tapes are stored in the IT Computer Center.

Anti-Virus Procedures

Desktop Workstations

In an effort to prevent viral infections of College computing resources, all desktop computers are pre-loaded with Trend Micro Anti-Virus. The client workstations are configured to receive their antivirus updates through a decentralized server. As users log in to their computers, their workstations check with the anti-virus server to see if there are any updates available.
If there are updates available, the workstation performs an unattended install while the user continues to work. Workstations that are out of date due to old definition files are checked through the Trend Micro Anti-Virus server. When one is found to have out-of-date definitions, the user is requested to reboot their computer, and if that doesn’t resolve the problem an IT Specialist is dispatched to the employee’s workstation to update the definitions.

College Network Servers

In an effort to prevent viral infections from damaging campus server systems, all servers are maintained to run the most current virus definition files using Trend Micro or Kaspersky Anti-Virus software. The servers receive their updates automatically. The anti-virus logs are monitored to make sure they remain current with updates.

Anti-Spam Procedures

Carteret Community College uses two systems to monitor spam. As Email enters the campus, it goes through a Barracuda Anti-Virus/Anti-Spam server. We use Real Time Black Hole Lists to eliminate known spam sources and we use Bayesian scoring for the remainder of spam. The Barracuda device provides quarantine for users to review, remove, and release spam intended for them. We also use a product called Guinevere which further checks Email for viruses and spam. We have set up shared folders for willing participants to add spam as well, to allow for further identification of spam.

Critical Systems and Applications

Critical Systems

I. Administrative Computing Servers
UNIX Administrative Datatel Server
UNIX Administrative IIPS Legacy Server

II.
Novell Network Operating Systems 2 GroupWise 7.0 Novell 6.5 Server Available for all full-time and part time faculty/staff Novell NetMail 3.52 Novell 6.5 server Available for all curriculum students, staff, faculty Novell NetWare 6.5 Staff/Faculty authentication server and storage Available for all full-time and part time faculty/staff Novell NetWare 6.5 Student authentication server and storage Available for all full-time and part time faculty/staff Novell Netware 5.1 DNS/DHCP Server Available for all VLANS III. Stand Alone Windows Servers BlackBoard – Windows 2003 CISCO Call Manager 4.0 – Windows 2000 Student FTP Access Server – Windows 2000 Eprocurement and Booklog Server – Windows 2000 Fire Program and Paralegal Software Server – Windows 2000 IIS and Backup Software Host – Windows 2003 IP Camera Software – Windows 2003 Terminal Services Test Server – Windows 2003 IV. Stand Alone Critical Windows Desktops Guinevere Antivirus for GroupWise – Windows XP Workstation Page 19 of 44 “Education for Life” Carteret Community College “Education for Life” Business Continuity Plan V. Cisco Network Equipment Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco CISCO Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco EDC CivicCenter 110EastA 110EastB 110EastC 236WestA 334WestA 344WestB 344WestC 344WestD 344WestE 312EastA 312EastB 312EastC 312EastD 312EastE MarTec1 VPN 1stFloorWestAccessPoint 1stFloorEastAccessPoint 2ndFloorWestAccessPoint 2ndFloorEastAccessPoint 3rdFloorWestAccessPoint 3rdFloorEastAccessPoint MarTec1 MarTec2 MISTEST IT Tech Bench EDC CivicCenter WW WW WW WW WW WW WW WW WW WW WW WW WW WW MarTec VPN WW WW WW WW WW WW Martec MarTec MISDepartment IT MIS Department VI. 
Telephone Systems:
- Nortel Option 11
- Cisco Call Manager VoIP system
- Nortel Call Pilot Voice Mail

Cisco WS-C2950G-24-EI (EDC) Cisco WS-C3524-XL Cisco WS-C3750-24P Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C3750-24P Cisco WS-C3750-24P Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C3750-24P Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C2950G-48-EI Cisco WS-C3750-24P Cisco VPN Concentrator 3000 Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1200 Access Point Cisco 1100 Access Point Enterasys VH-2402S

Risk Assessment

Applications Risk Assessment

Application Probability of Interruption Email Medium Impact on Risk College Operations Medium Service Interruption Time Before Loss Potential Accelerates Email Medium Medium Loss of stored Email 2 days Internet Medium Low Service Interruption 1-2 days Use of Internet Services will be prohibited. College Financials Low High Service Interruption Major impact to operations College Financials Low High Loss of Data Payroll - HR Low High Service Interruption 1 normal business day; 1 hour during registration periods 1 normal business day; 1 hour during registration periods 1-2 days during payroll processing period Payroll - HR Low High Corrupt file transmissions 1-2 days during payroll processing period Student Applications Low High Service Interruption or Loss of Data Blackboard Medium High Service Interruption 1 normal business day; 1 hour during registration periods 1 day during semester classes Blackboard Medium High Loss of Data 2 days 1 day during semester classes Impact Medium impact, delay of Email delivery.
Medium impact, loss of stored Email communications; Data can be restored from backups and/or messages can be resent. Major impact to operations Major impact to operations during the 15th through the 30th of each month. Control Totals validated by Bank; Data can be resent. Major impact to operations Impacts classes and forces instructors to use alternate instructional methods. Impacts classes and forces instructors to use alternate instructional methods.

Administrative Systems Risk Assessment

Classification: Administrative Systems

Resource: All servers
Risk: Intrusion
Impact: Unauthorized disclosure, modification, or destruction of information and databases; compromised passwords and/or user accounts; server outages and unauthorized access; services or daemons.
Preventative Measures: Secure location of servers; periodic change of passwords; periodic audit of user accounts and passwords; system monitoring of logs; security classes; periodic patching of operating system; ensure only critical daemons are running.
Tier: 1
Recommended Actions: Perform annual vulnerability audits (summer); evaluate security templates.

Resource: 280R Sunfire Datatel System
Risk: System failure
Impact: Major impact on college operations.
Preventative Measures: Support contract with NCR.
Tier: 1
Recommended Actions: Mirroring server.

Resource: L9 and Powervault 128T Autoloader Backup System
Risk: Backup failure
Impact: Inability to create or restore a backup.
Preventative Measures: Periodic testing of backup; review of backup logs/alerts; periodic replacement of backup tapes; periodic cleaning of backup drive; support contract with NCR; backup using 8mm tape drive as an alternative backup each night.
Tier: 1
Recommended Actions: Implement a network backup system using either Fulcrum or another system which would take a snapshot of changed data each hour.

Resource: Sparc 20 Administrative servers (Legacy-dolphin)
Risk: System failure
Impact: Users could not access data and apply for new programs.
Preventative Measures: Periodic preventative maintenance; daily/monthly backups; periodic patching on operating system; support contract with NCR.
Tier / Recommended Actions: N/A

Resource: Sun v240 Web Advisor Server
Risk: System failure
Impact: Students are not able to see grades, financial aid information, and register for classes.
Preventative Measures: Periodic preventative maintenance; periodic backups; periodic patching on operating system; support contract with NCR.
Tier: 1
Recommended Actions: Implement a mirroring server to reduce down time and support contracts.

Resource: Dell Poweredge 2650 FA-Link; Ncmentor; Eprocurement
Risk: System failure
Impact: FA-Link-bookstore financial aid transactions will not post; Ncmentor-new prospect students will not be downloaded to datatel; Eprocurement-purchase orders will not be processed.
Preventative Measures: Periodic preventative maintenance; daily backups; periodic patching on operating system.
Tier: 2
Recommended Actions: Support contract and server mirroring.

Procedural Risk Assessment

Classification Procedural Resource Backup procedures User access Risk Impact Tier Recommended Actions Inaccessibility Longer system downtime; Place in Continuing N/A Network backup system to tapes users unable to perform Education Vault on a remote server. daily tasks. Continued Possible unauthorized College has adopted check- N/A access after access to college servers and out procedures for fullemployee data; possible unauthorized time employees; accounts termination disclosure, modification, or are deleted or locked after destruction of information. notification of termination; require Information Technology signatures on exit form; annual recertification of user forms and accounts. Patches (Unix Possible malfunction Usersofunable operating to perform system Operating daily tasks. System) Patches (Datatel Possible Users unable to perform applications) malfunction of daily tasks. administrative applications. Daily System Monitoring Preventative Measures Unauthorized access. Follow System Office procedures for patch installs.
Patches are loaded in test environment and tested prior to loading live account. Possible unauthorized Daily review of access to college servers and /var/adm/sulog, data; possible unauthorized /var/adm/messages, and disclosure, modification, or /var/cron/log. destruction of information. N/A N/A Extensive time to do more testing on the patches which are loaded in the test environment. 1

Personnel Risk Assessment

Classification: Personnel

Resource: Users
Risk: Failure to secure passwords and data
Impact: Possible unauthorized access to college servers and data; possible unauthorized disclosure, modification, or destruction of information.
Preventative Measures: Mandatory periodic password change procedures for servers and domains; supervisors are notified when noncompliance is found.
Tier: N/A
Recommended Actions: Promote password awareness.

Resource: IS Staff
Risk: Inability to cover all areas of responsibilities due to unexpected absences
Impact: Delays in technical support of users; extended downtime.
Preventative Measures: Support contracts on critical systems and equipment.
Tier: N/A
Recommended Actions: Cross-training of IT department personnel; create plan and implementation schedule; document daily procedures in IT department.

Information Technology Notification List

The emergency notification list for Information Technology is shown in the table below. College employees are asked to call the Helpdesk at 222-6196 to notify IT of problems and outages. All of the IT employees have access to the Helpdesk number on their campus phones. The emergency notification list is to be utilized when outages occur during hours that the College is closed.
Name Ken Martin David Looney John Green Debbie Favorite Chris Capoccia Title Director of Network Technologies Director of Administrative Computing Services/SA Senior IT Specialist IT Specialist Assistant Systems Administrator Campus Extension Cellular Home (252) 222-6243 (252) 342-9012 (252) 726-9012 (252) 222-6180 (252) 222-6273 (252) 222-6192 (252) 723-0087 (252) 342-6993 (252) 725-9642 (252) 223-2319 (252) 222-0670 (252) 223-3029 (252) 222-6390 (252) 241-7550 (252) 726-8982

Assessment of Disruption Procedures

Upon notification of disruption of service, the Director of Network Technologies or the Director of Administrative Computing Services/SA will immediately arrange to assess the extent of the damage or disruption. A typical assessment will include activities to determine:
- The cause of the disruption.
- Potential for additional disruption or damage.
- Affected physical area and status of physical infrastructure.
- Status of IT equipment functionality and inventory, including items that will need to be replaced.
- The estimated time to repair services to normal operations.

Once the assessment has been made, the Director of Network Technologies or the Director of Administrative Computing Services/SA will take the following steps:
1. Make arrangements with necessary IT staff to initiate recovery activities.
2. Notify the Vice President of Administrative Services.
3. If additional expenditures are required for recovery activities, seek approval from the Vice President of Administrative Services to proceed with activities.
4. Notify College employees and/or students as appropriate.
5. Proceed with recovery activities accordingly.
The Vice President of Administrative Services, the Director of Network Technologies, or the Director of Administrative Computing Services/SA, individually or in consultation, will determine if the interruption of computing services is having or will have serious consequences for the College. If it is determined that serious consequences may occur, the key contact persons in the table below will be notified immediately and appropriate notification will be sent to College employees and students. Notification may be sent via Email, Network Messaging, or Voicemail.

Office                                Contact Person        Campus Extension
President’s Office                    Dr. Joseph Barwick    222-6140
Instruction and Student Support       Dr. Fran Emory        222-6144
Corporate and Community Education     Perry Harker          222-6205
Public Information Office             Morgan Smith          222-6240
Bookstore                             Ronetta Gaskill       222-6254
Security                              Glendon Fletcher      222-6188 (Forwards to cell)
Student Enrollment Resources          Rick Hill             222-6151
Plant Operations                      Renee Donald          222-6159
Finance Office                        Christine Trigleth    222-6158
College Reception                     Receptionist          222-6000

Recovery Operations

Recovery operations can vary depending upon the nature of the disruption. Generally, interruptions of service on campus will fall into one of the following categories:
1. Electrical service interruption
2. Telephone service interruption originating off-site
3. Telephone system hardware failure
4. Voice mail system hardware failure
5. Core network component equipment failure
6. Server component failure
7. Telecommunications cable or fiber-optic line cut
8. Data loss or corruption due to extraneous event
9. Network logical failure
10. Applications failure
11. Virus attack

Recovery Procedures

The college has taken preventive measures as outlined above in routine contingency operations to reduce the likelihood of failures interrupting systems.
Systems are backed up, infrastructure is protected to a reasonable extent, and hardware has a reasonable level of redundancy built in. In spite of these measures, systems do fail from time to time. Upon notice of systems failure, the IT department staff will undertake immediate activities to assess the problem and implement the most expedient correction. The goal is to restore services as expeditiously as possible, using data backups and exercising equipment maintenance contracts and service level agreements as necessary to return the network, telecommunications systems, or campus central computing facilities to service. In the event of loss of data, the IT department will restore to the latest data backup level available at the time. Using the processes outlined in this plan, the IT department will take steps to keep the campus community informed when service interruptions occur and when service is restored.

Return to Normal Operations

In the reconstitution phase, recovery activities are terminated and normal operations are restored. Once the systems are restored to the level that they can support the IT system and its normal processes, the system may be transitioned back into normal operation. Activities in this phase will be performed by College IT staff under the direction of the Director of Network Technologies or the Director of Administrative Computing Services/SA. The following major activities will occur in this phase:
- Ensuring that adequate infrastructure support, such as electric power, water, telecommunications, security, environmental controls, office equipment, and supplies, is in normal operation.
- Restoring system hardware, software, and/or firmware as may be the case.
- Re-establishing connectivity and interfaces with network components and external systems.
- Testing system operations to ensure full functionality.
- Backing up operational data on the contingency system and uploading to the restored system.
- Terminating contingency operations.

Official notification will be made by the Director of Network Technologies or the Director of Administrative Computing Services/SA to the Vice President of Administrative Services. Official notification will be made to the College employees and students as appropriate by the Vice President of Administrative Services, the Director of Network Technologies, or the Director of Administrative Computing Services/SA.

Disaster Recovery Plan

Introduction

The purpose of the Disaster Recovery Plan is to guide the College management and technical staff in the recovery of network and administrative computing services and facilities in the event of a catastrophic disaster that destroys all or part of the IT facilities located at Carteret Community College, 3505 Arendell Street, Morehead City, NC. The primary focus of this part of the plan is to provide an orderly way to respond to a major disaster that destroys or severely impacts the central administrative computing systems and/or the campus network operated by the College IT Department. The intent is to provide a plan that will restore operations as quickly as possible with the latest and most up-to-date data available.
The following objectives have been established for the disaster recovery plan:
- Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
  o Notification/Activation phase to detect and assess damage and to activate the plan
  o Recovery phase to restore temporary IT operations and recover damage done to the original system
  o Reconstitution phase to restore IT system processing capabilities to normal operations.
- Identify the activities, resources, and procedures needed to carry out processing requirements during prolonged interruptions to normal operations.
- Assign responsibilities to designated personnel and provide guidance for recovering and continuing operations during prolonged periods of interruption to normal operations.
- Ensure coordination with other College staff who will participate in the contingency planning strategies.
- Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.

Assumptions

The following assumptions were used when developing the Disaster Recovery Plan:
- Catastrophic long-term disasters in which the College ceases to function for 30 days cannot be planned for. Computer services recovery from such an event will be part of a general recovery process.
- Some risks are acceptable. The College does not possess the necessary resources (financial and personnel) to protect itself against every conceivable risk.
- The campus network or critical server is inoperable at the College campus and cannot likely be recovered within 72 hours.
- Critical Systems/Applications are affected.
- Key personnel have been identified and trained in their emergency response and recovery roles; they are available to activate the Disaster Recovery Plan.
- Preventive controls (e.g., generators, environmental controls, fire extinguishers, and fire department assistance) are fully operational at the time of the disaster.
- Computer center equipment, including components supporting the campus network or critical server, is connected to an uninterruptible power supply (UPS) that provides 30 minutes to 1 hour of electricity during a power failure.
- The campus network or critical server hardware and software at the College campus are expected to be unavailable for at least 72 hours.
- Current backups of the application software and data are intact and available at the offsite storage facility.
- The equipment, connections, and capabilities required to operate are available at the alternate site(s) in New Bern, Craven County, NC, or in Raleigh, NC.
- Service agreements are maintained with hardware, software, and communications providers that service the College to support the emergency system recovery.

Disaster Preparation

When a hurricane or other potential disaster is expected, the Director of Network Technology and the Director of Administrative Computing Systems/SA will make two backups of the Administrative Computer Systems and the other critical systems prior to leaving the College. One set of backups will be placed in the safe in the Corporate and Community Education Building and/or the safe in the Finance Office at the McGee Building, and the Directors will take personal control of the second set of backups. The Directors will also maintain personal control of a copy of this Business Continuity Plan including the Disaster Recovery Plan.

All of the computer systems in the IT Computer Center will be covered with plastic and, if possible, moved as high as possible off the ground. All network printers and other hardware peripherals will be covered with plastic by the IT staff. All workstation users should also protect terminals, microcomputers, printers, and other technology equipment in their offices and work areas by covering them with plastic.
The Facilities Department will be responsible for providing necessary plastic for these tasks. All electronic equipment must be unplugged before employees leave the campus. The Facilities Department will be responsible for sandbagging entrances to all buildings on Campus. Additionally, the Facilities Department will board windows as applicable.

Disaster Notification List

The Disaster Notification List for an IT disaster is shown below. These people are to be notified as soon as possible when a disaster threatens or occurs.

Name Dr. Joseph Barwick Janet N. Spriggs Ken Martin David Looney John Green Debbie Favorite Chris Capoccia Glendon Fletcher Terry Murphy Tommy Rhue Title President Vice President of Administrative Services Director of Network Technologies Director of Administrative Computing Services/SA Senior IT Specialist IT Specialist Assistant Systems Administrator Head Security Officer Facilities Manager Director of Construction and Renovations Campus Extension (252) 222-6140 Cellular (252) 725-0928 Home (252) 728-0787 (252) 222-6224 (252) 723-0050 (252) 504-4740 (252) 222-6243 (252) 342-9012 (252) 726-9012 (252) 222-6180 (252) 222-6273 (252) 222-6192 (252) 723-0087 (252) 342-6993 (252) 725-9642 (252) 223-2319 (252) 222-0670 (252) 223-3029 (252) 222-6390 (252) 241-7550 (252) 726-8982 (252) 222-6188 (252) 222-6153 (252) 222-6188 (252) 723-0071 (252) 223-5979 (252) 240-0707 (252) 222-6198 (252) 241-6480 (252) 728-3780

Damage Assessment

Upon notification of disruption of service, the Director or Associate-Director, IST will immediately arrange to assess the extent of the damage or disruption. A typical assessment will include activities to determine:
- The cause of the disruption.
- Potential for additional disruption or damage.
- Affected physical area and status of physical infrastructure.
- The status of IT equipment functionality and inventory, including items that will need to be replaced.
- The estimated time to repair services to normal operations.

Once the assessment has been made, the Director of Network Technologies or the Director of Administrative Computing Services/SA will take the following steps:
1. Make arrangements with necessary IT staff to initiate recovery activities.
2. Notify the Vice President of Administrative Services.
3. If additional expenditures are required for recovery activities, seek approval from the Vice President of Administrative Services to proceed with activities.
4. Notify College employees and/or students as appropriate (include an estimate of time to repair, if possible).
5. Proceed with recovery activities accordingly.

Notification and Activation Phase

The Vice President of Administrative Services, the Director of Network Technologies, or the Director of Administrative Computing Services/SA, individually or in consultation, will determine if the interruption of computing services is having or will have serious consequences for the College. If it is determined that serious consequences may occur, the key contact persons in the table below will be notified immediately and appropriate notification will be sent to College employees and students. Notification may be sent via Email, Network Messaging, or Voicemail.

Office                                Contact Person        Campus Extension
President’s Office                    Dr. Joseph Barwick    222-6140
Instruction and Student Support       Dr. Fran Emory        222-6144
Corporate and Community Education     Perry Harker          222-6205
Public Information Office             Morgan Smith          222-6240
Bookstore                             Ronetta Gaskill       222-6254
Security                              Glendon Fletcher      222-6188 (Forwards to cell)
Student Enrollment Resources          Rick Hill             222-6151
Plant Operations                      Renee Donald          222-6159
Finance Office                        Christine Trigleth    222-6158
College Reception                     Receptionist          222-6000

Recovery Operations

Disaster Recovery Preparations

The Director of Network Technologies and the Director of Administrative Computing Services/SA will maintain backup copies of all software and data. The backups will be maintained to ensure availability in the event of an emergency or disaster. Specific backup procedures are documented in this plan.

The College will maintain agreements with one or more compatible sites at which essential operations can be performed. The Director of Network Technologies and the Director of Administrative Computing Services/SA shall coordinate with the system management personnel of the mutual aid sites for implementing the use of the site.

An individual plan for each department responsible for critical applications shall be maintained. The plan shall address actions to be taken if an emergency or disaster interrupts computer availability. The plan should consider the maximum time that the department could operate without computer support and periodic peak processing requirements. Each department should consider developing manual alternative processes to the automated computer processes and the entry of the data generated by the alternative process into the computer database. The plan should address individual items of equipment used by the department for data processing. A minimum level of capability shall be defined for each department. If the department is to continue limited operation at the mutual aid site, then the department plan should address how this is to be accomplished.
The College will maintain adequate insurance coverage to replace or repair the computer system in the event damages are caused to the computer systems that are not covered by a service agreement. Sources of replacement equipment will be maintained. This plan contains a list of primary equipment and replacement sources.

Recovery Operations

Recovery operations can vary depending upon the nature of the damage. Generally, disasters relating to IT services on the College Campus would fall into one of the following categories:
1. IT central computer room facilities located in Michael J. Smith Building are destroyed all or in part.
2. IT core network facilities and telephone/voice mail facilities located in Michael J. Smith Building and the adjoining Civic Center Building are destroyed all or in part.
3. Campus network or telecommunications facilities are lost to any other particular building on campus, but are confined to locations not affecting the core network equipment or central campus server farm.
4. All facilities are destroyed, resulting in a general campus shutdown.

Recovery Procedures

1. IT central computer room facilities located in Michael J. Smith Building are destroyed all or in part.

If the college’s central computer room is destroyed, all administrative computing applications and primary server applications would be lost. In this case, alternate servers would have to be purchased under expedited delivery, set up in the Wayne West Building, and the latest applications reloaded from backup tapes stored in the off-site location. Once services are restored to temporary status, continue with permanent facilities replacement.

2. IT core network facilities and telephone/voice mail facilities located in Michael J. Smith Building and the adjoining Civic Center Building are destroyed all or in part.
In this case, telecommunications facilities serving the entire campus would be destroyed, including the switchboard, the entire extension cross-connect facility, all central office trunks, and voice mail. This type of disaster would not be easily recovered from. Recovery would involve the following procedures:
- Relocating central office facilities to the Wayne West Building temporarily. This would have to be accomplished by the dial-tone provider.
- Using the services of Embarq, the college would have to contract to install replacement PBX components in the PBX cabinetry located in Civic Center Building. Once the Call Manager is operational again, we would have 50% of the campus phones available.
- Performing emergency communications by routing through the Cisco call manager to other buildings using the campus network once it is restored.

Upon the loss of Simpson building, the campus computing network core would be lost. This includes the fiber optic feeds that route to each building. The following procedure would restore the campus network in the shortest time possible:
- Using the Wayne West Building 4506 switch, establish a new, temporary core in the Wayne West Building.
- Obtaining replacement blades from Cisco using overnight delivery. This would restore the campus network within 1 day to the majority of campus buildings.
- Restoring the core switch configurations from backups.
- Contracting with a cable installer to evaluate if any buildings are without communications and to restore communications to the buildings using existing fiber lines or other means as necessary.

Once services are restored to temporary status, continue with permanent facilities replacement.

3. Campus network or telecommunications facilities are lost to any other particular building on campus, but are confined to locations not affecting the core network equipment or central campus server farm.

This situation would not affect the overall campus network or telecommunications facilities.
In this case the following procedures would be in effect:
- Installing a temporary building connection switch at the location where staff would be relocated.
- Providing service at alternate sites as necessary since all buildings on campus are wired.

Once services are restored to temporary status, continue with permanent facilities replacement.

4. All facilities are destroyed, resulting in a general campus shutdown.

Catastrophic long-term disasters in which the College ceases to function for an extended period cannot be planned for. Computer services recovery from such an event will be part of a general recovery process. In this event, select applications such as payroll could be performed by use of an alternate site at the discretion of the President.

Return to Normal Operations (Reconstitution Phase)

In the reconstitution phase, recovery activities are terminated and normal operations are transferred back to the College computer operations facility. If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new facility to support system processing requirements. Once the original or new site is restored to the level that it can support the IT system and its normal processes, the system may be transitioned back to the original or to the new site. Until the primary system is restored and tested, the contingency system should continue to be operated. Activities in this phase will be performed by College IT staff under the direction of the Director of Network Technologies and the Director of Administrative Computing Services/SA. The following major activities will occur in this phase:
- Ensuring adequate infrastructure support, such as electric power, water, telecommunications, security, environmental controls, office equipment, and supplies.
- Installing system hardware, software, and firmware. This activity includes detailed restoration procedures similar to those followed in the Recovery Phase.
- Establishing connectivity and interfaces with network components and external systems.
- Testing system operations to ensure full functionality.
- Backing up operational data on the contingency system and uploading to the restored system.
- Shutting down the contingency system.
- Terminating contingency operations. Official notification to be made by the Director of Network Technologies and the Director of Administrative Computing Services/SA.
- Notifying the Vice President of Administrative Services that operations have been restored to normal and systems use may resume.
- Notifying campus personnel that operations have been restored to normal and systems use may resume.
- Securing, removing, and/or relocating all sensitive materials at the contingency site.
- Arranging for recovery personnel to return to the original facility.

President’s Signature for Disaster Recovery Plan

Signature: Joseph T. Barwick
Joseph T. Barwick, President, Carteret Community College
Date: 7/10/07

Appendices

A. IT Organization Chart
B. Maintenance Contract Vendor List
C. Technology Acceptable Use Policy
D. Campus Network Diagrams
E. Datatel/UNIX Access Rights Request Form
F. Student Data Access Agreement and Security Procedures

Appendix A
IT Organization Chart

- Joseph Barwick, President
- Janet N. Spriggs, Vice President
- Ken Martin, Director of Network Technologies
- John Green, Sr. IT Specialist
- Terence Smith, Director Software Solutions and Web Development
- Debbie Favorite, IT Specialist
- David Looney, Director of Administrative Computing Svcs./SA
- Chris Capoccia, Assistant SA

Appendix B
Maintenance Contract Vendor List

- Administrative Computer Servers: NCR 800-876-7378
- Workstations and Servers: Dell 800-234-1490
- Telecommunications and CISCO Equipment: Embarq 800-786-6272

Appendix C
Carteret Community College Technology Acceptable Use Policy (TAUP)

The purpose of Carteret Community College’s technological resources is to enhance and support the educational mission of the college. All students, faculty, staff and public patrons are responsible for using CCC’s technological resources in an effective, ethical and lawful manner. These resources include but are not limited to: computers, computer networks and telecommunications, multimedia and hyper media, camcorders and VCRs, instructional television and video microscopes, telephones and voice mail.

Acceptable Use
- Use related to administrative and other support activities considered consistent with the mission of Carteret Community College.
- Use for purposes of, or in support of, education and research.
- Use consistent with the Acceptable Use Policies (AUP) for the North Carolina Research and Information Network (NCREN), the North Carolina Integrated Information Network (NCIN), and the National Science Foundation Network (NSFN). Copies of the AUPs for these organizations are available on each organization’s Internet Web Site.

Unacceptable Use
- Use of CCC technological resources that violates federal, state or local laws or statutes.
- Use of CCC technological resources which provides or assists in gaining unauthorized or inappropriate access to systems, software or data at CCC and/or other sites.
- Use for activities that interfere with the ability of others to use CCC’s technological resources effectively.
- Use for activities that result in the loss of another person’s work or unauthorized access to another person’s work.
- Use for distribution of obscene, abusive or threatening messages via electronic mail or other means.
- Use for distribution of chain letters or broadcasting to lists of individuals in such a manner that might cause congestion on the network.
- Use of CCC technological resources for commercial use or for profit-making enterprises except as specifically approved by the President.
- Use inconsistent with the Acceptable Use Policies of NCREN, NCIN and NSFN.

Conditions

Violations of this policy may be met with a reduction of access to CCC technological resources or with complete denial of access to CCC technological resources. Violators may be brought to the attention of CCC officials who may take legal action. Action taken by CCC does not preclude the possibility of legal action taken by others.

Modifications

CCC reserves the right to modify this policy at any time.

Appendix D
Campus Network Diagrams

Appendix E
CARTERET COMMUNITY COLLEGE DATATEL/UNIX ACCESS RIGHTS REQUEST FORM

Name: ________________________________ Login ID: _____________________
Department: ___________________________ Date: _________________________

Request to: ADD CHANGE DELETE

Security Classes (place an X next to the security class to be added or removed from user)

APPROVALS

All access rights must be approved by the employee's direct supervisor.
Security rights must also be approved by the authorized official for each specific application: CF, HR, or ST (CU & CE)

Supervisor's Signature & Title______________________________________________________________

College Financials Approval: ____________________________________ Approved for QB ____Shel____
VP, Administrative Services

Human Resources Approval: ____________________________________ Approved for QB ____Shel ____
VP, Administrative Services

Student Con-Ed Approval: ______________________________________ Approved for QB ____Shel____
VP, Corporate & Community Education

Student Curriculum Approval: ___________________________________ Approved for QB ____Shel____
Registrar

MIS USE ONLY

Date Access Rights Assigned: _____________________________
Rights Assigned By: ____________________________________

Annual User Review
2006_______ 2010_______
2007_______ 2011_______
2008_______ 2012_______
2009_______ 2013_______

Comments: ____________________________________________
______________________________________________________

Appendix F
Student Data Access Agreement & Security Procedures

This is to certify that I have read YOUR RESPONSIBILITIES UNDER THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974 and fully understand the legal requirements that accompany any access to student information. I am aware that allowing another individual to have access to my security code is in violation of the rights assigned to me with regard to student data. Furthermore, I will not allow my student to have access to the computer terminal(s) assigned to my area of responsibility without approval from the Director of Institutional Computing.

Security refers to the protection of all computer resources from damage of any kind and to the protection of data from (1) disclosure to any unauthorized persons, (2) unauthorized modification, or (3) unauthorized destruction.
While disclosure or damage may occur accidentally or intentionally, the results are the same. The security systems implemented in the following procedures will, if used properly, facilitate the protection and integrity of the institutional computing system’s data, software and hardware.

A. Each user is responsible for his/her User ID and the user must not share their ID with anyone under any circumstances.

B. Users must not leave their terminals unattended after logging in to the UNIX/Datatel system. If the user must be away from their station, the user is responsible for logging out of the system. Printed reports should be picked up from the printer immediately after printing is completed.

C. Employees requesting access to the UNIX/Datatel system must submit a Carteret Community College Administrative Computer Access Rights Request Form to their supervisor.

D. In addition, users who require access to the ‘ST’ mnemonic must have the Director of Student Services sign their Access Rights Request Form. These users must also sign a Student Data Access Agreement which certifies that they have read and understand The Family Educational Rights and Privacy Act of 1974, and that they accept the responsibility of securing all student data available to them.

E. If a user has reason to believe that security may have been violated, he/she must report the incident to their supervisor or to the Director of Institutional Computing immediately. The Director of Institutional Computing will investigate and reconstruct security as required.

By signing below I certify that I have read the above and fully understand the importance of a secure system. I accept the responsibility to secure all student data available to me and realize that inappropriate access may result in complete loss of access rights.

Name (printed): __________________________________

Signed: ________________________________ Date: ___________________