The Software Metrics And Testing Information Technology Essay
This report introduces a Business Continuity Plan (BCP) for Cart Retail Limited (CRL). CRL depends on people, information and communications to carry on its business; disruptions and disasters that affect these resources will have a far-reaching impact on the business and may result in its failure if an adequate plan is not put in place. The report provides a step-by-step guide to establishing and communicating a continuity plan in the event of a disaster.
This report looks at the pressing need for a BCP at CRL. The aim of the report is to enhance the current IT disaster plan and to provide thoroughly tested guidance on how to establish a full BCP with various counter measures that will help stem or avert any form of disaster to its IT infrastructure.
CRL is a retail software company which has only recently extended its sales beyond the shores of the UK. The company's website also acts as another source of income through web advertisements.
The current IT disaster plan used at CRL is a standard backup stored on obsolete hardware onsite. The disaster plan in place at CRL will not withstand today's IT threats; more so, it does not deal with unprecedented disasters.
2.0 Business Impact Analysis
2.1 Business Threats
CRL's current IT disaster plan shows that regular onsite backup is the only safeguard measure in place against any form of business risk or threat to the IT department. However, a partially completed but out-of-date Y2K disaster plan was also located. The Y2K disaster plan adds no value in terms of counter measures against the risks being faced by CRL. The business risks faced by CRL come in various forms, which could be natural, environmental and incited disasters (Myers, 1993, p.25).
Risk identification involves listing and assessing all possible types of risk imaginable to an organisation. Therefore it is very important that both pure and speculative risks facing CRL are identified at this stage in order to put the necessary measures in place to mitigate the risks (Hiles and Barnes, 2004, p.38).
2.1.1 Disasters and their impact
One of the numerous threats to CRL is denial of service (DoS); these could disrupt business for the company and the impact might lead to loss of profits, customers and business partners. DoS prevents access to the website or limits some of the website's functionality (Shue et al, 2006; Park and Lee, 2001; Garber, 2001). In February 2000, Yahoo, CNN and Amazon suffered a DoS due to a computer viral infection as a result of an attack (Joseph, 2005; Todd, 2000). Kessler (2001) estimated that Yahoo lost $500,000 in advertising revenue, Amazon lost $600,000, whilst CNN had a 5% decrease in online users. DoS can sometimes mean total loss of business. A case in point is Cloud Nine, a Hampshire-based company which had its web server hacked into; this resulted in its customers losing confidence in the company, thereby leading to its liquidation (Heikkila, 2002; Richardson, 2002).
Online identity theft is another major threat to CRL. Recent research has shown that the internet is prone to this form of threat (Fafinski, 2007; Lu et al, 2006; Calder and Watkins, 2005, pp.15-19). According to Ollington (2004, pp.12-14), numerous online retailers and banks have had their websites replicated in a spoofed manner by fraudsters to obtain customers' details which were later used in defrauding the customers.
Disgruntled staff also pose a threat to CRL's IT systems. History has shown that when companies fail to control their IT system an unhappy member of staff will alter the system (Taylor, 2009, p.32; Ollington, 2004, pp.18-20).
Another important threat is environmental disaster, which can disrupt business if the necessary measures to deal with these kinds of threat are not put in place. An environmental disaster like an explosion can sometimes lead to denial of access to CRL's site. An explosion in Hemel Hempstead in 2003 forced companies in the vicinity to relocate due to denial of access to their sites (Sharp, 2008, p.13; Sanders, 2005). However, companies with a continuity plan invoked their plan and relocated their business to a hot site (Sanders, 2005; Hiles and Barnes, 1999, pp.332-333).
When natural disasters like flooding, hurricanes, tsunamis and earthquakes occur, the results are very devastating for companies, in that these disasters can wipe out a company's entire facility. A typical example is Hurricane Katrina, which struck New Orleans, in a Gulf state of America, back in 2005 (Barton, 2008, pp.123-129); the devastation of Katrina was not limited to local business in New Orleans, as the effect was felt across some of the Gulf states and resulted in flooding, loss of power and lack of water.
It is very important that the company adopts a business continuity plan, as the impact analysis shows that if the business were to be a victim of any form of disaster the chances of the IT department recovering are very slim without an adequate plan.
3.0 Risk Management
3.1 Risk Treatment
The likelihood of these threats occurring varies; nevertheless, counter measures need to be put in place in terms of accepting the risk, mitigating the risk, stopping the risk and continuous planning for the risk (Sharp, 2008, pp.34-35; Borodzicz, 2005, pp.96-98; BCI, 2003). More so, CRL will need to update the Y2K disaster plan and integrate its existing risk register by adding all the identifiable internal and external threats into the register.
3.2 Prioritised Actions
CRL will have to take some prioritised counter measures in dealing with the risks that face the organisation, by mitigating some of the risks, stopping some of the risks or providing continuous planning for those risks that cannot be stemmed immediately. The measures have been set out in phases: phase 1 measures are immediate actions that will take up to a month, phase 2 measures take between 1 and 6 months, whilst phase 3 will take up to 18 months.
Phase 1 counter measures
One of the first measures to be taken by CRL is to ensure that the onsite storage hardware is replaced with the latest compatible storage hardware for site backup. Onsite backups have proven to be a success when disasters disrupt business partially, in that they ensure a quicker recovery by restoring data to the affected area when the data are stored properly (Calder and Watkins, 2005, p.186).
Secondly, antivirus software has to be installed on all of the computers being used at CRL to help prevent viral attacks that can lead to DoS (Ollington, 2004, p.105). Along with the antivirus, the network firewall security will be enhanced to ensure that hacking and theft of data is preventable (Sharp, 2008, p.33; Whitten, 2008; Ollington, 2004, pp.100-103). More so, to avoid disgruntled staff or human error disrupting business, all computers will now have restricted access control (Calder and Watkins, 2005, p.142). Furthermore, all usernames and passwords that are not operational will be deleted, and the Human Resources department will be notified about the latest Information Technology policy, which will be distributed to existing and new employees.
All outgoing emails will be accompanied by a digital signature embedded at the end of the mail. This will help in protecting the authenticity and integrity of the information being sent out of CRL (Calder and Watkins, 2005, p.210, pp.274-275; Ollington, 2004, pp.114-117).
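The measure above requires a digital signature at the end of every outgoing mail. The following Go program is an added example, not code from the report or from CRL, showing what that gives a recipient: a signature produced with the sender's private key verifies only when the body is unchanged and the matching public key is used, so a tampered or forged mail fails the check. It uses Ed25519 from Go's standard library; the algorithm, the trailer format and the sample mail are assumptions of the example (a production deployment would use S/MIME or OpenPGP so that mail clients verify the signature automatically).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// sigMarker separates the mail body from the embedded signature trailer.
// The marker text is an assumption of this example, not a CRL convention.
const sigMarker = "\n-- ed25519-signature: "

// NewKeyPair creates the signing key pair for one CRL sender. The private
// key stays with the sender; the public key is distributed to recipients.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignMessage appends a hex-encoded Ed25519 signature over the whole body
// to the end of the outgoing mail, as the phase 1 measure requires.
func SignMessage(priv ed25519.PrivateKey, body string) string {
	sig := ed25519.Sign(priv, []byte(body))
	return body + sigMarker + hex.EncodeToString(sig)
}

// VerifyMessage splits a received mail into body and signature and checks
// the signature against the sender's public key. It returns the body and
// whether the mail is authentic and unmodified; a mail without a trailer,
// with a malformed trailer, or signed by another key is reported as not ok.
func VerifyMessage(pub ed25519.PublicKey, signed string) (string, bool) {
	idx := strings.LastIndex(signed, sigMarker)
	if idx < 0 {
		return signed, false
	}
	body := signed[:idx]
	sig, err := hex.DecodeString(strings.TrimSpace(signed[idx+len(sigMarker):]))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return body, false
	}
	return body, ed25519.Verify(pub, []byte(body), sig)
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample mail, not a real CRL message.
	mail := "From: orders@crl.example\nSubject: Order 1042 dispatched\n\nYour order has shipped."
	signed := SignMessage(priv, mail)

	_, ok := VerifyMessage(pub, signed)
	fmt.Println("genuine mail verifies:", ok) // true

	// A body altered in transit must fail verification.
	tampered := strings.Replace(signed, "1042", "1043", 1)
	_, ok = VerifyMessage(pub, tampered)
	fmt.Println("tampered mail verifies:", ok) // false
}
```

The recipient-side check is the important half: a signature that nobody verifies protects nothing, so the public key has to reach customers and partners through a channel they trust, and the mail gateway should reject or flag outgoing mail that lacks the trailer.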
Phase 2 counter measures
In the event of a disaster that prevents movement, like the December snow that brought most of the UK to a standstill or the recent strike in Greece that stopped all city workers in Athens from travelling to work, the company will have to implement a Virtual Private Network (VPN) over a secured connection to allow workers to continue essential parts of the organisation's operation from wherever they are.
It is vital that CRL includes an escrow agreement with the various software vendors that it deals with, in case a vendor goes out of business (Calder and Watkins, 2005, p.198).
Phase 3 counter measures
One of the continuous planning measures that has to be in place is a hot site. A hot site is an agreement to have a company's essential functionality set up at another site by a business continuity specialist company in the event of a disaster (BCI, 2003). A hot site takes a few hours to be up and running with the latest offsite backed-up data. However, CRL does not have an offsite backup centre; hence an offsite backup will be an immediate priority for CRL.
The next line of action for CRL is to have a local offsite backup centre which is on a different flood plain, power grid or fault line to its present site. More so, it is vital that the credibility of the companies providing the hot site and the local backup centre is verified and that they are in compliance with the latest Data Protection Act (DPA). Whilst the negotiation for the hot site is ongoing, CRL will need to sign up to a temporary outsourced disaster recovery centre. An outsourced data centre can be in the form of a temporary mobile site which is constructed and transported to the client's choice of location (Sandhu, 2002, pp.135-136). Local offsite storage and the outsourced data centre will be phase 2 measures, in that they require less time to implement compared to the hot site.
Web content replication is another measure that will ensure that the essential content and structure of the website are captured over a secured Local Area Network. Content replication provides continuous access to business information and helps stem unplanned downtime by providing immediate, timely access to critical business information via remote access (Breton, 1998). Once content replication has been established, this will ensure that the hot site receives asynchronous or synchronous data and is ready to be used within a few hours should a disaster occur. Table 1 below shows the prioritised counter measures.
Time frame (months) | Counter measure actions
0 – 1 | New onsite storage; enhanced network firewall with restricted access on computers; new Information Technology policy
1 – 6 | Local offsite storage
Up to 18 | Web content replication
Table 1. Prioritised measures
All these counter measures will ensure that CRL is en route to establishing Business Continuity Management in compliance with the BS 25999 standard, as it has taken preventative measures to avoid business disruption (Taylor, 2009, p.81; Sharp, 2008, pp.5-6, p.8; BSI, 2007). Moreover, the security and backup measures mean that CRL is implementing ISO/IEC 27005, which forms part of the ISO/IEC 27001 series (BSI, 2008).
4.1 Plan Content
Planning is at the heart of business continuity management (Wan and Yuk-Hee, 2008), in that the first call of action following a minor or major disaster is the restoration, recovery and resumption of business through the continuity plan document (ASIS International, 2005, p.10; Myers, 1993, p.41). The continuity plan will detail all the necessary actions and steps that will be taken to get the business back to its normal level.
4.1.1 Phase Planning
Management will have to set up a crisis management team in which each member has a role and a delegated responsibility for preparing for an incident, before and after it occurs (Taylor, 2009, pp.19-20; Sharp, 2008, p.37). The task of the management team will be to assess the impact, respond to the incident by triggering the plan, contact the necessary parties and keep them informed if the plan is invoked, and take an informed decision on how to control the situation. More so, the plan will have a champion to oversee the planning, assign authority and make decisions. Setting up a full crisis management team is a phase 3 development of the plan; hence a subset of the team will be set up in phase 1 of the plan. Furthermore, it is vital that the continuity plan is also available offsite, in case the site is cordoned off to the public (Sharp, 2009, p.47).
Phase 1 of the development plan sets out the essential actions that have to be in place. The phase 1 plan will hold details of how to invoke the plan with the right authorisation, the system recovery document, contact details (details of clients, the insurance company, key personnel, media organisations and emergency services) and the priority order of recovery.
The phase 2 plan will hold details of the local offsite storage and the outsourced data centre. In addition, the phase 1 plan document will be incorporated into the phase 2 plan document and updated as required. Most importantly, the system recovery document will now hold details of how to use the offsite storage and the outsourced data centres to restore business normality. In phase 3 the crisis management team will be fully functional; details of the hot site and content replication will be incorporated into the phase 3 plan document alongside the latest system recovery document, which now includes the hot site and replication details with all the critical resources needed.
During the phase planning, training will be given to all personnel involved and all staff will be made aware of the continuity plan. In the event of a severe disaster at any phase of the plan, the company will declare a disaster, with a recovery time, to the necessary parties identified in the contact list. Also, all the necessary parties will be updated constantly regarding the situation and the earliest time of business resumption.
5.0 Testing and Maintenance
5.1 Testing Priority
A recovery plan without a dry run has no guarantee that it will fulfil its intended use. Therefore, it is important that all the measures taken against each risk are verified and validated. However, it is very difficult to exercise every possible test in this situation; CRL will therefore ensure that critical functional requirements are properly covered in the test activities.
5.1.1 Testing Phase
CRL will create the following documents: Test Plan, Test Design, Test Cases and Test Procedures (IEEE, 1998a). The first form of testing is by inspecting and reviewing the requirements, resources and the plan to ascertain that things are in order (Vliet, 2008, p.425; Perry, 1999, p.102).
Penetration testing will reveal any flaws in the IT security of the company, in that it involves the use of attacking techniques, conducted by trusted personnel, that are likewise used by hackers (BSI, 2008; SANS, 2002). If the system is breached or variations occur during testing, these are noted and actions are taken immediately to tighten the system security. Penetration testing will be performed onsite and offsite to ensure that the security level put in place is robust enough to handle any form of intrusion (Swanson et al, 2002, p.22).
Testing can also be used to determine how long it will take for the recovery process to be up and running. In order for CRL to establish the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in the event of a disaster, the backup systems onsite and offsite will be tested (Yanosky, 2007, p.65; Bakowski, 2006). The test will be a scheduled, automated one that checks the validity of the data being backed up and, in the same manner, that of the recovered data, within an appropriate time frame. Furthermore, the test will help in determining data accuracy and the point of recovery for the company (Boles, 2009). In addition, data stored on the existing obsolete storage will be retrieved and transferred onto the new storage equipment for compatibility and data accuracy.
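The scheduled backup test described above has to answer two questions: is the restored data the same as what was backed up, and do the measured recovery point and recovery time fall within the objectives? The following Go program is an added example, not code from the report or from CRL, that does both for an in-memory file set: it fingerprints each file with SHA-256 at backup time, compares the restored copy against those fingerprints, and reports the achieved RPO (time between the last backup and the disaster) and RTO (time from the disaster until the restore finished) against the chosen objectives. The sample files, timestamps and the 8-hour RPO / 4-hour RTO objectives are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Snapshot is one backup run: when it was taken and a SHA-256 of every file.
type Snapshot struct {
	TakenAt time.Time
	Hashes  map[string]string // path -> hex SHA-256 of content
}

// RecoveryResult is what the scheduled test records in the test log.
type RecoveryResult struct {
	AchievedRPO time.Duration // data written after the last backup is lost
	AchievedRTO time.Duration // time from the disaster until data was usable again
	Mismatched  []string      // restored files that are missing or differ
	MeetsRPO    bool
	MeetsRTO    bool
	DataIntact  bool
}

func hashContent(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// TakeSnapshot fingerprints the live data at backup time.
func TakeSnapshot(files map[string][]byte, at time.Time) Snapshot {
	s := Snapshot{TakenAt: at, Hashes: make(map[string]string, len(files))}
	for path, content := range files {
		s.Hashes[path] = hashContent(content)
	}
	return s
}

// VerifyRestore lists every path whose restored content is missing or differs
// from what the backup recorded, so a restore is never declared good merely
// because the restore job reported no errors.
func VerifyRestore(snap Snapshot, restored map[string][]byte) []string {
	var bad []string
	for path, want := range snap.Hashes {
		got, ok := restored[path]
		if !ok || hashContent(got) != want {
			bad = append(bad, path)
		}
	}
	sort.Strings(bad) // deterministic order for the test log
	return bad
}

// EvaluateRecovery measures the achieved RPO and RTO of one rehearsal against
// the objectives CRL sets and checks the restored data against the snapshot.
func EvaluateRecovery(snap Snapshot, disasterAt, restoredAt time.Time,
	rpo, rto time.Duration, restored map[string][]byte) RecoveryResult {
	r := RecoveryResult{
		AchievedRPO: disasterAt.Sub(snap.TakenAt),
		AchievedRTO: restoredAt.Sub(disasterAt),
		Mismatched:  VerifyRestore(snap, restored),
	}
	r.MeetsRPO = r.AchievedRPO <= rpo
	r.MeetsRTO = r.AchievedRTO <= rto
	r.DataIntact = len(r.Mismatched) == 0
	return r
}

func main() {
	// Constructed sample data, not CRL's real files.
	live := map[string][]byte{
		"orders/2010-04.csv": []byte("1042,widget,2\n1043,gadget,1\n"),
		"web/index.html":     []byte("<html>CRL</html>"),
	}
	t0 := time.Date(2010, 4, 29, 2, 0, 0, 0, time.UTC) // nightly backup
	snap := TakeSnapshot(live, t0)

	// Restored copy in which one file came back truncated.
	restored := map[string][]byte{
		"orders/2010-04.csv": []byte("1042,widget,2\n"),
		"web/index.html":     live["web/index.html"],
	}
	disaster := t0.Add(7*time.Hour + 30*time.Minute)
	restoredAt := disaster.Add(90 * time.Minute)
	res := EvaluateRecovery(snap, disaster, restoredAt, 8*time.Hour, 4*time.Hour, restored)
	fmt.Printf("RPO %v (ok=%v) RTO %v (ok=%v) intact=%v mismatched=%v\n",
		res.AchievedRPO, res.MeetsRPO, res.AchievedRTO, res.MeetsRTO, res.DataIntact, res.Mismatched)
}
```

Run against the sample, the timings pass both objectives but the truncated order file is reported, which is exactly the case a rehearsal exists to catch: a restore that completes on time with silently damaged data would otherwise be logged as a success.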
The company will also make sure that periodic testing is carried out annually to ascertain that the plan will always be functional when invoked. More so, the system will be fully regression-tested when changes occur in terms of security updates, and software and hardware changes to the backup storage onsite and offsite.
The table below shows the testing priorities.
Priority | System tested
1 | Onsite data storage
2 | Local offsite storage
3 | Virtual Private Network
4 | Temporary outsourced data centre
5 | Hot site functionality
Table 2. Prioritised testing.
5.1.2 Test Report
A test report will be created at the end of each testing phase, with a test log document to capture the results of the testing activities. More so, all the various test documents will be updated to reflect any changes in the system.
The continuity plan will be a living document that has to be updated regularly to remain current with any system enhancements (Taylor, 2009, p.17). CRL will have a continuous monitoring process for risk assessment, industry event trends, regulatory requirements and organisational changes for proper maintenance (ASIS International, 2005, pp.31-32). This will ensure that CRL is constantly checking for risks, planning against risks, taking the necessary actions and implementing them against emerging risks (BSI, 2007). Doing this means the company is now in full compliance with BS 25999, in that the company now follows the Plan-Do-Check-Act (PDCA) approach (Sharp, 2008, p.9). Furthermore, all documents relating to the plan will be reviewed constantly, updated when changes are applied and, most importantly, staff will be constantly trained and informed about the latest developments regarding the continuity plan.
This report has critically reviewed the current disaster plan being used at CRL by analysing various incidents that would disrupt business. The report has proposed an enhanced IT disaster plan through a BCP which is regularly rehearsed by the crisis management teams, stress-tested against known risks and ready to be invoked when needed.
The phase planning, counter measures and testing in the continuity plan mean that CRL will now have a robust and assured plan in the event of a disaster.
Finally, a future recommendation of continuous and effective risk management will ensure that new business risks are identified and treated as the business changes shape through business continuity management.
ASIS International. 2005. Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management and Disaster Recovery. Alexandria, VA: ASIS International. Available: http://www.uschamber.com/NR/rdonlyres/epg4tobesrsp3rv7ojrc42mhgbcoaqim7ru2flfat3rwoqa4ddvjo6yigmnvp3bbdk7ocqnlydm6k5s4yu65nqqjq4g/guidelinesbc.pdf [accessed 29 April 2010]
Bakowski, C. 2006. Business Continuity Plan Development. Available: http://www.continuitycentral.com/feature0348.htm [accessed 21 April 2010]
Barton, L. 2008. Crisis Leadership Now: A Real-World Guide to Preparing for Threats, Disaster, Sabotage, and Scandal. New York, NY: McGraw-Hill.
Breton, R. 1998. Replication Strategies for High Availability and Disaster Recovery. IEEE Data Engineering Bulletin, 21(4), pp.38-43.
Boles, J. 2009. Plan your recovery time objectives and recovery point objectives (and how to stick to your plans). Available: http://searchstorage.techtarget.com.au/articles/33498-Plan-your-recovery-time-objectives-and-recovery-point-objectives-and-how-to-stick-to-your-plans- [accessed 24 April 2010]
Borodzicz, E. P. 2005. Risk, Crisis & Security Management. Chichester: Wiley.
British Continuity Institute. 2003. Expecting the Unexpected: Business Continuity in an Uncertain World. Available: http://www.thebci.org/London%20Firsts.pdf [accessed 28 April 2010]
British Standards Institution. 2008. Information technology – Security techniques – Information security risk management.
British Standards Institution. 2007. Business continuity management – Part 2: Specification.
Britt, P. 2005. Taking Steps for Disaster Recovery. Information Today, 22(9), pp.1-21. Available: http://search.ebscohost.com [accessed 15 September 2006]
Calder, A. and Watkins, S. 2005. IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799. 3rd ed. London: Kogan Page Limited.
Fafinski, S. 2007. UK Cybercrime Report. Available: http://www.garlik.com/press/Garlik_UK_Cybercrime_Report.pdf [accessed 21 April 2010]
Garber, L. 2001. Denial-of-Service Attacks Rip the Internet. IEEE Computer Society Press, 33(4), pp.12-17.
Heikkila, P. 2002. Hack attack brings down ISP. Available: http://www.silicon.com/technology/security/2002/01/21/hack-attack-brings-down-isp-11030597/ [accessed 21 April 2010]
Hiles, A. and Barnes, P. 1999. The Definitive Handbook of Business Continuity Management. Chichester: John Wiley and Sons.
IEEE. 1998a. IEEE Standard for Software Test Documentation (No. IEEE-829). IEEE. Available: http://mycourse.solent.ac.uk/file.php/142/Papers/IEEE829.pdf [accessed 23 March 2010]
IEEE. 1998b. IEEE Standard for Software Verification and Validation (No. IEEE-1012). IEEE. Available: http://mycourse.solent.ac.uk/file.php/142/Papers/IEEE1012.pdf [accessed 15 February 2010]
Joseph, L. 2005. Denial of Service or "Nuke" Attacks. Available: http://www.irchelp.org/irchelp/nuke/ [accessed 21 April 2010]
Kessler, C. 2001. Defenses against Distributed Denial of Service Attacks [online]. In partial fulfilment of the SANS/GIAC Security Essentials Certification (GSEC). Available: http://www.garykessler.net/library/ddos.html [accessed 21 April 2010]
Logan, Y. 2003. Bitten by a Bug: A Case Study in Malware Infection. Journal of Information Systems Education, 14(3). Available: http://jise.org/Issues/14/14(3)-301.pdf [accessed 3 May 2010]
Lu, C., Jen, W. and Chou, S. 2006. Cybercrime & Cybercriminals: An Overview of the Taiwan Experience. Journal of Computers, 1(6), pp.11-18. Available: http://www.academypublisher.com/ojs/index.php/jcp/article/view/01061118/257 [accessed 21 April 2010]
Myers, K. N. 1993. Total Contingency Planning for Disasters. New York: Wiley.
Ollington, C. 2004. The Secure Online Business Handbook: E-commerce, IT Functionality and Business Continuity. 2nd ed. London: Kogan Page.
Park, K. and Lee, H. 2001. On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. IEEE INFOCOM '01, pp.338-347.
Perry, W. 1999. Effective Methods for Software Testing. 2nd ed. New York: Wiley.
Richardson, T. 2002. Cloud Nine blown away, blames hack attack. Shut down. Available: http://www.theregister.co.uk/2002/01/22/cloud_nine_blown_away_blames/ [accessed 21 April 2010]
Reuvid, J. 2005. Managing Business Risk: A Practical Guide to Protecting Your Business (6th edition). London: Kogan Page.
Sanders, T. 2005. Oil blast shuts down tech firms' offices: Buncefield explosion affects operations of Epson, Dixons and 3Com [online]. Available: http://www.computing.co.uk/vnunet/news/2147473/tech-offices-hit-oil-blast [accessed 21 April 2010]
Sandhu, R. J. 2002. Disaster Recovery Planning. Cincinnati, Ohio: Premier Press.
SANS Institute. 2002. Conducting a Penetration Test on an Organization. SANS Institute InfoSec Reading Room [online]. Available: http://www.sans.org/reading_room/whitepapers/auditing/conducting-penetration-test-organization_67 [accessed 15 February 2010]
Sharp, J. 2008. The Route Map to Business Continuity Management: Meeting the Requirements of BS 25999. UK: British Standards Institution.
Shue, C., Kopecky, B. and Weilemann, C. 2006. Denial of Service Attack: Detection Using Extended Analog Computers. IUCS Technical Report, pp.1-5. Available: http://www.ioc.ornl.gov/publications/techreport624-06.pdf [accessed 20 March 2010]
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. and Thomas, R. 2002. Contingency Planning Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-34. Washington, DC: United States.
Todd, B. 2000. Distributed Denial of Service Attacks. Available: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html [accessed 21 April 2010]
Vliet, V. 2008. Software Engineering: Principles and Practice. 3rd ed. Chichester: Wiley.
Taylor, J. 2009. Disaster Planning (2nd edition). Surrey: Wolters Kluwer.
Wack, J., Tracy, M. and Souppaya, M. 2003. Guideline on Network Security Testing. NIST Special Publication 800-42 [online]. Available: http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf [accessed 15 February 2010]
Wan, S. H. C. and Yuk-Hee, C. 2008. Adoption of business continuity planning processes in IT service management. BDIM 2008: Third IEEE/IFIP International Workshop on Business-Driven IT Management. Salvador, Bahia, Brazil, pp.21-30.
Whitten, D. 2008. The Chief Information Security Officer: An Analysis of the Skills Required for Success. The Journal of Computer Information Systems [online]. Available: http://www.iacis.org/jcis/pdf/Whitten_2008_48_3.pdf [accessed 15 February 2010]
Yanosky, R. 2007. Shelter from the Storm: IT and Business Continuity in Higher Education Roadmap. Available: http://net.educause.edu/ir/library/pdf/ers0702/rs/ers0702w.pdf [accessed 01 May 2010]