Sec280 Disaster Recovery - Case Study

Submitted By loonieboi
Considering the recent attack, it is imperative for Gem Infosys to have a plan in place for incident response and operational readiness in the event of an information security breach. This policy coincides with our current policies and procedures while expanding on how Gem Infosys will develop an incident-response team (IRT), a disaster-recovery process (DRP) and a business-continuity plan (BCP). The goal is for this to serve as a blueprint and foundation for deploying resources in the event of an incident and, even more importantly, for the steps and procedures that keep downtime at near zero during such a security event.
Even though “It takes the enterprise some time to assess the exact effects of the disaster” (Disaster Recovery: Best Practices, 2008), Gem Infosys is a small software company with a small computing environment, currently consisting of 10 PCs and 6 servers that range from file servers and web servers to AD servers. At present there is a firewall protecting the network, but an analysis of response time after the recent attack showed that it took responders 6 hours to realize the breach, 24 hours to determine all the components that had been breached and an additional 24 hours to resolve the issue. This length of response time resulted in the Gem Infosys network being down for 48 complete hours (2 business days). This downtime resulted in great corporate loss and was quite costly. The following points outline the steps Gem Infosys will take to prevent this from recurring.
IRT (Incident-Response Team)
I. The first step that must be in place is the development of the IRT. Considering the small size of the company, all hands must be willing to be on deck in the event of an attack such as this. At present there are a total of 3 help desk associates, 1 system administrator and the Chief Information Officer (reference DRT III). Each member will now receive a Blackberry that is integrated and synced with the syslog server (reference BCP III). If and when an attack occurs, the syslog server will push out the occurrence to the first in line on the shift. To make this happen, the Gem Infosys technical team must be willing to adhere to the on-call schedule. Responsibilities are allocated by tier of technical staff, meaning the first to know will be the CIO and System Administrator; from there the rest of the team will receive emails in order of priority and according to who is next on call, which has been built into the system / server. Also, since we work with a VAR, all numbers and contact information will be made readily available to the team so that, should additional hands or equipment be needed, the company will be in a position to quickly order and deploy.
Disaster-Recovery Process
II. The DRP must also illustrate the trust model for Gem Infosys. “An immediate consequence of not enforcing an adequate trust model is that the overall security implementation becomes less immune to malicious activities.” ("Securing Networks With Private," 2008) As illustrated in the IRT bullet, there must be a chain of command and a designated team. This allows each individual playing a role in the IRT to know their responsibilities and support leg. The disaster-recovery process will be headed by the CIO, who has appointed the System Administrator as the team lead and point of contact for Gem Infosys. Materials that will be used will be new mobile phones for those on the IRT; the phones will allow for constant contact and must be on 24/7. The IRT will also now begin receiving emails and updates on severity issues and system outages. Until the issue has been resolved, an escalation email will be sent to the group every 30 minutes until the system has been restored.
a) The first step will be for the System Administrator to meet with the rest of the incident-response team and update them on the network issue. The IRT inevitably becomes a planning group as well and must quickly decide what steps must be taken to resolve the issue (attack) / downtime.
b) Backup systems must be in place. This means tape must be pulled regularly, and in the event of disaster this backup will aid in restoring defaults and minimizing system build time if complete loss occurred.
c) Additional machines must be ordered. In the event of total loss there must be the same number of HDDs and computing accessories. This will allow for quick deployment and system restoration.
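The notification and escalation flow described in the IRT and DRP sections (syslog alert to the first responder on shift, CIO and System Administrator notified first, remaining staff in priority order, escalation email every 30 minutes until restoration) can be modelled as a small scheduler. This is an added example, not part of the essay or of any Gem Infosys system; the roster names and timestamps are constructed for illustration.

```python
"""Added example: models the Gem Infosys IRT notification order and the
30-minute escalation cadence. Roster and times are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ESCALATION_INTERVAL = timedelta(minutes=30)  # per the DRP section


@dataclass
class Responder:
    name: str
    tier: int            # 1 = CIO / System Administrator, 2 = help desk
    on_call: bool = False


@dataclass
class Incident:
    opened: datetime                  # when the syslog server raised the alert
    resolved: Optional[datetime] = None


def sample_team() -> List[Responder]:
    """Constructed roster matching the essay's headcount: CIO, one sysadmin,
    three help desk associates (one currently on call)."""
    return [
        Responder("Help Desk A", tier=2),
        Responder("CIO", tier=1),
        Responder("Help Desk B", tier=2, on_call=True),
        Responder("System Administrator", tier=1),
        Responder("Help Desk C", tier=2),
    ]


def notification_order(team: List[Responder]) -> List[str]:
    """Tier 1 first (CIO, System Administrator), then whoever is on call,
    then the rest of the help desk in roster order."""
    tier1 = [r for r in team if r.tier == 1]
    rest = [r for r in team if r.tier != 1]
    ordered = tier1 + [r for r in rest if r.on_call] + [r for r in rest if not r.on_call]
    return [r.name for r in ordered]


def escalation_emails(incident: Incident, now: datetime) -> List[datetime]:
    """Times of the every-30-minute escalation emails, from the alert until
    the incident is marked resolved (or until 'now' if it is still open)."""
    end = incident.resolved or now
    times, t = [], incident.opened + ESCALATION_INTERVAL
    while t <= end:
        times.append(t)
        t += ESCALATION_INTERVAL
    return times
```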
Business-Continuity Planning
III. As the network must have a form of redundancy in the event of a failure, it is recommended to have a syslog server installed on a separate but corresponding network that receives periodic updates from the embedded intrusion detection systems we are now putting in place. On top of the log server, it will be viable to segment the network. This can be done via VLANs, with additional security and firewalls on each access point. The VLANs will now be segmented into Administration, Operations, Sales, Marketing, and Research & Development. The three file servers will fall under the Operations VLAN, Active Directory will fall under the Administration VLAN, and the two web servers will fall under the Research & Development VLAN. This segmentation will add an additional layer of Layer 2 security to our network.
a. Tape must be updated on all servers for backup
b. Redundancy measures must be in place, such as supervisory engines and load balancing
c. Additional firewalls are recommended

References
Disaster Recovery: Best Practices. (2008, May). Retrieved from Cisco website: http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf
Securing Networks with Private VLANs and VLAN Access Control Lists. (2008, May). Retrieved from Cisco website: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml