Business Continuity Planning in the IT Age - A railway sector case study

.

Master’s Thesis

Business Continuity Planning in the IT Age

- A railway sector case study

by

Arulmozhi Varman Govindarajan.

LITH-ISY-EX--11/4539 -- SE

.

Master’s Thesis

Business Continuity Planning in the IT Age

- A railway sector case study

by

Arulmozhi Varman Govindarajan.

LITH-ISY-EX--11/4539 -- SE

2011-12 -14.

Supervisor Viiveke Fåk.

Linköping Institute of Technology. Examiner

Jan-Åke Larsson.

Presentation Date 2011-12-14

Publishing Date (Electronic version) 2012-02-07

Department and Division

Department of Electrical Engineering Division of Information Coding.

URL, Electronic Version http://www.ep.liu.se

Publication Title

Business Continuity Planning in the IT Age - A railway sector case study.

Author(s)

Arulmozhivarman Govindarajan.

Abstract

In today's business Information technology (IT) and Information plays a key role. Due to development and influence of Information Technology, using systems, IT services and networks cannot be avoided in the business and they all need to be protected and secured.

In order to ensure such a higher sort of security and protection, the Information security system (ISS) have been used. Still the businesses today are enveloped with higher risks and upshots which are also being narrower and keeping changed consistently. At such circumstance the solution providing method should be very unique and narrower to each and every slot of business, for a competitive and higher security. Thus such compact solutions been given by Business Continuity Planning (BCP) method. Business Continuity Plan, a chief idea engendered from the stream of information security.

This research involves with a case study in regard to the Railway sector in making a Business Continuity Planning (BCP) on Network security, System Security and Physical Security of it. Thus the way of presentation been more systematically followed up in order to make the reader to understand the results more easily.

Following in the Chapter 1 and Chapter 2, the Introduction and background studies which are needed to be known to draw a BCP plan on Network, System and Physical Securities. Chapter 3 Result section, will gives the recommendation that need to be followed for drawing a Network, System and Physical Securities in a railway network.

Keywords

Information Technology, Information Security, Business Continuity Planning, Information System. Language

x English

Other (specify below)

Number of Pages 47 Type of Publication Licentiate thesis x Degree thesis Thesis C-level Thesis D-level Report

Other (specify below)

ISBN (Licentiate thesis)

ISRN: LiTH-ISY-EX--11/4539--SE Title of series (Licentiate thesis)

Acknowledgement

First I would like to thank my parents and my brother for their love, support and encouragement that had been given all through my life.

I am very thankful to my professor Dr.Viiveke Fåk, who had given me this opportunity to do my master thesis under her and also for her help, support, guidance and suggestion during my whole thesis. Her assistance helped me in achieving to understand and to do each and every task in the thesis. In addition I like to thank Mr. Arul Wilfred Sahayaraja, Administrator of RAILNET Software solutions, South Indian railway, Madurai division, for his support and guidance to make my theoretical understanding into practical in South Indian railway organization. Further, I am grateful to all my friends for their support and help in completion of the thesis.

.

Abstract

In today's business Information technology (IT) and Information plays a key role. Due to development and influence of Information Technology, using systems, IT services and networks cannot be avoided in the business and they all need to be protected and secured. In order to ensure such a higher sort of security and protection, the Information security system (ISS) have been used. Still the businesses today are enveloped with higher risks and upshots which are also being narrower and keeping changed consistently. At such circumstance the solution providing method should be very unique and narrower to each and every slot of business, for a competitive and higher security. Thus such compact solutions been given by Business Continuity Planning (BCP) method. Business Continuity Plan, a chief idea engendered from the stream of information security.

This research involves with a case study in regard to the Railway sector in making a Business Continuity Planning (BCP) on Network security, System Security and Physical Security of it. Thus the way of presentation been more systematically followed up in order to make the reader to understand the results more easily.

Following in the Chapter 1 and Chapter 2, the Introduction and background studies which are needed to be known to draw a BCP plan on Network, System and Physical Securities. Chapter 3 Result section, will gives the recommendation that need to be followed for drawing a Network, System and Physical Securities in a railway network.

Table of Contents

Acknowledgements………. Abstract……… Chapter 1 - Introduction

1.1 Influence of Information technology and Globalization in IT security service…………. 1.2 Information security Introduction……….. 1.3 Business Continuity Plan (BCP) Introduction……… 1.4 Thesis Task……….. 1.6 Objective and Research Questions………... 1.7 Limitations……… 1.8 Target Audience……… Chapter 2 - Background Study

2.1 Information Security………... 2.2 Business Continuity Planning (BCP)……….. 2.3 Security………... 2.3.1 System and Network Security:

2.3.1.1 Network Topology………... 2.3.1.2 Communication……… 2.3.1.3 Access Control………. 2.3.1.4 Authentication………...

Chapter 3 - Results (Railway Sector)

3.1 The main assets of the Railway organization………... 3.2 The risks and the threats with respective to the organizational main assets………

3.3 Develop a BCP to reduce or to remove the risks………. 3.3.1 To Network and System security issues of the railways………... 3.3.2 To Physical security issues of the railways……… 3.3.3 External dependencies……… Chapter 4 - Conclusion. Chapter 5 – Bibliography. 5.1 Literatures………. 5.2 Text Books……… 5.3 Online Links………..

Chapter 1 – Introduction

1.1 Influence of Information technology and Globalization in IT security service

The world we live in today is in such a tremendous growing position, where the ideas are transmitted globally at a higher pace in similar to the thought’s processing within a neural network of the human system. This miracle has been realized solely due to the advent of Information technology and its globalization. These two plays a vital role in today’s Business approach.

So now a user can buy and use products or services from all parts of the world by employing Information Technology (IT) as it makes the business process easier, being less time consuming and gives more competitive and better solutions. So today Information Technology (IT) is employed in all sections of a business and considering the past, the present and the future scenario, Security will be a major constraint for making a successful venture.

But in today’s business the security plan, will not only be oriented with their products/process, equipments used for their business or as in a financial basis. In addition to that they need to make security plan for the services that being used by the organizations like Information Technology (IT) services, electricity services, Infrastructure provision, etc.

1.2 Information security Introduction

In the present scenario, electronic information/data plays a major role, which are being handled and managed by different users and employees through various system and components in a network of an organization. So the information’s and those information handling system and devices are to be secured from various threats and disasters. For such a higher security, a numerous solutions are originated through an information security.

As development in an information technology (IT) service, has paved a way lot in develop a lot of new businesses and methods like in support, service, customer care, business consultant, share business, online shopping, mobile shopping, outsourcing strategy, off shoring etc.

Nowadays an organizations business objectives and focuses are become very narrower. An organization does not fully involved with the whole process of its business, instead it outsource or offshore all other modules of its process than its key functionality process. This makes an organization to be more competitive, price cheaper and narrower in its focus. This shows that security plan for an organization alone will not give an organization an inclusive security solution, since it has external dependencies with other organization. So we want to consider external dependency as well which will differ for each and every business. This concludes that security level also differ with respective to each and every organizational business. We need to change our view from general information security to business perspective.

1.3 Business Continuity Plan (BCP)

Introduction

Business Continuity Plan (BCP), the system which has been developed from an information security, whereas it provides a unique, complete security and backup solution for all possibilities of threats and disasters in concern with every aspect of a businesses. The Business continuity planning is a cyclic process which has different phases in each process. as such process its own responsibility in analysing and providing security solutions to an organization which all follows up in the background study.

1.4 Thesis Task

The task of this research is to study and recommend a Business continuity plan (BCP) for a Railway sector on network, system and physical security. The railway sector is a vast, quite interesting and challengeable field of business, which deals with a lot of information and real time competitive edges.

BCP cannot be derived solely from a theoretical background, as it leads with enormous empirical studies in coordination with theoretical works.

With such an empirical study and analysis, I had an opportunity in real time at the Southern Indian railways organization, where I made to learn and use the theoretical approach and also to derive a thriving Business Continuity Planning (BCP).

1.5 Objective and Research Questions

“The main objective of this thesis is to design a Business Continuity Plan (BCP) for a Railway sector, in order to make a strong and secure provision of information security for their organization assets.”

The proposed solution plan is based on the following questionnaires:

• Does the organization have any prior knowledge or experience in using Business Continuity Planning (BCP)?

• What are the current plans/methods that been followed by the organization with respect to the safety and security measures for their electronic assets?

• To determine which aspect of the current plans are suitable and which are not suitable in accordance to the safety and security measures of their assets in a futuristic view?

• How to switch from a non-suitable plan to a new plan without affecting the current work progress of the organization?

1.6 Limitations

• The empirical data collection was made through various interviews, observations and by cross verification of the observations. But also certain primary and secondary sources of information’s were not cross validated in order to ensure confidentiality.

• This research work will not cover the entire railway sector as because of both the time constraint as well as the diversity of an organization.

• The action trial was done but it’s not documented over here, due to a matter of security and confidentiality.

1.7 Target Audience

This research paper targets the audience who are interested in Information security and in Business Continuity Planning (BCP) field. This paper will help the reader to understand and analyse the various network security, system security and physical security threats to a railway sector and a security solution that are recommended with respective to Business Continuity Planning (BCP) to them.

Chapter 2 - Background Study

2.1 Information Security

In our day to day’s booming business life, its being too apparent that the term IT (Information Technology) has got its own and peculiar strength at various circumstances. Such of its strength and growth cannot be restricted within a limit. In the way, one of its major sources of escalation is being in the development over the Internet. The growth in the internet makes the development of Information technology to spread all around globe rapidly. It suits well for all sorts of business processes. It makes the business processes/functionalities to be easier, simpler and more comprehensible. Moreover the IT provides us a service through taking the time factor as major consideration.

Since the word ‘Information’ by itself by insists us the meaning which has to be assured and secured in a more confidential manner. As in such competitive technical world, there are higher consequences for threats like Piracy, Deletion or burglarising one’s information which leads to lose their competiveness, business advantages, customers and their reputation in the market. So its being very obvious for us protect our and secure our information. Hence ultimately this can be achieved by Information Security.

Information security is used to provide security for the information and to the information systems of a business from the unauthorized access, disruption, recording, persons, and modification. Security is the biggest concern for all sorts of system. Today mostly Information (data) are available in electronic format, which is been accessed/used by various users through different computers, network devices and components in a network. In order to provide complete security regarding information/(data), information security needs to provide computer/system security, network security and physical security to a network. [1, 2, 3, 4]

The need for an Information security hasn’t been developed or grown-up all of sudden. It’s being in the businesses for a long term but with a minimal application. Making such an Information security solution is not as easy like as developing a software/application, where it differs in many ways. In software/application the software team develops it based on the requirements and features. i.e. their focus are narrowed towards the specification of the applications. But in developing an information security solution, the IS team must need to think on a multidimensional disciplinary approach. Information security solution (ISS) cannot be developed by ISS expertise alone. Since it involves the security of a whole business, it needs other department members to be take part in making a complete ISS. [1, 2, 3, 4]

Using a Standardized principle or model regarding Information security makes a business sector to feel more confident about their implemented security solution and provisions. It gives high regards and reputation for a customer to rely on us. While making an information security plan, a company needs to pursue certain things and conditions such as,

i. It should not treat IS solution just for solving the technical issues, it should be considered as a solution related to the organizational business issue.

ii. Information security plan should on focus on multi-dimensional aspect and in futuristic way of an organization.

iii. The solutions provided by the information securities should be based on all possibilities of identified risks and threats to an organization.

Today globalization plays a main role in business, so each organization need to know and be aware of their international practice regarding business process as well as in information security management. Based on these information’s, security policies are to be formed for the organization. Also Monitoring, its feedback and the Training/awareness programs are essential to an information system. [1, 2, 3, 4]

So they need to add separate divisions in order to keep track or to check how their information security solution works. Training makes all the users to know and be aware about their responsibilities and importance about their system. Human challenge is one of the biggest challenges in information security management, so it can be eradicated only by giving proper training. All these makes information security become a § corporate governance responsibility. By following above steps we can come up with a strong information system. [1, 2, 3, 4]

How this Standardized framework or model regarding for Information security is formed? Standardization regarding Information security is formed based on sharing every business/organization experiences regarding their security problems. By sharing their experiences, today companies gain a lot by improving their Information security system. At one point, all these made them to frame a certain standards that need to be considered while developing the Information Security. [1, 2, 3, 4]

Information security will differ slightly based upon each and every business. But there are certain standard principles which have to be followed to develop a successful Information security solution (ISS) that suits for all businesses. This standard idea helps a company build from existing standard not to start from scratch in order to develop the information security for its system. In addition to that other security provisions are added based upon their business process and risk priorities. [1, 2, 3, 4]

This has made Information security to grow in various specific and specialization fields like in Infrastructure, Security testing, applications, databases, Business Continuity planning etc. [1,2,3,4]

2.2 Business Continuity Planning (BCP)

The Business continuity planning (BCP) is a sort of solution advanced from the platform of information security. As the Business Continuity Planning shortly BCP, has its own unique role and methods in providing a higher security solution. Its solutions are not being a general one whereas its solution will differ with respective to each and every business and organization, which has its distinctive approaches too. Solutions given by a BCP are based upon the objectives and functionalities of an enterprise which varies from one organization to the other. The day, the commercial actions are not only based upon the products/materials other than the things there are also other various businesses like in providing services (IT, Power, Security, Transport, Helpdesk, Customer care, etc) and solutions (Business consultant, financial basis, Maintenance, employee basis etc). So the BCP solutions too vary with respective to every concern. It also differs for a same type of business/organization regardless of its size, geographical condition, infrastructure provision and their functional/processing models. [5, 6, 7, 8, 9]

A Business continuity plan (BCP) cannot be developed by a single person or just by alone a group of BCP expertise. It’s done by working together as a team, which the team has members from are shown below in the figure 1 with respective to their percentage of involvement. [5]

Figure 1 Represent the percentage level of teams that are required and involved to draw a BCP. [5]

The reason for having such a diverse team is to understand various facets of the organization. This helps to device a solid BCP proposal through covering all these facets of an organization. For example, for a particular problem the solution given by IT team can be good, but from Risk/safety team point of view, it can have risks or some deadlock point for the same solution in a particular condition. So we need to analyse the merits and demerits of that solutions, before approval. Besides the financial constraints are also being an important factor, which has also to be kept in mind. [5]

Business continuity plan (BCP) not only points out the risks involved and solutions for it. It also helps an organization to improve their business processes and methods. It also makes an organization to validate its own strength and weakness.

Business Continuity Plan (BCP) is a chain process. A BCP is framed by following these steps in its process. [7, 8]

• To identify the main/real assets of an organization.

• To identify the risks and threats with respective to the organizational main assets. • BCP Developing and Implementation.

• Testing and Training.

• Monitoring and Maintenance. • Reviewing.

Step 1 - To identify the main/real assets of an organization.

The BCP method is very clear about its objectives and goals. Its solution plan to an organization is based upon the organizational needs and requirements and not based on general solution plan. Before making the plan, BCP starts in identifying the real/main assets of an organization and main Core of their business. By identifying such assets and core, the BCP is developed. So the solution given by BCP will be more competitive and in an efficient way for an eternal organization growth. From the step we can get to know the tenacity of assets in assertion to an organization. [7, 8]

Step 2 - To identify the risks and threats with respective to the organizational main assets. To find out all the possibilities of risks and threats involved in respective to an organizational assets, the Risk analysis in BCP methods are being more easeful in a wide and broader scope. Further in today’s business, the risks and threats are not only solely associated on a technical basis, but can also be a

1) Hardware/system/server/data/ devices Thefts due to Insiders or from Outsiders. Insiders – Theft due to peoples working in the organization itself. Outsiders – Theft due to other peoples (i.e) not related to the concern. . 2) Disasters due to Nature like floods, tsunami, heavy wind/storm, fire accidents etc. 3) Terrorist attacks etc. [7, 8]

Figure 2 Represents the percentage level of possible threats in today business [5].

Consequently the BCP provides solution and alternate plans for an organization with respective to all these risks. As it maintain a risk table. It ranks the risks, based on its effects and impacts. So the Solution and priority for the risks are based on the ranking from the risks table. Ranking for the risks are not only based on financial benchmarks, in addition original source recovery time duration, backup/temporary source activation duration, are critical to business processes etc. By this we can get a clear picture about the whole risk level and importance about an organization. Main tool used in BCP analysis are questioning, interviewing and making survey with various department employees of an organization. Risk estimations are calculated with the external dependencies of the organization too. [7, 8]

Step 3 - BCP Developing and Implementation.

Since the major part about the BCP solution is being its development and implementation in concern with the risk analysis. This implementation sometimes makes a lot of change in their existing system, roles and responsibilities of the employees etc of an organization. So the employees of an organization must be aware about this BCP process. Hence they should be ready to accept the change. This will make the BCP team to develop, implement the change easily. Main role in implementing BCP is to reduce the decision making during crisis or at disaster times and just to act based upon the plan. [7, 8]

Step 4 -Testing and Training.

Successfully, through an intense mode of developing and implementing the plan, the very next step follows with the testing and training of BCP solutions. As the BCP solutions are based on diversified aspects. By the way, it deals with the security and business improvements process for an organizational asset. So it involves new technologies, services, devices etc. These are required to work in a real time scenario, so insist that the testing is being mandatory. Therefore the testing should be done with the participation of employees and the training for the employees should be done based on simulation models, functional

models, service models with respective to various scenarios. Accordingly each and every employee can know how to act their role and work on with higher responsibility when sorts of such disaster get to happen. [7, 8]

Step 5 - Monitoring and Maintenance.

Consequently, the monitoring and maintenance plays a major role in BCP service. Developing and implementation will be done at once and it will be looked again if there have any up gradation or release of new version. Maintenance and monitoring helps in keep tracking or to check how the BCP solution works. As a whole it acts as a feedback device by point outing the merits and demerits of the system, which will help for up gradation and in customizing the solution. [7, 8]

Step 6 - Reviewing.

Organizations might believe that implementing BCP will bring an end to all their threats and disasters. But it’s not a right approach, because today technologies are growing very faster correspondingly threats and disasters too. So to be competitive, BCP solutions should be reviewed at least once in a year by the organization. This review helps them to arrive at conclusions about BCP solutions strength against current threats. Reviewing provides an an organization a competitive edge. [7, 8]

These all steps are to be followed to form a Business continuity planning. [5, 6, 7, 8, 9].

2.3 Security

Now we are in an electronic era, the usage of computers, internet and technologies are becoming so common in day to day life which cannot be avoided as well. This technological development makes a lot of impact in today’s business model. It has reshaped and helped the businesses to attain a standardized level. It also paves the way to grow a lot of new opportunities. In addition to the core process/product/function, Information becomes very important for every business. So security aspects are given equal importance as the core process of a business in an organization. Since lag in security makes a huge impact to an organization like losing their business, customers, share holders, competitiveness, reputation etc. So the security features and provisions play a primary role in business, safety and in risk analysis.

Informations are mostly available in electronic format, which are accessed by various users/employees through systems (computer, server, network components etc) in a network. In order to provide the information security, we need to protect these systems and networks. As for such a complete Information security we need of

• System security. • Network Security. • Physical Security.

The objective in providing computer and network security is to achieve three things are, [10] • C - Confidentiality.

• I - Integrity. • A - Availability. Confidentiality

“Only authorised persons can get your protected information” [10]

Integrity

“Your information is reliable in the sense that it has been entered/altered only by authorised persons” [10]

Availability

“Your information is available to those authorised to access it” [10]

2.3.1 System and Network Security

We cannot examine or evaluate the security at the systems level alone or vice versa for networks. Well a network means about the integration or group that connects different systems, servers and networking components etc. It shows both systems and networks are very closely related to each other. Hence security solutions for technological threats and defects are to be based on both System and Network security. This security solution plan will not be based on only threats and defects; in addition it also examines the implemented system in the organization to find its vulnerabilities.

When system and network securities are take into account it automatically includes various fields like computer science, information security, network topology, communication, cryptography, access control, application security, protocol, network service, information network management etc. to make a complete security plan. [11, 12, 13]

2.3.1.1 Network Topology

A network topology is how the systems and networking components get connected in a network of the organization. Network topology act as bridge or interface line between all the components. This topology gives the basic structures for different types of communication like LAN (Local Area Network), MAN (Mobile Area Network), WAN (Wide Area Network) etc. This topology is classified based on six different structures are, [14]

• Bus Topology. • Ring Topology. • Dual Ring Topology. • Star Topology.

• Extended Star Topology. • Hierarchical Topology.

Dual Ring.

Figure 3 Represents the diagrammatic representation of various network topological structures. [14]

These structures are based upon the organization size and their need of requirements. If a break or failure in this topology leads to let down in the whole network it might lead to the security threats. So the topologies should be chosen very carefully.

2.3.1.2 Communication

From their core business process, an IT team has to posses the knowledge in choosing the systems and networking components that are needed for their business. Next by analysing the network topology structure, they can get a picture of how the whole system would get connected. Next is to establish communication and interaction between those all components to share and access the information over a network. For this the concept of communication plays a major role in the information system.

Communication between the systems and networking components in a network will be based on both hardware (Physical) and software basis. Exact technical terms for physical basis is Communication Media and for software basis is Communication Protocol. [17]

Communication Media

Different types of Communication media are used, [15, 17] • Twisted Pair Cable.

• Coaxial Cable. • Fibre Optic cable. • Wireless Connection. • Microwave.

• Satellite channel.

Each communication media has its own distinctiveness in connecting the system and networking components. Accordingly the media are selected based upon the needs and requirements of an organization structure. A network cannot be grouped by using alone a single media. A network will be a combination of many media in its connection, because each media has merits and demerits in connecting distance, cost factor, signal interference, etc. Based upon their strength they should be used in each of the specific areas in an organization.

As an example, we take a media organization, which has its branch in four different places in a country. Their requirement is to integrate all four branches. In a media organization video, audio will be their main data. So their network should be much faster, reliable, should avoid signal interference, noise attenuation etc. As a communication media solution, we can use coaxial cable connection in each branch as their Local Area Connection (LAN) and optical fibre connections in connecting the whole branches and wireless communication. Coaxial fibre is highly resistant to signal interference than twisted pair cable and the optical fibre communication provides scalability, noise attenuation, faster, covers longer distance etc. These two will make a media organization network to be more effective. Through wireless communication we can connect lot of laptops, computers systems in a branch and by using it we can cut down the cable deployment cost. Main issue is security problem. Its principle on communicating between the devices is based on the radio waves. So the Information shared on radio waves can be snooped and can be hacked by wifi hackers. To use this service securely it should be used with the encryption feature like WPA (Wi-Fi protected Access Version). This makes wireless service more secure and stronger. [15, 17, 18]

Consider a big organization or a government or any other service sectors which need to function for 24*7, so in those cases they need a backup solution in communication media in order to support the failure of their existing communication media. As an example we can consider these sectors to have their systems like above mentioned media sector, as backup for the optical fibre they can use microwave or satellite channel communications. [15, 17, 18, 19] Communication Protocol

From the above study, an organization IT team would get the requirement in choosing the systems and devices for their business networks, network topological structures and how the systems and devices are to get physically connected. But to work they really need communication protocols. Protocol is a piece of code which specifies set of rules which defines the working principles and progress the communication for each layer. It plays a key role in the logic and functionalities of the communication.

There is no limit for a network, but still communication has to be done precisely. It can be achieved by using some standardization principle. It’s given by OSI (Open System Interconnection) model for the communication. [15]

They classified the networking components based on five layers are,

Figure 4 Represents the networking components classified based on five layers and their corresponding data units. [15]

Components that are used in the communication are system (computer, server) and networking devices (router, bridge, switches, and hub) that are used in a network. These layer structures will differ based on the components.

Figure 5 Represents how these layers are varied based on each component. [15]

Here the host represents the system components. Only the system components (computer, server) will have all five layers, which are responsible for sending and receiving the packets.

Switch – In Data link layer. Hub – In Physical layer.

Each layer has its own specific protocols in the communication. They have an access control mechanism mean each layer cannot access the above layer functionalities. It cannot also see or modify or delete the information that has been sent from the above layer. This gives standardization to the security mechanism in the communication. [15, 16]

Each protocol has it own feature in transmitting and receiving the packets correctly during the communication. During transmission these protocols check like whether the appropriate receiver receives the packets, received packets are correct, in order, there are any loss in packet during transmission, if there is any loss in packets how to recover, network traffic, how the source port and destination ports are to be identified etc by using different techniques and method in each protocols header like

Security, encryption, Sequence number, Acknowledgement, Timer, re-transmission, Flow control, Congestion control, Error correction and detection control, throughput, data rate, routing algorithm to detect Minimum shortest path (MSP), etc.

These techniques are not used by all protocols. But these are classified and used by each protocols based on their role and responsibility in making a successful communication. [15, 16].

Figure 6 Represents the different protocols that are been used by each layers of the protocol stack. [16]

2.3.1.3 Access Control

Access control plays a main role in today’s IT security issues. Security will not only be full filled by providing solutions for threats and defects, in addition we need control in the whole mechanism of the IT systems. In IT threats are on different basis such as,

Information, Software, network, online threats, physical threats etc. First step in making security is by implementing an access control. Access control has high influences on all these security aspects.

Figure 7 Represents the influence of Access control in different security aspect. [13] Normally a business deals with lot of information, software, network devices, online services etc, which should not be available easily to be used or accessed or viewed or modified by employees or from others outside the organization. This can be achieved by implementing a set of privileges to each process or service by access control administrator.

Employees in the organizations are needed to be grouped based on their role and responsibilities. Based on their role and responsibility privileges should be assigned in accessing the system and network components. Employees should not be authorized to do any action beyond his privileges. We can also use a separate monitoring system to check an employee’s day to day activities. [13, 15, 20]

Information plays an important source in IT services, this need to be handled carefully. These can be secured by setting rights to the employee groups in the organization to use and handle the information. Like whether to R- Read, W- Write, E- Execute based on their privileges. By this group categorization and permission assigning we can make information secure. [15, 21]

Mirroring technology gives information 100% data redundancy and full protection for the data’s either due to break in the system and in editing or modifying the information. [26]

For software security, system security needs to be improved. To access software systems or networking components by an employee based on his privileges, some authentication methods like username, password or pin need to be used to entered in the systems. These username, password and pin details are to be encrypted and to be used for the security features. Other security features such as Auto login files need to be installed in every system to store the entered user details, lock screen or whole session if it finds as unauthorized access. Except network administrator none of the employees are allowed to install or uninstall any applications. If an employee tries it must to be noticed to network administrator via automatic detection. [15]

When we talk about the network security, online threat becomes as of the biggest challenges. Network security can be built by an organization in choosing their network service whether to deploy internet service or intranet service. Today most common use in the organizations is intranet service than internet service. Intranet offers the same technology and service that used in internet service. In shortly, intranet provides an internet service within an organization network. It makes an organization network service much faster, securable, scalable, less network traffic and highly reliable. It also acts as a decision support system (DSS) to an organization. [22, 23]

In order to avoid the online threats like virus, Trojans, spyware and malicious thefts need to use various techniques like scanning process before using any devices or data’s, using updated antivirus software version in all systems and devices to detect and kill the Trojans, worms, viruses etc, Disabling the disk drive, USB port, Bluetooth port for the systems using by lower privilege employees, Stringent firewall filtering to block or to not allow the unauthorized access in to the network. Firewall configuration will play a key role in providing network security. Using encryption and decryption methods in data transmission and in network security to avoid replay attacks, packet sniffers, password attacks etc. [24, 25]

2.3.1.4

Authentication

In Information technology (IT) Security is achieved by using various authentication and identification system. These authentication and identification are [27]

“What I know – passwords, PIN

What I have – ID-cards, smart-card, token

What I am/do – biometrics”

These features make IT security stronger. Security features can be increased by using this authentication as

• Multi-modal systems. [27] • Multiple method system. [27]

Multi-modal systems

Multi-modal systems mean using two or more biometric authentication features together in providing the security for a system. This type of security models are been implemented by the organization based on the importance and risk of the assets. This type of security are used in highly needed security places like nuclear power plant station, Cash system in a bank sector, etc. [27]

Multiple method system

Using any one of the authentication feature that you know (passwords, PIN) or you have (ID-cards, smart-card, token) with biometric authentication is known as a multiple method system. By implementing these features will also make a information security more stronger. [27]

Closed circuit television (CCTV) can be used in addition to increase the security features of the system. This CCTV solution suits for all types of security methods to make an entire system safer.

Figure 8 Represents the support of video surveillance solution in different security methods. [13]

Figure 9 Represents the various security management progress and business continuity planning methods to make a good information security management system for a sector. [13]

Chapter 3 - Results

From the background study, we have understood all the fields and the operations that are required to form a Business continuity plan for a Railway sector. To derive a Business continuity plan for a railway sector is need to know how a railway sector functions and their strategies. So for this research I had worked in Southern Indian Railways, Madurai division to make a business continuity planning for a railway business.

In this research work, I have formed a team and each one has a unique role as follows to make a BCP plan, [5]

General Management. - RAILNET solution Centre administrator Of Madurai division.

Information Technology (IT) - Network administrator team of Madurai division. Business continuity planning person. - Me.

Risk/ Safety management. - Safety advisor of Madurai division. Business continuity plan (BCP) is a step by step process where,

3.1 The main assets of the Railway organization

In a railway business two things are mainly involved are • Large number of human life.

• Multiple Collections of information, data transaction and record details. Lot of human’s life

Human’s life includes both passengers and Railway Employees. In transportation (railways) business, revenue mainly depends upon two sources are passengers and goods export import. So it’s railway organization responsibility to provide safety and security measures. Since it’s a public involved business oriented sector, it makes people’s life as one of the main assets. Multiple Collections of information, data transaction and record details

It Includes employee details, Train schedule details, Reservation details, Passenger details, vendor details, confidential record details like using equipments and components details, security plan details, future project details, current research and development work details, archives, etc.

Information technology plays a main role in the railway sector. Main part of the data’s and records are stored as electronic documents (e-documents).

Hence the main assets in railways are

Human Life’s – In Train Locomotive and In Organization. Information records.

In this research work, a Business continuity plan is proposed to secure these assets from threats and disasters.

3.2 The risks and the threats with respective to the organizational main assets

The term Security is classified into many types such as follows, 1) Security
1.1) Information security
1.1.A) Network Security

Online threats. 1.1.B) System Security

1.1.C) Physical security
Infrastructure Provision

Signal/Track Solution.
1.2) External dependency

Surveillance solution.

Physical security is a wide area; it will cover security aspect in physical point of view, which provides solutions for both technological systems as well as to human’s life.

3.3 Develop a BCP to reduce or remove the risks

The main focus of this study is on the Network and System security issues of railways. Network security and System security are inter-linked to each other.

3.3.1 To Network and System security issues of the railways

1) What type of Network service does a Railway organization needs to deploy?

Intranet network Service. Due to Intranet service, the whole railway network has been isolated from normal Internet web service. So that a railway network service will be more faster and securable one. External people cannot access their network and are being blocked by implementing the Intranet service. [22, 23]

2) Regarding information available in Internet service?

The internet service should be based on OUTBOUND service not as INBOUND service. The information which all obtains by external users from internet about railway sector is to be given and directed by the Railway Sectors. So the common users cannot get information about railway sector based on their query in the internet (Inbound); they can get based upon only the Information technology of railway sector provided information (Outbound).

3) How should the whole system of the railway network needs to be connected and

communicated?

Normally a railway system is divided in to many sub-divisions. Best solution in connecting the whole system is through optical fibre channels. It supports scalability, compatibility and guarantees faster, reliable service, time and in order delivery. It provides low interference and

Optical fibre has channels, each channel can be used for various communication services like network communication service, system communication service, train signal tracking communication service and they can use one channel separately as an Optical fibre tracking system channel which is used to point out if some damage happens to an optical fibre cable. It point outs very specifically the enormity of the damage, the place, time and location of nearest station to provide the service. [15, 17, 18]

4) Any backup plans if current connection (Optical fibre) fails due to technical or

natural disasters?

The backup plan for the current connection

(Optical fibre) failure

is microwave communication and other backup by using Satellite channel communication.

If the whole Optical fibre service of a railway network fails then the backup plan Microwave communication gets into action and provides service completely and if microwave communication fails then the whole railway network service comes under control of satellite channel communication. [15, 19]

5) What type of technique and methods are used to access and control the whole

railway system?

Distribution technique and mirroring methods.

Railway sector is a vast network; if the whole system is accessed and controlled as a single central system the It would create a bottleneck problem. Solution is to deploy distributing technique (i.e) the whole system is divided in to clusters of small systems to make the whole processes of the railway system easier.

The Railways sector has lot of information and confidential data that is being accessed by various employees of the railway sector. Sometimes there is a possibility of risk like delete or cut of original data. So except the central and supportive administrator all other employees are allowed to use only mirror image of the data and information, not the real value. [15, 26]

6) What type of interface is been chosen for the data transfer communication?

Communication occurs through different devices in a network and each device has its own protocol to communicate and to transfer the data. One of the important factor is the communication speed rate should be in acceptable one. So there is a need to optimize this communication area which becomes a challenging task. Solution is by adopting MPLS (Multi

Protocol Label Switching) Protocol. This MPLS supports different protocols and transfer

according to its appropriate operations. This works well in large systems. [30, 31, 32]

7) What type of Network topology is to be deployed in the railway system?

Extended start or dual ring Topology. If some systems /devices/ station get fails, the services can be provided by other sub-system/device or by nearby systems/stations. It will not affect the normal functioning. [14]

8) Is it right in maintaining the whole railway system by a single station/single admin

division?

Maintaining and controlling the whole railway system

by a single station/single admin division leads to central bottleneck problem. So maintaining and controlling should be interchanged randomly to all other stations/admin division team.

So by this interchanging strategy it will make the work to known to all other team of various divisions. So the third person or even the railway employees cannot judge from where the railway system is been controlled. It is type of backup plan and a security feature.

Other than Railway Information technology (IT) department staff based on their privileges, anyone should not Install/uninstall the software’s in the system. If it’s done they should be taken severe action under Cybercrime.

9) How a system/network in a railway system should be accessed by the employee?

Accessing the system/network by an employee should be based on the access control and Privileges.

A privilege assigned depends upon the employee work position category. Based on the privileges only each and every employee should access the systems and networks in the railway system. [15, 21]

10) What are the security measures that are to be implemented to block and to find the

unauthorized access in the system?

The security measures that are to be implemented in the system are follows, [10, 15]

Login file

To keep track the login user/employee details.

If any Unauthorizer acess

Lock the screen or to Lock the whole session.

Network

security Firewall restriction

11) Need to have separate department to find and analyze regarding define cybercrime

theft

Cybercrime department is needed to keep monitoring of each and every activity of the whole railway system. If they find something goes wrong, then they should take an immediate action on the

respective department employee. Since each employee has privileges in accessing

system/network of the railway system. So if an employee breaks his privileges or does any action other than his privileges or by unknown person (hackers, snoopers, etc) to make system/network/server to crashes are to be take action under cyber crime theft.

For example, if an employee works his to keep updating of number passengers and goods travelled in a train through a system. If system gets hanged or system gets down, he needs to complain about this to network/system admin department of that division to rectify it. Unless he tries himself like resetting the router/system/any device or to unplug of the network cable, need to provide security provisions like starts to ring alarm, automatic notification to division IT head and cyber maintenance team. So the employee will be taken under cyber crime action. He needs to explain the reason why he tried this, if it’s a valid reason he should be warned. If not he should be punished. So a railway system should need to have a separate cybercrime department.

12) Database complexity

Normally a railway sector will handle lots of information which will be stored in database for future references accesses. In order to avoid database overload and mapping complexity by implementing as individual database for each functionalities like

Separate Databases

Passenger details, Employee details, Vendor details and Railway information, Travel / Trip

Information.

By using separate databases we can reduce the mapping conflict and overload problems in a database around the network.

13) What is to be done in order to maintain the information/record/data of the railway

system?

They need to implement Archives service in order to maintain all records and information from all the databases. It will be also a backup plan to maintain the information of the railway system.

They need to maintain employee records for 40 years from date of joining in the database. Regarding Passengers, information of each reserved passenger is stored and maintained for at least one year in their database. These are to be done for security aspect.

14) Is there any backup plans for the systems/servers failures in the railway system?

For each Primary server they need to use backup source as a backup server for safety measure. If primary servers get down/fails then backup servers comes to active. If both fail then the whole operation comes under control of standby server automatically. If standby server gets to active mean that the system has in emergency problem. So it should be noted as priority issue and immediate recovery should be taken from IT the rectify team. [5, 6, 7,8, 9].

15) Any different approach in employee recruitments for high profile or in confidential

cater?

Employees are not to be recruited based upon only their talent, score or experience basis. They should undergo various tests like psychological, stress test etc before get appointed. It’s a one of a strategy to avoid problem in the organization due to insiders.

16) Whether the Railway sector employees need to check and keep updates about their

products and component that has been used in the railway service with current market?

By this process the employee will come to know about the products, components and service providers in the current market that are being related to their system growth.

So if any one of the service provider is not in business after a couple of years due to recession, change in ownership or some other reason, it will become risk for the railway service. So by monitoring and checking the current market trend of their usage of product and service provider will help in avoiding product service risk. Second is by based on keeping strict contract with their service providers. [36]

17) How about Training program?

Training program for the employees is to be based on real time scenario or model. It should not be a theory based approach. It would not give a proper understanding to know the importance and responsibilities about the organization network/system security. [7]

18)

System authentication features alone can provide security features for the network

and system security of the organization?

Security provisions for a network and system should not be based upon only system authentication. It cannot alone satisfy the full security requirements. So we need to use various authentication methods like biometric (finger prints, magnetic reader, digital signature, iris sensor, Voice/Image sensor) in order to provide strong security to an organization. [27, 28, 29]

3.3.2 To Physical security issues of the railways

Physical Security

Physical security plays a main role in formulating a complete BCP solution for an organization. [6] If an organization is strong in networks and systems security but lags behind in physical security, it leads to compromising the overall security of an organization.

Security provided by the system devices and Network devices can restrict or prohibit outsiders/ insiders (who try to access than their privilege) in to the system. But theft or external damage to the system/network cannot be avoided. In order to avoid the external damages such as theft, the railway sector needs to implement other type of authentication like Magnetic strip readers, Biometric devices using authentication methods like PIN, Password etc based upon the assets value and priority of the risk level. By providing these features we could decrease the likelihood of physical threats. [27, 28, 29]

Sensitive units of a railway sector like signal/track maintenance unit, Information technology unit, office rooms , research and development unit, record maintenance room, server room etc these should be prohibited for an outsider to enter, and at same time only the privilege allowed insiders to enter, these two condition can achieved by implementing the authentication methods and biometric devices. In Addition to that more sensitive places and rooms of the railway sector can be kept monitored by using CCTV(Closed circuit Television) provision.[13, 29]

A railway has its division and subdivision stations throughout the country (i.e.) in both rural and urban areas, since railway sector will connect and covers all corners of the country. Security level should never to be compromised based on the rural and urban point. All should be treated as a whole railway asset and need to implement the security constraints. To avoid terrorist threats, railway sector need to implement Bomb and metallic detector equipment provisions at entrance, exit and sensitive places of the stations with surveillance provisions. [33, 34]

To contain the threat from inside the organization, the organization is to be divided into several departments. Access to these departments is based upon the privilege of an employee and this is implemented through an employee card with a magnetic strip. Hence a threat management is localized to a particular department. Also this card can be used for attendance maintenance, employee login access record maintenance and to keep track of all employee information. So this strategy will increase the security to find out the theft based on Insiders and unauthorized access in a department. [20, 27, 28]

The above method is effective in managing the threat from inside the organization. But it is not sufficient in dealing with the threats from the outsiders, such as terrorist, competitors, hooligans etc. [33, 34]. Hence needs to provide trained security staff for the organization. The Staff used for securities should be well trained with well equipped equipments. The Security should be provided 24*7 and security staff should be rotated based on shifts. In case of Passengers, the passengers who are travelling in trains need to be checked and confirmed by Train ticket reader (TTR) officers, whether the booked person is travelling or not by verifying their ID proof like their social security number or either one of the copies of passport, driving licence, Pan card details. So we can avoid theft from outsiders. By using these strategies we can reduce and control the theft due to insiders and outsiders.

In the railway sector, accidents can be classified in to, • Mechanical failure.

• Human error.

These two failures can be avoided by giving proper training to the employees. Accidents in a railway system lead to loss of whole information system and human lives. Training programs is to be done periodically for the railway employees and security staffs. Training should simulate real life scenarios. So that individual knowledge of an employee can be tested and known. So they can form a separate department for trainings.

Online Help desk/ Railway Customer care services should to be provided, it makes to get feedback, drawbacks and problems regarding railway system via passenger and from other sources. It is one of the best ways to improve the business processes and infrastructure provision. Emergency Telephone Service should be provided by the railway organization in case of emergency problem. Emergency team, backup team should always be kept ready to act in all stations and sub-stations. In addition first Aid/hospitality service, security team, bomb detection team, fire service team should be provided in each stations and sub-stations of the railway system. These services are to be provided in all trains. Physical infrastructure provisions are needed to be improving by using Electronic locks, automatic emergency access door, door sensor, door alarm etc based on the risk and safety of the railway system. They can use Ultra sound train, to examine the cracks and defect in the tracks, which is to be used individually in each division to keep track the railway track condition. They can use collision

avoidance kit in all trains and signal sensing kit in each stations and railway rail toll gates to avoid the train accidents.

Natural disasters should be kept in mind while developing a business continuity plan, which cannot be judge when it happens. So taking care of these natural disasters while developing a BCP for a company will enable a company to handle these types of disaster. We can place fire sensor, fire alarm devices in all important places of the organization. To face big natural disasters like earthquake, tsunami etc. railway sector need to manage an alternate office, alternative source and alternative site which needs to be get in to work very soon when the disaster strikes. The location aspects of the alternative office should not be near or around the current office location. The alternate office is not only to be kept as a solution plan for the natural disaster recovery, often they can used as a backup divisions in maintaining the information/record/data that are involved in the railway system. It not means that this plan to be implemented in all divisions and divisions of the railway system, In some case divisions has this huge disaster, then as a backup plan the whole operations of this small sub-divisions can be get controlled by their respective head sub-divisions. A head division can be a backup source for the sub divisions. Finance is a main factor, so this alternate office plan cannot be provided to all divisions, they are provided based upon the risk priority and the information involved. [9, 33, 34]

The other main departments they need to have are • Safety and Security department.

• Quality and maintenance department.

Safety and Security department

They need to have meetings regarding safety and security regularly at least once in a week within each division, subdivisions of the organization. In meeting they are not to discuss only about their own division/sub-division safety and security improvement and problems, in addition they need to discuss with respective to other divisions/subdivisions problems and their improvement methods. Even safety and security staffs of each division and subdivision can visit the other divisions/subdivisions to take part in their meetings and can see lively how their strategy works. It can be taken done every 2 months.

Quality and maintenance department

By methods and planning, a railway organization must need to deploy lot of changes to their current infrastructure system to improve the safety and security to their assets. Changes like authentication devices, alternative office, whole system connection, backup components (system, server, and network connecting devices), fire sensors, door sensors, alarm… etc. Main problem is in maintenance, so they need to have a separate team in order to maintain these all components.

3.3.3 External dependencies

The whole railway system cannot be managed and serviced by the railway sector alone. Except its key functionalities; other process or functional units can be outsourced to other vendors like supplying some products, system service, customer care service, hospitality service etc they are known as external dependency. In BCP planning we have to consider them too. So if any threats/disasters happen to them it will affect the railway organizational plans too. External vendor should not be chosen based upon their low cost, service or by experience in the current market, instead they should be chosen based upon our BCP plan. In order to take precautions and security measures to face the threats. They need to be keep monitored with respective Quality and maintenance department of the railway sector. [5, 6, 7]

4. Conclusion

This research helped to understand, how to start and analyze a Business Continuity Plan (BCP) for a business. From literatures and case study we come to know that now BCP are getting more influential in today’s business. BCP are not only seen as security plan or backup plan by an organization. BCP plan are considering equal to the black box in an aircraft.

BCP will evaluate and give a complete skeleton of an organization with its vulnerabilities and possible security threats and disasters. It also provides information regarding business improvements, what are threats are possible to reduce with its current deployment. To conclude shortly

BCP plays two main role are,

• Reduced Decision Making during disaster or crisis time. • How to act and do their role and responsibilities by employee.

Today each and every organization is aware and knows the importance about BCP and making their own BCP solution for their business. But most companies are lagging in testing, training and reassessment of the BCP. This leads to serious issues.

So in future these areas should be focused much deeper by all organizations.

The BCP plan comes in to play when sudden crisis or disaster happens. Any organization cannot judge or predict when these will happens, but all employees in an organization must be ready to face and overcome all these challenges. It is possible only by giving proper training and testing the solution. Testing and training should be done and evaluated frequently.

Most important terms in today’s business are change. Nowadays business approach and methods are getting changed day by day. Based on changes threats/disaster level also will get increases. In order to be still in competitive each organization wants to revise or reassessment their BCP solution in regular intervals at minimum level of once every year. So that they can know whether their BCP solution is good enough with current trend or it required any additional features. It makes an organization to be more specific and competitive.

A business growth not only supports an organization wealth, it also supports a countries development. So each government in a country can take an additional responsibility to advise, recommend and support BCP solution for each organization.