Hill Crest

Corporatio
n

Bondoc, Jessa Krizzel D.

Chancoco, Maria Jasmine
Rhei A.
Gonzales, John Kenneth M.
Lauricio, Helena Marie Q.
Manalese, Aarone Jan T.

Hill Crest Corporation is a private company located in California

providing an online legal software service including data storage and
administrative activities. Planning of IT facilities is delegated to data
processing professionals. It recently moved its headquarters into a
remodeled warehouse and architects retained much of the original
structure, including the wooden-shingled exterior and exposed
wooden beams throughout the interior.
The distributive processing computers and servers are situated
in a large open area making the data center accessible to the rest of
the staff promoting teamwork. City inspectors declared building safe
prior to occupancy; that is, it had adequate fire extinguishers,
sufficient exits, and so on.
It institutes a tape backup procedure that automatically backs up
the database every Sunday evening, to avoid interruption in the
daily operations and procedures. All tapes are labeled and carefully
stored on shelves in the data processing department.
The departmental operators manual has instructions on how to
use these tapes to restore the database, should the need arise. A list
of home phone numbers of the individuals in the data processing
department is available in case of an emergency. It recently
increased its liability insurance for data loss from $50,000 to
$100,000.

Describe the computer security weaknesses present

at Hill Crest Corporation that made it possible for a
disastrous data loss.

CURRENT LOCATION
The fact that the building is made of woodenshingled exterior and exposed wooded beams are
throughout the interior makes it even more prone to
disasters especially fire.
Although city inspectors declared the building
safe, the building was completely ruined by the fire to
which we may imply that the company failed to
consider the inclusion of systems such as sprinklers,
smoke detectors or fire suppression technologies that
could have prevented a total data loss to think that
the company is ventured in a very sensitive business.

 INADEQUATE BACKUP
The backup done by the company are very
infrequent and insufficient. Data backup should
be performed real time or at least daily because
by its nature, it is prone to risk of loss.
No second-site storage back up location. The data
backups were stored within the premises of the
company therefore at the outset of a disaster; no
recovery can be made if all data is wiped out
Housing data and programs in the same location.
The data should have been kept in a different
location
within
the
building
specifically
constructed using fire-retardant materials with
the adequate security systems such as passwordlocked doors, CCTV cameras.

 NO EXISTING DISASTER
RECOVERY PLAN
There was no formal or written disaster recovery
plan that Hill Crest would be using in events that
would paralyze its operations. Although there
were instructions given in the departmental
operators manual, these are not enough. There
were persons assigned but their duties and
responsibility were not appropriately delegated.

List the components that should have been included

in the disaster recovery plan at Hill Crest
Corporation to ensure computer recovery within 72
hours.
A well written and drafted disaster recovery plan
that requires an approval by senior management,
data-processing
management,
end-user
management and internal audit. It should include
a plan on how to acquire the hardware and
software to have at least a short term survival
and a communication plan on how to deal with
the disaster to ensure that data is recovered.

 A second-site or off-site location where data,

processes and programs necessary to revive the
companys operations will be stored. The company
will then resort to this location in cases of
emergency.
Organize a disaster recovery team. Select a
person who will be in charge, identify different
roles that will be needed, recognize duties and
responsibilities, create teams, develop a chart as a
guide for disaster procedures and delegate the
tasks.

 Duties and responsibility should include:

a. Meeting up and contacting to obtain use of
alternate data processing facilities that were
previously arranged with and are willing to help
and activate the backup system and network or
location second-site locations.
b. Retrieve back up data, processes and
programs.
c. Restore data and programs.
d. Identify the critical applications (those that are
NECESSARY to REVIVE the operations).
e. Reconstruct the backed-up data from the latest
back up to continue operations.

What factors, other than those

included in the plan itself?
Acquiring a business interruption insurance which
would cover the losses suffered by the company
during disaster.
Up-to-date or real time system and operations
documentation and easily accessible in cases of
emergency. Backup should include systems,
processes, programs and user data.
The adequacy of the disaster recovery plan by
testing it through simulations every once in a
while.

 Considering different types of scenarios be they

natural or technical.
The length of time the company may survive
amidst disaster and recovery.
Performing a risk/cost analysis to quantify the
expense that may be justified to obtain,
assurance that recovery can be accomplished in
72 hours.
-end-