IT Services and Data Security- Risk Assessment and Disaster Recovery Plan

About Cross:Train Gym

Cross:Train is a national gym brand offering a cross training solution to clients through personal training, scheduled classes and bootcamps. They believe in a holistic approach to health and fitness, teaching clients Olympic weightlifting moves, cardiovascular sessions and general fitness, as well as nutrition advice and bootcamps.

Cross:Train have 23 gyms around the country, located in cities, suburbia and rural areas. Three of the locations are in a high flood risk area. They employ over 200 staff members nationwide. They offer a flat monthly rate of £60 for full membership which includes access to all scheduled classes. Bootcamps and other special events carry additional cost but are discounted by 40% for members.

In a recent review it came to light that there have been some data protection issues where personal data was inadvertently shared, and the senior management team want to ensure that their staff are better trained and have access to devices which are controlled by the company. All gym staff are provided with a tablet to manage bookings, complete attendance registers and conduct one-to-one online sessions with clients who request advice. They also use the tablet to put together personal training programmes for clients.

There are several points senior management want to address with the new system:

• A new set of IT related policies and processes will be developed using the ITIL framework

• Staff will exclusively use their supplied tablet for work purposes and although they can take them home they will be carefully protected and monitored • A small team of technicians will be employed to provide technical support from a distance, with one national manager

• Gym managers will have access to a desktop PC in addition to the tablet and every PC in the company will be identical in set up

• Every gym will have password protected WiFi installed and senior management would like to offer access to clients

• In the near future a mobile app will be deployed to clients so they can make online payments, manage their own direct debit, sign up to sessions, cancel sessions, chat with other clients, track their fitness progress and share achievements

• Staff training in information security and data protection will be mandatory and must be completed at the point of first employment followed up with annual refresher training

• All systems will need to be password protected backed up and consistent across all locations

• Backups and routine maintenance for all systems will take place either overnight or on a Sunday afternoon  gyms are open 7am-10pm every day except Sunday, which opens 10am-2pm.

Requirements

Your task is to put together the following items

1. A risk assessment analysis relating to IT services and data security and your recommendations for risk mitigation to ensure business continuity. 

• To include identified risk name, description, likelihood and severity, overall risk score, specific mitigation with justification linked to business continuity

• All risks should be clearly related to this scenario

2. A summary of ethical, social, legal and regulatory compliance issues relating to this case study, to include clear information on all applicable laws and industry best practice (such as ISO27K). The summary should demonstrate an understanding of the differences between ethical and legal considerations. It should include a clear list of controls you plan to implement with justification for each.

• To include a comprehensive list of all pertinent legislation and ethical and social issues with clear controls identified and justified

• To include clear links between issues identified, suggested controls and associated legislation/standards

• To include an indication of consequences to the organisation in the event of non-compliance

3. An A4 electronic poster showing the steps to be taken for Disaster Recovery. It should indicate responsibilities and have a clear start and end. This process is to be followed by your IT team in the event of an IT related disaster. 

• Should be relevant to the target audience

• Should be generic enough to be followed in the event of any IT related disaster

• Use formal process flow notation

4. A reflection on the portfolio you have produced: its strengths and weaknesses and your own learning based on your degree route.

• The reflection needs to be honest and identify areas for improvement within the portfolio, with justifications

• You can reflect on every aspect of the portfolio you have produced, including presentation, your recommendations, content, references, time management etc.

• It should link to your prior learning, and future career choice