Disaster Recovery by EC-Council / Cengage Learning's Course Technology / Michael Goldner - Heavy Plagiarism

Fri Dec 9 18:39:57 CST 2011

The book "Disaster Recovery" is dual-branded as "Course Technology / Cengage Learning" on the upper left and EC-Council | Press on the upper right, along with EC-Council's Certified Ethical Hacker (C|EH) at the bottom right. The book's information page at the start lists Course / Cengage, but the copyright is 2010 EC-Council. Both Course / Cengage and EC-Council staff are listed under the book title. The preface on page xiii has an introductory paragraph, then "About EC-Council", followed by "About the EC-Council | Press". According to the paragraph there, and a press release from Course / Cengage, EC-Council | Press is a partnership between EC-Council and Cengage.

On page xix, titled "Acknowledgements", it credits Michael H. Goldner as working "closely with both EC-Council and Delmar/Cengage Learning in the creation of this EC-Council Press series". While it does not explicitly call him the author, having an entire page acknowledging him suggests he wrote the book or was the lead in putting together the material.

Mr. Bavisi, President of EC-Council, has confirmed that Michael Goldner is not an EC-Council employee or a contractor of EC-Council. Based on that, the following material identified as plagiarized appears to be the responsibility of Cengage Learning's Course Technology group, formerly Thomson Course Technology. From page xvii:

Michael H. Goldner, is the Chair of the School of Information Technology for ITT Technical Institute in Norfolk Virginia, and also teaches bachelor level courses in computer network and information security systems. Michael has served on and chaired ITT Educational Services Inc. National Curriculum Committee on Information Security. He received his Juris Doctorate from Stetson University College of Law, his undergraduate degree from Miami University and has been working for more than 15 years in the area of information technology. He is an active member of the American Bar Association, and has served on that organization's Cyber Law committee. He is a member of IEEE, ACM, and ISSA, and is the holder of a number of industrially recognized certifications including, CISSP, CEH, CHFI, CEI, MCT, MCSE/Security, Security +, Network +, and A +. Michael recently completed the design and creation of a computer forensic program for ITT Technical Institute, and has worked closely with both EC-Council and Delmar/Cengage Learning in the creation of this EC-Council Press series.

The Plagiarism

The following tables detail the portions of the book that were taken from other sources, making up a considerable amount of the material. A cursory examination was performed on portions of three chapters due to time limitations; however, we feel that the amount of material found to be taken from other sources is considerable and likely represents only a fraction of the plagiarism present. Information is included to distinguish not only plagiarized material, but which material was edited to some degree. This shows willful infringement of copyright and inexcusable plagiarism.

Note: Page numbers in this book are in the format #-#, so e.g. 1-7 represents Chapter 1, page 7, and 5-7 represents Chapter 5, page 7.

Chapter / Page | Description | Original Source
1-10 - 1-11 | Disaster Recovery Checklist | Mostly verbatim from Peak10.com's DR checklist. An older version without a registration requirement is available. There is some slight rewording and an addition of at least one check item.
2-3 | Antibribery Provisions | Footnotes from usdoj.gov, but the text does not appear there.
2-7 | Lay Person's Guide | Half a page is verbatim from Justice.gov's Foreign Corrupt Practices Act: Antibribery Provisions (archive.org).
2-8 - 2-11 | Prohibited Foreign Corrupt Practices | Most is verbatim from Justice.gov's 1018 Prohibited Foreign Corrupt Practices document (archive.org). It re-orders the sentences a bit.
2-4 | Sanctions Against Bribery | Footnotes from usdoj.gov, but the text does not appear there. 75% of one page is verbatim from Justice.gov's Foreign Corrupt Practices Act: Antibribery Provisions (archive.org). Another page is verbatim from HHS.gov's HIPAA statutes without clearly citing it.
2-4 - 2-5 | HIPAA Privacy and Disclosures in Emergency Situations | Footnotes from hhs.gov and cms.hhs.gov. A good amount of eight more pages is taken from the Disclosures in Emergency Situations FAQ.
2-5 - 2-5 | Financial Institutions: Financial Modernization Act of 1999 | Footnotes from www.ftc.gov, but the text does not appear there. Parts are verbatim, with edits for formatting, from RegulatoryPro.us's GLBA summary.
2-6 | Flood Disaster Protection Act of 1973 | Footnotes from fdic.gov without credit (archive.org).
2-6 - 2-7 | Disaster Relief and Emergency Assistance Act | Footnotes from fema.gov without credit, as well as the Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended, and Related Authorities (archive.org).
2-7 | Overview of the Stafford Act | Footnotes from fpc.state.gov (archive.org).
2-8 | CAN-SPAM Act of 2003 | Footnotes a Google-obfuscated URL to a frwebgate.access.gpo.gov document (404, no archive.org copy).
4-3 - 4-4 | Business Continuity Plan | See the breakout table below, with the highlighted portions directly copied and the rest summarized or slightly edited. Definitive plagiarism, and potentially enough edits to try to hide the plagiarism. This is a sample of material from this section. Other parts in 4-4 to 4-7 are taken from a document by ASIS International (archive.org). Material in 4-8 to 4-9 is similarly plagiarized from the LSU Crisis Communication Plan from 2007 (archive.org).
4-11 - 4-21 | Contingency Planning | Bullet lists are taken verbatim from NIST SP800-34, including the exact order of topics and the heading names.
4-5 - 5-12 | Risk Assessment Methodology | Parts are taken directly from NIST SP800-30; the risk assessment methodology is verbatim. Figures are pieces of a bigger chart in NIST SP800-30. The second figure on 5-10 is verbatim from NIST but is labeled "Copyright by EC-Council. All rights reserved. Reproduction is strictly prohibited."

Business Continuity Plan chapter breakout table:

Cengage Book (2011):
Assign Accountability

The senior leadership of the organization is responsible for creating, maintaining, testing, and implementing the BCP. All staff members must understand that the BCP is a high priority. It is also important that management at all levels understand their own level of accountability in the BCP.
  • Corporate policy: The BCP should contain all steps to protect people, property, and business interests.
  • Ownership of systems, processes, and resources: Organizations must clearly identify who is responsible for systems, resources, and key business processes.
  • Planning team: A BCP team should be appointed to ensure widespread acceptance of the BCP.
  • Communicating the BCP: The organization needs to communicate the BCP throughout all levels and departments of the organization. All employees should know the BCP structure and their roles within the plan.
Perform Risk Assessment

Risk assessment will identify and analyze the types of risk that can potentially impact the organization. Using existing information about known or anticipated risks, organizations should identify and review new risks that may impact the business and rate the likelihood of each risk. A risk assessment matrix mapping assets, vulnerabilities, probable threats, and risk mitigation methods can be used to identify risks and prioritize mitigation strategies.

Conduct a Business Impact Analysis (BIA)

After identifying the risks, the impact of an interruption in normal operations should be examined in a business impact analysis (BIA). A BIA is an essential function of a business continuity plan that includes analysis of vulnerabilities, risks, components critical to business functionality and/or survival, and a strategy for minimizing those discovered risks to keep the business operational during any critical disruption. The following are the steps involved in a BIA:
  1. Identify critical processes: Organizations must identify and document critical business processes. The document should include such processes as purchasing, manufacturing, supply chain, sales, distribution, accounts receivable, accounts payable, payroll, IT, and research and development. Organizations should assign the importance of these services as high, medium, or low.
  2. Assess crisis impact:
    • Human cost
    • Financial cost
    • Reputation cost
  3. Determine maximum allowable outage and recovery time:
    • Determine the period that a process can fail to function before the impact becomes unacceptable
    • Determine the acceptable amount of time for restoring the process
    • Identify and document backup processes
    • Evaluate the costs of alternate procedures versus waiting for the system to be restored
  4. Identify resources required for resumption and recovery: These resources consist of personnel, technology, hardware and software, specialized equipment, and critical business records. Identifying, backing up, and storing critical business records in a secured location are important parts of an effective BCP.
Strategic Planning

Strategic planning addresses identification and implementation of:
  • Methods to mitigate the risks and exposures identified in the BIA and risk assessment
  • Plans and procedures to respond to any crisis
The BCP should contain multiple strategies to address different probably situations. It also addresses the duration of a business interruption and the extent of interruption. The strategies selected should be attainable, cost effective, likely to succeed, and relevant to the size and scope of the organization.
Business Continuity Guideline (2005):

Assign Accountability

It is essential that senior leadership of the organization sponsors and takes responsibility for creating, maintaining, testing, and implementing a comprehensive Business Continuity Plan (BCP). This will insure that management and staff at all levels within the organization understand that the BCP is a critical top management priority. It is equally essential that senior leadership engage a "top down" approach to the BCP so that management at all levels of the organization understand accountability for effective and efficient plan maintenance as part of the overall governance priorities.
  • Corporate Policy - In the event of a crisis, an organization-wide BCP Policy committed to undertaking all reasonable and appropriate steps to protect people, property, and business interests is essential. Corporate policy should include a definition of a "crisis."
  • Ownership of Systems, Processes, and Resources - Responsibility for systems and resource availability and key business processes should be clearly identified in advance.
  • Planning Team - A Business Continuity Planning Team with responsibility for BCP development that includes senior leaders from all major organizational functions and support groups should be appointed to ensure wide-spread acceptance of the BCP.
  • Communicate BCP - The BCP should be communicated throughout the organization, to ensure employees are aware of the BCP structure and their roles within the plan.

Perform Risk Assessment

Step two in the creation of a comprehensive BCP is completion of a Risk Assessment, designed to identify and analyze the types of risk that may impact the organization. Assessment should be performed by a group representing various organizational functions and support groups. More detailed information on Risk Assessments can be found in the ASIS General Security Risk Assessment Guideline, available at www.asisonline.org/guidelines/guidelines.htm.

Conduct Business Impact Analysis (BIA)

Once risks have been identified, any organizational impacts that could result from an interruption of normal operations should be examined in a Business Impact Analysis (BIA).
  1. Identify Critical Processes - Business critical processes should be identified and documented. They could include purchasing, manufacturing, supply chain, sales, distribution, accounts receivable, accounts payable, payroll, IT, and research and development. Once the critical processes are identified, an analysis of each can be made using the evaluation criteria described below. Processes should be ranked as a High, Medium, or Low.
  2. Assess Impact if Crisis Were to Happen
    • Human cost: physical and psychological harm to employees, customers, suppliers, other stakeholders, etc.
    • Financial cost: equipment and property replacement, downtime, overtime pay, stock devaluation, lost sales/business, lawsuits, regulatory fines/penalties, etc.
    • Corporate image cost: reputation, standing in the community, negative press, loss of customers, etc.
  3. Determine Maximum Allowable Outage and Recovery Time Objectives
    • Determine how long process can be nonfunctional before impacts become unacceptable
    • Determine how soon process should be restored (shortest allowable outage restored first)
    • Determine different recovery time objectives according to time of year (year-end, tax filing, etc.)
    • Identify and document alternate procedures to a process (manual workarounds or processes, blueprints, notification/calling trees, etc.)
    • Evaluate costs of alternate procedures versus waiting for system to be restored.
  4. Identify Resources Required for Resumption and Recovery - Such resources can include personnel, technology hardware and software (including telecommunications), specialized equipment, general office supplies, facility/office space and critical and vital business records. Identifying, backing-up, and storing critical and vital business records in a safe and accessible location are essential prerequisites for an effective BCP.
Agree on Strategic Plans

Strategic planning addresses the identification and implementation of:
  • Methods to mitigate the risks and exposures identified in the BIA and Risk Assessment (see 11.2 Prevention)
  • Plans and procedures to respond to any crisis that does occur.
A BCP may include multiple strategies that address a variety of probable situations, including the duration of the business interruption (short versus long term), the period in which it occurs (peak versus low), and the extent of the interruption (partial versus complete).

Parts of this book are available on Google Books.
