Information Security Planning & Implementation

Today’s Reference: Whitman & Mattord, Management of Information Security, 2nd edition, 2008, Chapter 3
Overview
• InfoSec Planning
• Why Plan?
• Contingency Planning
– Business Impact Analysis (BIA)
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
• Continuity Strategies
InfoSec Planning
• “…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures” (Zviran, Hoge & Micucci (1990))
• “… a document that describes how an organisation will address its security needs.” (Pfleeger 2nd Ed. P. 471)
• An InfoSec plan contains:
– Risk Objectives
– Policy
– Current Status of Security
– Risk Analysis Results
– Requirements
– Recommendations
– Responsibilities
– Timetable
– Implementation Strategy
– Maintenance Schedule
Why Plan?
• 2-3% loss within an 8-day outage
• An outage of more than 10 days can threaten survival
• Increased dependence on continuous, available systems
• Clients may demand it (e.g. EDS & SA Govt.)
• Insurance company may demand it (for lower premiums)
• Company directors are not exposed to lawsuits
• Legal, statutory responsibilities
What is at stake?
• Inability to run critical applications (e.g. cash flow operations, management tools)
• Loss of industry image
• Loss of investor confidence
• Loss of competitive edge
• Legal violations
What Is Contingency Planning?
• The overall planning for unexpected events is called contingency planning (CP)
• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
• The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event
CP Components
• Business Impact Analysis (BIA)
• Incident response planning (IRP) focuses on immediate response
• Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
• Business continuity planning (BCP) facilitates establishment of operations at an alternate site
Business Impact Analysis (BIA)
• BIA provides information about systems and threats and provides detailed scenarios for each potential attack
• BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls (what might go wrong)
• BIA assumes controls have been bypassed or are ineffective, and the attack was successful (when something does go wrong)
Business Impact Analysis
• Define critical applications
• Define tolerance levels
• Consider different disaster scenarios
• Consider intangible effects, cash flow effects, extra expenses, future effects
– Loss of customers
– Missed sales enquiries
– Blown deadlines
– Dissatisfied customers
– Loss of market share
– Loss of investor confidence
Incident Response Planning
• Incident response planning covers identification of, classification of, and response to an incident
• Attacks are classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information resources
• Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident
Incident Response Plan
• The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
• Incident response (IR) is a set of procedures that commence when an incident is detected
Incident Response Plan
• When a threat becomes a valid attack, it is classified as an information security incident if:
– It is directed against information assets
– It has a realistic chance of success
– It threatens the confidentiality, integrity, or availability of information assets
• It is important to understand that IR is a reactive measure, not a preventative one
Disaster Recovery Planning
• What is a disaster?
– When the “outage” is greater than the tolerance
– The interruption of business due to loss or denial of the information assets required for normal operation
• Examples:
– National Library fire
– Flood in Sydney Stock Exchange
– 9-11 Twin Towers terrorist attack
• The question is not “if” a disaster occurs but “when” a disaster occurs
– We must forget about “probability” and emphasise “impact”
Disaster Recovery Planning
• An InfoSec management control which helps to “recover from” a man-made or natural disaster
• A process which does NOT prevent threats but addresses the impact when they occur
• A control that addresses NOT confidentiality, NOT integrity, but availability of information
• The objective is to minimise down-time, or the amount of time that critical IS services are unavailable (i.e. denied)
Disaster Recovery Planning
• Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
• In general, an incident is a disaster when:
– The organization is unable to contain or control the impact of an incident
– The level of damage or destruction from an incident is so severe the organization is unable to quickly recover
• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located
Management of Information Security, 2nd ed. - Chapter 3
What is a DR Plan?
• A tested set of procedures for reacting to and recovering from a catastrophe
• Addresses 2 timeframes:
– The present – maintenance, testing & training before a disaster occurs
– The future – what to do when a disaster occurs
• A “roadmap” which details procedures, responsibilities, contacts etc. in the event of a disaster
• It is a basis for decision making
Business Continuity Planning
• Outlines re-establishment of critical business operations during a disaster that impacts operations
• If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue functioning
• Development of a BCP is somewhat simpler than an IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy
Business Continuity Planning
• BCP ensures critical business functions can continue in a disaster
• BCP is most properly managed by the CEO of the organization
• BCP is activated and executed concurrently with the DRP when needed
• While the BCP reestablishes critical functions at an alternate site, the DRP focuses on reestablishment at the primary site
• BCP relies on identification of critical business functions and the resources to support them
Continuity Strategies
• There are several continuity strategies for business continuity; the determining factor is usually cost
• Three exclusive-use options:
– Hot sites
– Warm sites
– Cold sites
• Three shared-use options:
– Timeshare
– Service bureaus
– Mutual agreements
Exclusive Use Options
• Hot sites
– Fully configured computer facility with all services
• Warm sites
– Like a hot site, but software applications are not kept fully prepared
• Cold sites
– Only rudimentary services and facilities kept in readiness
Shared Use Options
• Timeshares
– Like an exclusive-use site but leased
• Service bureaus
– Agency that provides physical facilities
• Mutual agreements
– Contract between two organizations to assist each other
• Specialized alternatives
– Rolling mobile site
– Externally stored resources
Recovery Strategies
• In-house hot site
– Duplicate site
– Solely for recovery
– Sometimes used for development
– Sometimes extra in-house capacity at branch sites
• Commercial hot site
– International, interstate or local
– With or without communications, office space or maintained O/S parallelism
• In-house cold site
– A partially developed site
– A space set aside normally used for other purposes but can be converted quickly
• Commercial cold site
– International, interstate or local
– With or without communications or office space
• Casual arrangements
– Contract with suppliers
– Agreement with an organisation with the same equipment (reciprocal agreement)
– Handshake agreements
[Figure: cost ($) plotted against recovery time for the recovery options: hot site (in-house), commercial hot site, cold site (in-house), commercial cold site, casual arrangement]
WHAT YOU NEED TO KNOW
• The differences between CP, BIA, IRP, DRP & BCP
• Continuity Strategies