INFORMATION SECURITY PLANNING & IMPLEMENTATION
Today's Reference: Whitman & Mattord, Management of Information Security, 2nd edition, 2008, Chapter 3

Overview
• InfoSec Planning
• Why Plan?
• Contingency Planning
  – Business Impact Analysis (BIA)
  – Incident Response Planning (IRP)
  – Disaster Recovery Planning (DRP)
  – Business Continuity Planning (BCP)
• Continuity Strategies

InfoSec Planning
• "…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures" (Zviran, Hoge & Micucci, 1990)
• "…a document that describes how an organisation will address its security needs." (Pfleeger, 2nd ed., p. 471)
• An InfoSec plan contains:
  – Risk Objectives
  – Policy
  – Current Status of Security
  – Risk Analysis Results
  – Requirements
  – Recommendations
  – Responsibilities
  – Timetable
  – Implementation Strategy
  – Maintenance Schedule

Why Plan?
• 2-3% loss within an 8-day outage
• An outage of more than 10 days can threaten the survival of the organisation
• Increased dependence on continuous, available systems
• Clients may demand it (e.g. EDS & SA Govt.)
• The insurance company may demand it (for lower premiums)
• So that company directors are not exposed to law suits
• Legal and statutory responsibilities

What is at stake?
• Inability to run critical applications (i.e. cash flow operations, management tools)
• Loss of industry image
• Loss of investor confidence
• Loss of competitive edge
• Legal violations

What Is Contingency Planning?
• The overall planning for unexpected events is called contingency planning (CP)
• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
• The main goal is the restoration of normal modes of operation, with minimum cost and disruption to normal business activities, after an unexpected event

CP Components
• Business Impact Analysis (BIA)
• Incident response planning (IRP) focuses on the immediate response
• Disaster recovery planning (DRP) focuses on restoring operations at the primary site after a disaster occurs
• Business continuity planning (BCP) facilitates the establishment of operations at an alternate site

Business Impact Analysis (BIA)
• BIA provides information about systems and threats and provides detailed scenarios for each potential attack
• BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks in order to determine controls (what might go wrong)
• BIA assumes controls have been bypassed or are ineffective, and the attack was successful (when something does go wrong)

Business Impact Analysis
• Define critical applications
• Define tolerance levels
• Consider different disaster scenarios
• Consider intangible effects, cash flow effects, extra expenses and future effects:
  – Loss of customers
  – Missed sales enquiries
  – Blown deadlines
  – Dissatisfied customers
  – Loss of market share
  – Loss of investor confidence

Incident Response Planning
• Incident response planning covers identification of, classification of, and response to an incident
• Attacks are classified as incidents if they:
  – Are directed against information assets
  – Have a realistic chance of success
  – Could threaten the confidentiality, integrity, or availability of information resources
• Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident
Incident Response Plan
• The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
• Incident response (IR) is the set of procedures that commence when an incident is detected

Incident Response Plan
• When a threat becomes a valid attack, it is classified as an information security incident if:
  – It is directed against information assets
  – It has a realistic chance of success
  – It threatens the confidentiality, integrity, or availability of information assets
• It is important to understand that IR is a reactive measure, not a preventative one

Disaster Recovery Planning
• What is a disaster?
  – When the "outage" is greater than the tolerance level
  – The interruption of business due to loss or denial of the information assets required for normal operation
• Examples:
  – National Library fire
  – Flood in the Sydney Stock Exchange
  – 9/11 Twin Towers terrorist attack
• The question is not "if" a disaster occurs but "when" a disaster occurs
  – We must forget about "probability" and emphasise "impact"

Disaster Recovery Planning
• An InfoSec management control which helps to "recover from" a man-made or natural disaster
• A process which does NOT prevent threats but addresses the impact when they occur
• A control that addresses NOT confidentiality, NOT integrity, but availability of information
• The objective is to minimise down-time, the amount of time that critical IS services are unavailable (i.e. denied)

Disaster Recovery Planning
• Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
• In general, an incident is a disaster when:
  – The organization is unable to contain or control the impact of the incident
  – The level of damage or destruction from the incident is so severe that the organization is unable to recover quickly
• The key role of a DRP is defining how to re-establish operations at the location where the organization is usually located

What is a DR Plan?
• A tested set of procedures for reacting to and recovering from a catastrophe
• Addresses 2 timeframes:
  – The present: maintenance, testing & training before a disaster occurs
  – The future: what to do when a disaster occurs
• A "roadmap" which details procedures, responsibilities, contacts etc. in the event of a disaster
• It is a basis for decision making

Business Continuity Planning
• Outlines the re-establishment of critical business operations during a disaster that impacts operations
• If a disaster has rendered the business site unusable for continued operations, there must be a plan to allow the business to continue functioning
• Development of a BCP is somewhat simpler than an IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into that strategy

Business Continuity Planning
• BCP ensures that critical business functions can continue during a disaster
• BCP is most properly managed by the CEO of the organization
• BCP is activated and executed concurrently with the DRP when needed
• While BCP re-establishes critical functions at an alternate site, DRP focuses on re-establishment at the primary site
• BCP relies on identification of the critical business functions and the resources needed to support them

Continuity Strategies
• There are several continuity strategies for business continuity; the determining factor is usually cost
• Three exclusive-use options:
  – Hot sites
  – Warm sites
  – Cold sites
• Three shared-use options:
  – Timeshare
  – Service bureaus
  – Mutual agreements

Exclusive Use Options
• Hot sites: a fully configured computer facility with all services
• Warm sites: like a hot site, but the software applications are not kept fully prepared
• Cold sites: only rudimentary services and facilities are kept in readiness

Shared Use Options
• Timeshares: like an exclusive-use site, but leased
• Service bureaus: an agency that provides physical facilities
• Mutual agreements: a contract between two organizations to assist each other
• Specialized alternatives:
  – Rolling mobile site
  – Externally stored resources

Recovery Strategies
• In-house hot site
  – Duplicate site
  – Solely for recovery
  – Sometimes used for development
  – Sometimes extra in-house capacity at branch sites
• Commercial hot site
  – International, interstate or local
  – With or without communications, office space or maintained O/S parallelism
• In-house cold site
  – A partially developed site
  – A space set aside, normally used for other purposes, that can be converted quickly
• Commercial cold site
  – International, interstate or local
  – With or without communications or office space
• Casual arrangements
  – Contract with suppliers
  – Agreement with an organisation that has the same equipment (reciprocal agreement)
  – Handshake agreements

[Figure: cost ($) plotted against recovery time for each option, listed as: hot site (in-house), commercial hot site, cold site (in-house), commercial cold site, casual arrangement]

WHAT YOU NEED TO KNOW
• The differences between CP, BIA, IRP, DRP & BCP
• Continuity Strategies
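Worked example, added here and not part of the Whitman & Mattord slides: a small Python model that carries the BIA steps (define critical applications, define tolerance levels, consider disaster scenarios, estimate cash-flow and extra-expense effects) through to the continuity-strategy choice, where cost is the determining factor. It applies the Disaster Recovery slide's rule that an outage greater than the tolerance level is a disaster, and the rule that a shared recovery site must satisfy the strictest tolerance of any critical application. The application names, hourly losses, breach penalties, recovery times and annual costs are hypothetical figures constructed for illustration; the loss model (flat hourly rate plus a one-off penalty once tolerance is exceeded) is an assumption of this example, not something the slides specify.

```python
# Added worked example (not from the slides): a BIA model that links tolerance
# levels to incident/disaster classification and to the cheapest continuity
# option whose recovery time fits inside the tolerance. All names, figures and
# recovery times below are hypothetical, constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CriticalApplication:
    name: str
    tolerance_hours: float   # tolerance level: longest outage the business can absorb
    hourly_loss: float       # cash-flow effect for every hour of outage
    breach_penalty: float    # one-off extra expense / intangible effect once tolerance is exceeded


@dataclass(frozen=True)
class ContinuityOption:
    name: str
    recovery_hours: float    # time to re-establish the application at this site
    annual_cost: float       # cost is usually the determining factor between options


def classify(app: CriticalApplication, outage_hours: float) -> str:
    """Slides' rule: an outage greater than the tolerance is a disaster, otherwise an incident."""
    return "disaster" if outage_hours > app.tolerance_hours else "incident"


def outage_impact(app: CriticalApplication, outage_hours: float) -> float:
    """Estimated loss for one scenario; the penalty only applies once tolerance is breached."""
    loss = app.hourly_loss * outage_hours
    if classify(app, outage_hours) == "disaster":
        loss += app.breach_penalty
    return loss


def rank_by_criticality(apps, outage_hours):
    """Order applications by impact under one scenario, worst first (this defines the critical list)."""
    return sorted(apps, key=lambda a: outage_impact(a, outage_hours), reverse=True)


def cheapest_adequate_option(app, options) -> Optional[ContinuityOption]:
    """Cheapest option that recovers inside the tolerance; None means no listed option is adequate."""
    adequate = [o for o in options if o.recovery_hours <= app.tolerance_hours]
    return min(adequate, key=lambda o: o.annual_cost) if adequate else None


def site_for_plan(apps, options) -> Optional[ContinuityOption]:
    """One shared site must satisfy the strictest tolerance, so the most critical app drives the choice."""
    strictest = min(apps, key=lambda a: a.tolerance_hours)
    return cheapest_adequate_option(strictest, options)


def bia_report(apps, options, outage_hours):
    """Rows of (name, classification, impact, recommended option) for one disaster scenario."""
    rows = []
    for app in rank_by_criticality(apps, outage_hours):
        option = cheapest_adequate_option(app, options)
        rows.append((app.name, classify(app, outage_hours), outage_impact(app, outage_hours),
                     option.name if option else "no adequate option"))
    return rows


# Constructed sample data (hypothetical figures).
PAYMENTS = CriticalApplication("Payments", tolerance_hours=4, hourly_loss=20_000, breach_penalty=500_000)
ORDER_ENTRY = CriticalApplication("Order entry", tolerance_hours=24, hourly_loss=5_000, breach_penalty=100_000)
REPORTING = CriticalApplication("Reporting", tolerance_hours=120, hourly_loss=200, breach_penalty=10_000)
INTRANET = CriticalApplication("Intranet", tolerance_hours=240, hourly_loss=50, breach_penalty=0)
APPLICATIONS = [INTRANET, REPORTING, PAYMENTS, ORDER_ENTRY]

OPTIONS = [
    ContinuityOption("In-house hot site", recovery_hours=2, annual_cost=900_000),
    ContinuityOption("Commercial hot site", recovery_hours=8, annual_cost=400_000),
    ContinuityOption("Warm site", recovery_hours=48, annual_cost=150_000),
    ContinuityOption("In-house cold site", recovery_hours=96, annual_cost=60_000),
    ContinuityOption("Commercial cold site", recovery_hours=168, annual_cost=40_000),
    ContinuityOption("Casual arrangement", recovery_hours=336, annual_cost=5_000),
]

if __name__ == "__main__":
    flood = 72  # hypothetical scenario: a 72-hour outage of the primary site
    for name, kind, impact, option in bia_report(APPLICATIONS, OPTIONS, flood):
        print(f"{name:<12} {kind:<9} ${impact:>12,.0f}  -> {option}")
    site = site_for_plan(APPLICATIONS, OPTIONS)
    print("Site the plan must fund:", site.name if site else "none adequate")
```

Under the 72-hour scenario the payments and order-entry applications exceed their tolerance and are disasters, while reporting and the intranet remain incidents; the plan as a whole is priced by the application with the strictest tolerance, which is why the same facility choice that is cheapest for the intranet would be inadequate for payments. An application whose tolerance is shorter than every listed option's recovery time yields no adequate option, which is the signal that either the tolerance must be renegotiated or a faster (and costlier) strategy added.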