Ch3ContingencyPlanning

INFORMATION SECURITY
MANAGEMENT
LECTURE 3:
PLANNING FOR CONTINGENCIES
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Principles of Information Security Mgmt
Include the following characteristics that will be the
focus of the current course (six P’s):
1. Planning (Chapters 2 & 3)
2. Policy (Chapter 4)
3. Programs
4. Protection
5. People
6. Project Management
http://csrc.nist.gov/publications/PubsTC.html
Introduction
One study found that over 40% of businesses that don't
have a disaster plan go out of business after a major loss
Small Business Approaches
Additional Approaches
Introduction – 2012 Natural Disaster Map
Contingency Planning
• Contingency planning (CP)
– The overall planning for unexpected events
– Involves preparing for, detecting, reacting to, and recovering
from events that threaten the security of information resources
and assets
Fundamentals of Contingency Planning
Incident Response
Disaster Recovery
Business Continuity
Developing a CP Document
• Develop the contingency planning policy statement
• Conduct the BIA
• Identify preventive controls
• Develop recovery strategies
• Develop an IT contingency plan
• Plan testing, training, and exercises
• Plan maintenance
Business Impact Analysis (BIA)
Provides detailed scenarios of each potential attack’s impact
Business Impact Analysis (cont’d.)
• The CP team conducts the BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification
• What are the goals of a BIA?
Management of Information Security, 3rd ed.
Business Impact Analysis (cont’d.)
• An organization that uses a risk management process will
have identified and prioritized threats
• The second major BIA task is the analysis and
prioritization of business functions within the
organization
• Each should be categorized
Business Impact Analysis (cont’d.)
• Create a series of scenarios depicting impact of successful
attack on each functional area
• Attack profiles should include scenarios depicting typical
attack including:
(1) Methodology, (2) Indicators, (3) Broad consequences
• Estimate the cost
Should this be done in-house or outsourced?
NIST Business Process and Recovery Criticality
Key recovery measures:
• Maximum Tolerable Downtime (MTD) - total amount of time
the system owner is willing to accept for a mission/business
process outage or disruption
• Recovery time objective (RTO) - maximum amount of time that
a system resource can remain unavailable before there is an
unacceptable impact on other system resources and processes
• Recovery point objective (RPO) - point in time, prior to a
disruption or system outage, to which mission/business
process data can be recovered after an outage
NIST Business Process and Recovery Criticality
• Work Recovery Time (WRT) - amount of effort that is
necessary to get the business function operational
AFTER the technology element is recovered
• Can be added to the RTO to determine the realistic amount of
elapsed time before a business function is back in useful service
• Total time needed to place the business function back in
service must be shorter than the MTD
• Must balance the cost of system inoperability against the
cost of recovery
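The relationships among these measures (RTO + WRT must fit inside the MTD, the backup interval must not exceed the RPO, and the cheapest recovery strategy that still fits the MTD is the one to pick) can be checked mechanically. The following is an added illustration, not code from the lecture or from the NIST guidance it summarizes; the processes, durations and strategy costs are constructed sample values.

```python
from dataclasses import dataclass

# All durations are in hours. Sample data below is constructed for illustration.


@dataclass
class BusinessProcess:
    name: str
    mtd: float              # Maximum Tolerable Downtime
    rto: float              # Recovery Time Objective of the supporting system
    rpo: float              # Recovery Point Objective (acceptable data-loss window)
    wrt: float              # Work Recovery Time once the technology is back
    backup_interval: float  # how often the process's data is actually backed up


def realistic_downtime(p: BusinessProcess) -> float:
    """RTO plus WRT: elapsed time before the function is back in useful service."""
    return p.rto + p.wrt


def assess(p: BusinessProcess) -> list:
    """Criticality findings for one process; an empty list means the measures are consistent."""
    findings = []
    total = realistic_downtime(p)
    if total > p.mtd:
        findings.append(f"{p.name}: RTO {p.rto}h + WRT {p.wrt}h = {total}h exceeds MTD {p.mtd}h")
    if p.backup_interval > p.rpo:
        findings.append(f"{p.name}: backups every {p.backup_interval}h cannot meet RPO {p.rpo}h")
    return findings


def recovery_priority(processes) -> list:
    """Process names ordered by MTD, shortest first: the order in which to restore them."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]


def choose_strategy(p: BusinessProcess, options):
    """Cheapest option (name, rto, annual_cost) whose RTO plus the process WRT fits the MTD.

    This balances recovery cost against inoperability: pay no more than needed to stay under MTD.
    Returns None when no option is feasible.
    """
    feasible = [o for o in options if o[1] + p.wrt <= p.mtd]
    return min(feasible, key=lambda o: o[2], default=None)


SAMPLE = [
    BusinessProcess("Order entry", mtd=8, rto=4, rpo=1, wrt=2, backup_interval=1),
    BusinessProcess("Payroll", mtd=72, rto=48, rpo=24, wrt=30, backup_interval=24),
    BusinessProcess("Customer email", mtd=24, rto=12, rpo=4, wrt=4, backup_interval=12),
]
# Constructed strategy options for the Payroll process: (name, RTO hours, annual cost).
PAYROLL_OPTIONS = [("tape restore", 48, 5000), ("warm site", 24, 20000), ("hot site", 2, 90000)]
```

Running `assess` over `SAMPLE` flags Payroll (RTO + WRT of 78h exceeds its 72h MTD) and Customer email (12h backups cannot satisfy a 4h RPO), and `choose_strategy` picks the warm site for Payroll because tape restore would overshoot the MTD.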
Timing and Sequence of CP Elements
Figure 3-6 Contingency planning implementation timeline
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Incident Response Plan
The question is not will an incident occur,
but rather when an incident will occur
• A detailed set of processes and procedures that
commence when an incident is detected
• When a threat becomes a valid attack, it is classified as
an information security incident if it:
– is directed against information assets
– has a realistic chance of success
– threatens the confidentiality, integrity, or availability of
information assets
Incident Response Plan (cont’d.)
Who creates the incident response plan?
• Planners develop and document the procedures that
must be performed during the incident and
immediately after the incident has ceased
• Separate functional areas may develop different
procedures
Incident Response Plan (cont’d.)
• Develop procedures for tasks that must be performed
in advance of the incident
– Details of data backup schedules
– Disaster recovery preparation
– Training schedules
– Testing plans
– Copies of service agreements
– Business continuity plans
Incident Response Plan (cont’d.)
Figure 3-3 Incident response planning
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Incident Response Plan (cont’d.)
• Planning requires a detailed understanding of the
information systems and the threats they face
• The IR planning team seeks to develop pre-defined
responses that guide users through the steps needed to
respond to an incident
Incident Response Plan (cont’d.)
• Incident classification
– Determine whether an event is an actual incident
– Uses initial reports from end users, intrusion detection systems,
host- and network-based virus detection software, and systems
administrators
(Example: RSA Data Loss Prevention)
Incident Response Software
Incident Response Plan Tools
Incident Response Plan: Indicators
• Possible indicators
• Probable indicators
• Definite indicators
• When the following occur, the corresponding IR must
be immediately activated
– Loss of availability
– Loss of integrity
– Loss of confidentiality
– Violation of policy
– Violation of law
http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-tochina-surfs-web
Incident Response Plan (cont’d.)
• Once an actual incident has been confirmed and properly
classified
– IR team moves from the detection phase to the reaction phase
– A number of action steps must occur quickly and may occur
concurrently
Incident Response Plan: Action Steps
1. Notification of key personnel (alert roster)
2. Assignment of tasks
3. Documentation of the incident
Incident Response Plan (cont’d.)
• The essential task of IR is to stop the incident or contain
its impact
• Incident containment strategies focus on two tasks:
IRP: Stopping the Incident
Containment strategies
• Once contained and system control regained, incident
recovery can begin
• Incident damage assessment
• An incident may increase in scope or severity to the
point that the IRP cannot adequately contain the
incident
IRP: Recovery Process
• Identify the vulnerabilities
• Address the safeguards that failed
• Evaluate monitoring capabilities (if present)
• Restore the data from backups as needed
• Restore the services and processes in use
• Continuously monitor the system
• Restore the confidence of the members
Incident Response Plan (cont’d.)
• When an incident violates civil or criminal law, it is the
organization’s responsibility to notify the proper
authorities
• Involving law enforcement has both advantages and
disadvantages
Article: Incident Response – SANS Survey
Disaster Recovery Plan
• The preparation for and recovery from a disaster,
whether natural or man-made
• In general, an incident is a disaster when:
Disaster Recovery Plan (cont’d.)
• The key role of a DRP is defining how to reestablish
operations at the location where the organization is
usually located
• Common DRP classifications:
• Natural Disasters
• Human-made Disasters
• Scenario development and impact analysis
– Used to categorize the level of threat of each potential disaster
Disaster Recovery Plan (cont’d.)
Discussion on Disaster Recovery Myths
"Dispelling 10 Common Disaster Recovery Myths: Lessons Learned from Hurricane Katrina and Other Disasters"
Brett J. L. Landry (University of Dallas) and M. Scott Koger (Western Carolina University)
Common Myths to Avoid in
Disaster Recovery
• Only Plan for Natural Disasters
• Mock Tests are not Enough
• External Threats are the only Attack on
Resources
• Data Recovery Sites are Ready for a DR
• Employee Non-Working Areas are
Adequately Equipped
Common Myths to Avoid in
Disaster Recovery
• Implementing DR Testing at a Later Time
for New Systems
• Replacement Equipment will be Available
for DR During or After
• Back-up Data Works and can be Restored
after DR
• DR can be Planned in Company Depts.
• Employees are Aware of what they Need to
Do
Disaster Recovery
• Be a ‘Pessimist’ - (TV show Doomdayers)
• Plan, plan, and plan
• Multiple scenarios
• Have a Multitude of Backups and
Contingencies
• Test – Scheduled and Unscheduled
• Keep DR Planning and Preparation as a
Continuous Task
Beyond The Article
• Multitude of Vendors that help with DR
Plans
• Put together a Disaster Recovery Team
• Document Everything; have a Manual
• Personal Experiences
https://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarm/rzarmdisastr.htm
http://www.sungardas.com/Documents/disaster-recovery-plan-template-SFW-WPS-086.pdf
http://www.disasterrecovery.org/plan_steps.html
Disaster Recovery Plan (cont’d.)
Discussion on Disaster Recovery Checklist
Business Continuity Plan
• Ensures critical business functions can continue in a
disaster
• Activated and executed concurrently with the DRP
when needed
• Relies on identification of critical business functions
and the resources to support them
BCP: Strategies
• Continuity strategies
Business Continuity Plan:Site Options
• Hot Sites
• Warm Sites
• Cold Sites
• Other Alternatives: Timeshares, Service Bureaus, Mutual
Agreements
Ex. RSA data centers – lease 2 - 10gig Ethernet lines between
MA and NC
Business Continuity Plan (cont’d.)
• To get any BCP site running quickly, the organization must
be able to recover data
• Options include:
Timing and Sequence of CP Elements
Figure 3-4 Incident response and disaster recovery
Source: Course Technology/Cengage Learning
Timing and Sequence of BCP
Source: Course Technology/Cengage Learning
Business Resumption Planning
• Because the DRP and BCP are closely related, most
organizations prepare them concurrently
Business Resumption Planning (cont’d.)
• Components of a simple disaster recovery plan
– Name of agency
– Date of completion or update of the plan and test date
– Agency staff to be called in the event of a disaster
– Emergency services to be called (if needed) in event of a disaster
Business Resumption Planning (cont’d.)
• Components of a simple disaster recovery plan (cont’d.)
– Locations of in-house emergency equipment and supplies
– Sources of off-site equipment and supplies
– Salvage priority list
– Agency disaster recovery procedures
– Follow-up assessment
Testing Contingency Plans
• Problems are identified during testing
– Improvements can be made, resulting in a reliable plan
• Contingency plan testing strategies
– Desk check
– Structured walkthrough
– Simulation
– Parallel testing
– Full interruption testing
Contingency Planning: Final Thoughts
• Iteration results in improvement
• A formal implementation of this methodology is a
process known as continuous process improvement (CPI)
• Each time the plan is rehearsed it should be improved
• Constant evaluation and improvement lead to an
improved outcome