Presentation is loading. Please wait.

Presentation is loading. Please wait.

Management of Information Security Chapter 3 Planning for Contingencies Things which you do not hope happen more frequently than things which you do.

Published byDarcy Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Management of Information Security Chapter 3 Planning for Contingencies Things which you do not hope happen more frequently than things which you do."— Presentation transcript:

1 Management of Information Security Chapter 3 Planning for Contingencies
Things which you do not hope happen more frequently than things which you do hope. -- PLAUTUS. (C. 254–184 B.C.), MOSTELLARIA, ACT I, SCENE 3, 40 (197)

2 Learning Objectives Upon completion of this chapter, you should be able to: Understand the need for contingency planning Know the major components of contingency planning Create a simple set of contingency plans, using Business Impact Analysis Prepare and execute a test of contingency plans Understand the combined contingency plan approach Learning Objectives Upon completion of this material, you should be able to: Understand the need for contingency planning Know the major components of contingency planning Create a simple set of contingency plans, using Business Impact Analysis Prepare and execute a test of contingency plans Understand the combined contingency plan approach Management of Information Security

3 Introduction This chapter focuses on planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill Procedures are required that will permit the organization to continue essential functions if information technology support is interrupted Over 40% of businesses that don't have a disaster plan go out of business after a major loss Introduction This chapter focuses on planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill. “Procedures are required that will permit the organization to continue essential functions if information technology support is interrupted.” On average, over 40% of businesses that don't have a disaster plan go out of business after a major loss. Management of Information Security

4 What Is Contingency Planning?
The overall planning for unexpected events is called contingency planning (CP) It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets Main goal: restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event What Is Contingency Planning? The overall planning for unexpected events is called contingency planning (CP). CP is the process by which organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets, both human and artificial. The main goal of CP is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event. Management of Information Security

5 CP Components Incident response planning (IRP) focuses on immediate response Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur Business continuity planning (BCP) facilitates establishment of operations at an alternate site CP Components Incident response plan (IRP) focuses on immediate response to an incident. Disaster recovery plan (DRP) focuses on restoring operations at the primary site after disasters occur. Business continuity plan (BCP) facilitates establishment of operations at an alternate site, until the organization is able to either resume operations back at their primary site or select a new primary location. To ensure continuity across all of the CP processes during the planning process, contingency planners should: Identify the mission- or business-critical functions. Identify the resources that support the critical functions. Anticipate potential contingencies or disasters. Select contingency planning strategies. Implement selected strategy. Test and revise contingency plans. Management of Information Security

6 CP Components (Continued)
To ensure continuity across all CP processes during planning process, contingency planners should: Identify the mission- or business-critical functions Identify resources that support critical functions Anticipate potential contingencies or disasters Select contingency planning strategies Implement selected strategy Test and revise contingency plans CP Components Incident response plan (IRP) focuses on immediate response to an incident. Disaster recovery plan (DRP) focuses on restoring operations at the primary site after disasters occur. Business continuity plan (BCP) facilitates establishment of operations at an alternate site, until the organization is able to either resume operations back at their primary site or select a new primary location. To ensure continuity across all of the CP processes during the planning process, contingency planners should: Identify the mission- or business-critical functions. Identify the resources that support the critical functions. Anticipate potential contingencies or disasters. Select contingency planning strategies. Implement selected strategy. Test and revise contingency plans. Management of Information Security

7 CP Operations Four teams are involved in contingency planning and contingency operations: CP team Incident recovery (IR) team Disaster recovery (DR) team Business continuity plan (BC) team CP Operations Four teams of individuals are involved in contingency planning and contingency operations: The CP team The incident recovery (IR) team. The disaster recovery (DR) team The business continuity plan (BC) team Management of Information Security

8 Contingency Planning NIST describes the need for this type of planning as “These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.” Contingency Planning NIST describes the need for this type of planning as follows: “These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.” Management of Information Security

9 Figure 3-1 Components of Contingency Planning
Management of Information Security

10 Incident Response Plan
IRP: Detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets Incident response (IR): Set of procedures that commence when an incident is detected Incident Response Plan The incident response plan (IRP) is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets In CP an unexpected event is called an incident An incident occurs when an attack (natural or man-made) impacts information resources and/or assets, whether through actual damage or the act of successfully attacking Incident response (IR), then, is a set of procedures that commence when an incident is detected. The IRP is usually activated when an incident causes minimal damage—according to criteria set in advance by the organization—with little or no disruption to business operations. When a threat becomes a valid attack, it is classified as an information security incident if : It is directed against information assets It has a realistic chance of success It threatens the confidentiality, integrity, or availability of information resources and assets It is important to understand that IR is a reactive measure, not a preventative one. Management of Information Security

11 Incident Response Plan (Continued)
When a threat becomes a valid attack, it is classified as an information security incident if: It is directed against information assets It has a realistic chance of success It threatens the confidentiality, integrity, or availability of information assets It is important to understand that IR is a reactive measure, not a preventative one Incident Response Plan The incident response plan (IRP) is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets In CP an unexpected event is called an incident An incident occurs when an attack (natural or man-made) impacts information resources and/or assets, whether through actual damage or the act of successfully attacking Incident response (IR), then, is a set of procedures that commence when an incident is detected. The IRP is usually activated when an incident causes minimal damage—according to criteria set in advance by the organization—with little or no disruption to business operations. When a threat becomes a valid attack, it is classified as an information security incident if : It is directed against information assets It has a realistic chance of success It threatens the confidentiality, integrity, or availability of information resources and assets It is important to understand that IR is a reactive measure, not a preventative one. Management of Information Security

12 During the Incident Planners develop and document the procedures that must be performed during the incident These procedures are grouped and assigned to various roles Planning committee drafts a set of function- specific procedures During the incident. First, planners develop and document the procedures that must be performed during the incident. These procedures are grouped and assigned to individuals. The planning committee drafts a set of function-specific procedures. Management of Information Security

13 After the Incident Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceased Separate functional areas may develop different procedures After the incident Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceased. Separate functional areas may develop different procedures. Management of Information Security

14 Before the Incident Planners draft a third set of procedures, those tasks that must be performed in advance of the incident Include: Details of data backup schedules Disaster recovery preparation Training schedules Testing plans Copies of service agreements Business continuity plans Before the incident Finally, the planners draft a third set of procedures, those tasks that must be performed to prepare for the incident. These procedures include the details of the data backup schedules, disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans, if any. Management of Information Security

15 Preparing to Plan Planning requires detailed understanding of information systems and threats they face IR planning team seeks to develop pre-defined responses that guide users through steps needed to respond to an incident Pre-defining incident responses enables rapid reaction without confusion or wasted time and effort Preparing to Plan Planning for an incident and the responses to it requires a detailed understanding of the information systems and the threats they face. The IR planning team seeks to develop a series of pre-defined responses which will guide the team and information security staff through the steps needed for responding to an incident. Pre-defining incident responses enables the organization to react quickly and effectively to the detected incident without confusion or wasted time and effort. The IR team consists of professionals capable of handling the information systems and functional areas affected by an incident. Each member of the IR team must know his or her specific role, work in concert with each other, and execute the objectives of the IRP. Management of Information Security

16 Preparing to Plan (Continued)
IR team consists of professionals capable of handling information systems and functional areas affected by an incident Each member of the IR team must: Know his or her specific role Work in concert with each other Execute the objectives of the IRP Preparing to Plan Planning for an incident and the responses to it requires a detailed understanding of the information systems and the threats they face. The IR planning team seeks to develop a series of pre-defined responses which will guide the team and information security staff through the steps needed for responding to an incident. Pre-defining incident responses enables the organization to react quickly and effectively to the detected incident without confusion or wasted time and effort. The IR team consists of professionals capable of handling the information systems and functional areas affected by an incident. Each member of the IR team must know his or her specific role, work in concert with each other, and execute the objectives of the IRP. Management of Information Security

17 Incident Detection Challenge is determining whether an event is routine system use or an actual incident Incident classification: process of examining a possible incident and determining whether or not it constitutes actual incident Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates Careful training allows everyone to relay vital information to the IR team Incident Detection The challenge for every IR team is determining whether an event is the product of routine systems use or an actual incident. Incident classification is the process of examining a possible incident, or incident candidate, and determining whether or not it constitutes an actual incident. Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates. Careful training in the reporting of an incident candidate allows end users, the help desk staff, and all security personnel to relay vital information to the IR team. Management of Information Security

18 Incident Indicators Possible Indicators Probable Indicators
Presence of unfamiliar files Presence or execution of unknown programs or processes Unusual consumption of computing resources Unusual system crashes Probable Indicators Activities at unexpected times Presence of new accounts Reported attacks Notification from IDS Definite Indicators Use of dormant accounts Changes to logs Presence of hacker tools Notifications by partner or peer Notification by hacker Incident Indicators Possible Indicators Presence of unfamiliar files Presence or execution of unknown programs or processes Unusual consumption of computing resources Unusual system crashes Probable Indicators Activities at unexpected times Presence of new accounts Reported attacks Notification from IDS Definite Indicators Use of dormant accounts Changes to logs Presence of hacker tools Notifications by partner or peer Notification by hacker Management of Information Security

19 Occurrences of Actual Incidents
Loss of availability Loss of integrity Loss of confidentiality Violation of policy Violation of law Occurrences of Actual Incidents. Loss of availability. Loss of integrity. Loss of confidentiality. Violation of policy. Violation of law. Management of Information Security

20 Incident Response Once an actual incident has been confirmed and properly classified, the IR team moves from detection phase to reaction phase In the incident response phase, a number of action steps taken by the IR team and others must occur quickly and may occur concurrently These steps include notification of key personnel, the assignment of tasks, and documentation of the incident Incident Response Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase. In the incident response phase, a number of action steps taken by the IR team and others must occur quickly and may occur concurrently. These steps include notification of key personnel, the assignment of tasks, and documentation of the incident. Management of Information Security

21 Notification of Key Personnel
As soon as incident is declared, the right people must be immediately notified in the right order Alert roster: document containing contact information of individuals to be notified in the event of actual incident either sequentially or hierarchically Alert message: scripted description of incident Other key personnel: must also be notified only after incident has been confirmed, but before media or other external sources learn of it Notification of Key Personnel. As soon as the IR team determines that an incident is in progress, the right people must be immediately notified in the right order. An alert roster is a document containing contact information on the individuals to be notified in the event of an actual incident. There are two ways to activate an alert roster: Sequentially Hierarchically The alert message is a scripted description of the incident and consists of just enough information so that each responder knows what portion of the IRP to implement without impeding the notification process. Not everyone is on the alert roster, only those individuals who must respond to a specific actual incident. During this phase other key personnel not on the alert roster, such as general management, must be notified of the incident. This notification should occur only after the incident has been confirmed, but before media or other external sources learn of it. It is up to the IR planners to determine in advance whom to notify and when, and to offer guidance about additional notification steps to take. Management of Information Security

22 Documenting an Incident
As soon as an incident has been confirmed and the notification process is underway, the team should begin documentation Should record the who, what, when, where, why and how of each action taken while the incident is occurring Serves as a case study after the fact to determine if right actions were taken and if they were effective Can also prove the organization did everything possible to deter the spread of the incident Documenting an Incident. As soon as an incident has been confirmed and the notification process is underway, the team should begin to document it. The documentation should record the who, what, when, where, why and how of each action taken while the incident is occurring. This documentation serves as a case study after the fact to determine if the right actions were taken, and if they were effective. It can also prove the organization did everything possible to deter the spread of the incident. Management of Information Security

23 Incident Containment Strategies
Essential task of IR is to stop the incident or contain its impact Incident containment strategies focus on two tasks: Stopping the incident Recovering control of the systems Incident Containment Strategies One of the most critical components of IR is to stop the incident or contain its scope or impact. Incident containment strategies vary depending on the incident, and on the amount of damage caused by the incident. Incident containment strategies focus on two tasks: stopping the incident and recovering control of the systems. The IR team can stop the incident and attempt to recover control by means of several strategies: Disconnect the affected communication circuits. Dynamically apply filtering rules to limit certain types of network access. Disabling compromised user accounts Reconfiguring firewalls to block the problem traffic Temporarily disabling the compromised process or service Taking down the conduit application or server Stopping all computers and network devices Management of Information Security

24 Incident Containment Strategies
IR team can stop the incident and attempt to recover control by means of several strategies: Disconnect affected communication circuits Dynamically apply filtering rules to limit certain types of network access Disable compromised user accounts Reconfigure firewalls to block problem traffic Temporarily disable compromised process or service Take down conduit application or server Stop all computers and network devices Incident Containment Strategies One of the most critical components of IR is to stop the incident or contain its scope or impact. Incident containment strategies vary depending on the incident, and on the amount of damage caused by the incident. Incident containment strategies focus on two tasks: stopping the incident and recovering control of the systems. The IR team can stop the incident and attempt to recover control by means of several strategies: Disconnect the affected communication circuits. Dynamically apply filtering rules to limit certain types of network access. Disabling compromised user accounts Reconfiguring firewalls to block the problem traffic Temporarily disabling the compromised process or service Taking down the conduit application or server Stopping all computers and network devices Management of Information Security

25 Incident Escalation An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster The organization must also document when to involve outside response Incident Escalation. At some point in time the incident may increase in scope or severity to the point that the IRP cannot adequately handle the event. Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster. The organization must also document when to involve outside response, as discussed in other sections. Management of Information Security

26 Initiating Incident Recovery
Once the incident has been contained, and system control regained, incident recovery can begin IR team must assess full extent of damage in order to determine what must be done to restore systems Immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action Incident Recovery Once the incident has been contained, and system control regained, incident recovery can begin. The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems. The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment. Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action. Management of Information Security

27 Recovery Process Once the extent of the damage has been determined, the recovery process begins: Identify and resolve vulnerabilities that allowed incident to occur and spread Address, install, and replace/upgrade safeguards that failed to stop or limit the incident, or were missing from system in the first place Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities Recovery Process Once the extent of the damage has been determined, the recovery process begins: Identify the vulnerabilities that allowed the incident to occur and spread and resolve them Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities Restore the data from backups as needed Restore the services and processes in use where compromised (and interrupted) services and processes must be examined, cleaned, and then restored Continuously monitor the system Restore the confidence of the members of the organization’s communities of interest Management of Information Security

28 Recovery Process (Continued)
Restore data from backups as needed Restore services and processes in use where compromised (and interrupted) services and processes must be examined, cleaned, and then restored Continuously monitor system Restore the confidence of the members of the organization’s communities of interest Recovery Process Once the extent of the damage has been determined, the recovery process begins: Identify the vulnerabilities that allowed the incident to occur and spread and resolve them Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities Restore the data from backups as needed Restore the services and processes in use where compromised (and interrupted) services and processes must be examined, cleaned, and then restored Continuously monitor the system Restore the confidence of the members of the organization’s communities of interest Management of Information Security

29 After Action Review Before returning to routine duties, the IR team must conduct an after-action review, or AAR AAR: detailed examination of events that occurred All team members: Review their actions during the incident Identify areas where the IR plan worked, didn’t work, or should improve After Action Review Before returning to routine duties, the IR team must conduct an after-action review, or AAR. The after-action review is a detailed examination of the events that occurred from first detection to final recovery. All team members review their actions during the incident and identify areas where the IR plan worked, didn’t work, or should improve. Management of Information Security

30 Law Enforcement Involvement
When incident violates civil or criminal law, it is organization’s responsibility to notify proper authorities Selecting appropriate law enforcement agency depends on the type of crime committed: Federal, State, or Local Involving law enforcement has both advantages and disadvantages: Usually much better equipped at processing evidence, obtaining statements from witnesses, and building legal cases However, involvement can result in loss of control of chain of events following an incident Law Enforcement Involvement When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities. Selecting the appropriate law enforcement agency depends on the type of crime committed. Federal State Local Involving law enforcement agencies has both advantages and disadvantages. Law enforcement agencies are usually much better equipped at processing evidence, obtaining statements from witnesses, and building legal cases. However, involving law enforcement can result in loss of control of the chain of events following an incident, including the collection of information and evidence, and the prosecution of suspects. Management of Information Security

31 Figure 3-3 Incident Response and Disaster Recovery
Management of Information Security

32 Disaster Recovery Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man made In general, an incident is a disaster when: organization is unable to contain or control the impact of an incident OR level of damage or destruction from incident is so severe, the organization is unable to quickly recover Key role of DRP: defining how to reestablish operations at location where organization is usually located Disaster Recovery Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man made. In general, an incident is a disaster when: 1) the organization is unable to contain or control the impact of an incident, or 2) the level of damage or destruction from an incident is so severe the organization is unable to quickly recover. The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located. Management of Information Security

33 Disaster Classifications
A DRP can classify disasters in a number of ways Most common method: separate natural disasters from man-made disasters Another way: by speed of development Rapid onset disasters Slow onset disasters Disaster Classifications A DRP can classify disasters in a number of ways. The most common method is to separate natural disasters, from man-made disasters. Another way of classifying disasters is by speed of development. Rapid onset disasters Slow onset disasters Management of Information Security

34 Planning for Disaster Scenario development and impact analysis are used to categorize the level of threat of each potential disaster DRP must be tested regularly Key points in the DRP: Clear delegation of roles and responsibilities Execution of alert roster and notification of key personnel Clear establishment of priorities Documentation of the disaster Action steps to mitigate the impact Alternative implementations for various systems components Planning for Disaster To plan for disaster, the CP team engages in scenario development and impact analysis, and thus categorizes the level of threat each potential disaster poses. When generating a disaster recovery scenario, start first with the most important asset – people. Do you have the human resources with the appropriate organizational knowledge to restore business operations? The DRP must be tested regularly so that the DR team can lead the recovery effort efficiently. The key points the CP team must build into the DRP include: 1) Clear delegation of roles and responsibilities. 2) Execution of the alert roster and notification of key personnel. 3) Clear establishment of priorities. 4) Documentation of the disaster. 5) Inclusion of action steps to mitigate the impact of the disaster on the operations of the organization. 6) Inclusion of alternative implementations for the various systems components, should primary versions be unavailable. Management of Information Security

35 Crisis Management. Crisis management: set of focused steps taken during and after a disaster that deal primarily with people involved Crisis management team manages event: Supporting personnel and their loved ones during crisis Determining event's impact on normal business operations When necessary, making a disaster declaration Keeping public informed about event Communicating with outside parties Two key tasks of crisis management team: Verifying personnel status Activating alert roster Crisis Management. Crisis management is a set of focused steps that deal primarily with the people involved taken during and after a disaster. The DR team works closely with the crisis management team to assure complete and timely communication during a disaster. The crisis management team “is responsible for managing the event from an enterprise perspective and covers the following major activities: Supporting personnel and their loved ones during the crisis Determining the event's impact on normal business operations and, if necessary, making a disaster declaration Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties.” Two key tasks of the crisis management team are: Verifying personnel status. Activating the alert roster. Management of Information Security

36 Responding to the Disaster
Actual events often outstrip even best of plans To be prepared, DRP should be flexible If physical facilities are intact, begin restoration there If organization’s facilities are unusable, take alternative actions When disaster threatens organization at the primary site, DRP becomes BCP Responding to the Disaster When a disaster strikes and the DRP is activated, actual events can at times outstrip even the best of plans. To be prepared, the CP team should incorporate a degree of flexibility into the DRP. If the physical facilities are intact, the DR team should begin the restoration of systems and data to work toward full operational capability. If the organization’s facilities are destroyed, alternative actions must be taken until new facilities can be acquired. When a disaster threatens the viability of an organization at the primary site, the disaster recovery process becomes a business continuity process. Management of Information Security

37 Business Continuity Planning (BCP)
Ensures critical business functions can continue in a disaster Most properly managed by CEO of organization Activated and executed concurrently with the DRP when needed Reestablishes critical functions at alternate site (DRP focuses on reestablishment at primary site) Relies on identification of critical business functions and the resources to support them Business Continuity Planning Business continuity planning ensures that critical business functions can continue if a disaster occurs. Unlike the DRP, which is usually managed by the IT community of interest, the business continuity plan (BCP) is most properly managed by the CEO of an organization. The BCP is activated and executed concurrently with the DRP when the disaster is major or long term and requires fuller and complex restoration of information and information resources. While the BCP reestablishes critical business functions at an alternate site, the DRP team focuses on the reestablishment of the technical infrastructure and business operations at the primary site. The identification of critical business functions and the resources to support them is the cornerstone of BCP, as these functions are the first that must be reestablished at the alternate site. Management of Information Security

38 Continuity Strategies
Several continuity strategies for business continuity Determining factor is usually cost Three exclusive-use options: Hot sites Warm sites Cold sites Three shared-use options: Timeshare Service bureaus Mutual agreements Continuity Strategies A CP team can choose from several continuity strategies in its planning for business continuity. The determining factor is usually cost. In general there are three exclusive-use options: hot sites, warm sites, and cold sites, and three shared-use options: timeshare, service bureaus, and mutual agreements. Management of Information Security

39 Exclusive Use Options Hot Sites Warm Sites Cold Sites
Fully configured computer facility with all services Warm Sites Like hot site, but software applications not kept fully prepared Cold Sites Only rudimentary services and facilities kept in readiness Exclusive Use Options Hot Sites. A fully configured computer facility, with all services, communications links, and physical plant operations. Warm Sites. Provides many of the same services and options of the hot site, but typically software applications are either not included, or not installed and configured. Cold Sites. Provides only rudimentary services and facilities. Management of Information Security

40 Shared Use Options Timeshares Service Bureaus Mutual Agreements
Like an exclusive use site but leased Service Bureaus Agency that provides physical facilities Mutual Agreements Contract between two organizations to assist Specialized alternatives: Rolling mobile site Externally stored resources Shared Use Options Timeshares. Operates like an exclusive use site, but is leased with a business partner or other organization. Service Bureaus. A service agency that, for a fee, provides physical facilities during a disaster. Mutual Agreements. A mutual agreement is a contract between two organizations for each to assist the other in the event of a disaster. Specialized alternatives: rolling mobile site externally stored resources Management of Information Security

41 Off-Site Disaster Data Storage
To get any BCP site running quickly, organization must be able to recover data Options include: Electronic vaulting: bulk batch-transfer of data to an off-site facility Remote Journaling: transfer of live transactions to an off-site facility Database shadowing: storage of duplicate online transaction data Off-Site Disaster Data Storage. To get any of these sites up and running quickly, the organization must be able to move data into the new site’s systems. Options include: Electronic vaulting - The bulk batch-transfer of data to an off-site facility. Remote Journaling - The transfer of live transactions to an off-site facility. Database shadowing - The storage of duplicate online transaction data, along with the duplication of the databases at the remote site to a redundant server. Management of Information Security

42 Figure 3-4 Disaster Recovery and Business Continuity Planning
Management of Information Security

43 Figure 3-5 Contingency Plan Implementation Timeline
Management of Information Security

44 Putting a Contingency Plan Together
The CP team should include: Champion Project Manager Team Members Business managers Information technology managers Information security managers Putting a contingency plan Together The CP team should include: Champion. Project manager. Team members. Business managers Information technology managers Information security managers. Management of Information Security

45 Figure 3-6 Major Tasks in Contingency Planning
Management of Information Security

46 Business Impact Analysis (BIA)
Provides information about systems/threats and detailed scenarios for each potential attack Not risk management focusing on identifying threats, vulnerabilities, and attacks to determine controls Assumes controls have been bypassed or are ineffective and attack was successful CP team conducts BIA in the following stages: Threat attack identification Business unit analysis Attack success scenarios Potential damage assessment Subordinate plan classification Business Impact Analysis The Business impact analysis (BIA) provides the CP team with information about systems and the threats they face, and is the first phase in the CP process. The BIA is a crucial component of the initial planning stages, as it provides detailed scenarios of the impact each potential attack can have on the organization. One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine what controls can protect the information. The BIA assumes that these controls have been bypassed, have failed, or are otherwise ineffective, and that the attack was successful. The CP team conducts the BIA in the following stages: Threat attack identification Business unit analysis Attack success scenarios Potential damage assessment Subordinate plan classification Management of Information Security

47 Threat/Attack Identification and Prioritization
An organization that uses risk management process will have identified and prioritized threats These organizations update threat list and add one additional piece of information -- the attack profile Attack profile: detailed description of activities that occur during an attack Threat/Attack Identification and Prioritization An organization that has followed the risk management process will have already identified and prioritized threats facing it. For the BIA, these organizations need only update the threat list and add one additional piece of information, the attack profile. An attack profile is a detailed description of the activities that occur during an attack. Management of Information Security

48 Business Unit Analysis
Second major BIA task is analysis and prioritization of business functions within the organization Business Unit Analysis The second major BIA task is the analysis and prioritization of business functions within the organization. Management of Information Security

49 Attack Success Scenario Development
Next create a series of scenarios depicting impact of successful attack on each functional area Attack profiles should include scenarios depicting typical attack including: Methodology Indicators broad consequences More details are added including alternate outcomes—best, worst, and most likely Attack Success Scenario Development Next the BIA team must create a series of scenarios depicting the impact of an occurrence of each threat on each functional area. Attack profiles should include scenarios depicting a typical attack, including its methodology, the indicators of attack, and the broad consequences. Then attack success scenarios with more detail are added to the attack profile, including alternate outcomes—best, worst, and most likely. Management of Information Security

50 Potential Damage Assessment
From detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case This will allow identification of what must be done to recover from each possible case Potential Damage Assessment From these detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case. This will allow you to identify what must be done to recover from each possible case. Management of Information Security

51 Related Plan Classification
Once the potential damage has been assessed, and each scenario and attack scenario end case has been evaluated, a related plan must be developed or identified from among existing plans already in place Each attack scenario end case is categorized as disastrous or not Attack end cases that are disastrous find members of the organization waiting out the attack and planning to recover after it is over Related Plan Classification Once the potential damage has been assessed, and each scenario and attack scenario end case has been evaluated, a related plan must be developed or identified from among existing plans already in place. Each attack scenario end case is categorized as disastrous or not. Attack end cases that are disastrous find members of the organization waiting out the attack, and planning to recover after it is over. Management of Information Security

52 Combining the DRP and the BCP
Because DRP and BCP are closely related, most organizations prepare them concurrently and may combine them into a single document Such a comprehensive plan must be able to support reestablishment of operations at two different locations Immediately at alternate site Eventually back at primary site Therefore, although a single planning team can develop combined DRP/BRP, execution requires separate teams Combining the DRP and the BCP Because the DRP and BCP are closely related, most organizations prepare them concurrently, and may combine them into a single document. Such a comprehensive plan must be able to support the reestablishment of operations at two different locations; one immediately at an alternate site, and one eventually back at the primary site. Therefore, although a single planning team can develop the combined DRP/BRP, execution requires separate teams. Management of Information Security

53 Sample Disaster Recovery Plan
Name of agency Date of completion or update of the plan and test date Agency staff to be called in the event of a disaster Emergency services to be called (if needed) in event of a disaster Locations of in-house emergency equipment and supplies Sources of off-site equipment and supplies Salvage Priority List Agency Disaster Recovery Procedures Follow-up Assessment Sample Disaster Recovery Plan Name of agency. Date of completion or update of the plan and test date. Agency staff to be called in the event of a disaster: Emergency services to be called (if needed) in event of a disaster Locations of in-house emergency equipment and supplies. Sources of off-site equipment and supplies. Salvage Priority List. Agency Disaster Recovery Procedures Follow-up Assessment Management of Information Security

54 Testing Contingency Plans
Once problems are identified during the testing process, improvements can be made, and the resulting plan can be relied on in times of need There are five testing strategies that can be used to test contingency plans: Desk Check Structured walkthrough Simulation Parallel testing Full interruption Testing Contingency Plans Once problems are identified during the testing process, improvements can be made, and the resulting plan can be relied on in times of need. There are five testing strategies that can be used to test contingency plans: Desk Check Structured walkthrough Simulation Parallel testing Full interruption Management of Information Security

55 Figure 3-8 A Single Contingency Plan Format
Management of Information Security

56 Continuous Improvement
Iteration results in improvement A formal implementation of this methodology is a process known as continuous process improvement (CPI) Each time plan is rehearsed, it should be improved Constant evaluation and improvement leads to an improved outcome Continuous Improvement As a closing thought, just as in all organizational efforts, iteration results in improvement. A formal implementation of this methodology is a process known as continuous process improvement (CPI). Each time the organization rehearses its plans, it should learn from the process, improve the plans, and then rehearse again. Through the constant evaluation and improvement, the organization continues to move forward, and continually improves upon the process, so that it can strive for an improved outcome. Management of Information Security

57 Summary Introduction What Is Contingency Planning?
Components of Contingency Planning Putting a Contingency Plan Together Testing Contingency Plans A Single Continuity Plan Management of Information Security

Download ppt "Management of Information Security Chapter 3 Planning for Contingencies Things which you do not hope happen more frequently than things which you do."

Similar presentations

Introduction Creation of information security program begins with creation and/or review of organization’s information security policies, standards,

Introduction Creation of information security program begins with creation and/or review of organization’s information security policies, standards,
Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning
Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.

Introduction to the State-Level Mitigation 20/20 TM Software for Management of State-Level Hazard Mitigation Planning and Programming A software program.
Principles of Incident Response and Disaster Recovery

Principles of Incident Response and Disaster Recovery
Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 

Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Planning for Contingencies

Planning for Contingencies
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
Planning for Contingencies

Planning for Contingencies
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.

Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.

1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.
Planning for Continuity

Planning for Continuity
Contingency Planning Things which you do not hope happen more frequently than things which you do hope. -- PLAUTUS. (C. 254–184 B.C.), MOSTELLARIA, ACT.

Contingency Planning Things which you do not hope happen more frequently than things which you do hope. -- PLAUTUS. (C. 254–184 B.C.), MOSTELLARIA, ACT.
ITC358 ICT Management and Information Security

ITC358 ICT Management and Information Security
Module 3 Develop the Plan Planning for Emergencies – For Small Business –

Module 3 Develop the Plan Planning for Emergencies – For Small Business –

Similar presentations

Ads by Google