
Security and Risk Management

CISSP Domain 1 (Chapter 1): Security and Risk Management

AGENDA

Confidentiality, integrity, and availability concepts
IAAA
Security governance vs. Management
Compliance
Legal and regulatory issues
Professional ethics
Security policies, standards, procedures and guidelines
Business Continuity and Disaster Recovery

 

WELL KNOWN EXPLOITS

 

 

THE ROLE OF INFORMATION SECURITY WITHIN AN ORGANIZATION

* First priority is to support the mission of the organization
* Requires judgment based on the organization's risk tolerance and on cost versus benefit
* The security professional's role is that of a risk advisor, not a decision maker

 

Planning Horizon

* Strategic Goals: over-arching; supported by tactical and operational goals
* Tactical Goals: mid-term; lay the necessary foundation to accomplish the strategic goals
* Operational Goals: day-to-day; focus on productivity and task-oriented activities

 

SECURITY FUNDAMENTALS

C-I-A Triad: Confidentiality, Integrity, Availability

 

 

CONFIDENTIALITY

* Prevent unauthorized disclosure
* Threats against confidentiality, with their countermeasures:
Social Engineering: training, separation of duties, enforced policies, vulnerability assessments
Media Reuse: proper sanitization strategies
Eavesdropping: encryption; keep sensitive information off the network

 

INTEGRITY

* Detect modification of information
* Threats: corruption (accidental), intentional or malicious modification
* Controls: message digest (hash), MAC, digital signatures
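The difference between those controls is easiest to see by running them against the two threats just listed. The following Python is an added example, not code from the original page: it constructs a sample message, flips one bit to simulate corruption, changes the amount to simulate malicious modification, and checks each case with an unkeyed SHA-256 digest and with an HMAC. The key is generated locally for the demo only (in practice it is provisioned out of band and never travels with the message). Digital signatures are not shown because they need an asymmetric-key library; they behave like the MAC case except that the verifier holds only the public key, which is what adds non-repudiation.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a payment instruction sent between two systems.
MESSAGE = b"transfer 100.00 GBP from acct 1001 to acct 2002"

# Shared secret for the MAC. Generated here for the demo; in practice it is
# provisioned out of band and is never sent with the message.
KEY = secrets.token_bytes(32)


def digest(msg: bytes) -> bytes:
    """Unkeyed message digest (SHA-256)."""
    return hashlib.sha256(msg).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """Keyed message authentication code (HMAC-SHA-256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def digest_check(msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received digest against a recomputed one."""
    return hmac.compare_digest(digest(msg), tag)


def mac_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received MAC against a recomputed one."""
    return hmac.compare_digest(mac(key, msg), tag)


def corrupt(msg: bytes) -> bytes:
    """Accidental corruption: flip one bit of the first byte in transit."""
    b = bytearray(msg)
    b[0] ^= 0x01
    return bytes(b)


def tamper(msg: bytes) -> bytes:
    """Malicious modification: an attacker rewrites the amount."""
    return msg.replace(b"100.00", b"900.00")


def scenario() -> dict:
    """Run both integrity checks against corruption and against tampering."""
    results = {}
    d, m = digest(MESSAGE), mac(KEY, MESSAGE)

    # An unkeyed digest catches accidental corruption ...
    results["digest_catches_corruption"] = not digest_check(corrupt(MESSAGE), d)

    # ... but an attacker who can rewrite the message can also recompute the
    # digest, so the check passes and the tampering goes undetected.
    forged = tamper(MESSAGE)
    results["digest_catches_tamper_with_recomputed_digest"] = not digest_check(forged, digest(forged))

    # With a MAC the attacker cannot produce a valid tag without KEY: neither
    # the original tag nor a tag under a guessed key verifies.
    results["mac_catches_tamper"] = not mac_check(KEY, forged, m)
    results["mac_rejects_attacker_tag"] = not mac_check(KEY, forged, mac(b"guess", forged))
    results["mac_accepts_genuine"] = mac_check(KEY, MESSAGE, m)
    return results


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check:48s} {outcome}")
```

The one `False` in the output is the point: a bare hash only protects integrity if the hash itself is delivered over a channel the attacker cannot write to; a MAC or signature binds the check to a secret the attacker does not hold.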

 

AVAILABILITY

* Provide Timely and reliable access to resources
* Redundancy, redundancy, redundancy
* Prevent single point of failure
* Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc..)

 

 

BEST PRACTICES (TO PROTECT C-I-A)

Separation of Duties (SOD)
Mandatory Vacations
Job rotation
Least privilege
Need to know
Dual control

 

DEFENSE IN DEPTH

* Also Known as layered Defence
* No One Device will PREVENT an attacker
* Three main types of controls:
* Technical (Logical)
* Administrative
* Physical

 

 

RISK

* Every decision starts with looking at risk
* Determine the value of your assets
* Identify the potential for loss
* Find a cost-effective solution that reduces risk to an acceptable level (risk can rarely be eliminated)
* Safeguards are proactive
* Countermeasures are reactive

 

 

RISK DEFINITIONS

* Asset: anything of value to the company
* Vulnerability: a weakness; the absence of a safeguard
* Threat: something that could cause loss to all or part of an asset
* Threat Agent: the entity that carries out the attack
* Exploit: an instance of compromise
* Risk: the likelihood of a threat materializing, combined with the impact if it does
* Controls: physical, administrative and technical protections; they include safeguards (proactive) and countermeasures (reactive)

 

SOURCES OF RISK

* Weak or non-existing anti-virus software
* Disgruntled employees
* Poor physical security
* Weak access control
* No change management
* No formal process for hardening systems
* Lack of redundancy
* Poorly trained users

 

RISK MANAGEMENT

 

* The process of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of a risk.
* Summary topic that includes all risk-related actions
* Includes assessment, analysis, mitigation, and ongoing risk monitoring

 

 

RISK MANAGEMENT

* Risk Assessment
Identify and value assets
Identify threats and vulnerabilities
* Risk Analysis
Qualitative
Quantitative
* Risk Mitigation/Response
Reduce/Avoid
Transfer
Accept/Reject
* Ongoing Risk Monitoring

 

RISK ASSESSMENT

* Identification and valuation of assets is the first step in risk assessment.
* What are we protecting and what is it worth?
* Is it valuable to me? To my competitors?
* What damage will be caused if it is compromised?
* How much time was spent in development?
* Are there compliance/legal issues?

 

 

RISK ANALYSIS

* Determining a value for a risk
* Qualitative vs. Quantitative
* Risk Value is Probability * Impact
* Probability: How likely is the threat to materialize?
* Impact: How much damage will there be if it does?
* Could also be referred to as likelihood and severity.

 

 

 

 

RISK ANALYSIS

* Qualitative Analysis (subjective, judgment-based)
* Probability and Impact Matrix
* Quantitative Analysis (objective, numbers-driven)

 

 

QUALITATIVE ANALYSIS

* Subjective in nature
* Uses words like "high", "medium" and "low" to describe the likelihood and severity (or probability and impact) of a threat exposing a vulnerability
* The Delphi technique is often used to gather expert opinions anonymously and reach a consensus without one participant dominating the group

 

QUANTITATIVE ANALYSIS

* More experience required than with qualitative analysis
* Involves calculations to determine a dollar value associated with each risk event
* Business decisions are made on this type of analysis
* Goal is to assign a dollar value to a risk and use that amount to determine the best control for a particular asset
* Necessary for a cost/benefit analysis

 

 

QUANTITATIVE ANALYSIS

* AV (Asset Value)
* EF (Exposure Factor): the fraction of the asset value lost in a single occurrence
* ARO (Annualized Rate of Occurrence): the expected number of occurrences per year
* SLE (Single Loss Expectancy) = AV * EF
* ALE (Annual Loss Expectancy) = SLE * ARO
* The annual cost of a control should be the same as or less than the loss it prevents (ALE before the control minus ALE after it)
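A worked cost/benefit calculation, added here as an example (the figures are constructed, not from the original page): each candidate control is scored as ALE before the control, minus ALE after it, minus the control's annual cost. A control whose value is negative costs more per year than the loss it prevents and should not be selected on quantitative grounds; if no candidate has a positive value, the remaining options are to accept or transfer the risk.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the terms defined above."""
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor      # SLE = AV * EF

    def ale(self) -> float:
        return self.sle() * self.aro                        # ALE = SLE * ARO


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its annual cost and how it changes EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # None = unchanged
    new_aro: Optional[float] = None               # None = unchanged

    def apply(self, r: Risk) -> Risk:
        """The same risk after this control is in place."""
        ef = r.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = r.aro if self.new_aro is None else self.new_aro
        return Risk(r.name, r.asset_value, ef, aro)


def safeguard_value(r: Risk, s: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of the safeguard).
    Negative means the control costs more per year than the loss it prevents."""
    return r.ale() - s.apply(r).ale() - s.annual_cost


def best_safeguard(r: Risk, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """The candidate with the highest positive value, or None if none pays for itself."""
    value, chosen = max(((safeguard_value(r, s), s) for s in candidates), key=lambda t: t[0])
    return chosen if value > 0 else None


# Constructed figures for illustration (not from the original page).
RANSOMWARE = Risk("ransomware on file server", asset_value=400_000, exposure_factor=0.5, aro=0.2)
CANDIDATES = [
    Safeguard("offline backups with tested restore", annual_cost=15_000, new_exposure_factor=0.1),
    Safeguard("EDR on all endpoints", annual_cost=25_000, new_aro=0.05),
    Safeguard("fully mirrored DR site", annual_cost=60_000, new_exposure_factor=0.05, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for s in CANDIDATES:
        print(f"{s.name:38s} value/yr = {safeguard_value(RANSOMWARE, s):>10,.0f}")
    pick = best_safeguard(RANSOMWARE, CANDIDATES)
    print("choose:", pick.name if pick else "none pays for itself; accept or transfer the risk")
```

With these numbers the SLE is 200,000 and the ALE 40,000 per year; the backup control is worth 17,000 per year, EDR 5,000, and the mirrored site loses 22,000 per year even though it reduces the risk the most. That last line is the caveat behind "cost of control should be less than the potential loss": the control that cuts risk furthest is not automatically the right one.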

 

 

 

MITIGATING RISK

* Three acceptable risk responses:
Reduce
Transfer
Accept
* Secondary risks
* Residual risks
* Continue to monitor for risks
* How we decide to mitigate business risks becomes the basis for security governance and policy

 

SECURITY GOVERNANCE

* The IT Governance Institute, in its Board Briefing on IT Governance, 2nd Edition, defines security governance as follows:
"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

 

SECURITY BLUEPRINTS

* For achieving “Security Governance”

 

* BS 7799, ISO 17799, and 27000 Series
* COBIT and COSO
* OCTAVE
* ITIL

 

COBIT AND COSO

* COBIT (Control Objectives for Information and related Technology)
* COSO (Committee of Sponsoring Organizations)
* Both of these focus on goals for security

 

ITIL

* Information Technology Infrastructure Library (ITIL) is the de facto standard for best practices for IT service management
* 5 Service Management Publications:
* Strategy
* Design
* Transition
* Operation
* Continual Improvement
**While the publications of ITIL are not testable, its purpose and comprehensive approach are testable. It provides best practices for the organization and the means by which to implement those practices.

OCTAVE

* Operationally Critical Threat, Asset and Vulnerability Evaluation
* Self Directed risk evaluation developed by Carnegie Mellon. People within an organization are the ones who direct the risk analysis
* A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
* Identify Assets
* Identify Vulnerabilities
* Risk Analysis and Mitigation

 

BS 7799, ISO 17799, 27000 SERIES

* BS 7799-1 (code of practice) and BS 7799-2 (ISMS specification)
* BS 7799-1 was adopted as ISO 17799, later renumbered ISO 27002 to fit the ISO 27000 numbering scheme
* BS 7799-2 became ISO 27001

 

ISO 27000 SERIES

* ISO 27001: establishment, implementation, control and improvement of the ISMS; follows the PDCA (Plan, Do, Check, Act) cycle
* ISO 27002: replaced ISO 17799; provides practical advice on how to implement security controls, organized into control domains (the original ISO 17799 used 10 domains; later editions changed the number)
* ISO 27004: provides metrics for measuring the success of the ISMS
* ISO 27005: a standards-based approach to information security risk management
* ISO 27799: directives on protecting personal health information

 

The Plan Do Check Act (PDCA) Model

(Figure: the PDCA cycle applied to an ISMS. Input: interested parties' information security requirements and expectations. Plan: establish the ISMS. Do: implement and operate the ISMS. Check: monitor and review the ISMS. Act: maintain and improve the ISMS. Output: managed information security delivered back to the interested parties.)

* Deming: TQM (basis for Six Sigma)
* ISO 9001:2008
* Best practice for ISM governance
 

MANAGEMENT

* Top-Down Approach: security practices are directed and supported at the senior management level and flow down through middle management to staff
* Bottom-Up Approach: the IT department (staff) tries to implement security without direction or support from middle and senior management
 

 

SENIOR MANAGEMENT ROLE

* CEO, CSO, CIO, etc.
* Ultimately responsible for security within an organization:
Development and support of policies
Allocation of resources
Decisions based on risk
Prioritization of business processes

LIABILITIES

* Legal liability is an important consideration for risk assessment and analysis.
* Addresses whether or not a company is responsible for specific actions or inaction.
* Who is responsible for security within an organization? Senior management.
* Are we liable in the instance of a loss?
* Due diligence: continuously monitoring an organization's practices to ensure they are meeting or exceeding the security requirements.
* Due care: ensuring that "best practices" are implemented and followed; following up due diligence with action.
* Prudent man rule: acting responsibly and cautiously, as a prudent man would.
* Best practices: the organization is aligned with the favored practices within its industry.

 

 

ORGANIZATIONAL SECURITY POLICY

 

* Also Known as a Program Policy
* Mandatory
* High level statement from management
* Should support strategic goals of an organization
* Explain any legislation or industry specific drivers
* Assigns responsibility
* Should be integrated into all business functions
* Enforcement and Accountability

 

ISSUE AND SYSTEM SPECIFIC POLICY

* Issue-specific policy, sometimes called functional implementation policy, states the company's position on particular employee issues. AUP, e-mail and privacy would all be covered under issue-specific policy.
* System-specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.

 

Security Policy Document Relationships

(Figure: laws, regulations and best practices drive the program or organizational policy. Beneath it sit the functional (issue- and system-specific) policies, which together form management's security directives. These are supported in turn by standards, procedures, baselines and guidelines.)

 

STANDARDS

1. Mandatory
2. Created to support policy, while providing more specifics.
3. Reinforces policy and provides direction
4. Can be internal or external

 

 

 

PROCEDURES

* Mandatory
* Step by step directives on how to accomplish an end-result.
* Detail the “how-to” of meeting the policy, standards and guidelines

 

GUIDELINES

* Not Mandatory
* Suggestive in Nature
* Recommended actions and guides to users
* “Best Practices”

 

BASELINES

* Mandatory
* Minimum acceptable security configuration for a system or process
* The purpose of security classification is to determine and assign the necessary baseline configuration to protect the data

 

 

 

 

PERSONNEL SECURITY POLICIES (EXAMPLES)

* Hiring Practices and Procedures
* Background Checks/Screening
* NDA’s
* Employee Handbooks
* Formal Job Descriptions
* Accountability
* Termination

 

 

ROLES AND RESPONSIBILITIES
* Senior/Executive Management
* CEO: Chief Decision-Maker
* CFO: Responsible for budgeting and finances
* CIO: Ensures technology supports company’s objectives
* ISO: Risk Analysis and Mitigation
* Steering Committee:  Define risks, objectives and approaches
* Auditors:  Evaluates business processes
* Data Owner:  Classifies Data
* Data Custodian:  Day to day maintenance of data
* Network Administrator:  Ensures availability of network resources
* Security Administrator: Responsible for all security-related tasks, focusing on Confidentiality and Integrity

 

RESPONSIBILITIES OF THE ISO

* Responsible for providing C-I-A for all information assets
* Communication of risks to senior management
* Recommend best practices to influence policies, standards, procedures and guidelines
* Establish security measurements
* Ensure compliance with government and industry regulations
* Maintain awareness of emerging threats

 

 

LIABILITIES – WHO IS AT FAULT?

* Failure of management to exercise due care and/or due diligence can be termed negligence. Culpable negligence is often used to prove liability.
* Prudent Man Rule: perform the duties that prudent people would exercise in similar circumstances
Example: due care is setting a policy; due diligence is enforcing that policy
* Downstream Liabilities: integrating technology with other companies can extend one's responsibility outside the normal bounds

 

LEGAL LIABILITY
* Legally Recognized Obligation
A standard exists that outlines the conduct expected of a company to protect others from unreasonable risks
* Proximate Causation
Fault can actually be proven to be a direct result of one’s action or inaction
* Violation of Law
Regulatory, criminal, or intellectual property
* Violation of Due Care
Stockholders suits
* Violation of Privacy
Employee suits

 

TYPES OF LAWS

* Criminal Law
* Civil Law
* Regulatory
* Intellectual Property

 

CRIMINAL LAW

* Beyond a reasonable doubt—can be difficult to meet this burden of proof in computer-related crimes
* Penalties: Financial, Jail-time, death
Felonies: More serious of the two. Often penalty results in incarceration of at least a year.
Misdemeanors: Normally the less serious of the two with fines or jail-time of less than one year.
* The Goal of criminal penalties is:
Punishment
Deterrence

 

CIVIL (TORT) LAW

* Preponderance of evidence
* Damages
Compensatory: paid for the actual damage suffered by a victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
Punitive: designed as a punishment for the offender
Statutory: an amount stipulated within the law rather than calculated from the degree of harm to the plaintiff. Often awarded for acts in which it is difficult to determine the value of the harm to the victim.
* Liability, due care, due diligence and the prudent person rule are all pertinent to civil law, as well as to administrative law

 

ADMINISTRATIVE (REGULATORY) LAW

 

* Defines standards of performance and regulates conduct for specific industries:
Banking (Basel II)
Energy (Energy Policy Act of 2005, EPAct)
Health Care (HIPAA)
* Burden of proof is "more likely than not"
* Penalties consist of fines or imprisonment

 

INTELLECTUAL PROPERTY

* Intellectual Property Law: protecting products of the mind
* A company must take steps to protect resources covered by these laws, or the laws may not protect them
* The main international organization, run by the UN, is the World Intellectual Property Organization (WIPO)
* Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate espionage
INTELLECTUAL PROPERTY PROTECTION

 

* Trade Secret
Resource must provide competitive value
Must be reasonably protected from unauthorized use or disclosure
Proprietary to a company and important for survival
Must be genuine and not obvious

COPYRIGHT

* Under US law, copyright protection lasts for the lifetime of the author plus 70 years; for works made for hire (corporate works) it lasts 95 years from publication or 120 years from creation, whichever is shorter
* Work does not need to be registered or published to be protected
* Protects the expression of an idea rather than the idea itself
* Gives the author control over how the work is distributed, reproduced and used
* Two limitations on copyright:
First sale
Fair use

 

INTELLECTUAL PROPERTY
PROTECTION CONTINUED

* Trademark
Protect word, name, symbol, sound, shape, color or combination used to identify product to distinguish from others
Protect from someone stealing another company’s “look and feel”
Corporate Brands and operating system logos
* Trademark Law Treaty Implementation Act protects trademarks internationally

 

INTELLECTUAL PROPERTY
PROTECTION CONTINUED
* Patent
Originally valid for 17 years; now valid for 20 years
Protection for those who have legal ownership of an invention
Invention must be novel and non-obvious
Owner has exclusive control of the invention for 20 years
Example: a cryptographic algorithm can be patented
The strongest form of protection
Published to stimulate other inventions
The PCT (Patent Cooperation Treaty) has been adopted by over 130 countries to provide international protection of patents
No organization enforces patents; it is up to the owner to pursue patent rights through the legal system

ATTACKS ON INTELLECTUAL
PROPERTY

 

* Piracy
* Copyright infringement
* Counterfeiting
* Cybersquatting
* Typosquatting

 

 

EXPORT/IMPORT RESTRICTIONS

* Export restriction
The Wassenaar Arrangement is a multilateral export-control regime covering conventional arms and dual-use goods and technologies, including cryptography; participating states implement its control lists in national law, which restricts exports to embargoed and terrorist-sponsoring states
Exporting cryptographic software to non-government end users in other countries is generally permitted
No exporting of strong encryption software to terrorist states
* Import restriction
Some countries restrict the import of strong cryptographic tools or require that keys be made available to law enforcement
* US Safe Harbor (the US-EU framework for transferring personal data from the EU to the US)

 

INTERNATIONAL ISSUES

* Trans border Issues
* Each country treats computer crimes differently
* Evidence rules differ between legal systems
* Governments may not assist each other in international cases
* Jurisdiction issues

 

PRIVACY ISSUES – EMPLOYEE MONITORING

* Local labor laws related to privacy cannot be violated
* Be mindful of the reasonable expectation of privacy (REP); obtain an employee waiver by signature on policies, etc.
* Notify employees of the monitoring that may be used (login banners, security awareness), or do not monitor employees at all
* Ensure that monitoring is lawful
* Do not target individuals in monitoring
* Monitor work-related events: keystrokes, cameras, badges, telephone, e-mail

 

HIPAA (HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT)

 

* Applies to
* Health Insurers
* Health Providers
* Health care clearing houses (claim processing agencies)
* As of 2009, covered entities must disclose security breaches regarding personal information

 

 

GRAMM-LEACH-BLILEY FINANCIAL SERVICES MODERNIZATION ACT

* Known as GLBA
* Requires financial institutions to better protect customers' PII (Personally Identifiable Information)
* Three rules:
Financial Privacy Rule: requires financial institutions to provide information to customers regarding how PII is protected
Safeguards Rule: requires each financial institution to have a formal written security plan detailing how customer PII will be safeguarded
Pretexting Protection: addresses social engineering and requires methods to be in place to limit the information that can be obtained by this type of attack

 

PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)

* Not a legal mandate; a contractual requirement
* The payment card industry self-regulates its own security standards
* Applies to any business worldwide that transmits, processes or stores payment card data
* Compliance is enforced by the payment card brands (Visa, MasterCard, American Express, etc.)
* Compliance validation requirements are dictated by transaction volume, as well as by any previous security incidents

 

 

PCI DSS (PAYMENT CARD INDUSTRY DATA
SECURITY STANDARD) CONTINUED

 

 

* Six Core Principles:
Build and maintain a secure network
Protect card holder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test the networks
Maintain an Information security policy

 

 

DISCLOSURE
* Often Organizations prefer not to disclose security breaches
Advertises vulnerabilities
Causes loss of customer confidence
Liability issues
Difficulty of Prosecution
* Many states have now passed disclosure laws that legally require organizations to publicly disclose security breaches that might compromise personal data
Allow individuals to take corrective action
Additional motivation for organizations to protect customer data

 

AUDITING ROLE

* Objective evaluation of controls and policies to ensure that they are being implemented and are effective.
* If internal auditing is in place, auditors should not report to the head of the business unit being audited, but to legal, human resources or some other entity without a direct stake in the result.

 

Knowledge Transfer

Awareness, Training, Education
"People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization's security program."

The goal of knowledge transfer is to modify employee behavior

 

BEING AWARE OF THE RULES

Security Awareness Training
Employees cannot and will not follow the directives and procedures, if they do not know about them
Employees must know expectations and ramifications, if not met
Employee recognition award program
Part of due care
Administrative control

 

AWARENESS/TRAINING/ EDUCATION
BENEFITS

Overriding Benefits:
Modifies employee behavior and improves attitudes towards information security
Increases ability to hold employees accountable for their actions
Raises collective security awareness level of the organization

 

CONTINUITY OF THE ENTERPRISE

 

Business Continuity and Disaster Recovery
Planning

BCP VS. DRP

* Business Continuity Planning: Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long Term focused
* Disaster Recovery Planning: goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused. Short Term focused

 

 

BCP RELATIONSHIP TO RISK
MANAGEMENT

 

 

MITIGATE RISKS

 

* Reduce negative effects:
* – Life Safety is the number 1 priority!
* – Reputation: Is the second most important asset of an organization. Though specific systems are certainly essential, don’t forget to focus on the big picture—protect the company as a whole

 

 

BUSINESS CONTINUITY PLANNING

 

 

* Disaster recovery and continuity planning deal with uncertainty and chance
Must identify all possible threats and estimate possible damage
Develop viable alternatives
* Threat Types:
Man-made
Strikes, riots, fires, terrorism, hackers, vandals
Natural
Tornado, flood, earthquake
Technical
Power outage, device failure, loss of a T1 line

BUSINESS CONTINUITY PLANNING

* Categories of Disruptions
Non-disaster: an inconvenience, e.g. a hard drive failure, a disruption of service, a device malfunction
Emergency/Crisis: an urgent, immediate event where there is the potential for loss of life or property
Disaster: the entire facility is unusable for a day or longer
Catastrophe: destroys the facility
A company should understand and be prepared for each category
* ANYONE CAN DECLARE AN EMERGENCY; ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER (anyone can pull the fire alarm or trigger an emergency alarm; only the BCP coordinator, or someone specified in the BCP, can declare a disaster, which then triggers failover to another facility)

 

 

ISO 27031

* Approved in 2011
* Provides a standard that did not exist previously
* Will resolve inconsistencies in terms, definitions and documents (so for now there may be inconsistencies on the exam; look for concepts more than specific terms)
* Until this ISO standard is included on the test, the following provide guidance on BCP/DRP:
DRII (Disaster Recovery Institute International)
NIST SP 800-34
BCI GPG (Business Continuity Institute Good Practice Guidelines)

 

BUSINESS CONTINUITY PLAN SUB-PLANS

* BCP
* Protect
Crisis Communication Plan
OEP (Occupant Emergency Plan)
* Recover
BRP (Business Recovery Plan)
DRP (Disaster Recovery Plan)
Continuity of Support Plan/IT Contingency Plan
* Sustain
COOP (Continuity of Operations Plan)

 

PROTECT

 

* Crisis Communications Plan
Purpose: provides procedures for disseminating status reports to personnel and the public
Scope: addresses communications with personnel and the public; not IT focused
* Occupant Emergency Plan (OEP)
Purpose: provides coordinated procedures for minimizing loss of life or injury and protecting property in response to a physical threat
Scope: focuses on personnel and property particular to the specific facility; not business process or IT system based. May also be referred to as a crisis or incident management plan; however, the OEP concept should be recognizable as the "initial response to the emergency event"

RECOVER

* Business Recovery (or Resumption) Plan (BRP)
Purpose: provides procedures for recovering business operations immediately following a disaster
Scope: addresses business processes; not IT-focused; IT is addressed only in terms of its support for business processes
* Continuity of Support Plan/IT Contingency Plan
Purpose: provides procedures and capabilities for recovering a major application or general support system
Scope: addresses IT system disruptions; not business process focused
* Cyber Incident Response Plan
Purpose: provides strategies to detect, respond to, and limit the consequences of a malicious cyber incident
Scope: focuses on information security responses to incidents affecting systems and/or networks
* Disaster Recovery Plan (DRP)
Purpose: provides detailed procedures to facilitate recovery of capabilities at an alternate site
Scope: often IT-focused; limited to major disruptions with long-term effects

SUSTAIN
Continuity of Operations Plan (COOP)
Purpose: Provide procedures and capabilities to sustain an organization’s
essential, strategic functions at an alternate site for up to 30 days.
This term is sometimes used in US Government to refer to the field of Business Continuity Management, but per NIST 800-34, it is a unique sub-plan of the BCP. **Note, BCP addresses ALL business processes, not just mission critical.
Scope: Addresses the subset of an organization’s missions that are
deemed most critical; usually written at headquarters level; not IT-focused

 

 

NIST 800-34
INTERRELATIONSHIP OF THE PLANS

 

ROLES AND RESPONSIBILITIES

* Senior Executive Management
* Consistent support and final approval of plans
* Setting the business continuity policy
* Prioritizing critical business functions
* Allocating sufficient resources and personnel
* Providing oversight for and approving the BCP
* Directing and reviewing test results
* Ensuring maintenance of a current plan

 

 

ROLES AND RESPONSIBILITIES

* Senior Functional Management
Develop and document the maintenance and testing strategy
Identify and prioritize mission-critical systems
Monitor progress of plan development and execution
Ensure periodic tests
Create the various teams necessary to execute the plans

 

ROLES AND RESPONSIBILITIES

* BCP Steering Committee
Conduct the BIA
Coordinate with department representatives
Develop analysis group
Plan must be developed by those who will carry it out
Representatives from critical departments

BCP TEAMS

* Teams:
Rescue: Responsible for dealing with the immediacy of disaster—employee evacuation, “crashing” the server room, etc..
Recovery: Responsible for getting the alternate facility up and running and restoring the most critical services first.
Salvage: Responsible for the return of operations to the original or permanent facility (reconstitution)

 

DEVELOPING THE TEAMS

* Management should appoint members
* Each member must understand the goals of the plan and be familiar with the department they are responsible for
* Agreed upon prior to the event:
Who will talk to the media, customers and shareholders
Who will set up alternative communication methods
Who will set up the offsite facility (agreements with off-site facilities should already be in place)
Who will work on the primary facility

7 PHASES OF BUSINESS
CONTINUITY PLAN

 

* Phases of Plan:
Project Initiation
Business Impact Analysis
Recovery Strategy
Plan Design and Development
Implementation
Testing
Maintenance

 

(Figure: the seven phases shown as a cycle: Project Initiation, Business Impact Analysis, Recovery Strategy, Plan Design and Development, Implementation, Testing, Maintenance.)

 

PHASES OF THE PLAN:
PROJECT INITIATION

 

* Project Initiation
Obtain senior management’s support
Secure funding and resource allocation
Name BCP coordinator/Project Manager
Develop Project Charter
Determine scope of the plan
Select Members of the BCP Team

 

PHASES OF THE PLAN: BUSINESS IMPACT ANALYSIS

* BIA (Business Impact Analysis)
Initiated by BCP Committee
Identifies and prioritizes all business processes based on criticality
Addresses the impact on the organization in the event of loss of a specific services or process
Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc..
Qualitative: loss of service quality, competitive advantage, market share, reputation, etc..
Establishes key metrics for use in determining appropriate counter-measures and recovery strategy
IMPORTANCE (relevance) vs. CRITICALITY (downtime)
The Auditing Department is certainly important, though not usually critical.
THE BIA FOCUSES ON CRITICALITY

 

PHASES OF THE PLAN:
BUSINESS IMPACT ANALYSIS

 

* Key Metrics to Establish
* Service Level Objectives
* RPO (Recovery Point Objective)
* MTD (Maximum Tolerable Downtime)
RTO (Recovery Time Objective)
WRT (Work Recovery Time)
* MTBF (Mean Time Between Failures)
* MTTR (Mean Time To Repair)
* MOR (Minimum Operating Requirements)

 

ELEMENTS OF THE PLAN:
BUSINESS IMPACT ANALYSIS

* Management should establish recovery priorities for business processes that identify:
Essential personnel
Succession Plans
MOAs/MOUs (Memorandums of Agreement/Understanding)
Technologies
Facilities
Communications systems
Vital records and data

 

RESULTS FROM THE BIA

* Results of the Business Impact Analysis contain:
All business processes and assets identified, not just those considered critical, and the impact the company can tolerate for each risk
Outage times that would be critical versus those that would not
Preventive controls
* Document and present to management for approval
* Results are used to create the recovery plans

 

 

 

(Figure: the BIA results are submitted to management; the DRP and BCP are derived from the BIA.)

PHASES OF THE PLAN:
IDENTIFY RECOVERY STRATEGIES

 

 

* When preventive controls don’t work, recovery strategies are necessary
* Facility Recovery
* Hardware and Software Recovery
* Personnel recovery
* Data Recovery

 

FACILITY RECOVERY

* Subscription services
Hot, warm, cold sites
* Reciprocal agreements
* Others
Redundant/mirrored site (partial or full)
Outsourcing
Rolling hot site
Prefabricated building
* Offsite facilities should be no less than 15 miles away for low- to medium-criticality environments; critical operations should have an offsite facility 50-200 miles away

FACILITY RECOVERY OPTIONS

Alternative | Time to Occupy | Readiness | Cost
Mirrored Site | Within 24 hours | Fully redundant in every way | Highest
Hot Site | Within 24 hours | Fully configured equipment and communications links; need only load the most recent data | High
Rolling Hot Site | Usually 24 hours | Similar to a hot site, but supports data center operations only | High
Warm Site | Within a week | Between a hot and a cold site; partially configured equipment and no live data; some activation activity needed | Medium
Cold Site | Within 30 days | Typically contains the appropriate electrical and heating/air conditioning systems, but no equipment or active communication links | Lowest

FACILITY RECOVERY:
RECIPROCAL AGREEMENTS
* How long will the facility be available to the company in need?
* How much assistance will the staff supply in the means of integrating the two environments and ongoing support?
* How quickly can the company in need move into the facility?
* What are the issues pertaining to interoperability?
* How many of the resources will be available to the company in need?
* How will differences and conflicts be addressed?
* How does change control and configuration management take place?

HARDWARE RECOVERY

* Technology recovery is dependent upon good configuration management documentation
* May include
PCs/Servers
Network equipment
Supplies
Voice and data communications equipment
* SLAs can play an essential role in hardware recovery (see below)

SOFTWARE RECOVERY

* BIOS configuration information
* Operating systems
* Licensing information
* Configuration settings
* Applications
* Plans for what to do in the event that the operating system/applications are no longer available to be purchased

PERSONNEL RECOVERY

* Identify essential personnel—the entire staff is not always necessary to move into recovery operations
* How to handle personnel if the offsite facility is a great distance away
* Eliminate single points of failure in staffing and ensure backups are properly trained
* Don’t forget payroll!

ADDITIONAL DATA REDUNDANCY

* Database Shadowing
* Remote Journaling
* Electronic Vaulting

DATA RECOVERY CONTINUED
* Database Backups
Disk-shadowing
Mirroring technology
Updating one or more copies of data at the same time
Data saved to two media types for redundancy

Diagram: Database → Master Data Repository and Shadow Data Repository

DATA RECOVERY CONTINUED

* Electronic Vaulting
Copy of modified file is sent to a remote location where an original backup is stored
Transfers bulk backup information
Batch process of moving data
* Remote Journaling
Moves the journal or transaction log to a remote location, not the actual files
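
As an added example that is not part of the course slides, the following Python model contrasts the three data-redundancy techniques above: database shadowing (the shadow repository is updated in the same operation as the master), remote journaling (only the transaction log travels to the remote site, where it is replayed) and electronic vaulting (bulk copies of modified files, sent in batches). The class and method names are my own constructions, not a real product API. The scenario runs two days of transactions and then loses the primary site before the second vaulting batch: the shadow and the replayed journal both reproduce the master, while the vault still holds the previous day's files, which is the data-loss window a batch process leaves open.

```python
"""Constructed model of database shadowing, remote journaling and electronic
vaulting. Class names are the example author's own, not a product API."""
import hashlib
import json
from copy import deepcopy


def digest(state: dict) -> str:
    """Hash of a repository state, used to check that a recovered copy
    matches the master (an integrity check, as in the CIA triad)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


class PrimaryDatabase:
    """Primary site: master repository, shadow repository and transaction log."""

    def __init__(self):
        self.master = {}       # master data repository (file name -> contents)
        self.shadow = {}       # shadow data repository, written at the same time
        self.journal = []      # transaction log; remote journaling ships this
        self.modified = set()  # files touched since the last vaulting batch

    def _log(self, op, key, value=None):
        entry = {"seq": len(self.journal) + 1, "op": op, "key": key, "value": value}
        self.journal.append(entry)
        self.modified.add(key)

    def write(self, key, value):
        # Disk shadowing: master and shadow are updated in the same operation.
        self.master[key] = value
        self.shadow[key] = value
        self._log("put", key, value)

    def delete(self, key):
        self.master.pop(key, None)
        self.shadow.pop(key, None)
        self._log("del", key)

    def ship_journal(self, after_seq):
        """Remote journaling: send only the log entries the remote lacks."""
        return [e for e in self.journal if e["seq"] > after_seq]

    def vault_batch(self):
        """Electronic vaulting: bulk copy of every file modified since the
        last batch (None marks a file that was deleted)."""
        batch = {k: self.master.get(k) for k in sorted(self.modified)}
        self.modified.clear()
        return batch


class RemoteSite:
    """Offsite facility holding the vaulted backup and the received journal."""

    def __init__(self):
        self.vault = {}
        self.journal = []
        self.last_seq = 0

    def receive_journal(self, entries):
        for e in entries:
            if e["seq"] != self.last_seq + 1:   # a gap means lost transactions
                raise ValueError(f"journal gap before seq {e['seq']}")
            self.journal.append(e)
            self.last_seq = e["seq"]

    def receive_vault_batch(self, batch):
        for key, value in batch.items():
            if value is None:
                self.vault.pop(key, None)
            else:
                self.vault[key] = value

    def rebuild_from_journal(self, baseline):
        """Replay the received log on top of a baseline copy."""
        state = deepcopy(baseline)
        for e in self.journal:
            if e["op"] == "put":
                state[e["key"]] = e["value"]
            else:
                state.pop(e["key"], None)
        return state


def run_scenario():
    """Two days of activity, then a disaster before the second vaulting run."""
    primary, remote = PrimaryDatabase(), RemoteSite()

    # Day 1: transactions, then the nightly vault batch and journal shipment.
    primary.write("accounts.db", "v1")
    primary.write("orders.db", "v1")
    remote.receive_vault_batch(primary.vault_batch())
    remote.receive_journal(primary.ship_journal(remote.last_seq))

    # Day 2: more transactions; the journal is shipped continuously, but the
    # next vault batch has not run yet when the primary site is lost.
    primary.write("orders.db", "v2")
    primary.delete("accounts.db")
    primary.write("invoices.db", "v1")
    remote.receive_journal(primary.ship_journal(remote.last_seq))

    master_digest = digest(primary.master)
    return {
        "shadow_matches_master": digest(primary.shadow) == master_digest,
        "journal_rebuild_matches_master": digest(remote.rebuild_from_journal({})) == master_digest,
        "vault_matches_master": digest(remote.vault) == master_digest,
        "vault_contents": dict(remote.vault),
        "journal_entries_received": remote.last_seq,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The sequence-number check in `receive_journal` is the part a practitioner should keep: a journal with a gap cannot be replayed safely, so the remote site refuses it instead of silently producing a copy that no longer matches the master.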

 

PHASES OF THE PLAN:
PLAN AND DESIGN DEVELOPMENT

* Now that all the research and planning has been done, this phase is where the actual plan is written
* Should address
Responsibility
Authority
Priorities
Testing

 

PHASES OF THE PLAN:
IMPLEMENTATION

* Plan is often created for an enterprise with individual functional managers responsible for plans specific to their departments
* Copies of Plan should be kept in multiple locations
* Both Electronic and paper copies should be kept
* Plan should be distributed to those with a need to know. Most employees will only see a small portion of the plan

PHASES OF THE PLAN: IMPLEMENTATION
* Three Phases Following a Disruption
* Notification/Activation
Notifying recovery personnel
Performing a damage assessment
* Recovery Phase – Failover
Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities; performed by the recovery team
* Reconstitution – Failback
Outlines actions taken to return the system to normal operating conditions; performed by the salvage team

PHASES OF THE PLAN:
TESTING

* Should happen once per year, or as the result of a major change (VERY TESTABLE)
* The purpose of testing is to improve the response (never to find fault or blame)
* The type of testing is based upon the criticality of the organization, resources available and risk tolerance
Testing: happens before implementation of a plan. The goal is to ensure the accuracy and the effectiveness of the plan
Exercises/Drills: employees walk through the plan step by step. Happens periodically. Main goal is to train employees
Auditing: a third-party observer ensures that components of a plan are being carried out and that they are effective.

 

TYPES OF TESTS
* Checklist Test
Copies of the plan distributed to different departments
Functional managers review
* Structured Walk-Through (Table Top) Test
Representatives from each department go over the plan
* Simulation Test
Going through a disaster scenario
Continues up to the actual relocation to an offsite facility

 

TYPES OF TESTS

* Parallel Test
Systems moved to alternate site, and processing takes place there
* Full-Interruption Test
Original site shut down
All processing moved to offsite facility
 

POST-INCIDENT REVIEW

* After a test or disaster has taken place:
Focus on how to improve
What should have happened
What should happen next
Not whose fault it was; this is not productive

PHASES OF THE PLAN:
MAINTENANCE
* Change Management:
Technical – hardware/software
People
Environment
Laws
* Large plans can take a lot of work to maintain
* Does not have a direct line to profitability

 

PHASES OF THE PLAN:
MAINTENANCE

* Keeping the plan up to date
Make it a part of business meetings and decisions
Centralize responsibility for updates
Part of job description
Personnel evaluations
Report regularly
Audits
As plans get revised, original copies should be retrieved and destroyed

 

CHAPTER 1: SECURITY AND RISK MANAGEMENT REVIEW
* Security Basics
Confidentiality, integrity, and availability concepts
IAAA
Risks
Security governance principles
Compliance
Legal and regulatory issues
Professional ethics: download ISC2 code of ethics at https://www.isc2.org/uploadedfiles/(isc)2_public_content/code_of_ethics/isc2-code-of-ethics.pdf
* Business Continuity Planning
* Project Initiation
* Business Impact Analysis
* Recovery Strategy
* Plan Design and Development
* Implementation
* Testing
* Maintenance