INFORMATION SECURITY MANAGEMENT - PowerPoint PPT Presentation

About This Presentation
Title: INFORMATION SECURITY MANAGEMENT
Description: Discussion on Disaster Recovery Myths, Business Continuity ... Natural Disasters, Human-made Disasters, Scenario development ... (PowerPoint PPT presentation)

Slides: 50
Provided by: DrMichae80

Transcript and Presenter's Notes

1
INFORMATION SECURITY MANAGEMENT
Lecture 3 Planning for Contingencies
You got to be careful if you don't know where
you're going, because you might not get there.
Yogi Berra
2
Principles of Information Security Mgmt
  • The six Ps that are the focus of this course:
  • Planning
  • Policy
  • Programs
  • Protection
  • People
  • Project Management

Chapters 2 and 3
Chapter 4
http://csrc.nist.gov/publications/PubsTC.html
3
Introduction
  • One study found that over 40% of businesses that
    don't have a disaster plan go out of business
    after a major loss
  • Small Business Approaches

4
Introduction 2012 Natural Disaster Map
5
Contingency Planning
  • Contingency planning (CP)
  • The overall planning for unexpected events
  • Involves preparing for, detecting, reacting to,
    and recovering from events that threaten the
    security of information resources and assets

6
Fundamentals of Contingency Planning
Incident Response
Disaster Recovery
Business Continuity
7
Developing a CP Document
  • Develop the contingency planning policy statement
  • Conduct the BIA
  • Identify preventive controls
  • Develop recovery strategies
  • Develop an IT contingency plan
  • Plan testing, training, and exercises
  • Plan maintenance

8
Business Impact Analysis (BIA)
  • Provides detailed scenarios of each potential
    attack's impact

9
Business Impact Analysis (contd.)
  • The CP team conducts the BIA in the following
    stages
  • Threat/attack identification
  • Business unit analysis
  • Attack success scenarios
  • Potential damage assessment
  • Subordinate plan classification
  • What are the goals of a BIA?

10
Business Impact Analysis (contd.)
  • An organization that uses a risk management
    process will have identified and prioritized
    threats
  • The second major BIA task is the analysis and
    prioritization of business functions within the
    organization
  • Each function should be categorized by how
    critical it is to the organization

11
Business Impact Analysis (contd.)
  • Create a series of scenarios depicting impact of
    successful attack on each functional area
  • Attack profiles should include scenarios
    depicting a typical attack, including:
  • (1) methodology, (2) indicators, (3) broad
    consequences
  • Estimate the cost
  • Should this be done in-house or outsourced?

12
NIST Business Process and Recovery Criticality
  • Key recovery measures
  • Maximum Tolerable Downtime (MTD): the total amount
    of time the system owner is willing to accept for
    a mission/business process outage or disruption
  • Recovery Time Objective (RTO): the maximum amount
    of time a system resource can remain unavailable
    before there is an unacceptable impact on other
    system resources and on the business processes it
    supports; the RTO must fit within the MTD
  • Recovery Point Objective (RPO): the point in time,
    prior to a disruption or system outage, to which
    mission/business process data can be recovered
    after an outage; in practice it is bounded by the
    age of the most recent usable backup

13
NIST Business Process and Recovery Criticality
  • Work Recovery Time (WRT): the amount of effort,
    expressed as elapsed time, needed to get the
    business function operational AFTER the technology
    element is recovered
  • Added to the RTO, it gives the realistic amount of
    elapsed time before a business function is back in
    useful service
  • That total (RTO + WRT) must be shorter than the MTD
  • Must balance the cost of system inoperability
    against the cost of recovery
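The two relationships on this slide and the previous one (RTO + WRT must not exceed the MTD, and the backup schedule must keep up with the RPO) are easy to violate in a BIA spreadsheet without anyone noticing. The Python script below is an added example, not part of the lecture and not taken from any NIST publication: it checks each recorded business process against both constraints and orders the processes for recovery, tightest MTD first. The process names, the hour values and the backup-interval field are constructed sample data.

```python
"""Sanity-check the recovery parameters recorded in a BIA.

Added example (not from the slides). Each business process carries the
MTD, RTO, WRT and RPO the slides define, plus the interval at which its
data is actually backed up. Two checks are enforced: RTO + WRT must not
exceed the MTD, and backups must be at least as frequent as the RPO,
otherwise a restore loses more data than the business said it accepts.
All names and numbers below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # time to get the technology element back
    wrt_hours: float              # work recovery time once the technology is back
    rpo_hours: float              # acceptable data loss, measured back from the outage
    backup_interval_hours: float  # how often backups are actually taken (assumed field)


def total_recovery_hours(p: BusinessProcess) -> float:
    """Realistic elapsed time before the function is back in useful service."""
    return p.rto_hours + p.wrt_hours


def check_process(p: BusinessProcess) -> list:
    """Return human-readable findings; an empty list means the entry is consistent."""
    values = (p.mtd_hours, p.rto_hours, p.wrt_hours, p.rpo_hours, p.backup_interval_hours)
    if any(v < 0 for v in values):
        return [f"{p.name}: negative value in BIA entry"]
    findings = []
    if p.rto_hours > p.mtd_hours:
        findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
    elif total_recovery_hours(p) > p.mtd_hours:
        # The common mistake: RTO alone fits, but nobody budgeted the WRT.
        findings.append(
            f"{p.name}: RTO + WRT = {total_recovery_hours(p)}h exceeds MTD "
            f"{p.mtd_hours}h (WRT of {p.wrt_hours}h not budgeted)")
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(
            f"{p.name}: backups every {p.backup_interval_hours}h cannot meet "
            f"RPO of {p.rpo_hours}h")
    return findings


def check_bia(processes: list) -> dict:
    """Map each process name to its findings; only processes with findings appear."""
    return {p.name: f for p in processes if (f := check_process(p))}


def recovery_order(processes: list) -> list:
    """Restore order: tightest MTD first, then the least slack between MTD and RTO + WRT."""
    key = lambda p: (p.mtd_hours, p.mtd_hours - total_recovery_hours(p))
    return [p.name for p in sorted(processes, key=key)]


# Constructed sample BIA; the customer portal is the inconsistent entry.
SAMPLE_BIA = [
    BusinessProcess("Order entry",     mtd_hours=4,   rto_hours=2,  wrt_hours=1, rpo_hours=1,  backup_interval_hours=1),
    BusinessProcess("Payroll",         mtd_hours=72,  rto_hours=24, wrt_hours=8, rpo_hours=24, backup_interval_hours=24),
    BusinessProcess("Customer portal", mtd_hours=8,   rto_hours=6,  wrt_hours=4, rpo_hours=2,  backup_interval_hours=24),
    BusinessProcess("Internal wiki",   mtd_hours=168, rto_hours=48, wrt_hours=2, rpo_hours=24, backup_interval_hours=12),
]

if __name__ == "__main__":
    for findings in check_bia(SAMPLE_BIA).values():
        for f in findings:
            print("FINDING:", f)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
```

Run as-is it reports the customer portal twice: the RTO of 6 h fits the 8 h MTD, but once the 4 h of WRT is added the function is back 2 h too late, and a daily backup cannot honour a 2 h RPO. The ordering function is the input a DRP needs when several functions fail at once and must be restored sequentially.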

15
Timing and Sequence of CP Elements
Figure 3-6 Contingency planning implementation
timeline
Source Course Technology/Cengage Learning
16
Incident Response Plan
  • The question is not whether an incident will occur,
    but when it will occur
  • A detailed set of processes and procedures that
    commence when an incident is detected
  • When a threat becomes a valid attack, it is
    classified as an information security incident if
    it
  • is directed against information assets
  • has a realistic chance of success
  • threatens the confidentiality, integrity, or
    availability of information assets

17
Incident Response Plan (contd.)
  • Who creates the incident response plan?
  • Planners develop and document the procedures that
    must be performed during the incident and
    immediately after the incident has ceased
  • Separate functional areas may develop different
    procedures

18
Incident Response Plan (contd.)
  • Develop procedures for tasks that must be
    performed in advance of the incident
  • Details of data backup schedules
  • Disaster recovery preparation
  • Training schedules
  • Testing plans
  • Copies of service agreements
  • Business continuity plans

19
Incident Response Plan (contd.)
Figure 3-3 Incident response planning
Source Course Technology/Cengage Learning
20
Incident Response Plan (contd.)
  • Planning requires a detailed understanding of the
    information systems and the threats they face
  • The IR planning team seeks to develop pre-defined
    responses that guide users through the steps
    needed to respond to an incident

21
Incident Response Plan (contd.)
  • Incident classification
  • Determine whether an event is an actual incident
  • Uses initial reports from end users, intrusion
    detection systems, host- and network-based virus
    detection software, and systems administrators
  • (Example: RSA Data Loss Prevention)

22
Incident Response Software
23
Incident Response Plan Tools
24
Incident Response Plan Tools
25
Incident Response Plan Indicators
  • Possible indicators
  • Probable indicators
  • Definite indicators
  • When any of the following occurs, the corresponding
    IR plan must be activated immediately
  • Loss of availability
  • Loss of integrity
  • Loss of confidentiality
  • Violation of policy
  • Violation of law

http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-to-china-surfs-web
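As an added example (not from the slides and not any vendor's product), the Python below applies the three indicator levels from this slide and the classification sources from the previous one to a constructed log sample, and decides whether the IR plan must be activated: any definite indicator, which here corresponds to one of the five conditions listed above, triggers activation; probable indicators are queued for investigation; possible ones are only counted and correlated. The log line format, the regular-expression rules, the host and dormant account names, the escalation threshold and the sample lines are all assumptions made for this example.

```python
"""Triage reported events into incident indicators and decide on IR activation.

Added example; not from the lecture slides or any IR product. The three
indicator levels and the conditions that force immediate IR activation come
from the slide above. Everything else (line format, rules, host and account
names, the escalation threshold, the sample log) is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("none", "possible", "probable", "definite")  # weakest to strongest

# Constructed rules: (level, program, pattern over the message, what it indicates).
# Ordered strongest first so the first matching rule is the strongest one.
RULES = [
    ("definite", "auditd", re.compile(r"audit log .*(truncated|cleared)"),
     "loss of integrity: audit log tampered with"),
    ("definite", "sshd", re.compile(r"Accepted \w+ for (svc_legacy|guest2019) "),
     "use of a dormant account"),
    ("definite", "dlp", re.compile(r"blocked=no .*records=\d+"),
     "loss of confidentiality: customer records left the network"),
    ("probable", "useradd", re.compile(r"new user"),
     "unexpected account creation"),
    ("possible", "sshd", re.compile(r"Failed password"),
     "authentication failures"),
    ("possible", "kernel", re.compile(r"filesystem full"),
     "unexplained resource exhaustion"),
]
POSSIBLE_ESCALATION_THRESHOLD = 5  # this many possible indicators on one host count as probable

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[\w.-]+): (?P<message>.*)$")


@dataclass
class Event:
    ts: str
    host: str
    program: str
    message: str


@dataclass
class HostTriage:
    host: str
    level: str = "none"
    reasons: list = field(default_factory=list)
    possible_count: int = 0


def parse_line(line: str) -> Optional[Event]:
    """Parse '<timestamp> <host> <program>: <message>'; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def classify_event(ev: Event) -> tuple:
    """Return (level, reason) for the strongest rule the event matches."""
    for level, program, pattern, reason in RULES:
        if ev.program == program and pattern.search(ev.message):
            return level, reason
    return "none", ""


def triage(lines: list) -> dict:
    """Aggregate indicators per host and decide whether the IR plan must be activated."""
    hosts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; a production tool would count these as well
        level, reason = classify_event(ev)
        if level == "none":
            continue
        h = hosts.setdefault(ev.host, HostTriage(ev.host))
        if level == "possible":
            h.possible_count += 1
        if reason not in h.reasons:
            h.reasons.append(reason)
        if LEVELS.index(level) > LEVELS.index(h.level):
            h.level = level
    # Correlation: many possible indicators on one host are treated as a probable one.
    for h in hosts.values():
        if h.level == "possible" and h.possible_count >= POSSIBLE_ESCALATION_THRESHOLD:
            h.level = "probable"
            h.reasons.append(f"{h.possible_count} possible indicators on one host")
    definite = sorted(h.host for h in hosts.values() if h.level == "definite")
    return {"activate_ir": bool(definite), "definite_hosts": definite, "hosts": hosts}


# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    "2013-01-16T02:14:07 app01 sshd: Failed password for admin from 203.0.113.9 port 51022",
    "2013-01-16T02:14:09 app01 sshd: Failed password for admin from 203.0.113.9 port 51023",
    "2013-01-16T02:14:12 app01 sshd: Failed password for admin from 203.0.113.9 port 51024",
    "2013-01-16T02:15:30 app01 sshd: Accepted password for svc_legacy from 203.0.113.9 port 51031",
    "2013-01-16T02:16:02 app01 useradd: new user: name=support2, UID=1007",
    "2013-01-16T02:20:45 db02 kernel: /var filesystem full",
    "2013-01-16T02:21:10 db02 dlp: policy=pii blocked=no dest=198.51.100.20 records=15000",
    "2013-01-16T03:02:11 web03 httpd: [notice] child 2231 exited normally",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hosts"].values():
        print(f"{h.host}: {h.level} ({'; '.join(h.reasons)})")
    print("Activate IR plan:", result["activate_ir"], result["definite_hosts"])
```

On the sample, app01 is classified definite because a dormant account logged in after the failed attempts, and db02 because the DLP sensor saw records leave unblocked; web03 produced nothing of interest and does not appear. A host that only shows repeated failed logins stays at "possible" until the correlation threshold turns it into a "probable" indicator, which is the page's distinction between events that need watching and an incident that activates the plan.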
26
Incident Response Plan (contd.)
  • Once an actual incident has been confirmed and
    properly classified
  • IR team moves from the detection phase to the
    reaction phase
  • A number of action steps must occur quickly and
    may occur concurrently

27
Incident Response Plan Action Steps
  • Notification of key personnel (alert roster)
  • Assignment of tasks
  • Documentation of the incident

28
Incident Response Plan (contd.)
  • The essential task of IR is to stop the incident
    or contain its impact
  • Incident containment strategies focus on two
    tasks

29
IRP Stopping the Incident
  • Containment strategies
  • Once contained and system control regained,
    incident recovery can begin
  • Incident damage assessment
  • An incident may increase in scope or severity to
    the point that the IRP cannot adequately contain
    the incident

30
IRP Recovery Process
  • Identify the vulnerabilities
  • Address the safeguards that failed
  • Evaluate monitoring capabilities (if present)
  • Restore the data from backups as needed
  • Restore the services and processes in use
  • Continuously monitor the system
  • Restore the confidence of the organization's members

31
Incident Response Plan (contd.)
  • When an incident violates civil or criminal law,
    it is the organization's responsibility to notify
    the proper authorities
  • Involving law enforcement has both advantages and
    disadvantages

32
Article Incident Response SANS Survey
33
Disaster Recovery Plan
  • The preparation for and recovery from a disaster,
    whether natural or man-made
  • In general, an incident is a disaster when

34
Disaster Recovery Plan (contd.)
  • The key role of a DRP is defining how to
    reestablish operations at the organization's
    primary location
  • Common DRP classifications
  • Natural Disasters
  • Human-made Disasters
  • Scenario development and impact analysis
  • Used to categorize the level of threat of each
    potential disaster

35
Disaster Recovery Plan (contd.)
36
Disaster Recovery Plan (contd.)
  • Discussion on Disaster Recovery Myths

37
Disaster Recovery Plan (contd.)
  • Discussion on Disaster Recovery Checklist

38
Business Continuity Plan
  • Ensures critical business functions can continue
    in a disaster
  • Activated and executed concurrently with the DRP
    when needed
  • Relies on identification of critical business
    functions and the resources to support them

39
BCP Strategies
  • Continuity strategies

40
Business Continuity Plan: Site Options
  • Hot Sites
  • Warm Sites
  • Cold Sites
  • Other Alternatives Timeshares, Service Bureaus,
    Mutual Agreements
  • Example: RSA data centers lease 2 x 10 Gb Ethernet
    lines between MA and NC

41
Business Continuity Plan (contd.)
  • To get any BCP site running quickly, the
    organization must be able to recover its data
  • Options include

42
Timing and Sequence of CP Elements
Figure 3-4 Incident response and disaster recovery
Source Course Technology/Cengage Learning
43
Timing and Sequence of BCP
Source Course Technology/Cengage Learning
44
Timing and Sequence of CP Elements
Figure 3-6 Contingency planning implementation
timeline
Source Course Technology/Cengage Learning
45
Business Resumption Planning
  • Because the DRP and BCP are closely related, most
    organizations prepare them concurrently

46
Business Resumption Planning (contd.)
  • Components of a simple disaster recovery plan
  • Name of agency
  • Date of completion or update of the plan and test
    date
  • Agency staff to be called in the event of a
    disaster
  • Emergency services to be called (if needed) in
    event of a disaster

47
Business Resumption Planning (contd.)
  • Components of a simple disaster recovery plan
    (contd.)
  • Locations of in-house emergency equipment and
    supplies
  • Sources of off-site equipment and supplies
  • Salvage priority list
  • Agency disaster recovery procedures
  • Follow-up assessment

48
Testing Contingency Plans
  • Problems are identified during testing
  • Improvements can be made, resulting in a reliable
    plan
  • Contingency plan testing strategies
  • Desk check
  • Structured walkthrough
  • Simulation
  • Parallel testing
  • Full interruption testing

49
Contingency Planning Final Thoughts
  • Iteration results in improvement
  • A formal implementation of this methodology is a
    process known as continuous process improvement
    (CPI)
  • Each time the plan is rehearsed it should be
    improved
  • Constant evaluation and improvement lead to an
    improved outcome