Business Continuity Planning (BCP) and Disaster Recovery (DR) Phases

PatriPanda

30 Questions

What is the primary objective of Phase I in the DR phases?

Move operations to the DR Backup Site within 24 hours

What is the main purpose of offsite alternatives in Business Continuity?

To ensure continuity of operations during a disaster

What is the process of restoring the plaintext from the ciphertext called?

Decryption

What is the primary purpose of a hash function?

To confirm message identity and integrity

What is the term used to describe the activities required to keep an organization running during a disaster?

Business Continuity

What is the piece of information used in the encryption and decryption process called?

Key

What is the primary purpose of a Digital Certificate?

To associate a public key with a subject's identity

What is the first step in the security function process?

Identify the assets you must secure and their associated risks

What is the primary focus of Physical Security?

Securing physical assets and resources

What is a critical area to consider when implementing Physical Security?

Wiring closets and server rooms

What is a common threat to Physical Security?

Fire, HVAC issues, and power outages

What is a key aspect of Physical Security implementation?

Designing and implementing countermeasures and controls

What is the primary purpose of a Fail-Safe Lock?

To automatically release the lock in case of a power outage

What is the primary function of ID cards and badges?

To serve as authentication and authorization controls

What is the term for when an unauthorized individual follows an authorized user through a barrier control?

Tailgating

What type of lock requires a combination to gain access?

Combination lock

What is the primary function of a Fail-Secure Lock?

To maintain security in case of a power outage

What type of lock uses a fingerprint scanner or retinal scanner for access control?

Biometric lock

What is a top security problem involving unauthorized connections?

Network spoofing including fake wireless access points

What is a mitigation technique to protect against data loss in case a device is lost or stolen?

Remote wipe and remote lock

What is a mobile device management recommendation to prevent unauthorized access to company data?

Disallowing rooting or jailbreaking of the device

What is a feature of Apple's built-in mechanism to find and erase lost phones?

GPS location services

What is a benefit of using a secure, encrypted 'container' on a device?

Protecting organizational access and data

What is a feature of Absolute Software's CompuTrace?

Periodic reporting of the device's electronic serial number

What is the primary role of a data controller?

To determine the purposes and means of processing personal data

What is personally identifiable information (PII) used for?

To commit identity theft

Why must organizations be transparent about monitoring employee communications?

To respect employee privacy expectations

What is the primary concern related to intellectual property breaches?

Software piracy

What is the main purpose of privacy laws?

To give citizens control over their personal data

What is addressed in Article 21 of the UAE Federal Law 5 of 2012?

Invasion of privacy through computer networks

Study Notes

Business Continuity (BC)

  • BC refers to the activities required to keep an organization running during a period of disruption or interruption of normal operations
  • Offsite alternatives must be present to ensure BC
  • BCP Implementation during a disaster involves:
    • Assessing the level of impact
    • Beginning continuity operations
    • Notifying stakeholders
    • Following the roadmap
    • Declaring the emergency over

Disaster Recovery (DR) Phases

  • Phase I: Move operations to the DR Backup Site (within 24 hours)
  • Phase II: Recover critical business functions
  • Phase III: Return data processing activities to the primary facilities

Cryptography

  • Plaintext: The original message
  • Ciphertext: The coded message
  • Enciphering/Encryption: The process of converting from plaintext to ciphertext
  • Deciphering/Decryption: Restoring the plaintext from the ciphertext
  • Key: A piece of information used in the encryption and decryption process
  • Cryptography: The study of encryption

Hash Functions

  • One-way mathematical algorithms that generate a digest to confirm message identity and integrity
  • Have many uses, including saving passwords and verifying the integrity of digital files

Security Functions

  • Identify: Assets to be secured and their associated risks
  • Protect: Assets through controls and safeguards
  • Detect: Security events that can compromise assets
  • Respond: To security events to contain them
  • Recover: From security events and return to normal operations

Physical Security

  • Refers to the security of physical assets and resources
  • Examples: Infrastructure, equipment, facilities, and people located in physical locations
  • Physical security addresses design, implementation, and maintenance of countermeasures to protect physical resources
  • Includes safeguards and controls to protect assets, mechanisms to detect incidents, and plans for responding to and recovering from incidents

Physical Security Implementation

  • Includes power, environmental control, windows, and fire prevention
  • Critical areas to consider: Wiring closets, server rooms, media storage facilities, and evidence storage

Physical Security Threats & Countermeasures

  • Threats: Fire, HVAC issues, power issues, water issues, structural issues, and locks and keys
  • Countermeasures: Locks, including mechanical and electromechanical locks, and alternative procedures for controlling access

ID Cards & Badges

  • Tie physical security with information access control
  • Serve as authentication and authorization controls
  • In some instances, biometric measures substitute or complement ID cards

Mobile Device Vulnerability Mitigation

  • Both Android and Apple use sandboxing to compartmentalize the OS and apps
  • Mitigation techniques and recommendations include:
    • Mobile device management
    • Remote wipe, lock, and GPS location services
    • Anti-malware and endpoint protection
    • Secure connection (VPN) to the workplace
    • Strong authentication
    • Digitally signed third-party software
    • Separating personal data from work data
    • Protection from theft and data loss
    • Protection of the data and company network in case the device is lost or stolen
    • Disallowing rooting/jailbreaking of the device
    • Not installing apps from unknown or untrusted sources
    • Recording the electronic serial number (ESN) of the device
    • Keeping the number handy in case the device is reported stolen

Mobile Device Management Recommendations

  • Device provisioning in enterprise, including enrollment and authentication
  • Remote device lock or wipe
  • Account management
  • Turn on/off device features
  • GPS, Wi-Fi, and cellular device location
  • Remote software deployment
  • OS/application/firmware updates
  • Application management
  • Secure backup and information archiving
  • Secure, encrypted "container" on device to segregate organizational access and data
  • Jailbreak or root access protection

Physical Security of Mobile and Portable Systems

  • Many devices can be configured to send their location if reported lost or stolen, wipe themselves of all user data, or disable themselves completely
  • Examples: Apple's built-in mechanism to find and erase lost phones, Absolute Software's CompuTrace installed on laptops

Privacy Implications

  • Personally Identifiable Information (PII): information about a person's history, background, and attributes that can be used to commit identity theft
  • Loss of privacy may lead to Identity Theft: the act of impersonating a victim for illegal or unethical purposes

Employee Privacy

  • Employees have an expectation of privacy in certain communications, such as with their doctors or banks
  • Organizations must be transparent and clear about what they monitor
  • Organizations must ensure they clearly outline the expectations of the employee in terms of privacy when it comes to employee-owned devices or employees using organizational equipment for personal use

Compromises to Intellectual Property (IP)

  • Intellectual property (IP) is defined as the ownership of ideas and control over the tangible or virtual representation of those ideas
  • The most common IP breaches involve software piracy
  • Two watchdog organizations investigate software abuse: Software & Information Industry Association (SIIA) and Business Software Alliance (BSA)

Privacy Laws

  • Most governments have privacy laws in place
  • Laws provide citizens with more control over how PII is gathered, used, stored, and disseminated

Privacy in the UAE

  • Article 21 of the UAE Federal Law 5 of 2012 addresses privacy

This quiz assesses understanding of Business Continuity Planning and Disaster Recovery phases, including moving operations to a backup site, recovering critical business functions, and returning to primary facilities. Test your knowledge of offsite alternatives and BCP implementation during disasters.
