Information Security - Contingency Planning
36 Questions

Questions and Answers

What is contingency planning?

Contingency planning is a program developed to prepare for, react to, and recover from events that threaten the security of an organization's information assets.

What is the main goal of contingency planning?

The main goal of contingency planning is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected event.

What are the four major components of contingency planning?

  • Business Impact Analysis (BIA), Incident Response Plan (IRP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP) (correct)
  • Risk Assessment, Security Audit, Incident Response, and Disaster Recovery
  • Policy Development, Training, Implementation, and Evaluation
  • Vulnerability Scanning, Penetration Testing, Firewall Management, and Data Backup

Contingency planning requires the active involvement of both IT and business managers.

True (A)

Which of the following are elements required to begin the contingency planning process?

A planning methodology, a policy environment, an understanding of the causes and effects of core precursor activity (BIA), and access to financial and other resources (D)

What does BIA stand for? What is it used for?

BIA stands for Business Impact Analysis. It is used to identify the potential impact of a disruption on the organization's critical business processes and information assets.

How does BIA differ from risk management?

BIA assumes controls have been bypassed, failed, ineffective, or the attack succeeded, while risk management focuses on identifying threats and vulnerabilities (A)

What is an Incident Response Plan (IRP) designed to do?

An IRP is designed to anticipate, detect, and mitigate the effects of an unexpected event, or incident, that might compromise information resources.

An Incident Response Plan (IRP) is only activated in the event of a major disruption or disaster.

False (B)

What is the purpose of incident classification?

Incident classification is the process of examining a possible incident and determining whether it is indeed an incident or a false alarm.

What are the three sets of incident-handling procedures created during the planning phase of an IRP?

During the incident, after the incident, before the incident (A)

What are the two main tasks involved in incident containment?

The two main tasks involved are stopping the incident and recovering control of the affected systems.

What is an alert roster?

An alert roster is a document containing contact information for individuals who need to be notified in the event of a security incident.

What is incident damage assessment, and when is it performed?

Incident damage assessment is the immediate determination of the scope of a security breach, assessing the impact on confidentiality, integrity, and availability of information assets.

A Disaster Recovery Plan (DRP) focuses on preventing disasters from occurring.

False (B)

Under what circumstances is a disaster considered to have occurred?

A disaster occurs when either the organization is unable to contain or control the impact of an incident, or the level of damage or destruction from an incident makes quick recovery impossible.

What is the main objective of a Disaster Recovery Plan (DRP)?

The main objective of a DRP is to define how to reestablish operations at the location where the organization is usually located, in case of a disaster.

What are the main steps involved in developing a Disaster Recovery Plan?

Develop a DR planning policy statement, review the BIA, identify preventive controls, develop recovery strategies, develop the DR plan document, and plan testing, training, and exercises. (B)

What is the primary role of the business manager in developing a Disaster Recovery Plan?

The business manager leads the DR team and is responsible for developing the DR policy, which outlines the plan's purpose, scope, roles and responsibilities, resources, training, exercises, maintenance, and special considerations.

Rapid-onset disasters occur over a longer period of time, allowing for more preparation.

False (B)

What is the purpose of a Business Continuity Plan (BCP)?

A BCP ensures that critical business functions can continue if a disaster occurs, enabling the organization to maintain operations despite disruptions.

A Business Continuity Plan (BCP) is typically managed by the Chief Information Officer (CIO) of the organization.

False (B)

When is a BCP activated and executed?

A BCP is activated and executed concurrently with the DR plan when a disaster is major or long-term, requiring a comprehensive and complex restoration of information and IT resources.

What are the three primary options for continuity strategies in a BCP?

Hot sites, warm sites, cold sites (C)

What is a hot site?

A hot site is a fully configured computer facility, including all services, communication links, and physical plant operations. It replicates critical computing resources, systems, peripherals, and applications, enabling a relatively quick and seamless transition in the event of a disaster.

What are the three primary shared-use contingency options for a BCP?

Timeshare, service bureau, mutual agreement (B)

A timeshare involves leasing a pre-configured facility from a business partner or a sister organization.

True (A)

A service bureau provides a service for a fee, but the disadvantage is that contracts cannot be renegotiated.

False (B)

What is a mutual agreement in the context of a BCP?

A mutual agreement is a contract between two organizations where each party agrees to assist the other in the event of a disaster, providing mutual support and resource sharing.

What is business resumption planning?

Business resumption planning refers to the combination of DR and BC plans into a single planning document, providing a comprehensive framework for disaster recovery and business continuity.

What are the five strategies commonly used to test contingency plans?

Desk check, structured walk-through, simulation, parallel testing, and full interruption (C)

What is a desk check?

A desk check is a simple review of the contingency plan documents to ensure that they are complete, well-organized, and consistent with current policies and procedures.

What is a structured walk-through?

A structured walk-through involves bringing together members of the contingency planning team and walking through each step of the plan, discussing roles, responsibilities, processes, and procedures.

What is a simulation?

A simulation involves simulating a disaster scenario, testing the plan in a controlled environment to assess how the organization responds and whether the procedures are effective.

What is parallel testing?

Parallel testing involves running both the primary system and the backup system simultaneously, testing the backup system's functionality and ensuring a smooth transition in the event of a disaster.

What is full interruption testing?

Full interruption testing involves shutting down the primary system and relying entirely on the backup system to operate, simulating a complete outage.

Flashcards

Contingency Planning

A program that helps organizations prepare for, respond to, and recover from events that threaten their information assets. It focuses on restoring normal operations with minimal disruption and cost.

Contingency Planning Teams

Four teams involved in planning and executing contingency plans: the CP team, incident response team, disaster recovery team, and business continuity team.

Business Impact Analysis (BIA)

The first step in contingency planning, which identifies critical business functions and their impact if disrupted.

Risk Management vs. BIA

Risk management focuses on preventing threats, while BIA assumes controls have failed and focuses on recovery.

BIA Stages

Three stages: determine mission/business processes and recovery criticality, identify resource requirements, and identify recovery priorities for system resources.

Weighted Table Analysis (WTA)

A method to rank criticality of business functions based on their impact on the organization.

Incident Response Plan (IRP)

A plan that outlines procedures to anticipate, detect, and mitigate the effects of unexpected incidents that threaten information resources.

IRP Policy

Defines roles, responsibilities, incident definitions, and response procedures for dealing with security incidents.

IRP Phases

Four phases: Planning, Detection, Reaction, and Recovery.

Incident Classification

Examining a possible incident to determine if it's a real threat or a false alarm.

Incident Indicators

Indicators that help distinguish between normal and potentially malicious activities: Possible, Probable, and Definite.

Incident Notification

Communicating an incident to key personnel through an alert roster.

Incident Containment

Preventing a security incident from spreading and regaining control of affected systems.

Incident Damage Assessment

Determining the extent of damage to confidentiality, integrity, and availability of information after an incident.

Disaster Recovery Plan (DRP)

A plan that outlines procedures for preparing for and recovering from a major disaster, natural or man-made.

DR Planning Policy Statement

Defines the purpose, scope, roles, responsibilities, resources, training, testing, and maintenance of the DR plan.

Disaster Classification

Categorizing disasters based on origin (natural or human-made) and speed of onset (rapid or slow).

DR Plan Elements

Key elements include delegation of roles, alert rosters, prioritization, documentation procedures, mitigation actions, and alternative system implementations.

Data Backup Methods

Various methods to protect data: traditional backups, electronic vaulting, remote journaling, and database shadowing.

Crisis Management

Actions taken during and after a disaster to manage the impact on both internal and external stakeholders.

Business Continuity Plan (BCP)

A plan that ensures critical business functions can continue operating even after a disaster.

BCP Policy Statement

Similar to DR policy, but focuses on maintaining critical business operations during and after a disaster.

BCP Continuity Strategies

Options for maintaining operations after a disaster: Hot site, Warm site, Cold site, Timeshare, Service bureau, and Mutual agreement.

Hot Site

A fully equipped backup facility with all necessary resources for immediate resumption of operations.

Warm Site

A backup facility with partial resources, requiring some setup and configuration for operations.

Cold Site

A basic facility with minimal resources, requiring significant setup for operations.

Business Resumption Planning

Combining DR and BC plans into a single document for comprehensive disaster recovery.

Contingency Plan Testing Strategies

Various methods for testing contingency plans: Desk check, Structured walk-through, Simulation, Parallel testing, and Full interruption.

Desk Check

A review of contingency plan documents to identify errors or inconsistencies.

Structured Walk-through

A step-by-step simulation of the contingency plan with team members.

Simulation

A realistic test of the contingency plan without disrupting actual operations.

Parallel Testing

Running a duplicate system alongside the original during a test.

Full Interruption

Testing the contingency plan by intentionally shutting down the primary system.

Study Notes

Information Security - Planning for Contingencies

  • Contingency planning is a program designed to prepare for, react to, and recover from events threatening an organization's information assets.
  • The main goal is to restore normal operations with minimal cost and disruption after unexpected events.
  • Four teams are involved in contingency planning and operations: the CP team, the incident response team, the disaster recovery team, and the business continuity team.
  • Contingency planning consists of four major components: Business Impact Analysis (BIA), Incident Response Plan (IRP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP).
  • Organizations can choose between a single plan or multiple interlocking plans.
  • The CIO, system administrators, and CISO should actively participate in the creation and distribution of responsibilities.
  • The contingency planning management team (CPMT) develops the CP document through these steps: planning methodology, policy environment, understanding causes/effects of core issues (BIA), and financial/resource access. Develop the contingency planning policy statement, conduct the BIA, identify preventive controls, develop recovery strategies, develop an IT contingency plan, plan testing, training, and exercises, and plan maintenance.
  • Contingency planning has hierarchies: Contingency planning, Business Impact Analysis, Disaster Recovery Planning, Business Continuity Planning, and Business Resumption Planning.
  • The contingency planning lifecycle includes forming the CP team, conducting a BIA, developing subordinate planning policies, creating response strategies, developing subordinate plans, reviewing/revising as needed, developing the CP policy statement, identifying resource requirements, identifying recovery priorities, and identifying preventive controls. 
  • The BIA is the first phase, providing information about systems and threats. It differs from risk management: risk management focuses on identifying controls to protect information, whereas the BIA assumes controls have been bypassed or have failed.
  • BIA stages include determining mission/business processes and recovery criticality, evaluating each business department, unit or division, identifying resource requirements, and identifying each business process.
  • The Incident Response Plan (IRP) is a documented set of processes and procedures for anticipating, detecting, and mitigating the effects of unexpected events that compromise information resources. It's usually activated when incidents cause minimal damage and focuses on immediate response.
  • The IRP policy involves defining roles/responsibilities for incident response, determining personnel mobilization, and specifying management commitment, policy purpose/objectives, scope, incident definitions, organizational structure, incident prioritization, performance measures, and reporting forms.
  • IRP phases include planning, detection, during the incident, and after the incident. 
  • Incident detection is classifying possible incidents based on occurrences, e.g., an overloaded network or a misbehaving system.
  • Incident indicators include possible (unfamiliar files, unusual crashes), probable (unexpected activity, reported attacks), and definite (log changes, hacker tools).
  • Reaction steps include notifying personnel, documenting the incident, defining incident containment strategies, and recovering control of affected systems.
  • Incident notification uses alert messages, email, phone recording, and text messages.
  • Disaster recovery involves preparing for and recovering from disasters, whether natural or human-made. Disasters occur when containment/control of an incident is impossible or when damage is severe. 
  • Disaster recovery (DR) also involves defining how to reestablish operations, developing DR planning policy statements, reviewing BIAs, identifying preventive controls, developing recovery strategies, developing DR plan documents, and planning testing, training, and maintenance. 
  • A DR policy includes disaster classification (natural vs. human-made, speed of development), prioritizing roles/responsibilities, creating an alert roster, establishing priorities, creating documentation, determining action steps, and implementing alternative implementations.
  • Disaster recovery backs up data and information using traditional backups, electronic vaulting, remote journaling, and database shadowing.
  • Crisis management covers actions taken during and after a disaster that affect people inside and outside the organization. It involves supporting personnel, determining the event's impact, updating the public, communicating with stakeholders, and involving regulatory agencies and industry organizations.
  • The Business Continuity Plan (BCP) ensures critical business functions continue during a disaster, is most effectively managed by the CEO, and is activated when major/long-term disaster recovery is needed. 
  • BCP structures can be similar to DR structures with minor differences in implementation. 
  • BCP strategies include hot sites (fully functional, duplicated resources), warm sites (similar to hot sites but less equipped), and cold sites (empty facility with minimal services).
  • Business Resumption Planning (BRP) combines DR and BCP into a single planning document with separate teams for execution.
  • Contingency plans are tested using five strategies: desk check, structured walk-through, simulation, parallel testing, and full interruption.


Description

Test your knowledge on contingency planning in information security. This quiz covers essential components like Business Impact Analysis, Incident Response Plans, and more. Understand the roles of various teams involved in ensuring the continuity and recovery of organizational operations.
