Information Security - Contingency Planning
36 Questions

Questions and Answers

What is contingency planning?

Contingency planning is a program developed to prepare for, react to, and recover from events that threaten the security of an organization's information assets.

What is the main goal of contingency planning?

The main goal of contingency planning is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected event.

What are the four major components of contingency planning?

  • Business Impact Analysis (BIA), Incident Response Plan (IRP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP) (correct)
  • Risk Assessment, Security Audit, Incident Response, and Disaster Recovery
  • Policy Development, Training, Implementation, and Evaluation
  • Vulnerability Scanning, Penetration Testing, Firewall Management, and Data Backup

Contingency planning requires the active involvement of both IT and business managers.

True

Which of the following are elements required to begin the contingency planning process?

A planning methodology, a policy environment, an understanding of the causes and effects of core precursor activity (BIA), and access to financial and other resources

What does BIA stand for? What is it used for?

BIA stands for Business Impact Analysis. It is used to identify the potential impact of a disruption on the organization's critical business processes and information assets.

How does BIA differ from risk management?

BIA assumes controls have been bypassed, failed, ineffective, or the attack succeeded, while risk management focuses on identifying threats and vulnerabilities

What is an Incident Response Plan (IRP) designed to do?

An IRP is designed to anticipate, detect, and mitigate the effects of an unexpected event, or incident, that might compromise information resources.

An Incident Response Plan (IRP) is only activated in the event of a major disruption or disaster.

False

What is the purpose of incident classification?

Incident classification is the process of examining a possible incident and determining whether it is indeed an incident or a false alarm.

What are the three sets of incident-handling procedures created during the planning phase of an IRP?

During the incident, after the incident, before the incident

What are the two main tasks involved in incident containment?

The two main tasks involved are stopping the incident and recovering control of the affected systems.

What is an alert roster?

An alert roster is a document containing contact information for individuals who need to be notified in the event of a security incident.

What is incident damage assessment, and when is it performed?

Incident damage assessment is the immediate determination of the scope of a security breach, assessing the impact on confidentiality, integrity, and availability of information assets.

A Disaster Recovery Plan (DRP) focuses on preventing disasters from occurring.

False

Under what circumstances is a disaster considered to have occurred?

A disaster occurs when either the organization is unable to contain or control the impact of an incident, or the level of damage or destruction from an incident makes quick recovery impossible.

What is the main objective of a Disaster Recovery Plan (DRP)?

The main objective of a DRP is to define how to reestablish operations at the location where the organization is usually located, in case of a disaster.

What are the main steps involved in developing a Disaster Recovery Plan?

Develop a DR planning policy statement, review the BIA, identify preventive controls, develop recovery strategies, develop the DR plan document, and plan testing, training, and exercises.

What is the primary role of the business manager in developing a Disaster Recovery Plan?

The business manager leads the DR team and is responsible for developing the DR policy, which outlines the plan's purpose, scope, roles and responsibilities, resources, training, exercises, maintenance, and special considerations.

Rapid-onset disasters occur over a longer period of time, allowing for more preparation.

False

What is the purpose of a Business Continuity Plan (BCP)?

A BCP ensures that critical business functions can continue if a disaster occurs, enabling the organization to maintain operations despite disruptions.

A Business Continuity Plan (BCP) is typically managed by the Chief Information Officer (CIO) of the organization.

False

When is a BCP activated and executed?

A BCP is activated and executed concurrently with the DR plan when a disaster is major or long-term, requiring a comprehensive and complex restoration of information and IT resources.

What are the three primary options for continuity strategies in a BCP?

Hot sites, warm sites, cold sites

What is a hot site?

A hot site is a fully configured computer facility, including all services, communication links, and physical plant operations. It replicates critical computing resources, systems, peripherals, and applications, enabling a relatively quick and seamless transition in the event of a disaster.

What are the three primary shared-use contingency options for a BCP?

Timeshare, service bureau, mutual agreement

A timeshare involves leasing a pre-configured facility from a business partner or a sister organization.

True

A service bureau provides a service for a fee, but the disadvantage is that contracts cannot be renegotiated.

False

What is a mutual agreement in the context of a BCP?

A mutual agreement is a contract between two organizations where each party agrees to assist the other in the event of a disaster, providing mutual support and resource sharing.

What is business resumption planning?

Business resumption planning refers to the combination of DR and BC plans into a single planning document, providing a comprehensive framework for disaster recovery and business continuity.

What are the five strategies commonly used to test contingency plans?

Desk check, structured walk-through, simulation, parallel testing, and full interruption

What is a desk check?

A desk check is a simple review of the contingency plan documents to ensure that they are complete, well-organized, and consistent with current policies and procedures.

What is a structured walk-through?

A structured walk-through involves bringing together members of the contingency planning team and walking through each step of the plan, discussing roles, responsibilities, processes, and procedures.

What is a simulation?

A simulation involves simulating a disaster scenario, testing the plan in a controlled environment to assess how the organization responds and whether the procedures are effective.

What is parallel testing?

Parallel testing involves running both the primary system and the backup system simultaneously, testing the backup system's functionality and ensuring a smooth transition in the event of a disaster.

What is full interruption testing?

Full interruption testing involves shutting down the primary system and relying entirely on the backup system to operate, simulating a complete outage.

Study Notes

Information Security - Planning for Contingencies

• Contingency planning is a program designed to prepare for, react to, and recover from events threatening an organization's information assets.
• The main goal is to restore normal operations with minimal cost and disruption after unexpected events.
• Four teams are involved in contingency planning and operations: the CP team, the incident response team, the disaster recovery team, and the business continuity team.
• Contingency planning consists of four major components: Business Impact Analysis (BIA), Incident Response Plan (IRP), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP).
• Organizations can choose between a single plan or multiple interlocking plans.
• The CIO, system administrators, and CISO should actively participate in the creation and distribution of responsibilities.
• The contingency planning management team (CPMT) develops the CP document through these steps: planning methodology, policy environment, understanding causes/effects of core issues (BIA), and financial/resource access; develop the contingency planning policy statement, conduct the BIA, identify preventive controls, develop recovery strategies, develop an IT contingency plan, plan testing, training, and exercises, and plan maintenance.
• Contingency planning has hierarchies: Contingency Planning, Business Impact Analysis, Disaster Recovery Planning, Business Continuity Planning, and Business Resumption Planning.
• The contingency planning lifecycle includes forming the CP team, conducting a BIA, developing subordinate planning policies, creating response strategies, developing subordinate plans, reviewing/revising as needed, developing the CP policy statement, identifying resource requirements, identifying recovery priorities, and identifying preventive controls.
• The BIA is the first phase, providing information about systems and threats. It differs from risk management, which focuses on identifying controls to protect information, in that the BIA assumes controls have been bypassed or have failed.
• BIA stages include determining mission/business processes and recovery criticality, evaluating each business department, unit or division, identifying resource requirements, and identifying each business process.
• The Incident Response Plan (IRP) is a documented set of processes and procedures for anticipating, detecting, and mitigating the effects of unexpected events that compromise information resources. It's usually activated when incidents cause minimal damage and focuses on immediate response.
• The IRP policy involves defining roles/responsibilities for incident response, determining personnel mobilization, and specifying management commitment, policy purpose/objectives, scope, incident definitions, organizational structure, incident prioritization, performance measures, and reporting forms.
• IRP phases include planning, detection, during the incident, and after the incident.
• Incident detection is classifying possible incidents based on occurrences, e.g., an overloaded network or a misbehaving system.
• Incident indicators include possible (unfamiliar files, unusual crashes), probable (unexpected activity, reported attacks), and definite (log changes, hacker tools).
• Reaction steps include notifying personnel, documenting the incident, defining incident containment strategies, and recovering control of affected systems.
• Incident notification uses alert messages, email, phone recording, and text messages.
• Disaster recovery involves preparing for and recovering from disasters, whether natural or human-made. Disasters occur when containment/control of an incident is impossible or when damage is severe.
• Disaster recovery (DR) also involves defining how to reestablish operations, developing DR planning policy statements, reviewing BIAs, identifying preventive controls, developing recovery strategies, developing DR plan documents, and planning testing, training, and maintenance.
• A DR policy includes disaster classification (natural vs. human-made, speed of development), prioritizing roles/responsibilities, creating an alert roster, establishing priorities, creating documentation, determining action steps, and implementing alternative implementations.
• Disaster recovery backs up data and information using traditional backups, electronic vaulting, remote journaling, and database shadowing.
• Crisis management covers actions taken during and after a disaster that affect people inside and outside the organization. It involves supporting personnel, determining the event's impact, updating the public, communicating with stakeholders, and involving regulatory agencies and industry organizations.
• The Business Continuity Plan (BCP) ensures critical business functions continue during a disaster, is most effectively managed by the CEO, and is activated when major/long-term disaster recovery is needed.
• BCP structures can be similar to DR structures with minor differences in implementation.
• BCP strategies include hot sites (fully functional, duplicated resources), warm sites (similar to hot sites but less equipped), and cold sites (empty facility with minimal services).
• Business Resumption Planning (BRP) combines DR and BCP into a single planning document with separate teams for execution.
• Contingency plans are tested using five strategies: desk check, structured walk-through, simulation, parallel testing, and full interruption.

Description

Test your knowledge on contingency planning in information security. This quiz covers essential components like Business Impact Analysis, Incident Response Plans, and more. Understand the roles of various teams involved in ensuring the continuity and recovery of organizational operations.