Information Security Planning for Contingencies PDF

Summary

This document provides an overview of information security, focusing on contingency planning. It covers various aspects, including the definition of contingency planning, components, business resumption planning, and testing methods. It also delves into the fundamentals of contingency planning, outlining teams involved, major components like BIA (Business Impact Analysis), IRP (Incident Response Plan), DRP (Disaster Recovery Plan), and BCP (Business Continuity Plan).

Full Transcript

Information Security, Chapter 3: Planning for Contingencies

Content
- What is contingency planning?
- Components of contingency planning
- Business Resumption Planning
- Testing contingency planning

Fundamentals of Contingency Planning

Contingency planning (CP) refers to the program developed to prepare for, react to, and recover from events that threaten the security of an organization's information assets. The main goal is to restore normal modes of operation with minimal cost and disruption to normal business activities after an unexpected event.

Four teams are involved in contingency planning and contingency operations:
- The CP team
- The incident response team
- The disaster recovery team
- The business continuity team

CP consists of four major components:
- Business impact analysis (BIA)
- Incident response plan (IRP)
- Disaster recovery plan (DRP)
- Business continuity plan (BCP)

It depends on the organization whether to adopt the one-plan method or the multiple-plan method with interlocking procedures. The Chief Information Officer (CIO), system administrators, the Chief Information Security Officer (CISO) and key IT and business managers should be actively involved during the creation and development of all CP components, as well as during the distribution of responsibilities among the three communities of interest.

The elements required to begin the CP process:
- A planning methodology
- A policy environment to enable the planning process
- An understanding of the causes and effects of the core precursor activity, the BIA
- Access to financial and other resources

The contingency planning management team (CPMT) begins developing a CP document using the following process:
1. Develop the contingency planning policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance

Components of Contingency Planning

(Figure: Contingency Planning Life Cycle)

Business Impact Analysis (BIA)

The BIA is the first phase in the CP process. It provides the CP team with information about systems and the threats they face.

The difference between the BIA and risk management:
- Risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information.
- The BIA assumes the controls have been bypassed, have failed or are ineffective, or that the attack succeeded.

The CP team conducts the BIA in the following stages:

1. Determine mission/business processes and recovery criticality
The analysis and prioritization of business processes within the organization, based on their relationship to the organization's mission. Each business department, unit or division must be independently evaluated to determine how important its functions are to the organization as a whole. Weighted table analysis (WTA) can be useful in resolving the question of which business function is the most critical.

2. Identify resource requirements
For each business process (and information asset) identified in the previous stage, the organization should identify and describe the relevant resources it requires.

3. Identify recovery priorities for system resources
The last stage is prioritizing the resources associated with the mission/business processes, which provides a better understanding of what must be recovered first, even within the most critical processes. With the information from the previous stage in hand, the organization can create additional weighted tables of the resources needed to support the individual processes. By assigning values to each resource, the organization will have a custom-designed "to-do" list available once the recovery phase commences.

Incident Response Plan (IRP)

An IRP is a documented set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event (an incident) that might compromise information resources.
- Usually activated when an incident causes minimal damage, i.e. little or no disruption to business operations.
- Focuses on immediate response.

An incident response policy will be developed:
- To define the roles and responsibilities for IR.
- To determine who will be mobilized in the activation of the plan.

Key components of the IR policy include:
- Statement of management commitment.
- Purpose and objectives of the policy.
- Scope of the policy.
- Definition of information security incidents and their consequences within the context of the organization.
- Organizational structure: roles and levels of authority.
- Prioritization or severity ratings of incidents.
- Performance measures.
- Reporting and contact forms.

IR consists of the following four phases: planning, detection, reaction and recovery.

Planning
The team seeks to develop a series of predefined responses that will guide the team and information security staff through the incident response steps. During this planning process, for every incident scenario, the CP team creates three sets of incident-handling procedures:
- Before the incident
- During the incident
- After the incident

(Figure: Example of IRP Incident-handling Procedures)

Detection
Incident classification is the process of examining a possible incident, or incident candidate. A number of occurrences signal the presence of an incident candidate. Some can result from an overloaded network, computer, or server, and some are similar to the normal operation of these information assets. Other incident candidates mimic the actions of a misbehaving computing system, software package, or other less serious threat.

To help make detection of actual incidents more reliable, three kinds of incident indicators are used:
- Possible indicators, for example the presence of unfamiliar files or unusual system crashes.
- Probable indicators, for example activities at unexpected times, the presence of new accounts, and reported attacks.
- Definite indicators, for example changes to logs or the presence of hacker tools.

Reaction
Steps include:
- Notification of key personnel. Most organizations maintain an alert roster, a document containing contact information on the individuals to be notified in the event of an actual incident. There are two ways to activate it: sequentially or hierarchically.
- Assignment of tasks.
- Documentation of the incident. This should record the who, what, when, why, and how of each action taken while the incident is occurring.
- Incident containment strategies. These focus on two tasks: stopping the incident and recovering control of the affected systems. Examples: disabling compromised user accounts, reconfiguring a firewall and stopping all computer and network devices.
- Incident escalation. Ways to handle incident escalation: escalate the incident to a disaster and/or transfer the incident to an outside authority. The IR plan must include the point at which to escalate and the criteria for doing so.

(Figure: Incident Notification)

Recovery
Perform an incident damage assessment: the immediate determination of the scope of the breach of confidentiality, integrity and availability of information and information assets. Once the incident damage assessment is done, proceed with the recovery process using the following steps:
1. Identify the vulnerabilities
2. Address the safeguards that failed to stop the incident
3. Evaluate monitoring capabilities
4. Restore the data from backups
5. Restore the services and processes in use
6. Continuously monitor the system
7. Restore the confidence of the members of the organization's communities of interest

Law enforcement involvement depends on the type of crime committed.
Advantages:
- Law enforcement is better equipped to process evidence than a business.
- It is prepared to handle the warrants and subpoenas necessary when documenting a case.
Disadvantages:
- Possible loss of control of the chain of events following an incident, including the collection of information and evidence and the prosecution of suspects.
- The organization may not hear about the case for weeks or even months due to heavy caseloads or resource shortages.

Disaster Recovery Plan (DRP)

The DRP covers the preparation for and recovery from a disaster, whether natural or human-made. A disaster has occurred when either of two criteria is met:
- The organization is unable to contain or control the impact of an incident.
- The level of damage or destruction from an incident is so severe that the organization cannot quickly recover from it.

The key role of the DRP is defining how to reestablish operations at the location where the organization is usually located. The steps involved:
1. Develop the DR planning policy statement
2. Review the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop the disaster recovery plan document
6. Plan testing, training and exercises
7. Plan maintenance

The DR team, led by the business manager, begins with development of the DR policy. Its content includes:
- Purpose
- Scope
- Roles and responsibilities
- Resource requirements
- Training requirements
- Exercises and testing schedules
- Plan maintenance schedule
- Special considerations

Disaster classification
- Natural disaster vs. human-made disaster
- Speed of development:
  - Rapid-onset disasters occur suddenly, with little warning, taking the lives of people and destroying the means of production. They may be caused by floods, storm winds and tornadoes.
  - Slow-onset disasters occur over time and gradually degrade conditions; they typically include droughts, famines, environmental degradation and deforestation.

Planning for disaster
The key elements of a DR plan include:
- Clear delegation of roles and responsibilities
- Execution of the alert roster and notification of key personnel
- Clear establishment of priorities
- Procedures for documentation of the disaster
- Action steps to mitigate the impact of the disaster on the operation of the organization
- Alternative implementations of the various system components, should primary versions be unavailable

Back-up of data/information:
- Traditional data backups
- Electronic vaulting
- Remote journaling
- Database shadowing

Crisis management
Crisis management refers to the actions taken during and after a disaster that affect people both inside and outside the organization. The crisis management team manages the event from an enterprise perspective and covers the following major activities:
- Supporting personnel during the crisis
- Determining the event's impact on normal business operations
- Updating the public about the event and the actions taken
- Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Business Continuity Plan (BCP)

The BCP ensures that the critical business functions can continue if a disaster occurs. It is most properly managed by the CEO of an organization. It is activated and executed concurrently with the DR plan when the disaster is major or long term and requires a fuller and more complex restoration of information and IT resources.

BC planning policy statement
The structure is similar to the DR policy and plan; there are minor differences in implementation.

Continuity strategies
Three exclusive-use options exist:
- Hot site: a fully configured computer facility, with all services, communication links and physical plant operations. It duplicates computing resources, peripherals, phone systems, applications and workstations.
- Warm site: provides many of the same services and options as the hot site, but typically software applications are not included, or are not installed and configured.
- Cold site: provides only rudimentary services and facilities. No computer hardware or peripherals are provided. It is an empty room with standard heating, air conditioning, and electrical services.

There are also three shared-use contingency options:
- Timeshare: operates like one of the three sites described above but is leased in conjunction with a business partner or sister organization.
- Service bureau: a service agency that provides a service for a fee. The disadvantage is that service contracts must be renegotiated periodically, and rates can change.
- Mutual agreement: a contract between two organizations in which each party agrees to assist the other in the event of a disaster.

(Figure: Contingency Planning Implementation Timeline)

Business Resumption Planning

Business resumption planning refers to the combination of the DR and BC plans into a single planning document. The execution of the plan requires separate execution teams.

Testing Contingency Plans

Five strategies can be used to test contingency plans:
- Desk check
- Structured walk-through
- Simulation
- Parallel testing
- Full interruption
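The weighted table analysis (WTA) that the BIA section above applies to recovery criticality, worked as an added example that is not part of the lecture slides. The criteria, their weights and the per-process scores are constructed sample values; the same function serves the stage-3 resource tables when fed a resource score table instead.

```python
# Weighted table analysis (WTA) for BIA recovery criticality.
# Added illustration: criteria, weights and scores below are constructed
# sample values, not taken from the lecture.

# Criteria used to judge how critical a business process is. Weights are
# constructed for this example and must sum to 1.0.
CRITERIA_WEIGHTS = {
    "revenue_impact": 0.4,       # revenue lost while the process is down
    "regulatory_exposure": 0.3,  # fines or liability an outage would cause
    "customer_impact": 0.2,      # degradation visible to customers
    "dependency_count": 0.1,     # how many other processes depend on it
}

# Constructed sample scores (0-10) for a few business processes.
PROCESS_SCORES = {
    "order processing": {"revenue_impact": 9, "regulatory_exposure": 4,
                         "customer_impact": 9, "dependency_count": 7},
    "payroll":          {"revenue_impact": 3, "regulatory_exposure": 8,
                         "customer_impact": 1, "dependency_count": 2},
    "internal wiki":    {"revenue_impact": 1, "regulatory_exposure": 1,
                         "customer_impact": 0, "dependency_count": 3},
    "payment gateway":  {"revenue_impact": 10, "regulatory_exposure": 9,
                         "customer_impact": 8, "dependency_count": 6},
}


def weighted_score(scores, weights):
    """Weighted sum of criterion scores, rounded to two decimals.

    Rejects weight sets that do not sum to 1.0, missing criteria, and
    scores outside 0-10, so an incomplete table cannot silently rank low.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    total = 0.0
    for criterion, weight in weights.items():
        if criterion not in scores:
            raise KeyError(f"process not scored on criterion {criterion!r}")
        value = scores[criterion]
        if not 0 <= value <= 10:
            raise ValueError(f"score for {criterion} out of range 0-10: {value}")
        total += weight * value
    return round(total, 2)


def rank_processes(process_scores, weights=CRITERIA_WEIGHTS):
    """Return [(process, score), ...] from most to least critical; ties break by name."""
    ranked = [(name, weighted_score(s, weights)) for name, s in process_scores.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_processes(PROCESS_SCORES):
        print(f"{name:18s} {score:5.2f}")
```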
