Incident Response Plan
Introduction to Contingency Planning
You were introduced to planning in Chapter 3, when you learned about planning for the organization in general and for the information security (InfoSec) program in particular. This chapter focuses on another type of planning—plans that are made for unexpected adverse events—when the use of technology is disrupted and business operations can come to a standstill. Because technology drives business, planning for an unexpected adverse event usually involves managers from general business management as well as the information technology (IT) and InfoSec communities of interest. They collectively analyze and assess the entire technological infrastructure of the organization using the mission statement and current organizational objectives to drive their planning activities. But, for a plan to gain the support of all members of the organization, it must also be sanctioned and actively supported by the general business community of interest.
The need to have a plan in place that systematically addresses how to identify, contain, and resolve any possible unexpected adverse event was identified in the earliest days of IT. Professional practice in the area of contingency planning continues to evolve, as reflected in “Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems,” issued by the National Institute of Standards and Technology (NIST). NIST is a non-regulatory federal agency within the U.S. Department of Commerce that serves to enhance innovation and competitiveness in the United States by acting as a clearinghouse for standards related to technology.* The Computer Security Division of NIST facilitates sharing of information about practices that can be used to secure information systems.* NIST advises the following:
Because information system resources are essential to an organization’s success, it is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.*
“NIST General Information.” National Institute of Standards and Technology. Accessed 7/11/15 from www.nist.gov/public_affairs/general_information.cfm.
“Computer Security Division Mission Statement.” NIST Computer Security Division. Accessed 7/11/15 from http://csrc.nist.gov/mission/index.html.
Swanson, M., P. Bowen, A. Phillips, D. Gallup, and D. Lynes. “Special Publication 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems.” National Institute of Standards and Technology. Accessed 7/11/15 from http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.
Some organizations—particularly federal agencies for national security reasons—are charged by law or other mandate to have such plans and procedures in place at all times.
Organizations of every size and purpose should also prepare for the unexpected. In general, an organization’s ability to weather losses caused by an unexpected event depends on proper planning and execution of such a plan; without a workable plan, an unexpected event can cause severe damage to an organization’s information resources and assets from which it may never recover. The Hartford insurance company estimates that, on average, over 40 percent of businesses that don’t have a disaster plan go out of business after a major loss like a fire, a break-in, or a storm.*
“Disaster Recovery Tips.” The Hartford. Accessed 7/12/15 from www.thehartford.com/business/disaster-recovery-guide.
The development of a plan for handling unexpected events should be a high priority for all managers. The plan should account for the possibility that key members of the organization will not be available to assist in the recovery process. In 1991, as a tragic example, two key executives of the Bruno’s Supermarket chain, Angelo and Lee Bruno, were killed in a plane crash. After that point, the company’s steady growth from its founding during the Great Depression reversed course. In fact, it declared bankruptcy in 2000. Although the brand still has a presence in a few southern markets, the business as it operated before the incident no longer exists.
There is a growing emphasis on the need for comprehensive and robust planning for adverse circumstances. In the past, organizations tended to focus on defensive preparations, using comprehensive threat assessments combined with defense in depth to harden systems and networks against all possible risks. More organizations now understand that preparations against the threat of attack remain an urgent and important activity, but that defenses will fail as attackers acquire new capabilities and systems reveal latent flaws. When—not if—defenses are compromised, prudent security managers have prepared the organization in order to minimize losses and reduce the time and effort needed to recover. Sound risk management practices dictate that organizations must be ready for anything.