management and info security

biratpant
chapter3.pptx

ITC358 ICT Management and Information Security

Chapter 3

Planning for Contingencies

Objectives

Upon completion of this material, you should be able to:

Recognise the need for contingency planning

Describe the major components of contingency planning

Create a simple set of contingency plans, using business impact analysis (BIA)

Prepare and execute a test of contingency plans

Explain the combined contingency plan approach

Introduction

Planning for the unexpected event is the focus of this chapter: the event in which the use of technology is disrupted and business operations come close to a standstill

Procedures are required to permit the organisation to continue essential functions if information technology support is interrupted

Over 40% of businesses that don't have a disaster plan go out of business after a major loss

Fundamentals of Contingency Planning

Contingency planning (CP)

The overall planning for unexpected events

Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets

Main goal

The restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

Fundamentals of Contingency Planning (cont’d.)

Incident response planning (IRP)

Focuses on the immediate response to an incident

Disaster recovery planning (DRP)

Focuses on restoring operations at the primary site after a disaster occurs

Business continuity planning (BCP)

Facilitates the establishment of operations at an alternate site while the primary site is unavailable

Fundamentals of Contingency Planning (cont’d.)

To ensure continuity across all of the CP processes, contingency planners should:

Identify the mission- or business-critical functions and the resources that support them

Anticipate potential contingencies or disasters

Select contingency planning strategies

Implement the selected strategy

Test and revise contingency plans

Fundamentals of Contingency Planning (cont’d.)

The seven-step contingency planning process recommended by NIST (SP 800-34):

Develop the contingency planning policy statement

Provides the authority and guidance necessary to develop an effective contingency plan

Conduct the BIA

Helps to identify and prioritise critical IT systems and components

Fundamentals of Contingency Planning (cont’d.)

Identify preventive controls

Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs

Develop recovery strategies

Ensure that the system may be recovered quickly and effectively following a disruption

Fundamentals of Contingency Planning (cont.)

Develop an IT contingency plan

Contains detailed guidance and procedures for restoring a damaged system

Plan testing, training, and exercises

Testing the plan identifies planning gaps

Training prepares recovery personnel for plan activation

Both activities improve plan effectiveness and overall agency preparedness

Plan maintenance

The plan should be updated regularly to remain current with system enhancements

Fundamentals of Contingency Planning (cont’d.)

Elements of a contingency planning policy statement

An introductory statement of philosophical perspective by senior management

A statement of the scope and purpose of the CP operations

A call for periodic risk assessment and business impact analysis by the CP Team

Fundamentals of Contingency Planning (cont’d.)

Elements of a contingency planning policy statement (cont’d.)

A specification of the major components of the CP

A call for, and guidance in, the selection of recovery options and business continuity strategies

A requirement to test the various plans on a regular basis

Fundamentals of Contingency Planning (cont’d.)

Elements of a contingency planning policy statement (cont’d.)

Identification of key regulations and standards that impact CP planning and a brief overview of their relevancy

Identification of key individuals responsible for CP operations

A challenge to the individual members of the organisation

Additional administrative information

Fundamentals of Contingency Planning (cont’d.)

Four teams are involved in contingency planning and contingency operations:

The CP team

The incident response (IR) team

The disaster recovery (DR) team

The business continuity (BC) team

Fundamentals of Contingency Planning (cont’d.)

The CP team should include:

Champion

Project manager

Team members

Business managers

Information technology managers

Information security managers

Fundamentals of Contingency Planning (cont’d.)

NIST describes the need for this type of planning as:

“These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.”

Components of Contingency Planning

Figure 3-1 Contingency planning hierarchies

Source: Course Technology/Cengage Learning

Business Impact Analysis (BIA)

Provides the CP team with information about systems and the threats they face

Second phase in the CP process

A crucial component of the initial planning stages

Provides detailed scenarios of each potential attack’s impact

Business Impact Analysis (BIA)

BIA is not risk management (which focuses on identifying threats, vulnerabilities, and attacks to determine controls)

BIA assumes that controls have been bypassed or are ineffective, and that the attack was successful

Business Impact Analysis (cont’d.)

Figure 3-2 Major tasks in contingency planning

Source: Course Technology/Cengage Learning

Business Impact Analysis (cont’d.)

The CP team conducts the BIA in the following stages:

Threat attack identification

Business unit analysis

Attack success scenarios

Potential damage assessment

Subordinate plan classification

Business Impact Analysis (cont’d.)

An organisation that uses a risk management process will have identified and prioritised threats

Update the threat list and add one additional piece of information: the attack profile

An attack profile is a detailed description of the activities that occur during an attack

The second major BIA task is the analysis and prioritisation of business functions within the organisation

Table 3-1 Example attack profile

Source: Course Technology/Cengage Learning

Management of Information Security, 3rd ed.

Business Impact Analysis (cont’d.)

Create a series of scenarios depicting the impact of a successful attack on each functional area

Attack profiles should include scenarios depicting a typical attack, including:

Methodology

Indicators

Broad consequences

Add alternate outcomes

Best case, worst case, and most likely

Business Impact Analysis (cont’d.)

Estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case for each

Preparing the end cases allows identification of what must be done to recover from each possible case

Business Impact Analysis (cont’d.)

A related plan must be developed or identified from among the existing plans already in place

Each attack scenario end case is categorised as disastrous or not; the difference is whether the organisation can take effective action during the event to combat the attack’s effects

Where the end case is not disastrous, the incident response plan guides the reaction; where it is disastrous, members of the organisation can only wait out the attack and plan to recover after it is over, under the disaster recovery and business continuity plans
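
A worked illustration of potential damage assessment and subordinate plan classification, added here as an example and not taken from the textbook or the slides: each attack scenario end case (best, most likely, worst) carries an estimated cost and outage, is compared against a maximum tolerable downtime (MTD) and a cost threshold that management is assumed to have set during the BIA, and is classified as an incident (handled under the IRP) or a disaster (handled under the DRP/BCP). The business functions, figures, thresholds and probability weights are all constructed for illustration.

```python
"""Added example: classify BIA attack-scenario end cases as incidents or disasters.

Assumptions (all constructed for illustration, not from the textbook): each
business function has a priority and a maximum tolerable downtime (MTD); each
end case carries an estimated cost and outage; management has set a cost above
which any single event counts as a disaster; the probability weights used for
the expected-cost figure are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    priority: int        # 1 = most critical (assumed scale)
    mtd_hours: float     # maximum tolerable downtime, from the BIA (assumed)


@dataclass(frozen=True)
class EndCase:
    label: str           # "best", "most likely" or "worst"
    cost: float          # estimated loss in currency units (assumed)
    outage_hours: float  # estimated time the function is unavailable (assumed)


@dataclass(frozen=True)
class AttackScenario:
    attack: str
    function: BusinessFunction
    end_cases: List[EndCase]


DISASTER_COST_THRESHOLD = 250_000.0                                  # assumed
END_CASE_WEIGHTS = {"best": 0.2, "most likely": 0.6, "worst": 0.2}  # assumed


def classify_end_case(function: BusinessFunction, case: EndCase,
                      cost_threshold: float = DISASTER_COST_THRESHOLD) -> str:
    """'disaster' when the outage exceeds the function's MTD or the cost exceeds
    the threshold, otherwise 'incident'. A disaster falls under the DRP/BCP,
    an incident under the IRP."""
    if case.outage_hours > function.mtd_hours or case.cost > cost_threshold:
        return "disaster"
    return "incident"


def expected_cost(cases: List[EndCase]) -> float:
    """Probability-weighted cost across the end cases of one scenario."""
    return sum(END_CASE_WEIGHTS.get(c.label, 0.0) * c.cost for c in cases)


def classify_scenarios(scenarios: List[AttackScenario]) -> Dict[Tuple[str, str], dict]:
    """Per (attack, function), in business-priority order: the plan that governs
    each end case and the expected cost of the scenario."""
    result: Dict[Tuple[str, str], dict] = {}
    for s in sorted(scenarios, key=lambda s: s.function.priority):
        result[(s.attack, s.function.name)] = {
            "plan": {c.label: classify_end_case(s.function, c) for c in s.end_cases},
            "expected_cost": expected_cost(s.end_cases),
        }
    return result


# Constructed sample data: one attack profile against two business functions.
ORDER_ENTRY = BusinessFunction("order entry", priority=1, mtd_hours=8)
PAYROLL = BusinessFunction("payroll", priority=3, mtd_hours=72)

SCENARIOS = [
    AttackScenario("ransomware on file servers", ORDER_ENTRY, [
        EndCase("best", 5_000, 2),
        EndCase("most likely", 60_000, 12),
        EndCase("worst", 900_000, 120),
    ]),
    AttackScenario("ransomware on file servers", PAYROLL, [
        EndCase("best", 1_000, 4),
        EndCase("most likely", 20_000, 24),
        EndCase("worst", 150_000, 96),
    ]),
]

if __name__ == "__main__":
    for key, verdict in classify_scenarios(SCENARIOS).items():
        print(key, verdict)
```

Running it shows why the BIA is done per business function rather than per attack: the same ransomware scenario is an incident for payroll in its most likely case but a disaster for order entry, so the most likely end case, not the worst case alone, decides which subordinate plan is the primary response.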

Incident Response Plan

A detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets

Procedures commence when an incident is detected

Incident Response Plan (cont’d.)

When a threat becomes a valid attack, it is classified as an information security incident if:

It is directed against information assets

It has a realistic chance of success

It threatens the confidentiality, integrity, or availability of information assets

Incident response is a reactive measure, not a preventative one

Incident Response Plan (cont’d.)

Planners develop and document the procedures that must be performed during the incident

These procedures are grouped and assigned to various roles

The planning committee drafts a set of function-specific procedures

Incident Response Plan (cont’d.)

Planners develop and document the procedures that must be performed immediately after the incident has ceased

Separate functional areas may develop different procedures

Incident Response Plan (cont’d.)

Develop procedures for tasks that must be performed in advance of the incident:

Details of data backup schedules

Disaster recovery preparation

Training schedules

Testing plans

Copies of service agreements

Business continuity plans

Incident Response Plan (cont’d.)

Figure 3-3 Incident response planning

Source: Course Technology/Cengage Learning

Incident Response Plan (cont’d.)

Planning requires a detailed understanding of the information systems and the threats they face

The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident

Enables rapid reaction without confusion or wasted time and effort

Incident Response Plan (cont’d.)

The IR team consists of professionals capable of handling the information systems and functional areas affected by an incident

Each member of the IR team must know his or her specific role, work in concert with each other, and execute the objectives of the IRP

Incident Response Plan (cont’d.)

Incident classification

Determine whether an event is an actual incident

May be challenging

Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators

Careful training allows everyone to relay vital information to the IR team

Incident Response Plan (cont’d.)

Possible indicators

Presence of unfamiliar files

Presence or execution of unknown programs or processes

Unusual consumption of computing resources

Unusual system crashes

Incident Response Plan (cont’d.)

Probable indicators

Activities at unexpected times

Presence of new accounts

Reported attacks

Notification from IDS

Incident Response Plan (cont’d.)

Definite indicators

Use of dormant accounts

Changes to logs

Presence of hacker tools

Notifications by partner or peer

Notification by hacker
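
The three indicator levels above can be turned into a first-pass triage rule set. The following is an added example, not from the slides or the textbook, that runs such rules over a handful of constructed log lines; the line format, the business hours, the list of dormant accounts and the list of attack-tool process names are all assumptions, and a real deployment would replace the parser with one for its own log sources and tune the lists.

```python
"""Added example: first-pass triage of log lines into the possible / probable /
definite indicator levels used for incident classification.

Assumptions (constructed for illustration, not from the slides): a
'timestamp host message' line format with ISO-8601 timestamps, business hours
of 08:00-17:59, a list of dormant accounts and a list of known attack-tool
process names. The rules are deliberately simple.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

DORMANT_ACCOUNTS = {"svc_legacy", "jdoe_old"}        # assumed
KNOWN_TOOLS = {"mimikatz.exe", "nc", "psexec.exe"}     # assumed
BUSINESS_HOURS = range(8, 18)                          # assumed 08:00-17:59
LEVEL_RANK = {"definite": 0, "probable": 1, "possible": 2}

LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")


def parse(line: str) -> Optional[dict]:
    """Split 'timestamp host message'; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, msg = m.groups()
    try:
        return {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg}
    except ValueError:
        return None


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """(level, reason) for an event, or None if nothing matches. Definite rules
    run first so a line matching several rules is reported at its strongest level."""
    msg = event["msg"]
    login = re.search(r"\blogin user=(\S+)", msg)
    proc = re.search(r"\bprocess started name=(\S+)", msg)
    # definite indicators
    if login and login.group(1) in DORMANT_ACCOUNTS:
        return "definite", "use of dormant account"
    if re.search(r"\blog (cleared|truncated|modified)\b", msg):
        return "definite", "changes to logs"
    if proc and proc.group(1) in KNOWN_TOOLS:
        return "definite", "presence of hacker tools"
    # probable indicators
    if "ids alert" in msg:
        return "probable", "notification from IDS"
    if "account created" in msg:
        return "probable", "presence of new account"
    if login and event["ts"].hour not in BUSINESS_HOURS:
        return "probable", "activity at unexpected time"
    # possible indicators
    if proc:
        return "possible", "execution of unknown program"
    if "file created" in msg:
        return "possible", "presence of unfamiliar file"
    cpu = re.search(r"\bcpu=(\d+)", msg)
    if cpu and int(cpu.group(1)) >= 90:
        return "possible", "unusual consumption of computing resources"
    if "crash" in msg or "kernel panic" in msg:
        return "possible", "unusual system crash"
    return None


def triage(lines: List[str]) -> List[dict]:
    """Classify every parseable line; hits come back strongest level first,
    original order preserved within a level."""
    hits = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict is not None:
            level, reason = verdict
            hits.append({"level": level, "reason": reason, "line": line.strip()})
    return sorted(hits, key=lambda h: LEVEL_RANK[h["level"]])


def highest_level(lines: List[str]) -> Optional[str]:
    """Strongest indicator level seen; this is what drives IR plan activation."""
    hits = triage(lines)
    return hits[0]["level"] if hits else None


# Constructed sample log lines (not real data; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2024-03-02T02:13:05 web01 login user=svc_legacy src=203.0.113.7",
    "2024-03-02T02:14:10 web01 process started name=nc",
    "2024-03-02T02:15:00 web01 security log cleared by user=svc_legacy",
    "2024-03-02T09:30:00 fs02 account created user=backup2",
    "2024-03-02T21:45:00 db01 login user=alice src=10.0.0.5",
    "2024-03-02T10:00:00 db01 cpu=97 mem=88",
    "2024-03-02T10:05:00 app03 file created path=/tmp/.x/run.sh",
    "2024-03-02T11:00:00 app03 login user=bob src=10.0.0.9",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['level']:8s} {hit['reason']:42s} {hit['line']}")
    print("highest level:", highest_level(SAMPLE_LOG))
```

Note the ordering of the rules: a line such as the dormant-account login would also match the "activity at unexpected time" rule, but it must be reported as definite, so the definite rules are tested first. The sample also shows the limit of log-based triage: notifications from a partner, a peer or the attacker never appear in logs and have to be fed into classification by hand.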

Incident Response Plan (cont’d.)

Occurrences of actual incidents

When any of these occur, the corresponding IR plan must be activated immediately:

Loss of availability

Loss of integrity

Loss of confidentiality

Violation of policy

Violation of law

Incident Response Plan (cont’d.)

Once an actual incident has been confirmed and properly classified

IR team moves from the detection phase to the reaction phase

A number of action steps must occur quickly and may occur concurrently

These steps include notification of key personnel, the assignment of tasks, and documentation of the incident

Incident Response Plan (cont’d.)

Alert roster

A document containing contact information for the individuals to be notified in the event of an actual incident; a sequential roster has one person contact everyone on the list, while a hierarchical roster has the first person contact a few designated people, each of whom contacts others

The alert message is a scripted description of the incident, usually just enough information for each person to know what portion of the IRP to implement

Other key personnel must be notified of the incident after the incident has been confirmed, but before media or other external sources learn of it

Incident Response Plan (cont’d.)

Documentation

Begins once an incident has been confirmed and the notification process is underway

Record the who, what, when, where, why and how of each action taken during the incident

Serves as a case study after the fact to determine if the right actions were taken, and if they were effective

Can also prove the organisation did everything possible to deter the spread of the incident

Incident Response Plan (cont’d.)

The essential task of IR is to stop the incident or contain its impact

Incident containment strategies focus on two tasks:

Stopping the incident

Recovering control of the systems

Incident Response Plan (cont’d.)

Containment strategies

Disconnect the affected communication circuits

Dynamically apply filtering rules to limit certain types of network access

Disable compromised user accounts

Reconfigure firewalls to block the problem traffic

Temporarily disable the compromised process or service

Incident Response Plan (cont’d.)

Containment strategies (cont’d.)

Take down the conduit application or server

Stop all computers and network devices

Incident Response Plan (cont’d.)

An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident

Each organisation will have to determine, during the business impact analysis, the point at which the incident becomes a disaster

The organisation must also document when to involve outside response

Incident Response Plan (cont’d.)

Once contained and system control regained, incident recovery can begin

The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems

Incident damage assessment

Determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets

Incident Response Plan (cont’d.)

Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action
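
The who/what/when/where/why/how record described under Documentation, and the evidence-preservation point made here, can be combined in an append-only incident journal whose entries are hash-chained so that any later alteration is detectable. This is an added example, not code from the textbook or the slides; the incident identifier, the people, the actions and the timestamps are constructed, and SHA-256 over a canonical JSON encoding is the chaining method chosen for illustration.

```python
"""Added example: hash-chained incident journal for who/what/when/where/why/how.

Assumptions (constructed for illustration): the incident identifier, the
people and actions in the sample entries, and the use of SHA-256 over
canonical JSON as the chaining method. Timestamps are passed in by the caller
as ISO-8601 strings so the example is reproducible.
"""
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64   # previous-hash value for the first entry


class IncidentJournal:
    REQUIRED = ("who", "what", "when", "where", "why", "how")

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        """SHA-256 over a canonical encoding of every field except the hash itself."""
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, **fields) -> str:
        """Append one action; refuses entries that omit any of the six fields."""
        missing = [k for k in self.REQUIRED if k not in fields]
        if missing:
            raise ValueError(f"entry missing fields: {missing}")
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            **{k: fields[k] for k in self.REQUIRED},
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and check each link to its predecessor.
        Returns (True, None), or (False, seq of the first entry that fails)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None


def build_sample_journal() -> IncidentJournal:
    """Three constructed entries following the notification and containment steps."""
    j = IncidentJournal("IR-2024-0007")   # constructed identifier
    j.record(who="on-call analyst", what="confirmed incident and activated alert roster",
             when="2024-03-02T02:20:00Z", where="SOC",
             why="dormant account used from an external address",
             how="sequential phone roster")
    j.record(who="network engineer", what="applied filter rule blocking 203.0.113.7",
             when="2024-03-02T02:31:00Z", where="edge firewall",
             why="contain attacker access", how="ACL change on the border router")
    j.record(who="systems administrator", what="disabled account svc_legacy",
             when="2024-03-02T02:35:00Z", where="directory server",
             why="credentials compromised", how="account lockout")
    return j


if __name__ == "__main__":
    journal = build_sample_journal()
    print("chain intact:", journal.verify())
    journal.entries[1]["what"] = "no action taken"   # simulate later tampering
    print("after tampering:", journal.verify())
```

The chain only proves that nobody altered an entry after it was written; it cannot prove when it was written or that nobody rewrote the whole chain. For a record that has to stand up in a civil or criminal case, the journal should therefore be written to storage the responders cannot modify (write-once media or a separate logging host) and each hash should be time-stamped by a third party or at least copied to someone outside the IR team as it is produced.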

Incident Response Plan (cont’d.)

Recovery process

Identify the vulnerabilities that allowed the incident to occur and spread and resolve them

Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them

Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities

Incident Response Plan (cont’d.)

Recovery process (cont’d.)

Restore the data from backups as needed

Restore the services and processes in use; compromised (and interrupted) services and processes must be examined and cleaned before they are restored

Continuously monitor the system

Restore the confidence of the members of the organisation’s communities of interest

Incident Response Plan (cont’d.)

Before returning to routine duties, the IR team must conduct an after-action review (AAR)

A detailed examination of the events that occurred

All team members review their actions during the incident and identify areas where the IR plan worked, didn’t work, or should improve

Incident Response Plan (cont’d.)

When an incident violates civil or criminal law, it is the organisation’s responsibility to notify the proper authorities

Selecting the appropriate law enforcement agency depends on the type of crime committed: Federal, State, or local

Incident Response Plan (cont’d.)

Involving law enforcement has both advantages and disadvantages

They are usually much better equipped at processing evidence, obtaining statements from witnesses, and building legal cases

However, involvement can result in loss of control of the chain of events following an incident

Disaster Recovery Plan

The preparation for and recovery from a disaster, whether natural or man made

In general, an incident is a disaster when:

The organisation is unable to contain or control the impact of an incident, or

The level of damage or destruction from an incident is so severe the organisation is unable to quickly recover

The key role of a DRP is defining how to re-establish operations at the organisation’s primary site

Disaster Recovery Plan (cont’d.)

A DRP can classify disasters in a number of ways

The most common method is to separate natural disasters from man-made disasters

Another way of classifying disasters is by speed of development

Rapid onset disasters

Slow onset disasters

Disaster Recovery Plan (cont’d.)

Scenario development and impact analysis

Used to categorise the level of threat of each potential disaster

DRP must be tested regularly

Key points in the DRP

Clear delegation of roles and responsibilities

Execution of the alert roster and notification of key personnel

Disaster Recovery Plan (cont’d.)

Key points in the DRP (cont’d.)

Clear establishment of priorities

Documentation of the disaster

Action steps to mitigate the impact

Alternative implementations for the various systems components

Disaster Recovery Plan (cont’d.)

Actual events often outstrip even the best of plans

To be prepared, DRP should be flexible

If physical facilities are intact, begin restoration

If organisation’s facilities are unusable, take alternative actions

If the disaster makes the primary site unusable, the BCP is activated alongside the DRP to re-establish critical functions at an alternate site

Business Continuity Plan

Ensures critical business functions can continue in a disaster

Managed by CEO of the organisation

Activated and executed concurrently with the DRP when needed

While BCP reestablishes critical functions at alternate site, DRP focuses on reestablishment at the primary site

Business Continuity Plan (cont’d.)

Relies on identification of critical business functions and the resources to support them

Continuity strategies

Exclusive-use options: hot, warm and cold sites

Shared-use options: timeshare, service bureaus, mutual agreements

Determining factor is usually cost

Business Continuity Plan (cont’d.)

Hot Sites

Fully configured computer facility with all services

Warm Sites

Like hot site, but software applications not kept fully prepared

Cold Sites

Only rudimentary services and facilities kept in readiness

Business Continuity Plan (cont’d.)

Timeshares

Like an exclusive-use site, but leased in conjunction with a business partner or sister organisation

Service bureaus

An agency that provides physical facilities in the event of a disaster, for a fee

Mutual agreements

A contract between two organisations in which each agrees to assist the other in the event of a disaster

Specialised alternatives

Rolling mobile site

Externally stored resources

Business Continuity Plan (cont’d.)

To get any BCP site running quickly organisation must be able to recover data

Options include:

Electronic vaulting

Bulk batch-transfer of data to an off-site facility

Remote journaling

Transfer of live transactions to an off-site facility

Database shadowing

Storage of duplicate online transaction data
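
The three data recovery options differ mainly in how much committed work is lost when the primary site fails. The following added example (not from the textbook or the slides) simulates that loss for a constructed transaction stream: vaulting copies everything once per batch interval, journaling ships each transaction after a fixed lag, and shadowing keeps a synchronous duplicate. The interval, the lag, the transaction times and the moment of the disaster are all assumptions.

```python
"""Added example: compare data loss under electronic vaulting, remote journaling
and database shadowing when the primary site fails at a given instant.

Assumptions (constructed, not from the textbook): transaction commit times are
seconds since midnight; vaulting copies all data every `batch_interval`
seconds; journaling delivers each transaction off-site `lag` seconds after it
commits; shadowing is synchronous, so the off-site copy is complete.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    id: int
    t: float   # commit time at the primary site, seconds since midnight


def recovered_by_vaulting(txns: List[Txn], disaster_t: float, batch_interval: float) -> List[Txn]:
    """Only transactions committed before the most recent bulk transfer survive."""
    last_vault = (disaster_t // batch_interval) * batch_interval
    return [x for x in txns if x.t <= last_vault]


def recovered_by_journaling(txns: List[Txn], disaster_t: float, lag: float) -> List[Txn]:
    """A transaction survives if its journal record reached the off-site
    facility before the disaster."""
    return [x for x in txns if x.t + lag <= disaster_t]


def recovered_by_shadowing(txns: List[Txn], disaster_t: float) -> List[Txn]:
    """Synchronous duplicate: everything committed before the disaster survives."""
    return [x for x in txns if x.t <= disaster_t]


def compare_options(txns: List[Txn], disaster_t: float,
                    batch_interval: float = 6 * 3600, lag: float = 2.0) -> Dict[str, dict]:
    """Per option: transactions recovered, transactions lost, and the age in
    seconds of the newest recovered commit at the moment of the disaster."""
    committed = [x for x in txns if x.t <= disaster_t]
    options = {
        "electronic vaulting": recovered_by_vaulting(txns, disaster_t, batch_interval),
        "remote journaling": recovered_by_journaling(txns, disaster_t, lag),
        "database shadowing": recovered_by_shadowing(txns, disaster_t),
    }
    return {
        name: {
            "recovered": len(r),
            "lost": len(committed) - len(r),
            "data_loss_seconds": disaster_t - max((x.t for x in r), default=0.0),
        }
        for name, r in options.items()
    }


# Constructed stream: one transaction every five minutes, plus one committed a
# second before the primary site fails at 50,000 s (13:53:20).
TXNS = [Txn(i, 300.0 * i) for i in range(1, 200)] + [Txn(999, 49_999.0)]
DISASTER_T = 50_000.0

if __name__ == "__main__":
    for name, figures in compare_options(TXNS, DISASTER_T).items():
        print(f"{name:20s} {figures}")
```

With these figures vaulting loses the 23 transactions committed since the last six-hourly transfer, journaling loses only the one transaction still in flight, and shadowing loses nothing. The cost ranking matches the loss ranking, which is why cost is usually the determining factor. One caveat the simulation does not show: shadowing replicates a bad delete or a ransomware encryption to the alternate site just as faithfully as a good transaction, so it is a continuity measure, not a substitute for retained vault copies.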

Timing and Sequence of CP Elements

Figure 3-4 Incident response and disaster recovery

Source: Course Technology/Cengage Learning

Timing and Sequence of CP Elements (cont’d.)

Figure 3-5 Disaster recovery and business continuity planning

Source: Course Technology/Cengage Learning

Timing and Sequence of CP Elements (cont’d.)

Figure 3-6 Contingency planning implementation timeline

Source: Course Technology/Cengage Learning

Crisis Management

Crisis management

A set of focused steps that deal primarily with the people involved during and after a disaster

Crisis management team actions

Supporting personnel and their loved ones during the crisis

Determining the event's impact on normal business operations

Making a disaster declaration

Crisis Management (cont’d.)

Crisis management team actions (cont’d.)

Keeping the public informed about the event

Communicating with outside parties

Key tasks of the crisis management team

Verifying personnel status

Activating the alert roster

Business Resumption Planning

Because the DRP and BCP are closely related, most organisations prepare them concurrently

May combine them into a single document, the business resumption plan (BRP)

Although a single planning team can develop the BRP, execution requires separate teams

Table 3-3 Contingency plan template

Source: http://csrc.nist.gov/fasp/FASPDocs/contingency-plan/contingencyplan-template.doc

Business Resumption Planning (cont’d.)

Components of a simple disaster recovery plan

Name of agency

Date of completion or update of the plan and test date

Agency staff to be called in the event of a disaster

Emergency services to be called (if needed) in event of a disaster

Business Resumption Planning (cont’d.)

Components of a simple disaster recovery plan (cont’d.)

Locations of in-house emergency equipment and supplies

Sources of off-site equipment and supplies

Salvage priority list

Agency disaster recovery procedures

Follow-up assessment

Testing Contingency Plans

Problems are identified during testing

Improvements can be made, resulting in a reliable plan

Contingency plan testing strategies

Desk check: copies of the plan are distributed to everyone with a role, who review it individually and record corrections

Structured walkthrough: all involved individuals walk through the steps of the plan together, on site or in a conference room

Simulation: each person simulates the performance of their tasks, stopping short of actions that would affect live systems

Parallel testing: the organisation acts as if an incident has occurred and performs its recovery procedures, without interrupting actual operations

Full interruption testing: real systems are shut down and the plan is activated; the most realistic test, and the most risky

Contingency Planning: Final Thoughts

Iteration results in improvement

A formal implementation of this methodology is a process known as continuous process improvement (CPI)

Each time the plan is rehearsed it should be improved

Constant evaluation and improvement lead to an improved outcome

Summary

Introduction

What Is Contingency Planning?

Components of Contingency Planning

Putting a Contingency Plan Together

Testing Contingency Plans

A Single Continuity Plan
