Disaster Recovery Plan PowerPoint
DISASTER RECOVERY 14
Disaster Recovery
Student Name
Institutional Affiliations
Table of Contents 1. Executive Summary 3 2. Introduction 3 2.1. Purpose and Scope 3 2.2. Audience 3 2.3. Structure 4 3. Computer Security Incident Response 4 3.1. Events and Incidents 4 3.2. Need for Incident Response 4 3.3. Incident Response Planning, Policy, and Procedure 4 3.3.1. Policy Elements 5 3.3.2. Plan Elements 5 3.3.3. Procedure Elements 5 3.3.4. Information Sharing with other Parties 5 3.4. Incident Response Team 6 3.4.1. Team Models 6 3.4.2. Team Selection 6 3.4.3. Incident Response Personnel 6 3.4.4. Dependencies 7 3.4.5. Incident Response Team Services 7 3.4.6. Recommendations 7 4. Handling Incidents 7 4.1. Preparation 8 4.1.1. Handling incidents 8 4.1.2. Preventing Incidents 8 4.2. Detection and Analysis 8 4.2.1. Attack Vectors 9 4.2.2. Signs of an Incident 9 4.2.3. Sources 9 4.2.4. Incident Analysis 9 4.2.5. Incident Documentation 10 4.2.6. Incident Prioritization 10 4.2.7. Incident Notification 10 4.3. Containment, Eradication, and Recovery 10 4.3.1. Containment Strategy 10 4.3.2. Evidence Gathering and Handling 11 4.3.3. Identifying Attack Hosts 11 4.3.4. Eradication and Recovery 11 4.4. Post-Incident Activity 11 4.4.1. Lessons Learned 11 4.4.2. Using Collected Incident Data 12 4.4.3. Evidence Retention 12 4.5. Incident Handling Checklist 12 4.6. Recommendation 12 5. Coordination and Information Sharing 12 5.1. Coordination 13 5.1.1. Relationships 13 5.1.2. Sharing Agreements and Requirements 13 5.2. Information Sharing Techniques 13 5.2.1. Ad Hoc 13 5.2.2. Automated 13 5.2.3. Security Considerations 14 5.3. Granular Information Sharing 14
1. Executive Summary
Disaster recovery plan offers the necessity of focusing on computer incident reporting. This is a plan focusing on addressing every aspect of computer security incident reports and how to achieve the necessary services as provided by the computer security systems. Also, a common consideration is on how to ensure the effectiveness of the recovery plans through handling incidents, recovery and eradication, and finally, information sharing.
2. Introduction
2.1. Purpose and Scope
The purpose of this disaster recovery plan is to articulate all the incidents, which if they occur will affect the normal services and functions of the company. The disaster recovery plan is also a plan aiming to provide any mitigation, prevention, and incident analysis for the company to ensure a quick recovery from an attack or incident. The plan covers all the incidents, which the company might face in the course of its operations.
2.2. Audience
The disaster recovery plan is a plan for the company’s top management to use for planning and allocation of resources both financial and human resources. The management will also be able to ensure the company understand the necessary challenges facing the company in operations. It is a plan for all company employees to ensure they understand the normal functions of a company and its related incidents.
2.3. Structure
The structure of this disaster recovery plan offers the necessary information on how the plan is organized and applied by the company. The introduction offers its aims, goals, and purpose with the audience. The computer incident response is all about the processes, plans, and any measures which the company should take. Handling incidents is about how the company should recover the normal services. Finally, it is information sharing and communication which is about how the company can effectively communicate in case of incident.
3. Computer Security Incident Response
3.1. Events and Incidents
Events and incidents can range from the violation of the normal computer policies, compute crashes, packet floods, launching of malware with the intention of destruction and copying company information, and accessing unauthorized information and data. Computer based incidents can be many, for instance, security violations by using unauthorized computer devices and accessing information from insecure computer devices and networks.
3.2. Need for Incident Response
There is a rise in computer attacks and it is important to focus on the processes of handling these threats and attacks systematically, this can be accomplished by incident response plans. The importance of having a plan is to provide a way of handling and probably protecting the company’s database and intellectual information. More so, it is about effective communication during the process of a computer incident.
3.3. Incident Response Planning, Policy, and Procedure
Incident response has common elements of incident planning, policy, and the procedure. The elements below are essential for developing incident policy, plan, and procedures.
3.3.1. Policy Elements
These are the core elements, which are used to communicate about the importance of having an incident policy. It includes information on the commitment of the management, the purpose and scope of the policy, and its aim and structure for the company. The company should use this to develop an incident policy for ensuring effective prevention and mitigation of any incidents.
3.3.2. Plan Elements
The mission of the company is to develop an effective disaster recovery plan, which focuses on handling the incidents and providing a methodological process for handling all incidents. This can be implemented through effective cooperation and coordination between the top management and company employees. The process is to ensure a productive process of mitigating company incident events.
3.3.3. Procedure Elements
The standard operating procedures should be aligned with the availability of the company’s resources and its mission towards incident recovery. It is also important to convey the generally accepted standards of operations in case of computer security incident within the company. The aim is to ensure effective communication can be attained, and the necessary processes for incident recovery can achieved. This should follow checklists and recovery plans.
3.3.4. Information Sharing with other Parties
Information sharing is a core aspect when dealing computer incidents in the company. Sharing information should be based on the incident communication plans, which will help in determination, assessment, and identification of the common incidence factors. It is also a way of assessing the incident and determining the damage and loss to the company.
3.4. Incident Response Team
The incident response teams are responsible for assessing the damages and causes of the computer security incident. They will come up with necessary plans and mitigation strategies based on incident response plan.
3.4.1. Team Models
The company can use a central, distributed, and coordinating teams. These are the teams, who are responsible for effective mitigation of any incidents, which are related to the performance of the teams. The models will be at the core of ensuring the necessary implementation of the incident response plans. It comprises employees and other management with outside helps, such as law enforcement and suppliers.
3.4.2. Team Selection
The company should also consider using employees based on their expertise and roles and responsibilities. Sometimes, handling incidents is expensive and tiring. It is important to focus on employees who have the capability to work around the clock. Working conditions also need to be effective based on how to ensure the teams work in coordination and conjunction with the company’s objectives.
3.4.3. Incident Response Personnel
Computer incidents are related to the digital information and assets of the company. The team manager should be based on the company’s IT department. The employee selection will also be essential based on expertise needed and the roles within the information and communication department. This will be a common way to ensure effective distribution of information and resources. The company’s managers will be in the coordinating team who offers support, but, they do not have authority in overseeing incident recovery.
3.4.4. Dependencies
The company has dependencies from one department to another. Management has the policies and responsibilities for handling incident planning. The allocation of resources and other human resources is the process and role of human resources. The information support and department offers staffing in terms of IT support and computer security managers. Dependencies are essential to ensure adequate handling of computer incidents in the company.
3.4.5. Incident Response Team Services
The incident response team have different services. These services are based on the incident policy roles and recommendations. Some of the common services are detection and prevention of intrusion in the company’s network and communication systems, education and awareness on the incidents, advisory through coordination, and finally, on information sharing, such as through public relations and IT department.
3.4.6. Recommendations
To effectively handle computer security incidents, there is the need of developing disaster policies and recovery procedures. This will effectively result in the development of teams to handle and ensure effective communication within the company. It will also ensure the normal distribution, planning, and creative development to ensure sufficient resource allocations for effective incident handling in the company.
4. Handling Incidents
Computer security incidents might vary from violation of the normal computer policies, compute crashes, packet floods, launching of malware with the intention of destruction and copying company information, and accessing unauthorized information and data. Computer based incidents can be many, for instance, security violations by using unauthorized computer devices and accessing information from insecure computer devices and networks. Thus, handing these incidents is vital.
4.1. Preparation
Preparation is the development of the initial steps, which will ensure an effective strategy for handing incidents and computers related issues. Therefore, what is common and essential is to focus on the company’s network, system, and applications. These will ensure all the handling of incidents can be achieved effectively with ease.
4.1.1. Handling incidents
The company needs to have tools for handling software based incidents. These tools will consider the collection of incident facts, scanning, and network monitoring systems. Hardware is another core concept to consider during incident handling. Asset assessments and analysis of all computer devices, scanning and threat analysis. Finally, it is the implementation of security mitigation processes and strategies during incident assessment and planning.
4.1.2. Preventing Incidents
It is vital for the company to keep the incident risks as low as possible. This can be through conducting effective risk assessment and host security monitoring. Scanning and identification of all vulnerabilities will be the central aspect. There is also the consideration of malware and network security planning and deployment. For instance, defense in depth can be a policy and security process.
4.2. Detection and Analysis
With the company’s tools and awareness on the threat levels and incidents, it needs to be able to detect, analyses, and determine the critical threats.
4.2.1. Attack Vectors
This is how the incident occurs. The incident response team identifies the vectors of attack. This could be through emails, hardware configurations, and loopholes in the company’s network. The attack vectors will be a vital source for information on how the company can be effective in mitigation of attacks and events.
4.2.2. Signs of an Incident
It is unusual for a company’s detection systems to receive more than normal alerts per day. It is also important and unusual to determine how the attacks occurs in terms of frequency of alerts. The common way for choosing and determining the process of attacks is to choose the signs and determine what is a common trend and pattern.
4.2.3. Sources
Consider identifying threats and attacks from the software applications and system logs, reviews, and alerts. It is important to use IDPS and these tools can be used with network monitoring and system feedback and performance to determine the common point of action of the threats and what might be at risk.
4.2.4. Incident Analysis
Some incidents and reports might not be true. It is now critical to ensure all information can be correlated. Understand the normal conditions and behavior of systems. It is also a common process to understand and determine the ways of communication, determine clock synchronization, network monitoring, optimum system performance, and always consider on understanding profiling of the network. This will help in the determination of the incident analysis.
4.2.5. Incident Documentation
Incident response team will be able to develop effective documentation to help in incident tracking. Incident tracking can be effective through employing incident status, tracking the events of an incident and considering on the effects of the incident from its start and end period.
4.2.6. Incident Prioritization
Incident prioritization is also a common consideration on how the incident response team can be able to handle and promote incident management. Consider the criticality of the affected systems and the damage or magnitude of a loss. This will help in the determination of the priority based on the risk indicators and magnitude of loss.
4.2.7. Incident Notification
The incident notification will consider all the individuals who should be contacted after the identification of an incident or attack. This will contact the personnel and ensure all the necessary processes, policies, and plans have been implemented effectively. Notification will allow the triggering of the incident response plan.
4.3. Containment, Eradication, and Recovery
This will help the company to develop the right strategy and methodology for containing the attack. The strategy is to focus on the type of attack and then choose the type of methodology for handling the attack. Thus, incident response team should be to make the necessary decisions.
4.3.1. Containment Strategy
The containment strategy as defined will be based on the type of attack. For instance, email borne attack can be different from network attacks. Hence, the right containment strategy can be determined by considering the actions of the incident team towards handling incident reports and information obtained.
4.3.2. Evidence Gathering and Handling
Make the necessary use of the incident documentation and attack vector. This will be information and facts normal to understanding the changes on how the system can be used effectively. Sometimes, it is hard, but use the right detection tools and analysis to collect the necessary information, evidence of the attack, and determine how to handle the incident.
4.3.3. Identifying Attack Hosts
Although it will time consuming and affect the business impact on recovery and containment, it is important to determine the attack host. This is looking through the host databases and determine the origin of the attack and this will help in future incident mitigations and detection.
4.3.4. Eradication and Recovery
After determining the right containment strategy, the response team considers the necessary mitigation attempts and ensure the threat or attack has been mitigated. The follow-up is on recovery and ensuring the company’s core functions have been returned to a functional state. This helps in the recovery and mitigation strategies.
4.4. Post-Incident Activity
After the eradication and recovery, it is important to develop post-incident with the aim on the importance of the incident to the company’s recovery processes.
4.4.1. Lessons Learned
This is a common and potential process for understanding the value of incident reports and how to ensure progress. The company’s incident response team is able to effectively determine the lessons and what the incident has helped the company to learn about its security policies. These are the lessons, which the response team and management have learnt from the incidents and how they will act in the future.
4.4.2. Using Collected Incident Data
The collected incident data can be a vital of important information for the future references and can also be used to study incidents. It is a potential source of information, which can be used to effectively increase effective computer security incident planning and preparations.
4.4.3. Evidence Retention
Consequently, the company should use all the evidence obtained from an incident. If the company seeks to make and take legal actions against the incident attack host, then, the company has a basis for making its claims. This is important for the future processes of a company in regard to incident attacks and how to recover any losses.
4.5. Incident Handling Checklist
The checklist is to determine the activities, which have been carried to ensure a successful mitigation of an incident. This is checking on the services offered, ways, and means of contemplating on incident analysis. This will entail all the services from detection of threat or incidents till recovery and eradication.
4.6. Recommendation
Finally, handling of incidents is the challenge for many companies. It is important to focus on the core processes for handling and determining incidents. There is the need for ensuring a productive culture, methodology, and how to ensure incident handling and detection can be done based on effective management.
5. Coordination and Information Sharing
Coordination deals with information sharing between the incident response team and the management. The company should also consider important information on how to ensure proper performance and effective communication.
5.1. Coordination
5.1.1. Relationships
Coordination is another way of ensuring the progress on reporting. This can be done and carried between legal teams, management, public relations, and stakeholders. The impact on the company’s functions can be affected due to lack of effective communication. Thus, communication should be about dependency and sharing company information.
5.1.2. Sharing Agreements and Requirements
Agreements also needs to be achieved and defined by the processes and ways of communication. It is a process for ensuring and devising on the ways, means, and how to ensure effective contemplation on company information and vital cues. There is the need for a formal communication between the company, legal department, and the public relations on information sharing.
5.2. Information Sharing Techniques
5.2.1. Ad Hoc
This is the internal communication between the company’s internal systems. This can be accomplished through information processing, and implementing the overall system structure, such as emails and internal processes through networks.
5.2.2. Automated
These the automated communication systems, which are controlled by the system reports and feedback from the company’s interactions. The public relations should ensure the processes of communication and help in the mitigation strategies. This can be through media outlets and internal memos, which can be produced through communication about the incident to the company and its stakeholders.
5.2.3. Security Considerations
There are security considerations in terms of the security of the information shared. The security is to the impact on the company and its investment. This can also be the release on the confidential company information and how to share the information. The incident might affect investor information, hence, legal proceedings and the company might be sued.
5.3. Granular Information Sharing
Finally, information sharing can be used effectively to determine the processes of information processing. The challenge is on how to ensure information flow and how to achieve, develop, and create effective communication. Thus, information can range from business, technical, and legal information. Thus, it is important to make correct decisions, especially, when sharing information.
Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & security, 49, 45-69.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication, 800(61), 1-147.
Stouffer, K., & Falco, J. (2006). Guide to supervisory control and data acquisition (SCADA) and industrial control systems security. National institute of standards and technology.
Tøndel, I. A., Line, M. B., & Jaatun, M. G. (2014). Information security incident management: Current practice as reported in the literature. Computers & Security, 45, 42-57.
Wallace, M., & Webber, L. (2017). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. Amacom.