Ch 3 Contingency Planning

  • 7/23/2019 Ch 3 Contingency Planning

    1/49

    INFORMATION SECURITY MANAGEMENT

    LECTURE 3: PLANNING FOR CONTINGENCIES

    "You got to be careful if you don't know where you're going, because you might not get there." Yogi Berra

    2/49

    Principles of Information Security Mgmt

    Include the following characteristics that will be the focus of the current course (six Ps):

    1. Planning

    2. Policy

    3. Programs

    4. Protection

    5. People

    6. Project Management

    http://csrc.nist.gov/publications/PubsTC.html

    Chapters 2 & 3

    Chapter 4

    3/49

    Introduction

    One study found that over 40% of businesses that don't have a disaster plan go out of business after a major loss

    Small Business Approaches

    http://www.informationweek.com/smb/security/57-of-smbs-have-no-disaster-recovery-pla/229000461

    4/49

    Introduction 2012 Natural Disaster Map

    5/49

    Contingency Planning

    Contingency planning (CP)

    The overall planning for unexpected events

    Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets

    6/49

    Fundamentals of Contingency Planning

    Incident Response

    Disaster Recovery

    Business Continuity

    7/49

    Developing a CP Document

    Develop the contingency planning policy statement

    Conduct the BIA

    Identify preventive controls

    Develop recovery strategies

    Develop an IT contingency plan

    Plan testing, training, and exercises

    Plan maintenance

    8/49

    Business Impact Analysis (BIA)

    Provides detailed scenarios of each potential attack's impact

    9/49

    Business Impact Analysis (contd.)

    The CP team conducts the BIA in the following stages:

    Threat attack identification

    Business unit analysis

    Attack success scenarios

    Potential damage assessment

    Subordinate plan classification

    What are the goals of a BIA?

    Management of Information Security, 3rd ed.

    10/49

    Business Impact Analysis (contd.)

    An organization that uses a risk management process will have identified and prioritized threats

    The second major BIA task is the analysis and prioritization of business functions within the organization

    Each should be categorized

    11/49

    Business Impact Analysis (contd.)

    Create a series of scenarios depicting impact of successful attack on each functional area

    Attack profiles should include scenarios depicting typical attack including:

    (1) Methodology, (2) Indicators, (3) Broad consequences

    Estimate the cost

    Should this be done in-house or outsourced

    12/49

    NIST Business Process and Recovery Criticality

    Key recovery measures:

    Maximum Tolerable Downtime (MTD) - total amount of time the system owner is willing to accept for a mission/business process outage or disruption

    Recovery time objective (RTO) - maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and processes

    Recovery point objective (RPO) - point in time, prior to a disruption or system outage, to which mission/business process data can be recovered after an outage

    13/49

    NIST Business Process and Recovery Criticality

    Work Recovery Time (WRT) - amount of effort that is necessary to get the business function operational AFTER the technology element is recovered

    Can be added to the RTO to determine the realistic amount of elapsed time before a business function is back in useful service

    Total time needed to place the business function back in service must be shorter than the MTD

    Must balance the cost of system inoperability against the cost of recovery
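
The relationship between MTD, RTO and WRT on the two slides above can be checked per business function during the BIA. The following is an added example, not part of the original lecture; the function names and hour values are constructed sample data, and the `BusinessFunction`, `review` and `failing` names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class BusinessFunction:
    name: str
    mtd: float  # Maximum Tolerable Downtime, hours
    rto: float  # Recovery Time Objective, hours (technology element restored)
    wrt: float  # Work Recovery Time, hours (function usable after technology is back)

    @property
    def elapsed(self) -> float:
        # Realistic elapsed time before the function is back in useful service.
        return self.rto + self.wrt


def review(functions):
    """Return (name, elapsed, slack, ok) rows, tightest slack first."""
    rows = []
    for f in functions:
        slack = f.mtd - f.elapsed
        # Total time must be *shorter* than the MTD, so elapsed == MTD fails too.
        rows.append((f.name, f.elapsed, slack, f.elapsed < f.mtd))
    return sorted(rows, key=lambda row: row[2])


def failing(functions):
    """Names of functions whose recovery targets do not fit inside the MTD."""
    return [name for name, _, _, ok in review(functions) if not ok]


# Constructed sample BIA entries (hours); not taken from the lecture.
SAMPLE = [
    BusinessFunction("Order processing", mtd=24, rto=8, wrt=12),
    BusinessFunction("Payroll", mtd=72, rto=48, wrt=24),
    BusinessFunction("Customer support", mtd=12, rto=10, wrt=6),
    BusinessFunction("Public website", mtd=48, rto=4, wrt=2),
]

if __name__ == "__main__":
    for name, elapsed, slack, ok in review(SAMPLE):
        status = "OK" if ok else "EXCEEDS MTD"
        print(f"{name:18} RTO+WRT={elapsed:>4}h  slack={slack:>4}h  {status}")
```

Payroll fails even though RTO + WRT equals its MTD exactly, because the total must be shorter than the MTD; functions that fail need either a faster recovery strategy or a renegotiated MTD.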

    14/49

    15/49

    Timing and Sequence of CP Elements

    Management of Information Security, 3rd ed.

    Figure 3-6 Contingency planning implementation timeline

    Source: Course Technology/Cengage Learning

    16/49

    Incident Response Plan

    The question is not will an incident occur, but rather when an incident will occur

    A detailed set of processes and procedures that commence when an incident is detected

    When a threat becomes a valid attack, it is classified as an information security incident if it:

    Is directed against information assets

    Has a realistic chance of success

    Threatens the confidentiality, integrity, or availability of information assets

    17/49

    Incident Response Plan (contd.)

    Who creates the incident response plan?

    Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased

    Separate functional areas may develop different procedures

    18/49

    Incident Response Plan (contd.)

    Develop procedures for tasks that must be performed in advance of the incident

    Details of data backup schedules

    Disaster recovery preparation

    Training schedules

    Testing plans

    Copies of service agreements

    Business continuity plans

    19/49

    Incident Response Plan (contd.)

    Management of Information Security, 3rd ed.

    Figure 3-3 Incident response planning

    Source: Course Technology/Cengage Learning

    20/49

    Incident Response Plan (contd.)

    Planning requires a detailed understanding of the information systems and the threats they face

    The IR planning team seeks to develop pre

    21/49

    Incident Response Plan (contd.)

    Incident classification

    Determine whether an event is an actual incident

    Uses initial reports from end users, intrusion detection systems, host- and network

    22/49

    Incident Response Software

    23/49

    Incident Response Plan Tools

    24/49

    Incident Response Plan Tools

    25/49

    Incident Response Plan: Indicators

    Possible indicators

    Probable indicators

    Definite indicators

    When the following occur, the corresponding IR must be immediately activated

    Loss of availability

    Loss of integrity

    Loss of confidentiality

    Violation of policy

    Violation of law

    http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-to-china-surfs-web

    26/49

    Incident Response Plan (contd.)

    Once an actual incident has been confirmed and properly classified

    IR team moves from the detection phase to the reaction phase

    A number of action steps must occur quickly and may occur concurrently

    27/49

    Incident Response Plan: Action Steps

    1. Notification of key personnel (alert roster)

    2. Assignment of tasks

    3. Documentation of the incident

    28/49

    Incident Response Plan (contd.)

    The essential task of IR is to stop the incident or contain its impact

    Incident containment strategies focus on two tasks:

    29/49

    IRP: Stopping the Incident

    Containment strategies

    Once contained and system control regained, incident recovery can begin

    Incident damage assessment

    An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident

    30/49

    IRP: Recovery Process

    Identify the vulnerabilities

    Address the safeguards that failed

    Evaluate monitoring capabilities (if present)

    Restore the data from backups as needed

    Restore the services and processes in use

    Continuously monitor the system

    Restore the confidence of the members

    31/49

    Incident Response Plan (contd.)

    When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities

    Involving law enforcement has both advantages and disadvantages

    32/49

    Article: Incident Response SANS Survey

    33/49

    Disaster Recovery Plan

    The preparation for and recovery from a disaster, whether natural or man made

    In general, an incident is a disaster when:

    34/49

    Disaster Recovery Plan (contd.)

    The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located

    Common DRP classifications:

    Natural Disasters

    Human

    35/49

    Disaster Recovery Plan (contd.)

    36/49

    Disaster Recovery Plan (contd.)

    Discussion on Disaster Recovery Myths

    37/49

    Disaster Recovery Plan (contd.)

    Discussion on Disaster Recovery Checklist

    38/49

    Business Continuity Plan

    Ensures critical business functions can continue in a disaster

    Activated and executed concurrently with the DRP when needed

    Relies on identification of critical business functions and the resources to support them

    39/49

    BCP: Strategies

    Continuity strategies

    40/49

    Business Continuity Plan: Site Options

    Hot Sites

    Warm Sites

    Cold Sites

    Other Alternatives: Timeshares, Service Bureaus, Mutual Agreements

    Ex. SA data centers lease - 10gig Ethernet lines between MA and NC

    41/49

    Business Continuity Plan (contd.)

    To get any BCP site running quickly organization must be able to recover data

    Options include:

    42/49

    Timing and Sequence of CP Elements

    Figure 3-4 Incident response and disaster recovery

    Source: Course Technology/Cengage Learning

    43/49

    Timing and Sequence of BCP

    Source: Course Technology/Cengage Learning

    44/49

    Timing and Sequence of CP Elements

    Management of Information Security, 3rd ed.

    Figure 3-6 Contingency planning implementation timeline

    Source: Course Technology/Cengage Learning

    45/49

    Business Resumption Planning

    Because the DRP and BCP are closely related, most organizations prepare them concurrently

    46/49

    Business Resumption Planning (contd.)

    Components of a simple disaster recovery plan

    Name of agency

    Date of completion or update of the plan and test date

    Agency staff to be called in the event of a disaster

    Emergency services to be called (if needed) in event of a disaster

    47/49

    Business Resumption Planning (contd.)

    Components of a simple disaster recovery plan (contd.)

    Locations of in

    48/49

    Testing Contingency Plans

    Problems are identified during testing

    Improvements can be made, resulting in a reliable plan

    Contingency plan testing strategies

    Desk check

    Structured walkthrough

    Simulation

    Parallel testing

    Full interruption testing

    49/49

    Contingency Planning: Final Thoughts

    Iteration results in improvement

    A formal implementation of this methodology is a process known as continuous process improvement (CPI)

    Each time the plan is rehearsed it should be improved

    Constant evaluation and improvement lead to an improved outcome