(APA format)(250 words)
1. What are five key elements that a security policy should have in order to remain viable over time?
2. Briefly describe three key downtime metrics
APA Format250 wordscomputer science
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 02
Planning for Organizational
Readiness
1
1
Objectives
Discuss why an individual or group needs to be appointed to create a contingency policy and plan
Describe the elements needed to begin the contingency planning process
Define business impact analysis and describe each of its components
List the steps needed to create and maintain a budget used for the contingency planning process
Principles of Incident Response and Disaster Recovery, 2nd Edition
2
2
Introduction
Planning for contingencies
Complex and demanding process
Systematic methodology
Organize the planning process
Prepare detailed and complete plans
Commit to maintaining those plans
Rehearse plans with a military rigor
Completed after normal working hours
Maintain the processes
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Beginning the Contingency Planning Process
Contingency planning management team (CPMT)
Consists of an individual or team
CPMT responsibilities
Obtain commitment and support
Manage and conducting the overall CP process
Write the master CP document
Conduct the business impact analysis (BIA)
Assist in identifying and prioritizing threats and attacks
Assist in identifying and prioritizing business functions
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Beginning the Contingency Planning Process (cont’d.)
CPMT responsibilities (cont’d.)
Organize and staff subordinate teams leadership
Incident response
Disaster recovery
Business continuity
Crisis management
Provide guidance to and integrate the work of the subordinate teams
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Beginning the Contingency Planning Process (cont’d.)
CPMT positions
Champion
Project manager
Team members
Representatives from other business units
Business managers
Information technology managers
Information security managers
Representatives from subordinate teams
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Beginning the Contingency Planning Process (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Commitment and Support of Senior Management
Clear and formal senior executive management commitment required
Prevents CP process failure
Managers and employees provide time and resources
Support gained from communities of interest
Each should complement the others
Information security communities of interest
Information security managers and professionals
Information technology managers and professionals
General management managers and professional
Principles of Incident Response and Disaster Recovery, 2nd Edition
8
8
Information Security Management and Professionals
Protect information systems and stored information from attacks
Tightly focused on protecting system integrity and confidentiality
Sometimes lose sight of availability
Principles of Incident Response and Disaster Recovery, 2nd Edition
9
9
Information Technology Management and Professionals
Design, build, or operate information systems
IT managers and skilled professionals
Systems design, programming, networks
Related disciplines categorized as information technology (IT)
Same objectives as information security community
Focus
System creation and operation costs
System users ease of use
System creation timeliness; transaction response time
Principles of Incident Response and Disaster Recovery, 2nd Edition
10
10
Organizational Management and Professionals
Includes executive management, production management, human resources, accounting, legal, and others
IT community category reference
Users of information technology systems
Information security community category reference
Security subjects
All IT systems and information security objectives
Implement broader organizational community objectives and safeguard effective use and operation
Principles of Incident Response and Disaster Recovery, 2nd Edition
11
11
Elements Required to Begin Contingency Planning
Four required CP process elements
Planning methodology
Policy environment (enables planning process)
Understanding causes and effects of core precursor activities (business impact analysis)
Access to financial and other resources
Articulated and outlined by the planning budget
Development of CP policies and plans
Occurs once CPMT organized and staffed
Expands the four elements
Principles of Incident Response and Disaster Recovery, 2nd Edition
12
12
Elements Required to Begin Contingency Planning (cont’d.)
Complete CP development methodology adaption
NIST Special Publications 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems (2010)
Special Publications 800-61, Rev. 2, Computer Security Incident Handling Guide (2012)
Complete process
Form the CPMT
Develop contingency planning policy statement
Conduct the business impact analysis (BIA)
Principles of Incident Response and Disaster Recovery, 2nd Edition
13
13
Elements Required to Begin Contingency Planning (cont’d.)
Form subordinate planning teams
Develop subordinate planning policies
Integrate the BIA
Identify preventive controls
Organize response teams
Create contingency strategies
Develop subordinate plans
Ensure plan testing, training, and exercises
Ensure plan maintenance
Principles of Incident Response and Disaster Recovery, 2nd Edition
14
14
Contingency Planning Policy
Required for effective contingency planning
Purpose of policy
Define the CP operations scope
Establish managerial intent with regard to timetables for incident response
Recovery from disasters
Reestablishment of operations for continuity
Establish responsibility for the development and operations of the CPMT in general
Provide specifics on CP-related team constituencies
Principles of Incident Response and Disaster Recovery, 2nd Edition
15
15
Contingency Planning Policy (cont’d.)
CP policy sections
Introductory statement
Scope and purpose statement
Call for periodic risk assessment and BIA
Specification of major CP components to be designed
Call for, and guidance in, selection of recovery options and BC strategies
Requirement to test the plans on a regular basis
Identification of key regulations and standards impacting CP planning
Principles of Incident Response and Disaster Recovery, 2nd Edition
16
16
Contingency Planning Policy (cont’d.)
Identification of key individuals responsible for CP operations
Challenge to individual members
Asking for their support
Reinforcing their importance in the overall CP process
Additional administrative information
Each CP meeting should be documented
Principles of Incident Response and Disaster Recovery, 2nd Edition
17
17
Business Impact Analysis
Business impact analysis (BIA)
Investigation and assessment of the impact that various events or incidents can have on the organization
Provides detailed identification and prioritization of critical business functions
Different from the risk management process
Begins with prioritized list of threats and vulnerabilities
Question
If an attack succeeds, what do you do next?
Principles of Incident Response and Disaster Recovery, 2nd Edition
18
18
Business Impact Analysis (cont’d.)
Five “keys to BIA success”
Set the project scope carefully
Initiate data-gathering process
Find information senior managers need
Seek out objective rather than subjective data
Determine higher management needs prior to data collection
Gain validation of the results:
Derived from risk assessment and BIA
From owners of the business processes being examined
Principles of Incident Response and Disaster Recovery, 2nd Edition
19
19
Business Impact Analysis (cont’d.)
CPMT conducts the BIA in three stages
Principles of Incident Response and Disaster Recovery, 2nd Edition
20
20
Determine Mission/Business Processes and Recovery Criticality
First major BIA task
Analyze and prioritize business processes
Based on relationships to mission
Evaluate independently to compare with organization as a whole
Business process = “mission/business process”
Task performed in support of the overall mission
Collect critical information before prioritizing
Avoid “turf war”
Useful tool: BIA questionnaire
Principles of Incident Response and Disaster Recovery, 2nd Edition
21
21
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Weighted analysis table resolves most critical issues
Weighted analysis process
Identify organization categories
Assign weights to each category
Assigned weights add to a value of one (100 percent)
Identify various business functions
Importance value assessed on a scale of one to 10
Weights are multiplied by the scores in each category
Weights summed to obtain that business function’s overall value to the organization
Principles of Incident Response and Disaster Recovery, 2nd Edition
22
22
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
23
23
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
NIST Business Process and Recovery Criticality
NIST Special Publication 800-34 Rev. 1
Large quantities of information needed
BIA data collection process needed
Principles of Incident Response and Disaster Recovery, 2nd Edition
24
24
Determine Mission/Business Processes and Recovery Criticality (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
25
25
Key Downtime Metrics
Maximum tolerable downtime (MTD)
Total amount of time the system owner/authorizing official willing to accept for a process outage
Includes all impact considerations
Recovery time objective (RTO)
Time period within which systems, applications, or functions must be recovered after an outage
Recovery point objective (RPO)
Point in time to which lost systems and data can be recovered after outage; determined by business unit
Principles of Incident Response and Disaster Recovery, 2nd Edition
26
26
Key Downtime Metrics (cont’d.)
NIST Special Publication 800-34 Rev. 1
Contains additional definitions for MTD, RTO, RPO
Reducing RTO requires mechanisms to shorten start-up time or provisions
To make data available online at a failover site
Reducing RPO requires mechanisms to increase data replication synchronicity between production systems and backup implementations
Critical need: avoid exceeding MTD
RTO must be shorter than MTD
Principles of Incident Response and Disaster Recovery, 2nd Edition
27
27
Cost Balance Point
Different for every organization and system
Based on financial constraint, operating requirement
Principles of Incident Response and Disaster Recovery, 2nd Edition
28
28
Prioritize Information Assets
Helpful to understand information assets used by prioritized processes
High-value information assets
May influence a particular business process valuation
Task normally performed as part of the risk-assessment function of risk management
Perform task now if organization has not performed this task
Principles of Incident Response and Disaster Recovery, 2nd Edition
29
29
Identify Resource Requirements
Need to determine resources needed to recover prioritized processes and associated assets
Resource intensive processes: IT functions
Resources require extensive sets of information processing, storage, and transmission
Supporting customer data, production data, and other organizational information
Business production-oriented processes
Require complex or expensive components to operate
Principles of Incident Response and Disaster Recovery, 2nd Edition
30
30
Principles of Incident Response and Disaster Recovery, 2nd Edition
31
31
Identify System Resource Recovery Priorities
Last stage of the BIA
Prioritize resources associated with the mission/business processes
Brings better understanding of what must be recovered first
Create additional weighted tables of the resources
Develop a custom-designed “to-do” list
Use a simple valuation scale
Primary/Secondary/Tertiary
Critical/Very important/Important/Routine
Principles of Incident Response and Disaster Recovery, 2nd Edition
32
32
BIA Data Collection
Not a discrete step
Methods
Online questionnaires
Facilitated data-gathering sessions
Process flows and interdependency studies
Risk assessment research
IT application or system logs
Financial reports and departmental budgets
BCP/DRP audit documentation
Production schedule
Principles of Incident Response and Disaster Recovery, 2nd Edition
33
33
Online Questionnaires
Online or printed questionnaire
Identify and classify
Business functions and impact they have on other organization areas
Enables a structured collection method
Collect information directly from those most knowledgeable
Examples
Web site for the Texas State Office of Risk Management BIA questionnaire areas
See Table 2-3 and Table 2-4
Principles of Incident Response and Disaster Recovery, 2nd Edition
34
34
Online Questionnaires (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
35
35
Online Questionnaires (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
36
36
Facilitated Data-Gathering Sessions
Focus group (facilitated data-gathering session)
Collecting information directly from the end users and business managers
Individuals brought together
Brainstorm answers to BIA process questions
To yield quantity or quality of information desired
Ensure a relaxed, productive session
Provide clear session structure
Encourage dialog
Restrict managers’ ability to take control
Principles of Incident Response and Disaster Recovery, 2nd Edition
37
37
Process Flows and Interdependency Studies
Systems diagramming
Documents ways systems operate
Charts process flows and interdependency studies
Used for both manual and automated systems
Common diagramming techniques
Use case diagrams and supporting use cases
Specifically designed to help understand interactions between entities and business functions
Principles of Incident Response and Disaster Recovery, 2nd Edition
38
38
Principles of Incident Response and Disaster Recovery, 2nd Edition
39
39
Process Flows and Interdependency Studies (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
40
40
Principles of Incident Response and Disaster Recovery, 2nd Edition
41
41
Process Flows and Interdependency Studies (cont’d.)
Uniform modeling language (UML) models
Class diagrams, sequence diagrams, collaboration diagrams
Traditional systems analysis and design approaches
Workflow, functional decomposition, and dataflow diagrams
Quite complex
Only use if organization has them in place
Principles of Incident Response and Disaster Recovery, 2nd Edition
42
42
Principles of Incident Response and Disaster Recovery, 2nd Edition
43
43
Principles of Incident Response and Disaster Recovery, 2nd Edition
44
44
Principles of Incident Response and Disaster Recovery, 2nd Edition
45
45
Risk Assessment Research
Risk assessment and risk management effort
Provides a wealth of information for BIA effort
Some modification may be necessary
Risk management process
Primary starting point for the BIA
Alternative efforts required if risk assessment not performed
Teams may collect information from outside sources on risk assessment
Principles of Incident Response and Disaster Recovery, 2nd Edition
46
46
IT Application or System Logs
IT staff
Valuable in determining categorical data
Frequency of occurrence
Probability of success
Provide information from various logs
Logs collect and provide reports
Failed login attempts, probes, scans, denial-of-service attacks, malware detected
Provides more accurate attack environment description
Principles of Incident Response and Disaster Recovery, 2nd Edition
47
47
Financial Reports and Departmental Budgets
Documents from normal operations
Provide insight into business operations
Costs and revenues provided by each functional area
Useful in prioritizing business areas and functions
Provides insight into the area’s profitability and revenues contribution
Calculating business impact most common method
Review financial reports and budgets
Lost sales, idle personnel costs, and other opportunity costs easily obtained
Principles of Incident Response and Disaster Recovery, 2nd Edition
48
48
Audit Documentation
Paid external consultant audits
Used by larger organizations and publicly traded firms
Audit function compliance
Federal and state regulations
National or international standards,
Part of proactive ongoing improvement program
Audit reports
Provide additional information for the BIA process
Principles of Incident Response and Disaster Recovery, 2nd Edition
49
49
Production Schedules
Information valuable in the completion of the BIA
Production schedules, marketing forecasts, productivity reports, other business documents
Include information collected from multiple sources
Rather than redundantly re-collecting it from the same sources
If information not collected directly by the BIA team
Make sure it is current and accurate
Undated information often worse than no information
Principles of Incident Response and Disaster Recovery, 2nd Edition
50
50
Budgeting for Contingency Operations
Incident response
May not require dedicated budgeting
Disaster recovery and business continuity
Require ongoing expenditures, investment, and service contracts to support their implementation
Many organizations are “self-insured”
Put money into an account
Draw upon it should replacements be required
Some organization forego “self-insured” investments
Due to tight budgets and drops in revenues
Principles of Incident Response and Disaster Recovery, 2nd Edition
51
51
Incident Response Budgeting
IR capabilities
Part of a normal IT budget
Data protection and response, backup and recovery methods
Uninterruptible power supplies (UPSs)
Antivirus/antispyware/antimalware software
Redundant arrays of independent disks (RAID)
Network-attached storage (NAS) or storage area networks (SANs)
Additional expenses
Protection of user data outside common storage areas
Principles of Incident Response and Disaster Recovery, 2nd Edition
52
52
Incident Response Budgeting (cont’d.)
Required budgeting
Maintenance of redundant equipment
Use the “rule of three”
Keep an online production system
Keep an online or very nearly online backup system
Keep an offline testing and development system
Online “hot” servers have redundancy incorporated
Backup or “warm ”server
Provides redundant functions standing by in a near-online state
Principles of Incident Response and Disaster Recovery, 2nd Edition
53
53
Disaster Recovery Budgeting
Number one DR budgetary expense
Insurance policies
Provide for the capabilities to rebuild and reestablish operations at the primary site
Data loss policies
Many organizations cannot afford them
Losses from a distributed denial-of-service attack (DDoS) not so familiar
Insurance difficult to estimate exactly
Many expenses not covered by insurance
Loss of water, electricity, data, and the like
Principles of Incident Response and Disaster Recovery, 2nd Edition
54
54
Business Continuity Budgeting
Requires the largest budget expenditure
Staggering cost to maintain high level of redundancy
Example: service level agreements (SLAs) for hot sites
Set aside “war chest” of funds for items needed during continuity operations
Safety deposit boxes at a local bank
Store corporate credit cards, purchase orders, cash
Consider nonsalaried employee overtime
Principles of Incident Response and Disaster Recovery, 2nd Edition
55
55
Crisis Management Budgeting
Fundamentals of crisis management
Focused physical and psychological losses associated with catastrophic disasters
Primary budget item
Employee salaries if unable to come to work
Establish a minimum budget for paid leave
Other items
Funeral and burial expenses; employee counseling services
Principles of Incident Response and Disaster Recovery, 2nd Edition
56
56
Summary
Approach CP using a systematic methodology
CPMT responsible for contingency policy and plans
Obtains commitment and support, manages the overall process, writes documents, conducts the BIA, organizes and staffs leadership, provides guidance
Roster includes champion, project manager, others
Effective CP begins with effective policy
Policy provides guidance from executives
Policy contains statements, calls for action, guidelines and additional administrative information
Principles of Incident Response and Disaster Recovery, 2nd Edition
57
57
Summary (cont’d.)
BIA: investigation and assessment of event impact
Detailed identification and prioritization of critical business functions
Key element: placing priorities and values on mission/business process
Insurance : number-one budgetary expense for DR
Larger deductibles provide lower monthly premiums
Set aside funds to cover deductibles
Business continuity: largest budget expenditure
Consider employee overtime, employee loss expenses
Principles of Incident Response and Disaster Recovery, 2nd Edition
58
58
About the Presentations
The presentations cover the objectives found in the opening of each chapter.
All chapter objectives are listed in the beginning of each presentation.
You may customize the presentations to fit your class needs.
Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.
1
Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design, implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
7
Key Information Security Concepts (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
8
8
Key Information Security Concepts (cont’d.)
Trespass
Broad category of electronic and human activities
Can breach information confidentiality
Leads to unauthorized real or virtual actions
Results in unauthorized access to premises or system
Software attacks
Malicious code, malicious software, malware
Designed to damage, destroy, deny service to the target systems
Example: hackers
Principles of Incident Response and Disaster Recovery, 2nd Edition
9
9
Key Information Security Concepts (cont’d.)
Common malicious code instances
Viruses and worms, Trojan horses, logic bombs, bots, rootkits, back doors, denial-of-service (DoS) attack, distributed DoS (DDoS) attack
Malicious code threats: sources of confusion
Method of propagation, payload, vector of infection
Viruses
Segments of code that perform malicious actions
Macro virus: embedded automatically in macrocode
Boot virus: infects key operating systems files
Principles of Incident Response and Disaster Recovery, 2nd Edition
10
10
Key Information Security Concepts (cont’d.)
Worms
Replicate themselves constantly
No other program needed
Can replicate until available resources filled
Back doors and trap doors
Installed by virus or worm payload
Provides at will special privilege system access
Polymorphism
Threat changes apparent shape over time
Elude antivirus software detection
Principles of Incident Response and Disaster Recovery, 2nd Edition
11
11
Key Information Security Concepts (cont’d.)
Propagation vectors
Manner by which malicious code spreads can vary
May use social engineering: Trojan horse looks desirable, but is not
May leverage open network connection, file shares or software vulnerability
Malware hoaxes
Well-meaning people send random e-mails warning of fictitious dangerous malware
Wastes a lot of time and energy
Principles of Incident Response and Disaster Recovery, 2nd Edition
12
12
Key Information Security Concepts (cont’d.)
Human error or failure
Introduces acts performed by an authorized user
No malicious intent or purpose
Human error
Small mistakes produce extensive damage with catastrophic results
Human failure
Intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information
Principles of Incident Response and Disaster Recovery, 2nd Edition
13
13
Key Information Security Concepts (cont’d.)
Theft
Illegal taking of another’s property
Property: physical, electronic, intellectual
Includes acts of espionage and breach of confidentiality
Methods
Competitive intelligence or industrial espionage
Theft or loss of mobile devices
Phones, tablets, and computers
Stored information more important than devices
Principles of Incident Response and Disaster Recovery, 2nd Edition
14
14
Key Information Security Concepts (cont’d.)
Compromises to intellectual property
FOLDOC intellectual property (IP) definition
The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source
Includes
Trade secrets, copyrights, trademarks, patents
Exfiltration, or unauthorized removal of information
Software piracy
Principles of Incident Response and Disaster Recovery, 2nd Edition
15
15
Key Information Security Concepts (cont’d.)
Sabotage or vandalism
Destroys asset or damages an organization’s image
Assault on an organization’s Web site
Cyberterrorism (more sinister hacking)
Technical software failures or errors
Software with unknown hidden faults
Code sold before security-related bugs detected
Trap doors
Helpful Web sites
Bugtraq and National Vulnerability Database
Principles of Incident Response and Disaster Recovery, 2nd Edition
16
16
Key Information Security Concepts (cont’d.)
Technical hardware failures or errors
Equipment distributed with known or unknown flaw
System performs outside expected parameters
Errors can be terminal or intermittent
Forces of nature
Known as force majeure, or acts of God
Pose most dangerous threats imaginable
Occur with very little warning
Principles of Incident Response and Disaster Recovery, 2nd Edition
17
17
Key Information Security Concepts (cont’d.)
Deviations in quality of service by service providers
Product or service not delivered as expected
Support systems interrupted by storms, employee illnesses, unforeseen events
Technological obsolescence
Antiquated or outdated infrastructure
Leads to unreliable and untrustworthy systems
Risk loss of data integrity from attacks
Principles of Incident Response and Disaster Recovery, 2nd Edition
18
18
Key Information Security Concepts (cont’d.)
Information extortion
Attacker or trusted insider steals information from a computer system
Demands compensation for its return or for an agreement to not disclose the information
Common in credit card number theft
Other threats
See Table 1-2
Principles of Incident Response and Disaster Recovery, 2nd Edition
19
19
Principles of Incident Response and Disaster Recovery, 2nd Edition
20
20
Overview of Risk Management
Risk management process
Identifying and controlling information asset risks
Security managers play the largest roles
Includes contingency planning
Risk identification process
Examining, documenting, and assessing the security posture of an organization’s IT and the risks it faces
Risk control process
Applying controls to reduce the risks
Principles of Incident Response and Disaster Recovery, 2nd Edition
21
21
Overview of Risk Management (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
22
22
Overview of Risk Management (cont’d.)
Risk management redefined
Process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
– Chinese General Sun Tzu
Source: Oxford University Press
Principles of Incident Response and Disaster Recovery, 2nd Edition
23
23
Overview of Risk Management (cont’d.)
Know yourself
Identify, examine, and understand the information and systems currently in place
Asset: information and systems that use, store, and transmit information
Question to ask when protecting assets
What are they?
How do they add value to the organization?
To which vulnerabilities are they susceptible?
Have periodic review, revision, and maintenance of control mechanisms
Principles of Incident Response and Disaster Recovery, 2nd Edition
24
24
Overview of Risk Management (cont’d.)
Know the enemy
Identify, examine, and understand threats
Determine threat aspects affecting the organization and the security of the assets
List threats prioritized by importance
Conduct periodic management reviews
Verify completeness and accuracy of asset inventory
Review and verify identified threats and vulnerabilities
Review current controls and mitigation strategies
Review cost effectiveness and deployment issues
Verify ongoing effectiveness of every control
Principles of Incident Response and Disaster Recovery, 2nd Edition
25
25
Risk Identification
Identify, classify, and prioritize information assets
Threat identification process begins afterwards
Asset examined to identify vulnerabilities
Controls identified
Controls assessed
Regarding capability to limit possible losses should attack occur
Principles of Incident Response and Disaster Recovery, 2nd Edition
26
26
Principles of Incident Response and Disaster Recovery, 2nd Edition
27
27
Asset Identification and Value Assessment
Iterative process of identifying assets and assessing their value
Information asset classification
Classify with respect to security needs
Components must be specific for the creation of various priority levels
Components ranked according to criteria established by the categorization
Use comprehensive and mutually exclusive categories
Establish clear and comprehensive category sets
Principles of Incident Response and Disaster Recovery, 2nd Edition
28
28
Asset Identification and Value Assessment (cont’d.)
Information asset valuation
Is this asset the most critical to the organizations’ success?
Does it generate the most revenue?
Does it generate the most profit?
Would it be the most expensive to replace?
Will it be the most expensive to protect?
If revealed, would it cause the most embarrassment or greatest damage?
Does the law or other regulation require us to protect this asset?
Principles of Incident Response and Disaster Recovery, 2nd Edition
29
29
Asset Identification and Value Assessment (cont’d.)
Answers determine weighting criteria
Used for asset valuation and impact evaluation
Must decide criteria best suited to establish the information asset value
Perform weighted factor analysis
Calculates relative importance of each asset
Assign score from 0.1 to 1.0 for each critical factor
Assign each critical factor a weight from 1 to 100
Identify, document and add company-specific criteria
Principles of Incident Response and Disaster Recovery, 2nd Edition
30
30
Asset Identification and Value Assessment (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
31
31
Data Classification and Management
(cont’d.)
Data classification schemes
Procedures requiring organizational data to be classified into mutually exclusive categories
Based on need to protect data category confidentiality
Military specialized classification ratings
“Public” to “For Official Use Only” to “Confidential“ to “Secret” to “Top Secret”
Principles of Incident Response and Disaster Recovery, 2nd Edition
32
32
Data Classification and Management (cont’d.)
Alternative information classification scheme
Public: for general public dissemination
For official use: Not particularly sensitive but not for public release
Sensitive: important to the business and could cause embarrassment or loss of market share if revealed
Classified: requires utmost security; disclosure could severely impact the organization
Personnel information security clearances
On a need-to-know basis
Principles of Incident Response and Disaster Recovery, 2nd Edition
33
33
Threat Identification
Conduct a threat assessment
Which threats present a danger to the organization’s assets in the given environment?
Which threats represent the most danger to the organization’s information?
Which threats would cost the most to recover from if there was an attack?
Which threats require the greatest expenditure to prevent?
Principles of Incident Response and Disaster Recovery, 2nd Edition
34
34
Vulnerability Identification
Review each asset and each threat it faces
Create list of vulnerabilities
Examine how each threat could be perpetrated
List organization’s assets and its vulnerabilities
Notes
Threat may yield multiple vulnerabilities
People with diverse backgrounds should participate
Principles of Incident Response and Disaster Recovery, 2nd Edition
35
35
Risk Assessment
Process of assigning a risk rating or score to each information asset
Goal
Determine relative risk of each vulnerability using various factors
Likelihood
Probability that a specific vulnerability will be successfully attacked
Many asset/vulnerability combinations have external references for likelihood values
Principles of Incident Response and Disaster Recovery, 2nd Edition
36
36
Valuation of Information Assets
Assign weighted scores for the value to the organization of each information asset
Re-ask questions described in the “Threat Identification” section
Which of these questions is most important to the protection of the organization’s information?
Examine how current controls can reduce risk faced by specific vulnerabilities
Impossible to know everything about each vulnerability
Principles of Incident Response and Disaster Recovery, 2nd Edition
37
37
Risk Determination
Risk = (likelihood of vulnerability x value) – percent of risk currently controlled + uncertainty of assumptions
Qualitative Risk Management
General categories and ranking used to evaluate risk
Factor Analysis of Information Risk (FAIR) strategy
Promoted by CXOWARE
Residual risk
Remaining risk after control applied
Principles of Incident Response and Disaster Recovery, 2nd Edition
38
38
Identify Possible Controls
Controls, safeguards, and countermeasures
Represent security mechanisms, policies, and procedures that reduce risk
Three types of security policies
Enterprise information security policy
Issue-specific policies
Systems-specific policies
Programs
Activities performed within the organization to improve security
Principles of Incident Response and Disaster Recovery, 2nd Edition
39
39
Risk Control Strategies
Defense approach (preferred approach)
Attempts to prevent vulnerability exploitation
Risk defense methods
Defense through application of policy
Defense through training and education programs
Defense through technology application
Usually requires technical solutions
Eliminate asset exposure
Attempt to reduce risk to an acceptable level
Principles of Incident Response and Disaster Recovery, 2nd Edition
40
40
Risk Control Strategies (cont’d.)
Implement security controls and safeguards
Deflect attacks to minimize the successful probability
Transference
Attempts to shift risk to other assets, processes, organizations
Rethink how services offered
Revise deployment models
Outsource to other organizations
Purchase insurance
Implement service contracts with providers
Principles of Incident Response and Disaster Recovery, 2nd Edition
41
41
Risk Control Strategies (cont’d.)
Mitigation
Attempts to reduce impact caused by the vulnerability exploitation
Through planning and preparation
Includes contingency planning
Business impact analysis
Incident response plan
Disaster recovery plan
Business continuity plan
Requires quick attack detection and response
Relies on existence and quality of the other plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
42
42
Risk Control Strategies (cont’d.)
Acceptance
Do nothing to protect an information asset
Accept the outcome of its potential exploitation
Only valid when the organization has:
Determined the level of risk
Assessed the probability of attack
Estimated potential damage that could occur
Performed a thorough cost-benefit analysis
Evaluated controls
Decided asset did not justify the cost of protection
Principles of Incident Response and Disaster Recovery, 2nd Edition
43
43
Risk Control Strategies (cont’d.)
Termination
Difference from acceptance
Remove asset from the environment representing risk
Two main reasons
Cost of protecting an asset outweighs its value
Too difficult or expensive to protect asset compared to value or advantage asset offers
Termination must be a conscious business decision
Not simple asset abandonment
Principles of Incident Response and Disaster Recovery, 2nd Edition
44
44
Contingency Planning and Its Components
Contingency plan
Used to anticipate, react to, and recover from events threatening events
Restores organization to normal modes of business operations
Four subordinate functions
Business impact assessment (BIA)
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Principles of Incident Response and Disaster Recovery, 2nd Edition
45
45
Business Impact Analysis
Business impact analysis (BIA)
Investigation and assessment of the impact of attacks
Adds detail to prioritized threat and vulnerability list created in the risk management process
Provides detailed scenarios of potential impact of each type of attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
46
46
Incident Response Plan
Incident
Any clearly identified attack on assets
Incident response plan (IRP)
Deals with the identification, classification, response, and recovery from an incident
Assesses the likelihood of imminent damage
Informs key decision makers
Enables the organization to take coordinated action
Principles of Incident Response and Disaster Recovery, 2nd Edition
47
47
Disaster Recovery Plan
Preparation for and recovery from natural or man-made disaster
Includes:
Preparations for the recovery process
Strategies to limit losses during the disaster
Detailed steps to follow after immediate danger
Focus
Preparation before the incident
Actions taken after the incident
Principles of Incident Response and Disaster Recovery, 2nd Edition
48
48
BCP and BRP
Business continuity plan (BCP)
Expresses how to ensure critical business functions continue at an alternate location
After catastrophic incident or disaster
Used when DRP cannot restore primary site operations
Most strategic and long-term plan
Business resumption plan (BRP)
Emerging new concept in contingency planning
Merges the DRP and BCP into a single process
Principles of Incident Response and Disaster Recovery, 2nd Edition
49
49
Contingency Planning Timeline
Steps in contingency planning
IR plan focuses on immediate response
May move to DRP and BCP if disastrous
DR plan focuses on restoring systems at original site
BC runs concurrently with DRP
When major or long-term damage occurs
IRP, DRP, and BCP distinction
When each comes into play during the incident
Principles of Incident Response and Disaster Recovery, 2nd Edition
50
50
Principles of Incident Response and Disaster Recovery, 2nd Edition
51
51
Principles of Incident Response and Disaster Recovery, 2nd Edition
52
52
Contingency Planning Timeline (cont’d.)
Seven steps in NIST SP 800-34, Revision 1
Principles of Incident Response and Disaster Recovery, 2nd Edition
53
53
Role of Information Security Policy in Developing Contingency Plans
Policy needs to enforce information protection requirements
Before, during, and after incident
Quality security programs
Begin and end with policy
Information security
A management problem
Difficulties in shaping policy
Must never conflict with laws; must stand up in court if challenged; must be properly administered
Principles of Incident Response and Disaster Recovery, 2nd Edition
54
54
Key Policy Definitions
Policy
Plan or course of action
Conveys instructions from senior management to those who make decisions, take action, perform duties
Organizational law
Dictates acceptable and unacceptable behavior
Defines penalties for violations
Standard
Detailed statement of what must be done to comply
De facto standard (informal standard)
De jure standard (formal standard)
Principles of Incident Response and Disaster Recovery, 2nd Edition
55
55
Principles of Incident Response and Disaster Recovery, 2nd Edition
56
56
Key Policy Definitions (cont’d.)
Mission
Written statement of an organization’s purpose
Vision
Written statement about organization’s goals
Strategic planning
Process of moving organization toward its vision
Information security policy
Provides rules for protecting information assets
Enterprise information security policy, issue-specific security policy, systems-specific security policy
Principles of Incident Response and Disaster Recovery, 2nd Edition
57
57
Enterprise Information Security Policy
Enterprise information security policy (EISP)
Based on and directly supports the mission, vision, and direction of the organization
Executive-level
Sets strategic direction, scope, and tone for all security efforts
Contains requirements to be met
Defines purpose, scope, constraints, and applicability
Assigns responsibilities
Addresses legal compliance
Principles of Incident Response and Disaster Recovery, 2nd Edition
58
58
Issue-Specific Security Policy
Issue-specific security policy (ISSP)
Addresses specific areas of technology
Three common approaches to creating ISSPs
Independent ISSP documents, each tailored to a specific issue
A single comprehensive ISSP document covering all issues
Modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements
Principles of Incident Response and Disaster Recovery, 2nd Edition
59
59
Principles of Incident Response and Disaster Recovery, 2nd Edition
60
60
Issue-Specific Security Policy (cont’d.)
Statement of policy
Defines scope, responsibility for implementation, technologies and issues being addressed
Authorized access and usage of equipment
Addresses who can use technology and for what it can be used
Defines “fair and responsible use”
Addresses key legal issues
Prohibited usage of equipment
Outlines what technology cannot be used for
Principles of Incident Response and Disaster Recovery, 2nd Edition
61
61
Issue-Specific Security Policy (cont’d.)
Systems management
Focuses on users’ relationship to management
Violations of policy
Specifies penalties and how to report violations
Policy review and modification
Procedures and a timetable for periodic review so users do not circumvent it as it grows obsolete
Limitations of liability
States company will not protect user and is not liable for their actions
Principles of Incident Response and Disaster Recovery, 2nd Edition
62
62
Systems-Specific Policy
Systems-specific security policies (SysSPs)
Standards and procedures used when configuring or maintaining systems
Access control lists (ACLs)
Govern rights and privileges of particular users to particular systems
Configuration rules
Specific configuration codes entered into security systems
Principles of Incident Response and Disaster Recovery, 2nd Edition
63
63
Systems-Specific Policy (cont’d.)
ACL policies
Translated into configuration sets
Controls access to systems
Regulate the who, what, when, and where of access
ACL rules
Known as capability tables, user profiles, user policies
Specify what a user can and cannot do with resources
Rule policies
More specific than ACLs
May or may not deal with users directly
Principles of Incident Response and Disaster Recovery, 2nd Edition
64
64
Policy Management
Policies
Constantly changing and growing
Must be properly disseminated
Security policies must have the following
Individual responsible for creation, revision, distribution, and storage
Schedule of reviews
Mechanism for recommendations for revisions
Policy/revision date; possibly “sunset” expiration date
Policy management software (optional)
Principles of Incident Response and Disaster Recovery, 2nd Edition
65
65
Summary
Information security protects information and its critical elements
C.I.A. triangle: basis for CNSS model
Threat: entity posing potential for loss to an asset
Asset: has value to the organization
Vulnerability: weakness in protection mechanisms
Risk management process: identify vulnerabilities and taking steps to protect assets
Principles of Incident Response and Disaster Recovery, 2nd Edition
66
66
Summary (cont’d.)
Risk identification: process of identifying risks
Risk control: applying controls to reduce risk
Contingency planning: avoidance, transference, mitigation, acceptance strategies
Business impact analysis: assess attack type impact
Incident response plan: actions taken when an incident in progress
Disaster recovery plan: preparation for and recovery from a disaster
Principles of Incident Response and Disaster Recovery, 2nd Edition
67
67
Summary (cont’d.)
Business continuity plan: ensures critical business functions continue after a disaster
Policies: organizational laws dictating behavior
Enterprise information security policy: sets strategic scope, direction, tone
Issue-specific security policy: addresses specific areas of technology
Systems-specific security policy: used when configuring or maintaining systems
Principles of Incident Response and Disaster Recovery, 2nd Edition
68
68
Order an Essay Now & Get These Features For Free:
Turnitin Report
Formatting
Title Page
Citation
Outline
