INFORMATION SECURITY MANAGEMENT Lecture 3: Planning for Contingencies You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Introduction • One study found that over 40% of businesses that don't have a disaster plan go out of business after a major loss • Small Business Approaches
Contingency Planning • Contingency planning (CP) • The overall planning for unexpected events • Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets Main goal: Restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event
Fundamentals of Contingency Planning Incident Response Disaster Recovery Business Continuity
Developing a CP Document • Develop the contingency planning policy statement • Conduct the BIA • Identify preventive controls • Develop recovery strategies • Develop an IT contingency plan • Plan testing, training, and exercises • Plan maintenance
Business Impact Analysis (BIA) Provides detailed scenarios of each potential attack’s impact
Business Impact Analysis (cont’d.) • The CP team conducts the BIA in the following stages: • Threat attack identification • Business unit analysis • Attack success scenarios • Potential damage assessment • Subordinate plan classification Management of Information Security, 3rd ed.
Business Impact Analysis (cont’d.) • An organization that uses a risk management process will have identified and prioritized threats • The second major BIA task is the analysis and prioritization of business functions within the organization
Business Impact Analysis (cont’d.) • Create a series of scenarios depicting impact of successful attack on each functional area • Attack profiles should include scenarios depicting typical attack including: (1) Methodology, (2) Indicators, (3) Broad consequences • Estimate the cost of the best, worst, and most likely outcomes
Timing and Sequence of CP Elements Figure 3-6 Contingency planning implementation timeline Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Incident Response Plan • A detailed set of processes and procedures that commence when an incident is detected • When a threat becomes a valid attack, it is classified as an information security incident if it: • is directed against information assets • has a realistic chance of success • threatens the confidentiality, integrity, or availability of information assets
Incident Response Plan (cont’d.) • Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased • Separate functional areas may develop different procedures
Incident Response Plan (cont’d.) • Develop procedures for tasks that must be performed in advance of the incident • Details of data backup schedules • Disaster recovery preparation • Training schedules • Testing plans • Copies of service agreements • Business continuity plans
Incident Response Plan (cont’d.) Figure 3-3 Incident response planning Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Incident Response Plan (cont’d.) • Planning requires a detailed understanding of the information systems and the threats they face • The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident
Incident Response Plan (cont’d.) • Incident classification • Determine whether an event is an actual incident • Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators (Example: RSA Data Loss Prevention)
Incident Response Plan: Indicators • Possible indicators • Probable indicators • Definite indicators • When the following occur, the corresponding IR must be immediately activated • Loss of availability • Loss of integrity • Loss of confidentiality • Violation of policy • Violation of law http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-to-china-surfs-web
Incident Response Plan (cont’d.) • Once an actual incident has been confirmed and properly classified • IR team moves from the detection phase to the reaction phase • A number of action steps must occur quickly and may occur concurrently
Incident Response Plan: Action Steps • Notification of key personnel (alert roster) • Assignment of tasks • Documentation of the incident
Incident Response Plan (cont’d.) • The essential task of IR is to stop the incident or contain its impact • Incident containment strategies focus on two tasks: • Stopping the incident • Recovering control of the systems
IRP: Stopping the Incident • Containment strategies • Once contained and system control regained, incident recovery can begin • Incident damage assessment • An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident
IRP: Recovery Process • Identify the vulnerabilities • Address the safeguards that failed • Evaluate monitoring capabilities (if present) • Restore the data from backups as needed • Restore the services and processes in use • Continuously monitor the system • Restore the confidence of the members
Incident Response Plan (cont’d.) • When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities • Involving law enforcement has both advantages and disadvantages
Disaster Recovery Plan • The preparation for and recovery from a disaster, whether natural or man-made • In general, an incident is a disaster when: • The organization is unable to contain or control the impact of an incident, or • The level of damage or destruction from an incident is so severe that the organization is unable to quickly recover
Disaster Recovery Plan (cont’d.) • The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located • Common DRP classifications: • Natural Disasters • Human-made Disasters • Scenario development and impact analysis • Used to categorize the level of threat of each potential disaster
Disaster Recovery Plan (cont’d.) • Actual events often outstrip even the best of plans • If physical facilities are intact, begin restoration • If the organization’s facilities are unusable, take alternative actions • When disaster threatens the organization at the primary site, DRP becomes BCP
Business Continuity Plan • Ensures critical business functions can continue in a disaster • Activated and executed concurrently with the DRP when needed • Relies on identification of critical business functions and the resources to support them
BCP: Strategies • Continuity strategies • Exclusive-use options: hot, warm and cold sites • Shared-use options: timeshare, service bureaus, mutual agreements
Business Continuity Plan: Site Options • Hot Sites • Warm Sites • Cold Sites • Other Alternatives: Timeshares, Service Bureaus, Mutual Agreements • Ex. RSA data centers – two 10 Gig Ethernet lines between MA and NC
Business Continuity Plan (cont’d.) • To get any BCP site running quickly, the organization must be able to recover data • Options include: • Electronic vaulting • Remote journaling • Database shadowing
Timing and Sequence of CP Elements Figure 3-4 Incident response and disaster recovery Source: Course Technology/Cengage Learning
Timing and Sequence of BCP Source: Course Technology/Cengage Learning
Business Resumption Planning • Because the DRP and BCP are closely related, most organizations prepare them concurrently • May combine them into a single document, the business resumption plan (BRP) • Although a single planning team can develop the BRP, execution requires separate teams
Business Resumption Planning (cont’d.) • Components of a simple disaster recovery plan • Name of agency • Date of completion or update of the plan and test date • Agency staff to be called in the event of a disaster • Emergency services to be called (if needed) in event of a disaster
Business Resumption Planning (cont’d.) • Components of a simple disaster recovery plan (cont’d.) • Locations of in-house emergency equipment and supplies • Sources of off-site equipment and supplies • Salvage priority list • Agency disaster recovery procedures • Follow-up assessment
Testing Contingency Plans • Problems are identified during testing • Improvements can be made, resulting in a reliable plan • Contingency plan testing strategies • Desk check • Structured walkthrough • Simulation • Parallel testing • Full interruption testing
Contingency Planning: Final Thoughts • Iteration results in improvement • A formal implementation of this methodology is a process known as continuous process improvement (CPI) • Each time the plan is rehearsed it should be improved • Constant evaluation and improvement lead to an improved outcome
BYOD http://www.cio.com/article/705880/The_Consumerization_of_IT_and_BYOD_Guide MDM http://www.air-watch.com/solutions/mobile-device-management MAM http://www.air-watch.com/solutions/mobile-application-management
BYOD – Mobile Device Mgmt Management of Information Security, 3rd ed.
BYOD: Final Thoughts If the solution that you apply is too restrictive, then as much as everyone wants BYOD, it's simply not going to be a practical solution because no one will use it.