Information Security Management, Lecture 3: Planning for Contingencies (lecture slides, transcribed)
INFORMATION SECURITY MANAGEMENT
LECTURE 3: PLANNING FOR CONTINGENCIES
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Principles of Information Security Mgmt
Include the following characteristics that will be the focus of the current course (six P’s):
1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project Management
http://csrc.nist.gov/publications/PubsTC.html
Chapters 2 & 3
Chapter 4
Introduction
One study found that over 40% of businesses that don't have a disaster plan go out of business after a major loss.
Small Business Approaches
Introduction – 2012 Natural Disaster Map
Contingency Planning
• Contingency planning (CP)
– The overall planning for unexpected events
– Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets
Fundamentals of Contingency Planning
Incident Response
Disaster Recovery
Business Continuity
Developing a CP Document
• Develop the contingency planning policy statement
• Conduct the BIA
• Identify preventive controls
• Develop recovery strategies
• Develop an IT contingency plan
• Plan testing, training, and exercises
• Plan maintenance
Business Impact Analysis (BIA)
Provides detailed scenarios of each potential attack’s impact
Business Impact Analysis (cont’d.)
• The CP team conducts the BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification
• What are the goals of a BIA?
Management of Information Security, 3rd ed.
Business Impact Analysis (cont’d.)
• An organization that uses a risk management process will already have identified and prioritized its threats
• The second major BIA task is the analysis and prioritization of business functions within the organization
• Each function should be categorized by how critical it is to the organization
Business Impact Analysis (cont’d.)
• Create a series of scenarios depicting the impact of a successful attack on each functional area
• Attack profiles should include scenarios depicting a typical attack, including:
(1) Methodology, (2) Indicators, (3) Broad consequences
• Estimate the cost of each scenario
Should this be done in-house or outsourced?
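A worked BIA, added here as an example and not taken from the lecture or its textbook. It runs through the stages listed above: the threats come from the risk management process, business functions are categorized and ranked (business unit analysis), each attack profile carries its methodology, indicators and broad consequences (attack success scenarios), a cost is estimated (potential damage assessment), and each scenario is assigned to the IRP, DRP or BCP (subordinate plan classification) using the escalation rule the lecture describes later: the IRP handles what it can contain, an incident the IRP cannot contain is a disaster and invokes the DRP, and the BCP runs concurrently with the DRP when the primary site cannot be used. Every business function, attack, outage length, cost and likelihood is constructed for illustration, and the criticality weights are an assumption.

```python
"""Worked business impact analysis (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Business unit analysis: each function is categorized by criticality.
# The numeric weights are an assumption used only to rank functions.
CRITICALITY_WEIGHT = {"critical": 4, "essential": 3, "necessary": 2, "desirable": 1}


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    criticality: str      # a key of CRITICALITY_WEIGHT
    hourly_loss: float    # constructed estimate of loss per hour of outage


@dataclass(frozen=True)
class AttackScenario:
    """Attack profile: methodology, indicators, broad consequences."""
    threat: str
    methodology: str
    indicators: Tuple[str, ...]
    affected: Tuple[str, ...]        # names of affected business functions
    outage_hours: float              # assumed downtime if the attack succeeds
    likelihood: float                # annual probability from risk management
    contained_by_irp: bool = True    # can the IR plan stop it and regain control?
    primary_site_unusable: bool = False


def prioritize_functions(functions: List[BusinessFunction]) -> List[BusinessFunction]:
    """Rank functions by criticality category, then by hourly loss, highest first."""
    return sorted(functions,
                  key=lambda f: (CRITICALITY_WEIGHT[f.criticality], f.hourly_loss),
                  reverse=True)


def damage_estimate(scenario: AttackScenario,
                    functions: Dict[str, BusinessFunction]) -> Tuple[float, float]:
    """Potential damage assessment: (cost if successful, likelihood-weighted cost)."""
    if_successful = sum(functions[n].hourly_loss * scenario.outage_hours
                        for n in scenario.affected)
    return if_successful, if_successful * scenario.likelihood


def classify_plan(scenario: AttackScenario) -> List[str]:
    """Subordinate plan classification: IRP only while containable; DRP once
    the IRP cannot contain it; BCP alongside the DRP when the site is lost."""
    if scenario.contained_by_irp and not scenario.primary_site_unusable:
        return ["IRP"]
    plans = ["IRP", "DRP"]
    if scenario.primary_site_unusable:
        plans.append("BCP")
    return plans


# Constructed sample data (not from the lecture).
FUNCTIONS = [
    BusinessFunction("Order processing", "critical", 12_000.0),
    BusinessFunction("Payroll", "essential", 1_500.0),
    BusinessFunction("Marketing website", "necessary", 800.0),
    BusinessFunction("Internal wiki", "desirable", 50.0),
]

SCENARIOS = [
    AttackScenario("Ransomware", "phishing attachment, lateral movement, file encryption",
                   ("unknown processes", "mass file renames"),
                   ("Order processing", "Payroll"), 48.0, 0.20, contained_by_irp=False),
    AttackScenario("DDoS", "volumetric flood against the public web tier",
                   ("bandwidth saturation", "IDS alerts"),
                   ("Marketing website",), 6.0, 0.50),
    AttackScenario("Data center fire", "physical loss of the primary site",
                   ("fire alarm", "loss of all site links"),
                   tuple(f.name for f in FUNCTIONS), 240.0, 0.02,
                   contained_by_irp=False, primary_site_unusable=True),
]


def run_bia(functions=FUNCTIONS, scenarios=SCENARIOS) -> List[dict]:
    """BIA report: one row per scenario, ordered by likelihood-weighted cost."""
    by_name = {f.name: f for f in functions}
    rows = []
    for s in scenarios:
        cost, expected = damage_estimate(s, by_name)
        rows.append({"threat": s.threat, "cost_if_successful": cost,
                     "expected_cost": expected, "plans": classify_plan(s)})
    return sorted(rows, key=lambda r: r["expected_cost"], reverse=True)


if __name__ == "__main__":
    print("Function priority:", [f.name for f in prioritize_functions(FUNCTIONS)])
    for row in run_bia():
        print(row)
```

The ordering by likelihood-weighted cost is what decides where planning effort goes first; note that the fire scenario has by far the largest cost if it succeeds but ranks below ransomware once likelihood is applied, which is exactly the kind of result the BIA is meant to surface before the plans are written.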
Timing and Sequence of CP Elements
Management of Information Security, 3rd ed., Figure 3-6 Contingency planning implementation timeline
Source: Course Technology/Cengage Learning
Incident Response Plan
The question is not whether an incident will occur, but when it will occur
• A detailed set of processes and procedures that commence when an incident is detected
• When a threat becomes a valid attack, it is classified as an information security incident if it:
– is directed against information assets
– has a realistic chance of success
– threatens the confidentiality, integrity, or availability of information assets
Incident Response Plan (cont’d.)
Who creates the incident response plan?
• Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased
• Separate functional areas may develop different procedures
Incident Response Plan (cont’d.)
• Develop procedures for tasks that must be performed in advance of the incident
– Details of data backup schedules
– Disaster recovery preparation
– Training schedules
– Testing plans
– Copies of service agreements
– Business continuity plans
Incident Response Plan (cont’d.)
Management of Information Security, 3rd ed., Figure 3-3 Incident response planning
Source: Course Technology/Cengage Learning
Incident Response Plan (cont’d.)
• Planning requires a detailed understanding of the information systems and the threats they face
• The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident
Incident Response Plan (cont’d.)
• Incident classification
– Determine whether an event is an actual incident
– Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators
(Example: RSA Data Loss Prevention)
Incident Response Software
Incident Response Plan Tools
Incident Response Plan: Indicators
• Possible indicators
• Probable indicators
• Definite indicators
• When any of the following occurs, the corresponding IR plan must be activated immediately:
– Loss of availability
– Loss of integrity
– Loss of confidentiality
– Violation of policy
– Violation of law
http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-to-china-surfs-web
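Incident classification in practice means turning a stream of initial reports (from end users, the IDS, host and network virus detection, and systems administrators) into a decision per host. The triage below is an added example, not code from the lecture or its textbook: any definite indicator (the five conditions listed above) activates the IR plan at once; a probable indicator opens an investigation; possible indicators alone are only monitored. The indicator names used for the possible and probable tiers, the constructed sample reports, and the rule that three possible indicators on one host inside a 30-minute window are treated like a probable indicator are all assumptions made for this example.

```python
"""Incident classification triage over constructed reports (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Definite indicators: the five conditions the lecture says must activate the IR plan.
DEFINITE = {"loss_of_availability", "loss_of_integrity", "loss_of_confidentiality",
            "policy_violation", "law_violation"}
# Probable and possible indicator names are assumptions for this example.
PROBABLE = {"ids_alert", "new_account", "off_hours_activity", "reported_attack"}
POSSIBLE = {"unfamiliar_file", "unknown_process", "resource_spike", "system_crash"}


@dataclass(frozen=True)
class Report:
    ts: datetime
    source: str      # "user", "ids", "av" or "sysadmin": the reporting channels in the lecture
    host: str
    indicator: str


def indicator_level(indicator: str) -> str:
    """Map an indicator to the lecture's three tiers."""
    if indicator in DEFINITE:
        return "definite"
    if indicator in PROBABLE:
        return "probable"
    if indicator in POSSIBLE:
        return "possible"
    raise ValueError(f"unknown indicator: {indicator}")


def possible_cluster(times: List[datetime], window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` possible indicators fall inside any one `window`."""
    times = sorted(times)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def classify(reports: List[Report], window: timedelta = timedelta(minutes=30),
             threshold: int = 3) -> Dict[str, str]:
    """Per host: 'activate_ir' (definite), 'investigate' (probable, or a
    cluster of possible indicators), otherwise 'monitor'."""
    by_host: Dict[str, List[Report]] = defaultdict(list)
    for r in reports:
        by_host[r.host].append(r)
    decisions: Dict[str, str] = {}
    for host, rs in by_host.items():
        levels = {indicator_level(r.indicator) for r in rs}
        if "definite" in levels:
            decisions[host] = "activate_ir"
            continue
        possible_times = [r.ts for r in rs if indicator_level(r.indicator) == "possible"]
        if "probable" in levels or possible_cluster(possible_times, window, threshold):
            decisions[host] = "investigate"
        else:
            decisions[host] = "monitor"
    return decisions


def _t(hhmm: str) -> datetime:
    """Constructed timestamp on an arbitrary day."""
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample reports (not real data).
SAMPLE_REPORTS = [
    Report(_t("09:02"), "av", "ws-17", "unknown_process"),
    Report(_t("09:05"), "user", "ws-17", "unfamiliar_file"),
    Report(_t("09:11"), "sysadmin", "ws-17", "resource_spike"),
    Report(_t("10:40"), "ids", "hr-app", "ids_alert"),
    Report(_t("11:15"), "sysadmin", "db-02", "loss_of_confidentiality"),
    Report(_t("08:30"), "user", "web-01", "system_crash"),
    Report(_t("07:00"), "user", "fs-03", "unfamiliar_file"),
    Report(_t("14:30"), "av", "fs-03", "unfamiliar_file"),
]

if __name__ == "__main__":
    for host, decision in sorted(classify(SAMPLE_REPORTS).items()):
        print(f"{host:8} {decision}")
```

The window and threshold are the knobs a planning team would tune from its own false-positive history; the point of keeping them explicit is that the decision to move from the detection phase to the reaction phase is a documented rule, not an analyst's gut call at 3 a.m.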
Incident Response Plan (cont’d.)
• Once an actual incident has been confirmed and properly classified
– IR team moves from the detection phase to the reaction phase
– A number of action steps must occur quickly and may occur concurrently
Incident Response Plan: Action Steps
1. Notification of key personnel (alert roster)
2. Assignment of tasks
3. Documentation of the incident
Incident Response Plan (cont’d.)
• The essential task of IR is to stop the incident or contain its impact
• Incident containment strategies focus on two tasks:
IRP: Stopping the Incident
Containment strategies
• Once the incident is contained and system control regained, incident recovery can begin
• Incident damage assessment
• An incident may increase in scope or severity to the point that the IRP cannot adequately contain it
IRP: Recovery Process
• Identify the vulnerabilities
• Address the safeguards that failed
• Evaluate monitoring capabilities (if present)
• Restore the data from backups as needed
• Restore the services and processes in use
• Continuously monitor the system
• Restore the confidence of the members
Incident Response Plan (cont’d.)
• When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities
• Involving law enforcement has both advantages and disadvantages
Disaster Recovery Plan
• The preparation for, and recovery from, a disaster, whether natural or man-made
• In general, an incident is a disaster when:
Disaster Recovery Plan (cont’d.)
• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located
• Common DRP classifications:
– Natural disasters
– Human-made disasters
• Scenario development and impact analysis
– Used to categorize the level of threat of each potential disaster
Disaster Recovery Plan (cont’d.)
Discussion on Disaster Recovery Myths
Business Continuity Plan
• Ensures critical business functions can continue in a disaster
• Activated and executed concurrently with the DRP when needed
• Relies on identification of critical business functions and the resources to support them
BCP: Strategies
• Continuity strategies
Business Continuity Plan: Site Options
• Hot sites
• Warm sites
• Cold sites
• Other alternatives: timeshares, service bureaus, mutual agreements
Example: RSA data centers lease two 10 Gb Ethernet lines between MA and NC
Business Continuity Plan (cont’d.)
• To get any BCP site running quickly, the organization must be able to recover its data
• Options include:
Timing and Sequence of CP Elements
Figure 3-4 Incident response and disaster recovery
Source: Course Technology/Cengage Learning
Timing and Sequence of BCP
Source: Course Technology/Cengage Learning
Timing and Sequence of CP Elements
Management of Information Security, 3rd ed., Figure 3-6 Contingency planning implementation timeline
Source: Course Technology/Cengage Learning
Business Resumption Planning
• Because the DRP and BCP are closely related, most organizations prepare them concurrently
Business Resumption Planning (cont’d.)
• Components of a simple disaster recovery plan
– Name of agency
– Date of completion or update of the plan and test date
– Agency staff to be called in the event of a disaster
– Emergency services to be called (if needed) in the event of a disaster
Business Resumption Planning (cont’d.)
• Components of a simple disaster recovery plan (cont'd.)
– Locations of in-house emergency equipment and supplies
– Sources of off-site equipment and supplies
– Salvage priority list
– Agency disaster recovery procedures
– Follow-up assessment
Testing Contingency Plans
• Problems are identified during testing
– Improvements can be made, resulting in a reliable plan
• Contingency plan testing strategies
– Desk check
– Structured walkthrough
– Simulation
– Parallel testing
– Full interruption testing
Contingency Planning: Final Thoughts
• Iteration results in improvement
• A formal implementation of this methodology is a process known as continuous process improvement (CPI)
• Each time the plan is rehearsed it should be improved
• Constant evaluation and improvement lead to an improved outcome