Ch 3 Contingency Planning

Date posted: 17-Feb-2018

LECTURE 3: CONTINGENCIES

    "...because you might not get there." -- Yogi Berra

Principles of Information Security Mgmt
    Include the following characteristics that will be the focus of the current course (six Ps):

    1. Planning
    2. Policy
    3. Programs
    4. Protection
    5. People
    6. Project Management


    Chapters 2 & 3

    Chapter 4

    One study found that over [percentage illegible in source] of businesses that don't have a disaster plan go out of business after a major loss.

Small Business Approaches

Introduction 01: Natural Disaster Map

Contingency Planning
    Contingency planning (CP): the overall planning for unexpected events.
    Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets.

Fundamentals of Contingency Planning
    Incident Response
    Disaster Recovery
    Business Continuity

Developing a CP Document
    Develop the contingency planning policy statement
    Conduct the BIA
    Identify preventive controls
    Develop recovery strategies
    Develop an IT contingency plan
    Plan testing, training, and exercises
    Plan maintenance

Business Impact Analysis (BIA)
    Provides detailed scenarios of each potential attack


Business Impact Analysis (cont'd.)
    The CP team conducts the BIA in the following stages:
    Threat attack identification
    Business unit analysis
    Attack success scenarios
    Potential damage assessment
    Subordinate plan classification

    What are the goals of a BIA?

    Management of Information Security, 3rd ed.

Business Impact Analysis (cont'd.)
    An organization that uses a risk management process will have identified and prioritized threats.
    The second major BIA task is the analysis and prioritization of business functions within the organization.
    Each should be categorized.

Business Impact Analysis (cont'd.)
    Create a series of scenarios depicting the impact of a successful attack on each functional area.
    Attack profiles should include scenarios depicting a typical attack, including:
    (1) Methodology, (2) Indicators, (3) Broad consequences
    Estimate the cost.
    Should this be done in-house or outsourced?

NIST Business Process and Recovery Criticality
    Key recovery measures:
    Maximum Tolerable Downtime (MTD) - total amount of time the system owner is willing to accept for a mission/business process outage or disruption
    Recovery time objective (RTO) - maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and processes
    Recovery point objective (RPO) - point in time, prior to a disruption or system outage, to which mission/business process data can be recovered after an outage

NIST Business Process and Recovery Criticality
    Work Recovery Time (WRT) - amount of effort that is necessary to get the business function operational AFTER the technology element is recovered
    Can be added to the RTO to determine the realistic amount of elapsed time before a business function is back in useful service
    Total time needed to place the business function back in service must be shorter than the MTD
    Must balance the cost of system inoperability against the cost of recovery
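The recovery measures above can be checked mechanically once a BIA has assigned them to each business function. The following is an added example (not from the lecture or the textbook) that applies the RTO + WRT < MTD rule and compares the backup interval against the RPO for a constructed set of functions; the class and function names and all sample values are illustrative.

```python
# Recovery-criticality check for a BIA. Added example, not from the lecture slides:
# applies the NIST measures defined above (MTD, RTO, RPO, WRT) to constructed
# business functions and reports which recovery strategies are feasible.
from dataclasses import dataclass
from datetime import timedelta

@dataclass
class BusinessFunction:
    name: str
    mtd: timedelta              # maximum tolerable downtime the process owner accepts
    rto: timedelta              # time to get the technology element back
    wrt: timedelta              # effort after the RTO to make the function usable again
    rpo: timedelta              # tolerable data loss, measured back from the outage
    backup_interval: timedelta  # how often the data is actually backed up

    def total_recovery_time(self) -> timedelta:
        # RTO + WRT = realistic elapsed time before the function is back in service
        return self.rto + self.wrt

    def downtime_ok(self) -> bool:
        # time to put the function back in service must be shorter than the MTD
        return self.total_recovery_time() < self.mtd

    def data_loss_ok(self) -> bool:
        # worst-case data loss is one backup interval; it must fit inside the RPO
        return self.backup_interval <= self.rpo

def assess(functions):
    """Map each function name to its findings; an empty list means the strategy is feasible."""
    report = {}
    for f in functions:
        findings = []
        if not f.downtime_ok():
            findings.append(f"RTO+WRT {f.total_recovery_time()} is not below MTD {f.mtd}")
        if not f.data_loss_ok():
            findings.append(f"backup interval {f.backup_interval} exceeds RPO {f.rpo}")
        report[f.name] = findings
    return report

# Constructed sample BIA entries (hours), not real organizational data.
def H(n): return timedelta(hours=n)
SAMPLE_FUNCTIONS = [
    BusinessFunction("order processing", mtd=H(8), rto=H(4), wrt=H(2), rpo=H(1), backup_interval=H(1)),
    BusinessFunction("payroll", mtd=H(24), rto=H(20), wrt=H(6), rpo=H(24), backup_interval=H(24)),
    BusinessFunction("customer portal", mtd=H(4), rto=H(2), wrt=H(1), rpo=H(0.5), backup_interval=H(4)),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_FUNCTIONS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Payroll fails on downtime (20 + 6 hours is not below its 24-hour MTD) and the customer portal fails on data loss (a 4-hour backup gap against a 30-minute RPO), which is exactly the kind of mismatch the BIA is meant to surface before a recovery strategy is chosen.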

7/23/2019 Ch 3 Contingency Planning

Timing and Sequence of CP Elements
    Figure 3-6 Contingency planning implementation timeline
    Source: Course Technology/Cengage Learning

Incident Response Plan
    The question is not will an incident occur, but rather when an incident will occur.
    A detailed set of processes and procedures that commence when an incident is detected.
    When a threat becomes a valid attack, it is classified as an information security incident if it:
    is directed against information assets
    has a realistic chance of success
    threatens the confidentiality, integrity, or availability of information assets

Incident Response Plan (cont'd.)
    Who creates the incident response plan?
    Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased.
    Separate functional areas may develop different procedures.

Incident Response Plan (cont'd.)
    Develop procedures for tasks that must be performed in advance of the incident:
    Details of data backup schedules
    Disaster recovery preparation
    Training schedules
    Testing plans
    Copies of service agreements
    Business continuity plans

Incident Response Plan (cont'd.)
    Figure 3-3 Incident response planning
    Source: Course Technology/Cengage Learning

Incident Response Plan (cont'd.)
    Planning requires a detailed understanding of the information systems and the threats they face.
    The IR planning team seeks to develop pre...

Incident Response Plan (cont'd.)
    Incident classification: determine whether an event is an actual incident.
    Uses initial reports from end users, intrusion detection systems, host- and network-...

Incident Response Software

Incident Response Plan Tools

Incident Response Plan: Indicators
    Possible indicators
    Probable indicators
    Definite indicators
    When the following occur, the corresponding IR must be immediately activated:
    Loss of availability
    Loss of integrity
    Loss of confidentiality
    Violation of policy
    Violation of law

    http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-to-china


Incident Response Plan (cont'd.)
    Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase.
    A number of action steps must occur quickly and may occur concurrently.

Incident Response Plan: Action Steps
    1. Notification of key personnel (alert roster)
    2. Assignment of tasks
    3. Documentation of the incident

Incident Response Plan (cont'd.)
    The essential task of IR is to stop the incident or contain its impact.
    Incident containment strategies focus on two tasks:



IRP: Stopping the Incident
    Containment strategies
    Once contained and system control regained, incident recovery can begin.
    Incident damage assessment
    An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident.

IRP: Recovery Process
    Identify the vulnerabilities
    Address the safeguards that failed
    Evaluate monitoring capabilities (if present)
    Restore the data from backups as needed
    Restore the services and processes in use
    Continuously monitor the system
    Restore the confidence of the members

Incident Response Plan (cont'd.)
    When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities.
    Involving law enforcement has both advantages and...




Article: Incident Response SANS Survey

Disaster Recovery Plan
    The preparation for and recovery from a disaster, whether natural or man-made.
    In general, an incident is a disaster when:



Disaster Recovery Plan (cont'd.)
    The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located.
    Common DRP classifications:
    Natural disasters
    Human...



Disaster Recovery Plan (cont'd.)

Disaster Recovery Plan (cont'd.)
    Discussion on Disaster Recovery Myths

Disaster Recovery Plan (cont'd.)
    Discussion on Disaster Recovery Checklist



Business Continuity Plan
    Ensures critical business functions can continue in a disaster.
    Activated and executed concurrently with the DRP when needed.
    Relies on identification of critical business functions and the resources to support them.

BCP: Strategies
    Continuity strategies



Business Continuity Plan: Site Options
    Hot sites
    Warm sites
    Cold sites
    Other alternatives: timeshares, service bureaus, mutual agreements
    Ex. SA data centers lease 10gig Ethernet lines between MA and NC

Business Continuity Plan (cont'd.)
    To get any BCP site running quickly, the organization must be able to recover data.
    Options include:

Timing and Sequence of CP Elements
    Figure 3-4 Incident response and disaster recovery
    Source: Course Technology/Cengage Learning

Timing and Sequence of BCP
    Source: Course Technology/Cengage Learning


Business Resumption Planning
    Because the DRP and BCP are closely related, most organizations prepare them concurrently.

Business Resumption Planning (cont'd.)
    Components of a simple disaster recovery plan:
    Name of agency
    Date of completion or update of the plan and test date
    Agency staff to be called in the event of a disaster
    Emergency services to be called (if needed) in the event of a disaster

Business Resumption Planning (cont'd.)
    Components of a simple disaster recovery plan (cont'd.):
    Locations of in...

Testing Contingency Plans
    Problems are identified during testing.
    Improvements can be made, resulting in a reliable plan.
    Contingency plan testing strategies:
    Desk check
    Structured walkthrough

    Parallel testing
    Full interruption testing

Contingency Planning: Final Thoughts
    Iteration results in improvement.
    A formal implementation of this methodology is a process known as continuous process improvement (CPI).
    Each time the plan is rehearsed it should be improved.
    Constant evaluation and improvement lead to an improved outcome.
