INFORMATION SECURITY PLANNING & IMPLEMENTATION
Today’s Reference: Whitman & Mattord, Management of Information Security, 2nd edition, 2008, Chapter 3.


Overview
InfoSec Planning
Why Plan?
Contingency Planning
– Business Impact Analysis (BIA)
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
Continuity Strategies

InfoSec Planning
“…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures” (Zviran, Hoge & Micucci, 1990)
“…a document that describes how an organisation will address its security needs.” (Pfleeger, 2nd ed., p. 471)
An InfoSec plan contains:
– Risk Objectives
– Policy
– Current Status of Security
– Risk Analysis Results
– Requirements
– Recommendations
– Responsibilities
– Timetable
– Implementation Strategy
– Maintenance Schedule

Why Plan?
2-3% loss within an 8-day outage
An outage of more than 10 days can threaten survival
Increased dependence on continuous, available systems
Clients may demand it (e.g. EDS & SA Govt.)
Insurance company may demand it (for lower premiums)
Company directors are not exposed to lawsuits
Legal, statutory responsibilities

What is at stake?
Inability to run critical applications (e.g. cash flow operations, management tools)
Loss of industry image
Loss of investor confidence
Loss of competitive edge
Legal violations

What Is Contingency Planning?
The overall planning for unexpected events is called contingency planning (CP)
It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
The main goal is the restoration of normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

CP Components
Business Impact Analysis (BIA)
Incident response planning (IRP) focuses on immediate response
Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
Business continuity planning (BCP) facilitates establishment of operations at an alternate site

Business Impact Analysis (BIA)
BIA provides information about systems and threats and provides detailed scenarios for each potential attack
BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls (what might go wrong)
BIA assumes controls have been bypassed or are ineffective, and that the attack was successful (when something does go wrong)

Business Impact Analysis
Define critical applications
Define tolerance levels
Consider different disaster scenarios
Consider intangible effects, cash flow effects, extra expenses, future effects
– Loss of customers
– Missed sales enquiries
– Blown deadlines
– Dissatisfied customers
– Loss of market share
– Loss of investor confidence

Incident Response Planning
Incident response planning covers identification of, classification of, and response to an incident
Attacks are classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten confidentiality, integrity, or availability of information resources
Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to react to an incident

Incident Response Plan
The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
Incident response (IR) is a set of procedures that commence when an incident is detected

Incident Response Plan
When a threat becomes a valid attack, it is classified as an information security incident if:
– It is directed against information assets
– It has a realistic chance of success
– It threatens the confidentiality, integrity, or availability of information assets
It is important to understand that IR is a reactive measure, not a preventative one

Disaster Recovery Planning
What is a disaster?
– When the outage is greater than the tolerance
– The interruption of business due to loss or denial of the information assets required for normal operation
Examples:
– National Library fire
– Flood in Sydney Stock Exchange
– 9-11 Twin Towers terrorist attack
The question is not “if” a disaster occurs but “when” a disaster occurs
– We must forget about “probability” and emphasise “impact”

Disaster Recovery Planning
An InfoSec management control which helps to “recover from” a man-made or natural disaster
A process which does NOT prevent threats but addresses the impact when they occur
A control that addresses NOT confidentiality, NOT integrity, but availability of information
The objective is to minimise down-time, i.e. the amount of time that critical IS services are unavailable (denied)

Management of Information Security, 2nd ed. - Chapter 3
Disaster Recovery Planning
Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
In general, an incident is a disaster when:
– The organization is unable to contain or control the impact of an incident
– The level of damage or destruction from an incident is so severe that the organization is unable to quickly recover
The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located

What is a DR Plan?
A tested set of procedures for reacting to and recovering from a catastrophe
Addresses two timeframes:
– The present: maintenance, testing & training before a disaster occurs
– The future: what to do when a disaster occurs
A “roadmap” which details procedures, responsibilities, contacts etc. in the event of a disaster
It is a basis for decision making

Business Continuity Planning
Outlines re-establishment of critical business operations during a disaster that impacts operations
If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue functioning
Development of a BCP is somewhat simpler than an IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy

Business Continuity Planning
BCP ensures critical business functions can continue in a disaster
BCP is most properly managed by the CEO of the organization
BCP is activated and executed concurrently with the DRP when needed
While BCP reestablishes critical functions at an alternate site, DRP focuses on reestablishment at the primary site
BCP relies on identification of critical business functions and the resources to support them

Continuity Strategies
There are several continuity strategies for business continuity; the determining factor is usually cost
Three exclusive-use options:
– Hot sites
– Warm sites
– Cold sites
Three shared-use options:
– Timeshare
– Service bureaus
– Mutual agreements

Exclusive Use Options
Hot sites – Fully configured computer facility with all services
Warm sites – Like a hot site, but software applications are not kept fully prepared
Cold sites – Only rudimentary services and facilities kept in readiness

Shared Use Options
Timeshares – Like an exclusive use site but leased
Service bureaus – Agency that provides physical facilities
Mutual agreements – Contract between two organizations to assist each other
Specialized alternatives:
– Rolling mobile site
– Externally stored resources

Recovery Strategies
In-house hot site
– Duplicate site
– Solely for recovery
– Sometimes used for development
– Sometimes extra in-house capacity at branch sites
Commercial hot site
– International, interstate or local
– With or without communications, office space or maintained O/S parallelism
In-house cold site
– A partially developed site
– A space set aside, normally used for other purposes, but which can be converted quickly
Commercial cold site
– International, interstate or local
– With or without communications or office space
Casual arrangements
– Contract with suppliers
– Agreement with an organisation with the same equipment (reciprocal agreement)
– Handshake agreements

[Chart: cost ($) plotted against recovery time for the options above (in-house hot site, commercial hot site, in-house cold site, commercial cold site, casual arrangement), showing the accumulated costs of outage against the investment in alternative strategies, with the recommended level of investment marked.]
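As an added example (not from the slides or the Whitman & Mattord text), the following Python sketch models the two decisions the slides describe: an outage that exceeds the BIA tolerance is a disaster rather than an incident, and the continuity strategy is chosen where the investment in an alternative site is weighed against the accumulated cost of the outage it still leaves. All application tolerances, hourly losses and option costs are constructed figures, and the class and function names are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CriticalApplication:
    name: str
    tolerance_hours: float       # maximum tolerable outage, taken from the BIA
    outage_cost_per_hour: float  # cash-flow loss while the application is down

@dataclass(frozen=True)
class ContinuityStrategy:
    name: str
    recovery_hours: float        # time until service resumes at the alternate site
    annual_investment: float     # cost of keeping the option ready

def classify_outage(app, outage_hours):
    """An outage within the BIA tolerance is an incident; beyond it, a disaster."""
    return "disaster" if outage_hours > app.tolerance_hours else "incident"
def accumulated_outage_cost(apps, outage_hours):
    """Cost accumulated while every critical application is down for outage_hours."""
    return sum(a.outage_cost_per_hour * outage_hours for a in apps)
def total_cost(apps, strategy):
    """Investment plus the outage cost still incurred until the strategy restores service."""
    return strategy.annual_investment + accumulated_outage_cost(apps, strategy.recovery_hours)
def feasible(apps, strategy):
    """A strategy is acceptable only if it recovers within every application's tolerance."""
    return all(strategy.recovery_hours <= a.tolerance_hours for a in apps)
def recommend(apps, strategies):
    """Cheapest feasible strategy by total cost; None if no option meets the tolerances."""
    options = [s for s in strategies if feasible(apps, s)]
    return min(options, key=lambda s: total_cost(apps, s)) if options else None

# Constructed sample BIA data and option costs (illustrative, not from the slides).
APPS = [
    CriticalApplication("order-processing", tolerance_hours=24, outage_cost_per_hour=5_000),
    CriticalApplication("payroll", tolerance_hours=72, outage_cost_per_hour=1_000),
]
STRATEGIES = [
    ContinuityStrategy("hot site (in-house)", recovery_hours=2, annual_investment=400_000),
    ContinuityStrategy("commercial hot site", recovery_hours=8, annual_investment=150_000),
    ContinuityStrategy("cold site (in-house)", recovery_hours=48, annual_investment=40_000),
    ContinuityStrategy("commercial cold site", recovery_hours=96, annual_investment=25_000),
    ContinuityStrategy("casual arrangement", recovery_hours=240, annual_investment=5_000),
]

if __name__ == "__main__":
    for s in STRATEGIES:
        print(f"{s.name:22} feasible={feasible(APPS, s)!s:5} total={total_cost(APPS, s):>12,.0f}")
    print("recommended:", recommend(APPS, STRATEGIES).name)
```

With these figures the most expensive option is not the recommended one: the commercial hot site meets both tolerances at a lower combined cost than the in-house hot site, while every cold-site or casual option breaches the 24-hour tolerance of order-processing.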

WHAT YOU NEED TO KNOW
The differences between CP, BIA, IRP, DRP & BCP
Continuity Strategies