INFORMATION SECURITY MANAGEMENT, LECTURE 3: PLANNING FOR CONTINGENCIES. You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

INFORMATION SECURITY MANAGEMENT, LECTURE 3: PLANNING FOR CONTINGENCIES
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Introduction
– One study found that over 40% of businesses that don’t have a disaster plan go out of business after a major loss
– Small Business Approaches

Contingency Planning
– Contingency planning (CP): the overall planning for unexpected events
– Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets
– Main goal: restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

Fundamentals of Contingency Planning
– Incident response
– Disaster recovery
– Business continuity

Developing a CP Document
1. Develop the contingency planning policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance

Business Impact Analysis (BIA)
– Provides detailed scenarios of each potential attack’s impact

Business Impact Analysis (cont’d.)
The CP team conducts the BIA in the following stages:
– Threat attack identification
– Business unit analysis
– Attack success scenarios
– Potential damage assessment
– Subordinate plan classification
Management of Information Security, 3rd ed.

Business Impact Analysis (cont’d.)
– An organization that uses a risk management process will have identified and prioritized threats
– The second major BIA task is the analysis and prioritization of business functions within the organization

Business Impact Analysis (cont’d.)
– Create a series of scenarios depicting the impact of a successful attack on each functional area
– Attack profiles should include scenarios depicting a typical attack, including: (1) methodology, (2) indicators, (3) broad consequences
– Estimate the cost of the best, worst, and most likely outcomes
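The BIA stages above (attack profiles with methodology, indicators and consequences; best, worst and most likely cost estimates; damage assessment; subordinate plan classification) can be kept in a small worksheet. The following is an added example written for these notes, not code from the lecture or from the Whitman & Mattord text. The three-point weighting used to combine the three cost estimates, the annual likelihood figures, the containment budget and the rule that decides between IRP, DRP and BCP are all assumptions of the example, as are the sample scenarios and every cost in them.

```python
# Added example (not from the lecture): a small BIA worksheet that records one attack
# profile per threat/business unit, carries the best / most likely / worst cost
# estimates, and ranks the scenarios for subordinate-plan classification.
from dataclasses import dataclass


@dataclass
class AttackProfile:
    threat: str
    business_unit: str
    methodology: str            # how the attack would unfold
    indicators: list            # what the IR team would observe
    consequences: str           # broad consequences for the business unit
    best_cost: float            # best-case outcome, currency units
    likely_cost: float          # most likely outcome
    worst_cost: float           # worst-case outcome
    likelihood: float           # annual probability of a successful attack, taken
                                # from the risk management process (assumed input)
    primary_site_unusable: bool = False  # does the worst case leave the main site unusable?

    def expected_cost(self) -> float:
        # Three-point (PERT-style) weighting is an assumption of this example; the
        # lecture only says to estimate the best, worst and most likely outcomes.
        return (self.best_cost + 4 * self.likely_cost + self.worst_cost) / 6

    def annualized_impact(self) -> float:
        return self.likelihood * self.expected_cost()


def prioritize(profiles):
    """Rank scenarios so the most damaging ones drive the plan (potential damage assessment)."""
    return sorted(profiles, key=lambda p: p.annualized_impact(), reverse=True)


def subordinate_plan(profile, containment_budget: float) -> str:
    """Subordinate plan classification. The thresholds are this example's assumption:
    an incident the IR team can contain within budget stays an IRP matter; beyond that
    it is treated as a disaster (DRP); if the worst case leaves the primary site
    unusable, the BCP must also be invoked."""
    if profile.primary_site_unusable:
        return "BCP"
    if profile.worst_cost > containment_budget:
        return "DRP"
    return "IRP"


# Constructed sample scenarios (all figures are made up for the example).
SAMPLE_PROFILES = [
    AttackProfile("Ransomware", "Order processing",
                  "phishing email delivers loader, encrypts file shares",
                  ["mass file renames", "AV alerts on multiple hosts"],
                  "order entry halts until restored from backup",
                  5_000, 40_000, 200_000, likelihood=0.3),
    AttackProfile("Flood at data center", "All units",
                  "river flooding of the ground-floor server room",
                  ["weather warnings", "water sensors"],
                  "primary site unusable for weeks",
                  100_000, 500_000, 2_000_000, likelihood=0.02, primary_site_unusable=True),
    AttackProfile("Phishing credential theft", "HR",
                  "fake payroll portal harvests HR logins",
                  ["logins from unusual locations", "user reports"],
                  "exposure of employee records",
                  1_000, 8_000, 60_000, likelihood=0.6),
]


def bia_report(profiles, containment_budget=250_000):
    """One row per scenario, highest annualized impact first."""
    return [
        {"threat": p.threat, "unit": p.business_unit,
         "expected_cost": round(p.expected_cost(), 2),
         "annualized_impact": round(p.annualized_impact(), 2),
         "plan": subordinate_plan(p, containment_budget)}
        for p in prioritize(profiles)
    ]


if __name__ == "__main__":
    for row in bia_report(SAMPLE_PROFILES):
        print(row)
```

Ranking by annualized impact rather than by worst case keeps a rare catastrophe and a frequent nuisance on the same scale, which is what the prioritization of business functions in the next BIA task needs; the plan column is what feeds the IRP, DRP and BCP sections that follow.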

Timing and Sequence of CP Elements Management of Information Security, 3rd ed. Figure 3-6 Contingency planning implementation timeline Source: Course Technology/Cengage Learning

Incident Response Plan
– A detailed set of processes and procedures that commence when an incident is detected
– When a threat becomes a valid attack, it is classified as an information security incident if it:
  – is directed against information assets
  – has a realistic chance of success
  – threatens the confidentiality, integrity, or availability of information assets

Incident Response Plan (cont’d.)
– Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased
– Separate functional areas may develop different procedures

Incident Response Plan (cont’d.)
Develop procedures for tasks that must be performed in advance of the incident:
– Details of data backup schedules
– Disaster recovery preparation
– Training schedules
– Testing plans
– Copies of service agreements
– Business continuity plans

Incident Response Plan (cont’d.) Management of Information Security, 3rd ed. Figure 3-3 Incident response planning Source: Course Technology/Cengage Learning

Incident Response Plan (cont’d.)
– Planning requires a detailed understanding of the information systems and the threats they face
– The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident

Incident Response Plan (cont’d.)
Incident classification
– Determine whether an event is an actual incident
– Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators (example: RSA Data Loss Prevention)

Incident Response Software

Incident Response Plan Tools

Incident Response Plan: Indicators
– Possible indicators
– Probable indicators
– Definite indicators
When the following occur, the corresponding IR must be immediately activated:
– Loss of availability
– Loss of integrity
– Loss of confidentiality
– Violation of policy
– Violation of law

Incident Response Plan (cont’d.)
Once an actual incident has been confirmed and properly classified:
– The IR team moves from the detection phase to the reaction phase
– A number of action steps must occur quickly and may occur concurrently

Incident Response Plan: Action Steps
1. Notification of key personnel (alert roster)
2. Assignment of tasks
3. Documentation of the incident
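The classification and reaction steps of the last few slides (reports from end users, IDS, virus detection and sysadmins; possible, probable and definite indicators; the five conditions that activate IR immediately; then alert roster, task assignment and documentation) can be shown end to end on a handful of report lines. This is an added example written for these notes, not the lecture's or the textbook's code. The five definite triggers are the ones the lecture lists; the possible and probable categories, the report line format, the roster names, the task list and every report line are constructed for the example.

```python
# Added example (not from the lecture): a toy incident classifier. It reads constructed
# report lines from the sources the lecture names (end users, IDS, host/network AV,
# sysadmins), maps each to a possible / probable / definite indicator, and on a definite
# indicator runs the three action steps: alert roster, task assignment, documentation.
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    POSSIBLE = 1
    PROBABLE = 2
    DEFINITE = 3


# The five definite triggers come from the lecture; the possible/probable rows are this
# example's assumed mapping of report categories to indicator strength.
INDICATOR_LEVEL = {
    "unfamiliar_file": Level.POSSIBLE,
    "unusual_resource_use": Level.POSSIBLE,
    "ids_alert": Level.PROBABLE,
    "off_hours_activity": Level.PROBABLE,
    "loss_of_availability": Level.DEFINITE,
    "loss_of_integrity": Level.DEFINITE,
    "loss_of_confidentiality": Level.DEFINITE,
    "policy_violation": Level.DEFINITE,
    "law_violation": Level.DEFINITE,
}

# Constructed alert roster; a real one lists names and contact numbers.
ALERT_ROSTER = ["IR team lead", "CISO", "Network operations on-call", "Legal counsel"]

# Constructed report lines: "<timestamp> <source> <category> <free text>"
SAMPLE_REPORTS = """\
2024-03-04T02:13:00 ids ids_alert signature match for SMB lateral movement from 10.0.4.17
2024-03-04T02:15:00 user unfamiliar_file unknown executable in a temp folder, helpdesk ticket 4411
2024-03-04T02:40:00 sysadmin loss_of_availability order DB cluster unreachable, automatic failover did not occur
2024-03-04T03:05:00 hostav law_violation customer card data found staged in an outbound archive
"""

QUIET_REPORTS = """\
2024-03-05T09:00:00 user unusual_resource_use laptop fan running constantly, no other symptoms
2024-03-05T09:30:00 ids ids_alert port scan from an internal printer VLAN
"""


def parse_reports(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, category, detail = line.split(maxsplit=3)
        rows.append({"time": ts, "source": source, "category": category, "detail": detail})
    return rows


def classify(reports) -> Level:
    """Incident classification: the strongest indicator seen decides the level."""
    return max((INDICATOR_LEVEL.get(r["category"], Level.NONE) for r in reports),
               default=Level.NONE)


def react(text):
    """Detection -> reaction. Returns what the IR team should do with these reports."""
    reports = parse_reports(text)
    level = classify(reports)
    if level < Level.DEFINITE:
        return {"incident_declared": False, "level": level.name,
                "action": "keep monitoring; IR lead reviews probable indicators"}
    definite = [r for r in reports if INDICATOR_LEVEL.get(r["category"]) == Level.DEFINITE]
    # Action step 1: notification of key personnel via the alert roster.
    notify = list(ALERT_ROSTER)
    # Action step 2: assignment of tasks. When the incident violates civil or criminal
    # law, the organization must notify the proper authorities.
    tasks = ["contain the incident", "regain control of affected systems", "assess damage"]
    if any(r["category"] == "law_violation" for r in definite):
        tasks.append("notify law enforcement (Legal counsel)")
    # Action step 3: documentation of the incident, kept from the first definite report on.
    log = [f'{r["time"]} {r["source"]}: {r["category"]} - {r["detail"]}' for r in definite]
    return {"incident_declared": True, "level": level.name,
            "notify": notify, "tasks": tasks, "log": log}


if __name__ == "__main__":
    print(react(SAMPLE_REPORTS))
    print(react(QUIET_REPORTS))
```

The second sample shows the point of the indicator levels: a port scan and a noisy laptop are worth a look by the IR lead, but on their own they do not declare an incident or wake the alert roster.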

Incident Response Plan (cont’d.)
– The essential task of IR is to stop the incident or contain its impact
– Incident containment strategies focus on two tasks:
  – Stopping the incident
  – Recovering control of the systems

IRP: Stopping the Incident
– Containment strategies
– Once contained and system control regained, incident recovery can begin
– Incident damage assessment
– An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident

IRP: Recovery Process
– Identify the vulnerabilities
– Address the safeguards that failed
– Evaluate monitoring capabilities (if present)
– Restore the data from backups as needed
– Restore the services and processes in use
– Continuously monitor the system
– Restore the confidence of the members

Incident Response Plan (cont’d.)
– When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities
– Involving law enforcement has both advantages and disadvantages

Disaster Recovery Plan
– The preparation for and recovery from a disaster, whether natural or man-made
– In general, an incident is a disaster when:
  – The organization is unable to contain or control the impact of an incident, or
  – The level of damage or destruction from an incident is so severe that the organization is unable to quickly recover

Disaster Recovery Plan (cont’d.)
– The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located
– Common DRP classifications: natural disasters, human-made disasters
– Scenario development and impact analysis: used to categorize the level of threat of each potential disaster

Disaster Recovery Plan (cont’d.)
– Actual events often outstrip even the best of plans
– If physical facilities are intact, begin restoration
– If the organization’s facilities are unusable, take alternative actions
– When disaster threatens the organization at the primary site, the DRP becomes the BCP

Business Continuity Plan
– Ensures critical business functions can continue in a disaster
– Activated and executed concurrently with the DRP when needed
– Relies on identification of critical business functions and the resources to support them

BCP: Strategies
Continuity strategies
– Exclusive-use options: hot, warm and cold sites
– Shared-use options: timeshare, service bureaus, mutual agreements

Business Continuity Plan: Site Options
– Hot sites
– Warm sites
– Cold sites
– Other alternatives: timeshares, service bureaus, mutual agreements
Example: RSA data centers – two 10-gigabit Ethernet lines between MA and NC

Business Continuity Plan (cont’d.)
– To get any BCP site running quickly, the organization must be able to recover data
– Options include:
  – Electronic vaulting
  – Remote journaling
  – Database shadowing
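What separates the three data recovery options is how much committed work the alternate site is missing at the moment the primary site is lost. The following simulation is an added example written for these notes, not code from the lecture or the textbook. Its model is deliberately simple and every parameter in it is an assumption: electronic vaulting is modelled as a full copy shipped every `vault_interval` seconds, remote journaling as each transaction's journal entry arriving `journal_lag` seconds after commit, and database shadowing as a synchronous mirror that never lags; the transaction stream and the disaster time are constructed.

```python
# Added example (not from the lecture): a simplified model of the three data recovery
# options, so the recovery point each one gives the alternate site can be compared.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    seq: int
    t: float   # commit time in seconds since start of day (constructed)


def make_stream(count=60, spacing=10.0):
    """Constructed transaction stream: one commit every `spacing` seconds."""
    return [Transaction(i, i * spacing) for i in range(count)]


def recovered_by_vaulting(txs, disaster_t, vault_interval):
    # Electronic vaulting (assumed model): a bulk copy of the database is shipped
    # every vault_interval seconds; only the last completed copy is at the alternate site.
    last_snapshot = (disaster_t // vault_interval) * vault_interval
    return [tx for tx in txs if tx.t <= last_snapshot]


def recovered_by_journaling(txs, disaster_t, journal_lag):
    # Remote journaling (assumed model): each transaction's journal entry is shipped
    # as it happens, but is only at the remote site once the shipping lag has elapsed.
    return [tx for tx in txs if tx.t + journal_lag <= disaster_t]


def recovered_by_shadowing(txs, disaster_t):
    # Database shadowing (assumed model): the shadow commits synchronously with the
    # primary, so every committed transaction is already present.
    return [tx for tx in txs if tx.t <= disaster_t]


def compare(txs, disaster_t, vault_interval=120.0, journal_lag=15.0):
    """Transactions lost and recovery point (seconds of work missing) per option."""
    committed = [tx for tx in txs if tx.t <= disaster_t]
    results = {}
    for name, recovered in (
        ("electronic_vaulting", recovered_by_vaulting(txs, disaster_t, vault_interval)),
        ("remote_journaling", recovered_by_journaling(txs, disaster_t, journal_lag)),
        ("database_shadowing", recovered_by_shadowing(txs, disaster_t)),
    ):
        last_t = recovered[-1].t if recovered else 0.0
        results[name] = {
            "transactions_lost": len(committed) - len(recovered),
            "recovery_point_seconds_before_disaster": disaster_t - last_t,
        }
    return results


if __name__ == "__main__":
    for option, result in compare(make_stream(), disaster_t=275.0).items():
        print(option, result)
```

With the default parameters the disaster at 275 s costs three transactions under vaulting (everything after the 240 s copy), one under journaling (the entry still in flight) and none under shadowing. The lost-work figure is the recovery point objective the BIA should be asking each business function to state, and the options trade it off against the bandwidth and site cost the earlier slides describe.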

Timing and Sequence of CP Elements Figure 3-4 Incident response and disaster recovery Source: Course Technology/Cengage Learning

Timing and Sequence of BCP Source: Course Technology/Cengage Learning


Business Resumption Planning
Because the DRP and BCP are closely related, most organizations prepare them concurrently
– May combine them into a single document, the business resumption plan (BRP)
– Although a single planning team can develop the BRP, execution requires separate teams

Business Resumption Planning (cont’d.)
Components of a simple disaster recovery plan
– Name of agency
– Date of completion or update of the plan and test date
– Agency staff to be called in the event of a disaster
– Emergency services to be called (if needed) in the event of a disaster

Business Resumption Planning (cont’d.)
Components of a simple disaster recovery plan (cont’d.)
– Locations of in-house emergency equipment and supplies
– Sources of off-site equipment and supplies
– Salvage priority list
– Agency disaster recovery procedures
– Follow-up assessment

Testing Contingency Plans
– Problems are identified during testing
  – Improvements can be made, resulting in a reliable plan
Contingency plan testing strategies
– Desk check
– Structured walkthrough
– Simulation
– Parallel testing
– Full interruption testing

Contingency Planning: Final Thoughts
– Iteration results in improvement
– A formal implementation of this methodology is a process known as continuous process improvement (CPI)
– Each time the plan is rehearsed it should be improved
– Constant evaluation and improvement lead to an improved outcome

BYOD
– Link (title truncated on the page): …erization_of_IT_and_BYOD_Guide
– MDM: mobile device management
– MAM: mobile application management

BYOD – Securing Device

BYOD – Mobile Device Mgmt Management of Information Security, 3rd ed.


BYOD: Final Thoughts
If the solution that you apply is too restrictive, then as much as everyone wants BYOD, it’s simply not going to be a practical solution because no one will use it.