EGEE04 Pisa 27 Oct 2005 - 1 Planning for emergencies Grid security, just another case for emergency preparation? Pål S. Anderssen CERN - IT.

Slides:



Advertisements
Similar presentations
Museum Presentation Intermuseum Conservation Association.
Advertisements

GOVERNMENT IMPACT AND PREPARATION. The United States Federal Government takes actions that are in the best interests of the nation and are not likely.
OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.
Planning for the Future Disaster Recovery Plan / Business Continuity Plan Jim Zukowski, Ed.D. Texas State Board of Dental Examiners 2006 Annual ConferenceAlexandria,
DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.
1 Continuity Planning for transportation agencies.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
(Geneva, Switzerland, September 2014)
Computer Security: Principles and Practice
1 Secure Your Business PATCH MANAGEMENT STRATEGY.
Stephen S. Yau CSE , Fall Security Strategies.
Disaster Recovery and Business Continuity Ensuring Member Service in Times of Crisis.
Session 3 – Information Security Policies
John Graham – STRATEGIC Information Group Steve Lamb - QAD Disaster Recovery Planning MMUG Spring 2013 March 19, 2013 Cleveland, OH 03/19/2013MMUG Cleveland.
Irish League of Credit Unions, 2012 W E L O O K A T T H I N G S D I F F E R E N T L Y Risk Management for Credit Unions September 2013 Risk Management.
Experiences from establishing a national Centre for Information Security in Norway TERENA Networking Conference 2003 Maria Bartnes Dahl &
IAEA International Atomic Energy Agency EPR-Public Communications L-011 Good Practices for PIOs.
Care Home Forum 19 th May 2015 Sarah Chittock – Merton Civil Contingencies Officer Taryn Milton – Emergency Planning Manager – Epsom St. Helier.
RBTC: Business Continuity 101 July 18, What is Business Continuity? Scenario Part 1 Why is BC important? What types of plans are needed? How do.
Module 3 Develop the Plan Planning for Emergencies – For Small Business –
Know the Difference™ ITIL Solution Martin Perlin Marketing Director, Evolven BOOST YOUR ITIL ® INITIATIVES Evolven Comparison assists in many ITIL v3 areas.
Physical Security By: Christian Hudson. Overview Definition and importance Components Layers Physical Security Briefs Zones Implementation.
PAR CONFERENCE Homeland Defense A Provider’s Perspective Lessons from TMI Dennis Felty November 15, 2001.
Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.
Protect critical information with a smart information-based-risk management strategy. Prepared by: Firas Mohamed Taher.
INFORMATION SECURITY PLANNING & IMPLEMENTATION Today’s Reference: Whitman & Mattord, Management of Information Security, 2 nd edition, 2008 Chapter 3.
ISA 562 Internet Security Theory & Practice
Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans.
Important points and activities.  The objective is to secure life, property, information in the event of a disaster and to facilitate business continuity.
Preparing for Disasters General Liability. Introduction  The one coverage that provides you and your business the most protection is General Liability.
ADM 677 Crisis Management in Educational Settings Karen McCuiston Kentucky Center For School Safety.
1 Crisis Management / Emergency Management Overview.
Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.
Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
Business Continuity Program Orientation (insert presentation date) (This presentation is a template that requires adjustments to meet your needs)
E.Soundararajan R.Baskaran & M.Sai Baba Indira Gandhi Centre for Atomic Research, Kalpakkam.
Service Level Agreements Service Level Statements NO YES The process of negotiating and defining the levels of user service (service levels) required.
Principles of Incident Response and Disaster Recovery Chapter 10 Business Continuity Operations and Maintenance.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Chap1: Is there a Security Problem in Computing?.
Annual Boys State Directors Conference Reviewing and Updating Crisis Management Plans Mike Bredeck Director of Minnesota.
Environment and Disaster Planning Hari Srinivas, GDRC Rajib Shaw, Kyoto University Contents of the presentation: -What is the problem? -Precautionary Principles.
Computer Security Status Update FOCUS Meeting, 28 March 2002 Denise Heagerty, CERN Computer Security Officer.
Katie Yurkewicz Community Advisory Board 24 September 2015 Enterprise Risk Management.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
1 CREATING AND MANAGING CERT. 2 Internet Wonderful and Terrible “The wonderful thing about the Internet is that you’re connected to everyone else. The.
Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.
1 Crisis Management and Communication Dr. Joy Smith and Ms. Robin Denny.
DRP Disaster Recovery Planning. Social Networking... It's the way the 21st century communicates today.
1 Certification and Accreditation CS Unit 4:RISK MANAGEMENT Jesus Gonzalez Kalpana Bahunoothula Jocelyne Farah.
Introduction to ITIL and ITIS. CONFIDENTIAL Agenda ITIL Introduction  What is ITIL?  ITIL History  ITIL Phases  ITIL Certification Introduction to.
Writing an Emergency Operations Plan Why do we need to plan? Spring 2008.
Planning for LCG Emergencies HEPiX, Fall 2005 SLAC, 13 October 2005 David Kelsey CCLRC/RAL, UK
Business Continuity Disaster Planning
1 Integrated Site Security Project Denise Heagerty CERN 22 May 2007.
Disaster Preparedness Are you prepared?. Effective Disaster Plans  Your plan should outline the basic preparedness steps needed to handle the anticipated.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
CBIZ RISK & ADVISORY SERVICES BUSINESS CONTINUITY PLANNING Developing a Readiness Strategy that Mitigates Risk and is Actionable and Easy to Implement.
EXPECT THE UNEXPECTED Prepare Your Business for Disaster.
Contingency Management Indiana University of Pennsylvania John P. Draganosky.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Information Systems Security
THINK DIFFERENT. THINK SUCCESS.
Chapter 8 – Administering Security
Security on the Move & In the Clouds
LCG/EGEE Incident Response Planning
“The Link” - Continuity of Operations and Emergency Management
Physical Security.
Presentation transcript:

EGEE04 Pisa 27 Oct Planning for emergencies Grid security, just another case for emergency preparation? Pål S. Anderssen CERN - IT

EGEE04 Pisa 27 Oct Planning for emergencies The LHC Computing Grid (LCG) will be an important element for the processing of the data from the detectors of the LHC accelerator The agreement between the collaborating institutes and CERN are laid down in a Memorandum of Understanding (MoU) During LHC data taking, the MoU requires 99% uptime for the links which connect CERN to 12 Grid sites Security is perceived as one significant risk factor Provoked a discussion in the Joint Security Policy Group (JSPG) Motivation

EGEE04 Pisa 27 Oct LHC T1 Planning for emergencies yearly availability up-time down- time lingo[%][hour] [min][day] x x x x x The layman’s availability sheet Availability is a component of the service level agreement Reliance on human intervention possible Redundant self–healing infrastructure Do we have the means to match the requirements with our service model in case of possible types of incidents?

EGEE04 Pisa 27 Oct Planning for emergencies Overview of possible types incidents: Outages of supporting services Supply of electricity Environmental control Destruction Physical force Heat, fire Chemicals Water Abuse Broken confidentiality Compromised integrity Denial of access Unauthorized use of resources Grid information assets are at risk

EGEE04 Pisa 27 Oct Planning for emergencies Outages of supporting services Many sites have been hit Can be caused by off-site events Can be mitigated by redundant supply lines and redundant on-site installations Impact on reputation and budget - Downtime Call for contingency services Extra cost for restoration of service Extra cost for transition back to normal service

EGEE04 Pisa 27 Oct Planning for emergencies Destruction Rare, mostly unpredictable Catches the operation utterly unprepared Effects can be disastrous when several factors are combined Injury to people Permanent damage to infrastructure Access to premises may be restricted

EGEE04 Pisa 27 Oct Planning for emergencies Abuse Management controls include safeguards and countermeasures to protect – Integrity Confidentiality Availability - of the information assets Are the controls effective on the Grid today? Breaches of security may go un-noticed Confusing motivation of intruding party – Hamper operation, denial of service Enrichment, theft of information Unauthorized use of infrastructure Can controls be automated in order to enhance availability? Perhaps security vulnerabilities are of a different, more complex nature Severe security breaches reinforce the call for an emergency strategy to be prepared in advance

EGEE04 Pisa 27 Oct Planning for emergencies Scale of impact from incidents in a publicly funded research establishment Injury Major impact on Reputation and Budget Minor impact on Reputation or Budget Impact of disasters

EGEE04 Pisa 27 Oct LCG/EGEE Planning for emergency Brief from the September 2005 meeting of the Joint Security Policy Group (JSPG)

EGEE04 Pisa 27 Oct JSPG September 2005 Emergency procedures are required to cover the following cases: Incident response plans cannot be followed: critical parts of the infrastructure are unavailable (e.g. mailing lists) Incident response plans are inappropriate: E.g. need to rapidly inform large parts of the community, beyond the security contacts, and incident communication channels are compromised Examples Major power cut at Site A lasted several days Cable cut network access to Site B Major worm disrupted network access at Site C Security incident blocks user access to accounts at Site D Wide area exploit of the (homogeneous) security fabric When are emergency procedures required?

EGEE04 Pisa 27 Oct JSPG September 2005 Out-of-band communication channels Alternative service providers (Internet, telephony) Alternative contact details ( , chat, …) Alternative technology Clear decision-making roles There is no time for consensus during a crisis Usual decision making process needs to be bypassed Clear information flow and roles For at least management, users, the press Reduce the risk of mis-communication Disaster Recovery Plan Definition of critical infrastructure to be kept running or repaired quickly Dependencies and sequence must be clear for restoring services Mailing lists (at CERN) are key to restoring communication What is needed in an emergency?

EGEE04 Pisa 27 Oct JSPG September 2005 Define an emergency advisory committee? Members, mandate Goal is to ensure rapid and appropriate decisions Assure information flow E.g. update DNS servers to point to temporary (web) servers Pre-record messages on telephone help services Prepare alternative communication channels E.g. commercial conference call facilities Alternative Internet providers ( addresses, chat, phone,…) When/do we return to normal Incident Response? Some ideas to stimulate discussion

EGEE04 Pisa 27 Oct Planning for emergencies Incidents will occur Over time, responses to re-occurring incidents find their way into operational procedures This is also the case for security breaches Sites have in place procedures to handle minor, local cases of abuse LCG/EGEE Grid security problems, above a certain level of severity, call for the formal Incident Response Handling (IRH) The incident may have impact beyond the local site Reporting channels are prepared in advance The IRH relies on a minimum of the infrastructure being operational In the event of a disaster, the operational procedures and the predefined response handling may not work In extreme cases they may even be counterproductive

EGEE04 Pisa 27 Oct Planning for emergencies Prepare for disaster recovery Assemble a knowledge team Look for common elements of disasters Identify services and their criticality Review impact of service disruptions Analyze vulnerabilities Analyze dependencies of services Review contingency options Develop a plan Analyze requirements for an alternate service location Identify resources required for service restoration Identify people who are likely to contribute to the restoration Identify people/functions/roles that will constitute the emergency management team Define the extent of authority of the management team Some specific suggestions

EGEE04 Pisa 27 Oct Planning for emergencies I thank you for the attention…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.