Published by Meghan Hodges. Modified over 9 years ago.

INFORMATION SECURITY PLANNING & IMPLEMENTATION
Today’s Reference: Whitman & Mattord, Management of Information Security, 2nd edition, 2008, Chapter 3

Overview
InfoSec Planning
Why Plan?
Contingency Planning
 – Business Impact Analysis (BIA)
 – Incident Response Planning (IRP)
 – Disaster Recovery Planning (DRP)
 – Business Continuity Planning (BCP)
Continuity Strategies

InfoSec Planning
“…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures” (Zviran, Hoge & Micucci, 1990)
“… a document that describes how an organisation will address its security needs.” (Pfleeger, 2nd ed., p. 471)
An InfoSec plan contains:
 – Risk Objectives
 – Policy
 – Current Status of Security
 – Risk Analysis Results
 – Requirements
 – Recommendations
 – Responsibilities
 – Timetable
 – Implementation Strategy
 – Maintenance Schedule
4
Why Plan? 2-3% loss within 8 days outage > 10 days outage can threaten survival Increased dependence on continuous, available systems Clients may demand it (e.g. EDS & SA Govt.) Insurance Company may demand it (for lower premiums) Company Directors are not exposed to law suits Legal, statutory responsibilities

What is at stake?
Inability to run critical applications (i.e. cash flow operations, management tools)
Loss of industry image
Loss of investor confidence
Loss of competitive edge
Legal violations

What Is Contingency Planning?
The overall planning for unexpected events is called contingency planning (CP)
It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

CP Components
Business Impact Analysis (BIA)
Incident response planning (IRP) focuses on immediate response
Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
Business continuity planning (BCP) facilitates establishment of operations at an alternate site

Business Impact Analysis (BIA)
BIA provides information about systems and threats and provides detailed scenarios for each potential attack
BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls (what might go wrong)
BIA assumes controls have been bypassed or are ineffective, and attack was successful (when something does go wrong)

Business Impact Analysis
Define critical applications
Define tolerance levels
Consider different disaster scenarios
Consider intangible effects, cash flow effects, extra expenses, future effects
 – Loss of customers
 – Missed sales enquiries
 – Blown deadlines
 – Dissatisfied customers
 – Loss of market share
 – Loss of investor confidence

Incident Response Planning
Incident response planning covers identification of, classification of, and response to an incident
Attacks are classified as incidents if they:
 – Are directed against information assets
 – Have a realistic chance of success
 – Could threaten confidentiality, integrity, or availability of information resources
Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident

Incident Response Plan
The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
Incident response (IR) is a set of procedures that commence when an incident is detected

Incident Response Plan
When a threat becomes a valid attack, it is classified as an information security incident if:
 – It is directed against information assets
 – It has a realistic chance of success
 – It threatens the confidentiality, integrity, or availability of information assets
It is important to understand that IR is a reactive measure, not a preventative one

Disaster Recovery Planning
What is a disaster?
 – When the “outage” is greater than the tolerance
 – The interruption of business due to loss or denial of the information assets required for normal operation
Examples:
 – National Library fire
 – Flood in Sydney Stock Exchange
 – 9-11 Twin Towers terrorist attack
The question is not “if” a disaster occurs but “when” a disaster occurs
 – We must forget about “probability” and emphasise “impact”

Disaster Recovery Planning
An InfoSec Management control which helps to “recover from” a man-made or natural disaster
A process which does NOT prevent threats but addresses the impact when they occur
A control that addresses NOT confidentiality, NOT integrity, but availability of information
The objective is to minimise down-time or the amount of time that critical IS services are unavailable (i.e. denied)

Disaster Recovery Planning
Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
In general, an incident is a disaster when:
 – The organization is unable to contain or control the impact of an incident
 – The level of damage or destruction from an incident is so severe the organization is unable to quickly recover
The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located

What is a DR Plan?
A tested set of procedures for reacting to and recovering from a catastrophe
Addresses 2 timeframes:
 – The present – maintenance, testing & training before a disaster occurs
 – The future – what to do when a disaster occurs
A “roadmap” which details procedures, responsibilities, contacts etc. in the event of a disaster
It is a basis for decision making

Business Continuity Planning
Outlines re-establishment of critical business operations during a disaster that impacts operations
If disaster has rendered the business unusable for continued operations, there must be a plan to allow business to continue functioning
Development of a BCP is somewhat simpler than that of an IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy

Business Continuity Planning
BCP ensures critical business functions can continue in a disaster
BCP is most properly managed by the CEO of the organization
BCP is activated and executed concurrently with the DRP when needed
While BCP reestablishes critical functions at an alternate site, DRP focuses on reestablishment at the primary site
BCP relies on identification of critical business functions and the resources to support them

Continuity Strategies
There are several continuity strategies for business continuity; the determining factor is usually cost
Three exclusive-use options:
 – Hot sites
 – Warm sites
 – Cold sites
Three shared-use options:
 – Timeshare
 – Service bureaus
 – Mutual agreements

Exclusive Use Options
Hot sites – Fully configured computer facility with all services
Warm sites – Like hot site, but software applications not kept fully prepared
Cold sites – Only rudimentary services and facilities kept in readiness

Shared Use Options
Timeshares – Like an exclusive use site but leased
Service bureaus – Agency that provides physical facilities
Mutual agreements – Contract between two organizations to assist
Specialized alternatives
 – Rolling mobile site
 – Externally stored resources

Recovery Strategies
In-house hot site
 – Duplicate site
 – Solely for recovery
 – Sometimes used for development
 – Sometimes extra in-house capacity at branch sites
Commercial hot site
 – International, interstate or local
 – With or without communications, office space or maintained O/S parallelism
In-house cold site
 – A partially developed site
 – A space set aside normally used for other purposes but can be converted quickly
Commercial cold site
 – International, interstate or local
 – With or without communications or office space
Casual arrangements
 – Contract with suppliers
 – Agreement with organisation with same equipment (Reciprocal agreement)
 – Handshake agreements

[Figure: chart with axes labelled “Recovery time” and “$”, showing the hot site (in-house), commercial hot site, cold site (in-house), commercial cold site and casual arrangement options, with the labels “Accumulated costs of outage”, “Investment in alternative strategies” and “Recommended level of investment”.]

WHAT YOU NEED TO KNOW
The differences between CP, BIA, IRP, DRP & BCP
Continuity Strategies