
INFORMATION SECURITY MANAGEMENT

LECTURE 3: PLANNING FOR CONTINGENCIES

"You got to be careful if you don't know where you're going, because you might not get there." - Yogi Berra

Principles of Information Security Mgmt

Include the following characteristics that will be the focus of the current course (six Ps):

1. Planning (Chapters 2 & 3)
2. Policy (Chapter 4)
3. Programs
4. Protection
5. People
6. Project Management

http://csrc.nist.gov/publications/PubsTC.html

Introduction

One study found that over 40% of businesses that don't have a disaster plan go out of business after a major loss.

Small Business Approaches

Introduction: 2012 Natural Disaster Map

Contingency Planning

Contingency planning (CP) is the overall planning for unexpected events. It involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets.

Fundamentals of Contingency Planning

Incident Response
Disaster Recovery
Business Continuity

Developing a CP Document
Develop the contingency planning policy
statement
Conduct the BIA
Identify preventive controls
Develop recovery strategies
Develop an IT contingency plan
Plan testing, training, and exercises
Plan maintenance

Business Impact Analysis (BIA)

Provides detailed scenarios of each potential attack's impact.

Business Impact Analysis (contd.)

The CP team conducts the BIA in the following stages:
Threat/attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification

What are the goals of a BIA?

Management of Information Security, 3rd ed.

Business Impact Analysis (contd.)

An organization that uses a risk management process will already have identified and prioritized its threats.
The second major BIA task is the analysis and prioritization of business functions within the organization.
Each business function should be categorized.

Business Impact Analysis (contd.)

Create a series of scenarios depicting the impact of a successful attack on each functional area.
Attack profiles should include scenarios depicting a typical attack, including: (1) Methodology, (2) Indicators, (3) Broad consequences.
Estimate the cost of each scenario.

Should this be done in-house or outsourced?

NIST Business Process and Recovery Criticality

Key recovery measures:
Maximum Tolerable Downtime (MTD): the total amount of time the system owner is willing to accept for a mission/business process outage or disruption.
Recovery Time Objective (RTO): the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and processes.
Recovery Point Objective (RPO): the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered after an outage.

NIST Business Process and Recovery Criticality (contd.)

Work Recovery Time (WRT): the amount of effort that is necessary to get the business function operational AFTER the technology element is recovered.
WRT can be added to the RTO to determine the realistic amount of elapsed time before a business function is back in useful service.
The total time needed to place the business function back in service (RTO + WRT) must be shorter than the MTD.
The cost of system inoperability must be balanced against the cost of recovery.
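The relationship between the NIST measures above can be checked mechanically once a BIA has assigned values to each business process. The following is an added example, not part of the lecture or the textbook; the backup interval input and the sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the lecture). One record per business process with the
# NIST measures the slides define, all in hours, plus the assumed backup interval.
@dataclass(frozen=True)
class BusinessProcess:
    name: str
    mtd: float              # maximum tolerable downtime accepted by the owner
    rto: float              # time to bring the technology element back
    wrt: float              # effort after that to make the function usable again
    rpo: float              # acceptable data loss, measured back from the outage
    backup_interval: float  # how often data is actually backed up (assumed input)

def realistic_recovery_time(p: BusinessProcess) -> float:
    """RTO + WRT: elapsed time before the function is back in useful service."""
    return p.rto + p.wrt

def assess(p: BusinessProcess) -> list[str]:
    """Findings for one process; an empty list means the recovery plan holds."""
    findings = []
    total = realistic_recovery_time(p)
    if total >= p.mtd:   # slide rule: total time back in service must be shorter than MTD
        findings.append(f"{p.name}: RTO+WRT = {total:g}h is not shorter than MTD = {p.mtd:g}h")
    if p.backup_interval > p.rpo:   # data older than the RPO cannot be recovered
        findings.append(f"{p.name}: backups every {p.backup_interval:g}h cannot meet RPO = {p.rpo:g}h")
    return findings

def prioritize(processes: list[BusinessProcess]) -> list[str]:
    """Recovery order: shortest MTD first, the usual BIA criticality ranking."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]

# Constructed sample BIA data, not figures from the lecture.
SAMPLE = [
    BusinessProcess("Order processing", mtd=8, rto=4, wrt=2, rpo=1, backup_interval=1),
    BusinessProcess("Payroll", mtd=72, rto=48, wrt=30, rpo=24, backup_interval=24),
    BusinessProcess("Customer portal", mtd=4, rto=2, wrt=1, rpo=0.5, backup_interval=4),
]

if __name__ == "__main__":
    for process in SAMPLE:
        print("\n".join(assess(process) or [f"{process.name}: recovery plan is feasible"]))
    print("Recovery order:", prioritize(SAMPLE))
```

Payroll fails on timing (78 h of RTO + WRT against a 72 h MTD) and the customer portal fails on data loss (backups every 4 h against a 30-minute RPO), which is the kind of mismatch the BIA exists to surface before a disaster does.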

Timing and Sequence of CP Elements

Figure 3-6 Contingency planning implementation timeline


Source: Course Technology/Cengage Learning

Incident Response Plan

The question is not whether an incident will occur, but rather when it will occur.
An incident response plan is a detailed set of processes and procedures that commence when an incident is detected.
When a threat becomes a valid attack, it is classified as an information security incident if it:
is directed against information assets,
has a realistic chance of success, and
threatens the confidentiality, integrity, or availability of information assets.

Incident Response Plan (contd.)

Who creates the incident response plan?
Planners develop and document the procedures that must be performed during the incident and immediately after the incident has ceased.
Separate functional areas may develop different procedures.

Incident Response Plan (contd.)

Develop procedures for tasks that must be performed in advance of the incident:
Details of data backup schedules
Disaster recovery preparation
Training schedules
Testing plans
Copies of service agreements
Business continuity plans

Incident Response Plan (contd.)

Figure 3-3 Incident response planning


Source: Course Technology/Cengage Learning

Incident Response Plan (contd.)

Planning requires a detailed understanding of the information systems and the threats they face.
The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident.

Incident Response Plan (contd.)

Incident classification: determine whether an event is an actual incident.
Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators.
(Example: RSA Data Loss Prevention)

Incident Response Software

Incident Response Plan Tools


Incident Response Plan: Indicators

Possible indicators
Probable indicators
Definite indicators
When any of the following occur, the corresponding IR must be immediately activated:
Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law

http://www.npr.org/blogs/thetwo-way/2013/01/16/169528579/outsourced-employee-sends-own-job-tochina-surfs-web
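The classification step described on the preceding slides, written out as an added example that is not part of the lecture. The three indicator levels, the five definite categories and the reporting sources come from the slides; the rule that two independent probable indicators confirm an incident, and the sample reports, are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Added example (not from the lecture). Triage of candidate events using the
# slide's three indicator levels; the corroboration rule for non-definite
# indicators is an assumption, as are the constructed reports below.
DEFINITE = {"loss of availability", "loss of integrity", "loss of confidentiality",
            "violation of policy", "violation of law"}
ACTION_STEPS = ["notify key personnel via alert roster", "assign tasks", "document the incident"]

@dataclass(frozen=True)
class Report:
    source: str      # end user, IDS, host AV, network AV, sysadmin (the slide's sources)
    indicator: str   # what was observed
    level: str       # "possible", "probable" or "definite"

def classify(reports: list[Report]) -> str:
    """Decide whether the event is an actual incident.
    Returns 'incident', 'investigate' or 'no action'."""
    levels = [r.level for r in reports]
    if any(r.indicator in DEFINITE for r in reports) or "definite" in levels:
        return "incident"   # slide: IR must be activated immediately
    # Assumption: probable indicators from two different sources are treated
    # as confirmation; a single probable or possible indicator is not.
    probable_sources = {r.source for r in reports if r.level == "probable"}
    if len(probable_sources) >= 2:
        return "incident"
    if probable_sources or "possible" in levels:
        return "investigate"
    return "no action"

def reaction_steps(reports: list[Report]) -> list[str]:
    """Action steps that begin once the incident is confirmed and classified."""
    return list(ACTION_STEPS) if classify(reports) == "incident" else []

# Constructed reports, not taken from the lecture.
HOST_COMPROMISE = [
    Report("IDS", "outbound connection to a known malicious address", "probable"),
    Report("host AV", "unknown binary quarantined on the same host", "probable"),
]
USER_COMPLAINT = [Report("end user", "application slow this morning", "possible")]
OUTAGE = [Report("sysadmin", "loss of availability", "definite")]

if __name__ == "__main__":
    for name, reports in [("host", HOST_COMPROMISE), ("user", USER_COMPLAINT), ("outage", OUTAGE)]:
        print(name, classify(reports), reaction_steps(reports))
```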

Incident Response Plan (contd.)

Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase.
A number of action steps must occur quickly and may occur concurrently.

Incident Response Plan: Action Steps


1. Notification of key personnel (alert roster)
2. Assignment of tasks
3. Documentation of the incident

Incident Response Plan (contd.)

The essential task of IR is to stop the incident or contain its impact.
Incident containment strategies focus on two tasks:

IRP: Stopping the Incident

Containment strategies
Once the incident is contained and system control is regained, incident recovery can begin.
Incident damage assessment
An incident may increase in scope or severity to the point that the IRP cannot adequately contain it.

IRP: Recovery Process

Identify the vulnerabilities
Address the safeguards that failed
Evaluate monitoring capabilities (if present)
Restore the data from backups as needed
Restore the services and processes in use
Continuously monitor the system
Restore the confidence of the members

Incident Response Plan (contd.)

When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities.
Involving law enforcement has both advantages and disadvantages.

Article: Incident Response SANS Survey

Disaster Recovery Plan

The preparation for and recovery from a disaster, whether natural or man-made.
In general, an incident is a disaster when:

Disaster Recovery Plan (contd.)

The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located.
Common DRP classifications:
Natural Disasters
Human-made Disasters

Scenario development and impact analysis

Used to categorize the level of threat of each potential disaster.

Disaster Recovery Plan (contd.)

Discussion on Disaster Recovery Myths

Disaster Recovery Plan (contd.)

Discussion on Disaster Recovery Checklist

Business Continuity Plan

Ensures critical business functions can continue in a disaster.
Activated and executed concurrently with the DRP when needed.
Relies on identification of critical business functions and the resources to support them.

BCP: Strategies
Continuity strategies

Business Continuity Plan: Site Options

Hot Sites
Warm Sites
Cold Sites
Other Alternatives: Timeshares, Service Bureaus, Mutual Agreements
Ex. RSA data centers lease 2 10-gig Ethernet lines between MA and NC

Business Continuity Plan (contd.)

To get any BCP site running quickly, the organization must be able to recover data.
Options include:

Timing and Sequence of CP Elements

Figure 3-4 Incident response and disaster recovery


Source: Course Technology/Cengage Learning

Timing and Sequence of BCP

Source: Course Technology/Cengage Learning


Business Resumption Planning

Because the DRP and BCP are closely related, most organizations prepare them concurrently.

Business Resumption Planning (contd.)

Components of a simple disaster recovery plan:
Name of agency
Date of completion or update of the plan and test date
Agency staff to be called in the event of a disaster
Emergency services to be called (if needed) in the event of a disaster

Business Resumption Planning (contd.)

Components of a simple disaster recovery plan (contd.):
Locations of in-house emergency equipment and supplies
Sources of off-site equipment and supplies
Salvage priority list
Agency disaster recovery procedures
Follow-up assessment

Testing Contingency Plans

Problems are identified during testing.
Improvements can then be made, resulting in a reliable plan.

Contingency plan testing strategies

Desk check
Structured walkthrough
Simulation
Parallel testing
Full interruption testing

Contingency Planning: Final Thoughts

Iteration results in improvement.
A formal implementation of this methodology is a process known as continuous process improvement (CPI).
Each time the plan is rehearsed it should be improved.
Constant evaluation and improvement lead to an improved outcome.
