1 / 59

Planning for Contingencies

Planning for Contingencies. EECS 711: Security Management and Audit Philip Mein "Prakash" Pallavur Sankaranaraynan Annette Tetmeyer. Outline. What is Contingency Planning? Components of Contingency Planning Business Impact Analysis Incident Response Plan Disaster Recovery Plan

betsy
Download Presentation

Planning for Contingencies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Planning for Contingencies EECS 711: Security Management and Audit Philip Mein "Prakash" Pallavur Sankaranaraynan Annette Tetmeyer EECS 711 Spring 2008 Chapter 3

  2. Outline What is Contingency Planning? Components of Contingency Planning Business Impact Analysis Incident Response Plan Disaster Recovery Plan Business Continuity Plan Timing and Sequence of CP Elements Business Resumption Planning Testing Contingency Plans Contingency Planning: Final Thoughts EECS 711 Spring 2008 Chapter 3

  3. What is Contingency Planning? The overall process of preparing for unexpected events Prepare for, detect, react to, recover from these events “many organization contingency plans are woefully inadequate…” EECS 711 Spring 2008 Chapter 3

  4. What is Contingency Planning? Communities of Interest Information Technology Information Security Prepare for, detect, react to and recover from unexpected events Natural Human Environmental EECS 711 Spring 2008 Chapter 3

  5. Components of Contingency Planning EECS 711 Spring 2008 Chapter 3

  6. Components of Contingency Planning Business Impact Analysis (BIA) Determine critical business functions and information systems Incident Response Plan (IR) Immediate response to an incident Disaster Recovery Plan (DR) Focus on restoring operations at the primary site Business Continuity Plan (BC) Enables business to continue at an alternate site Occurs concurrently with DR Plan EECS 711 Spring 2008 Chapter 3

  7. Major Tasks EECS 711 Spring 2008 Chapter 3

  8. Developing the CP Plan Unified plan Smaller organizations Four plans with interlocking procedures Larger, complex organizations Should involve high level administrators and key personnel CIO, CISO, IT and business managers, system administrators EECS 711 Spring 2008 Chapter 3

  9. CP Team Personnel Champion: provides strategic vision and access to organizational support Project Manager Team Members: from communities of interest EECS 711 Spring 2008 Chapter 3

  10. CP Process Elements Required to begin the CP process Planning methodology Policy environment Understanding cause and effect of precursor activities Access to financial and other resources (budget) EECS 711 Spring 2008 Chapter 3

  11. Creating the CP Document Develop the policy statement Conduct the BIA Identify preventive controls Develop recovery strategies Develop an IT contingency plan Plan testing, training and exercises Plan maintenance EECS 711 Spring 2008 Chapter 3

  12. Creating the CP Document EECS 711 Spring 2008 Chapter 3

  13. Sample Policy EECS 711 Spring 2008 Chapter 3

  14. Business Impact Analysis Provides detailed scenarios of effects of potential attacks Risk management identifies attacks BIA assumes controls have failed EECS 711 Spring 2008 Chapter 3

  15. Risk Management Contingency planning and risk management are closely related • Risks must be identified in order to establish the contingency plan EECS 711 Spring 2008 Chapter 3

  16. BIA Stages Threat Attack Identification and Prioritization Business Unit Analysis Attack Success Scenario Development Potential Damage Assessment Subordinate Plan Classification EECS 711 Spring 2008 Chapter 3

  17. Threat Attack Identification and Prioritization Update threat list and add an attack profile Detailed description of activities that occur during an attack Develop for every serious threat Natural or man-made Deliberate or accidental Used later to provide indicators of attacks and extent of damage EECS 711 Spring 2008 Chapter 3

  18. Example Attack Profile Elements Include Date analyzed Attack name and description Threat and probable threat agents Vulnerabilities (known or possible) Precursor activities or indicators Likely attack activities or indicators of attack in progress Information assets at risk Damage or loss to information assets Other assets at risk and damage/loss to these assets Immediate actions indicated when the attack is underway Follow-up actions after this attack was successfully executed against systems Comments EECS 711 Spring 2008 Chapter 3

  19. Business Unit Analysis Analysis and prioritization of business functions Independently evaluate all departments, units, etc. Prioritize revenue producing functions EECS 711 Spring 2008 Chapter 3

  20. Attack Success Scenario Development What are the effects of the threat? Alternative outcomes to each Best, worst, most likely What are the implications for all business functions? EECS 711 Spring 2008 Chapter 3

  21. Potential Damage Assessment Prepare attack scenario end case What is the cost for the best, worst, most likely? Include cost estimates of time and effort EECS 711 Spring 2008 Chapter 3

  22. Subordinate Plan Classification Is the attack disastrous or not? Develop subordinate plans Non disastrous scenarios may be addressed as part of DR and BC plans EECS 711 Spring 2008 Chapter 3

  23. Incident Response Plan “Things which you do not hopehappen more frequentlythan things which you do hope.”-- Plautus (c. 254–184 BCE),in Mostellaria,Act I, Scene 3, 40 (197) EECS 711 Spring 2008 Chapter 3

  24. Incident Response Plan • Incident • An unexpected event • IRP (Incident Response Plan) • Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets • IR (Incident Response) • A set of procedures that commence when an incident is detected • Minimal damage • Little or no disruption to business operations • What is not is prevention (reactive not preventative) EECS 711 Spring 2008 Chapter 3

  25. IR Policy • CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC) • Defines the roles and responsibilities for the entire enterprise • Defines the roles and responsibilities for for the SIRT (Security Incident Response Team EECS 711 Spring 2008 Chapter 3

  26. IR Policy cont. • Computer Security Incident Handling Guide (NIST SP 800-61) • Statement of management commitment • Purpose and objectives of the policy • Scope of the Policy • Definition of information security incidents and their consequences within the organization • Organizational structure and delineation of roles responsibilities, and levels of authority • Prioritization or severity ratings of incidents • Performance measures • Reporting and contact forms EECS 711 Spring 2008 Chapter 3

  27. What is an InfoSec Incident • It is directed against information assets • It has a realistic chance of success • It threatens the confidentiality, integrity, or availability of information resources and assets EECS 711 Spring 2008 Chapter 3

  28. IR Plan • BIA provides data to develop IR plan • Information systems and the threats they face • Stop the incident, mitigate its effects, and provide information for the recovery from the incident • Three sets of incident procedures • Before an Attack • Backup schedules • Training schedules • Testing plans • During an Attack • Procedures and tasks to be performed during the incident • Minimize the effect of the attack (avoid disaster) • After an Attack • Patches, Updates • Interviews EECS 711 Spring 2008 Chapter 3

  29. Incident Detection • Incident candidates • Possible Indicators • Unfamiliar files, unknown processes, consumption of resources, unusual system crashes • Probable Indicators • Activity at unexpected times, presence of new accounts, reported attacks, IDS • Definite Indicators • Use of dormant accounts, changes to logs, presence of hacker tools, notification by peers, notification by hacker • Occurrences of Actual Incidents • Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law EECS 711 Spring 2008 Chapter 3

  30. Actual Incident reported by IDS EECS 711 Spring 2008 Chapter 3

  31. Incident Response • Notification of Key Personnel • Alert roster (sequential or hierarchical) • Documenting an Incident • Who, what, when, where, why, how (for each action) • Incident Containment Strategies • Stopping the incident and recovering control • Disabling compromised accounts • Reconfiguring a firewall • Disabling the compromised process or service • Taking down the conduit application or server • Stopping all computers and network devices • Incident Escalation EECS 711 Spring 2008 Chapter 3

  32. Incident Response cont. • Incident Recovery • Incident damage assessment • Scope of C.I.A. • Individuals who document the damage must be trained to collect and preserve evidence • Recovery steps: • Identify vulnerabilities • Address the safeguards that failed to stop or limit the incident or missing • Evaluate monitoring capabilities • Restore data from backups • Restore the services and processes • Continuously monitor the system • Restore the confidence of the members of the organization • Law Enforcement Involvement • FBI, US Secret Service, US Treasury Dept, SEC, Local agencies EECS 711 Spring 2008 Chapter 3

  33. Disaster Recovery Plan Entails the preparation for and recovery from a disaster Responsibility of the IT community of interest, under the leadership of the CEO An incident becomes a disaster when The organization is unable to contain or control the impact of an incident The level of damage is so severe that the organization cannot recover from the incident EECS 711 Spring 2008 Chapter 3

  34. Disaster Recovery Plan • The key role of a DR plan is to reestablish operations at the primary location EECS 711 Spring 2008 Chapter 3

  35. DR Planning Process • Develop the DR planning policy statement • Review the BIA • Indentify preventive controls • Develop recovery strategies • Develop the DR plan document • Plan testing, training and exercises • Plan maintenance EECS 711 Spring 2008 Chapter 3

  36. DR Planning Policy Statement • The DR team lead by the DR team lead, begins with the development of the DR policy • The DR policy contains the following key elements: • Purpose • Scope • Roles and responsibilities • Resource requirements • Training requirements • Exercise and testing schedules • Plan maintenance schedules • Special considerations EECS 711 Spring 2008 Chapter 3

  37. Classification of disasters • Natural disasters • Examples: Fire, flood, hurricane, tornado • Man-made disasters • Examples: Cyber-terrorism • Rapid-onset • Examples: Earthquakes, mud-flows • Slow-onset • Examples: Famines, deforestation EECS 711 Spring 2008 Chapter 3

  38. Planning for disaster • Key elements that the CP team must build into a DR plan include the following: • Delegation of roles and responsibilities • Execution of alert roster and notification of key personnel • Clear establishment of priorities • Procedures for documentation of disasters • Actions to mitigate the impact of disaster on the operations • Alternative implementations of various systems in case the primaries are unavailable EECS 711 Spring 2008 Chapter 3

  39. Options to protect information Traditional back-ups Electronic vaulting Remote journaling Database shadowing EECS 711 Spring 2008 Chapter 3

  40. Crisis Management • Steps taken during and after a disaster that affect people internally and externally • According to Gartner Research, crisis management involves the following activities: • Supporting personnel and their loved ones during the crisis • Determine events impact on normal business and make disaster declaration if necessary • Keep public informed about the event and steps being taken to ensure recovery of personnel and the enterprise • Communicate with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties. EECS 711 Spring 2008 Chapter 3

  41. Crisis Management • The crisis management team is also charged with two key tasks: • Verifying personnel status • Activating the alert roster • The most important role of crisis management is, in the event of a disaster tell the whole story as soon as possible directly to the affected audience EECS 711 Spring 2008 Chapter 3

  42. Responding to disasters During disasters even the most well planned DR plans can be overwhelmed To be prepared, the CP team should incorporate a degree of flexibility If facilities are intact DR team should begin restoration of systems and services If facilities are destroyed, alternative actions must be taken until new facilities are available When the operations of the primary site are threatened, the disaster recovery process becomes a business continuity process EECS 711 Spring 2008 Chapter 3

  43. Business Continuity Plan Ensures that critical business functions can continue if a disaster occurs CEO should manage Activated and executed concurrently with DR plan Business can no longer function at primary location Use an alternate location EECS 711 Spring 2008 Chapter 3

  44. Business Continuity Plan Identify critical business functions and resources to support them Want to quickly re-establish these functions at alternate site EECS 711 Spring 2008 Chapter 3

  45. BC Planning Process Develop the BC planning policy statement Authority, guidance, executive vision Review the BIA Identify, prioritize critical IT systems Identify preventive controls Measures to reduce disruption, increase system availability Develop relocation strategies Critical systems must be recovered quickly EECS 711 Spring 2008 Chapter 3

  46. BC Planning Process Develop the continuity plan Include detailed guidelines and procedures Plan testing, training, and exercises Identify planning gaps, prepare personnel for improved effectiveness and preparedness Plan maintenance Living document, plan to update! EECS 711 Spring 2008 Chapter 3

  47. Develop the BC planning policy statement Authority, guidance, executive vision Provide: Purpose Scope Roles and responsibilities Resource requirements Training requirements Plan maintenance schedule Special considerations EECS 711 Spring 2008 Chapter 3

  48. Plan Similarities Similar to other elements of the CP Process are similar Implementation differs EECS 711 Spring 2008 Chapter 3

  49. Design Parameters Recovery Time Objective (RTO) Amount of time that passes before an infrastructure is available Recovery Point Objective (RPO) The point in the past to which the recovered applications and data will be restored How much data loss? EECS 711 Spring 2008 Chapter 3

  50. Continuity Strategies Exclusive-use options Hot site Warm site Cold site Shared-use options Timeshare Service bureau Mutual agreement Other Rolling mobile site Mirrored site Cost Time to activate EECS 711 Spring 2008 Chapter 3

More Related