Principles of Incident Response and Disaster Recovery PowerPoint PPT Presentation



Principles of Incident Response and Disaster Recovery

Chapter 2

Planning for Organizational Readiness



Objectives

  • Identify an individual or group to create a contingency policy and plan

  • Understand the elements needed to begin the contingency planning process

  • Create an effective contingency planning policy

  • Become familiar with the business impact analysis and each of the component parts of this important process

  • Know the steps needed to create and maintain a budget for enabling the contingency planning process

Principles of Incident Response and Disaster Recovery



Introduction

  • Planning for contingencies is complex and demanding

  • Developing a contingency plan:

    • Organize the planning process

    • Prepare the detailed plans

    • Commit to maintaining plans at a high state of readiness

    • Rehearse the use of the plans

    • Maintain the processes necessary to keep a high state of readiness


Beginning the Contingency Planning Process

  • Contingency planning management team (CPMT) is responsible for:

    • Obtaining senior management commitment and support

    • Writing the contingency plan document

    • Conducting the business impact analysis (BIA):

      • Identifying and prioritizing threats and attacks

      • Identifying and prioritizing business functions

    • Organizing the subordinate teams (incident response, disaster recovery, business continuity, crisis management)


Beginning the Contingency Planning Process (continued)

  • Typical CPMT roster may include:

    • Champion: high-level manager with influence and resources; provides strategic vision

    • Project manager: leads project

    • Team members: managers or representatives from business, information technology, and information security

    • Representatives from other business units (HR, PR, finance, legal, physical plant, etc.)

    • Representatives from subordinate teams (IR, DR, and BC teams)


Commitment and Support of Senior Management

  • Contingency planning process will fail without clear and formal commitment of senior management

  • Emphasis from senior management encourages subordinates to invest in the process

  • Support must also be gained from communities of interest

  • Community of interest:

    • Group of individuals united by shared interests or values within the organization


Commitment and Support of Senior Management (continued)

  • Three communities of interest with roles and responsibilities in information security:

    • Managers and practitioners in information security

    • Managers and practitioners in information technology

    • Managers and professionals from general management

  • Information security management and professionals:

    • Focus on integrity and confidentiality of systems

    • May lose sight of the objective of availability


Commitment and Support of Senior Management (continued)

  • Information technology management and professionals:

    • Design, build, and operate information systems

    • Focus on costs of system creation and operation, ease of use, timeliness, transaction response time, etc.

  • Organizational management and professionals:

    • Includes executives, production management, HR, accounting, legal, etc. – the users of IT systems


Elements to Begin Contingency Planning

  • Required elements to begin the CP process:

    • Planning methodology

    • Policy environment to enable the planning process

    • Business impact analysis

    • Planning budget: access to resources (financial and other)

  • CPMT begins the development of a CP document

  • CP document provides a 7-step contingency process used to develop and maintain a contingency planning program


Elements to Begin Contingency Planning (continued)

  • 7-step process:

    • Develop the contingency planning policy statement

    • Conduct the BIA

    • Identify preventive controls - measures to reduce the effects of system disruptions

    • Develop recovery strategies

    • Develop an IT contingency plan

    • Conduct plan testing, training, and exercises

    • Maintain the plan


Contingency Planning Policy

  • Contingency Planning Policy:

    • Established by executive management

    • Defines the scope of the CP operations

    • Establishes managerial intent for response times, disaster recovery, and resumption of operations

    • Establishes responsibility for development and operations of the CPMT


Business Impact Analysis

  • Business Impact Analysis (BIA):

    • An investigation and assessment of the impact of various types of attacks

    • Provides detailed scenarios of the effects of each potential type of attack

  • BIA assumes that risk management controls have been bypassed, have failed, or were ineffective

  • BIA addresses what to do if the attack succeeds


Business Impact Analysis (continued)

  • CPMT conducts BIA in five stages:

    • Threat attack identification and prioritization

    • Business unit analysis

    • Attack success scenario development

    • Potential damage assessment

    • Subordinate plan classification


Threat or Attack Identification and Prioritization

  • List of threats already identified by the risk management process should be converted to a list of attacks

  • List of attacks is used to create attack profiles

  • Predominantly information security-related threats, but should also include work stoppages, serious illnesses (pandemics), and other critical threats

  • List of attacks should be categorized to some degree

  • Categories may overlap multiple attacks, and vice versa


Threat or Attack Identification and Prioritization (continued)

  • Use a weighted analysis table to prioritize attacks facing the organization

  • May use a scale to place values for both weights and attack values

  • Weights to consider:

    • Probability of occurrence

    • Probability of success

    • Extent of damage

    • Cost to restore


Business Unit Analysis

  • Analysis and prioritization of business functions within the organization

  • Priority should be on restoring the organization’s main revenue-producing operations

  • Avoid “turf wars” and focus on critical business functions that must be sustained to continue business operations

  • Assign weights to each critical business function, using a weighted analysis table
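The weighted analysis table used above for attacks, and here again for business functions, as an added Python example that is not part of the slides or the textbook: the four criteria are the slide's own, while the 1..5 rating scale, the weights (assumed to sum to 1.0), and the sample rows are constructed assumptions. The same functions rank business functions once the criteria and weights are swapped for the ones the CPMT agrees on.

```python
# Added example (not from the slides or the textbook): a weighted analysis
# table scorer. The four criteria are the slide's; the 1..5 scale, the
# weights, and the sample attacks/ratings are constructed assumptions.

# Relative importance of each criterion; assumed convention: weights sum to 1.0.
WEIGHTS = {
    "probability_of_occurrence": 0.30,
    "probability_of_success": 0.20,
    "extent_of_damage": 0.30,
    "cost_to_restore": 0.20,
}

def validate_weights(weights):
    """Reject negative weights or a set that does not sum to 1.0."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")

def weighted_score(ratings, weights=WEIGHTS, scale=5):
    """Weighted score of one row (an attack or a business function).

    A missing, unknown or out-of-range rating is an error rather than a
    silent zero, so a half-filled row cannot quietly sink to the bottom.
    """
    validate_weights(weights)
    unknown = set(ratings) - set(weights)
    missing = set(weights) - set(ratings)
    if unknown or missing:
        raise KeyError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    for name, value in ratings.items():
        if not 1 <= value <= scale:
            raise ValueError(f"{name}={value} is outside 1..{scale}")
    return round(sum(weights[c] * ratings[c] for c in weights), 3)

def prioritize(table, weights=WEIGHTS):
    """Return [(name, score), ...] highest priority first; ties keep table order."""
    scored = [(name, weighted_score(row, weights)) for name, row in table.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample rows; names and ratings are illustrative only.
SAMPLE_TABLE = {
    "Ransomware on file servers": {"probability_of_occurrence": 4,
        "probability_of_success": 3, "extent_of_damage": 5, "cost_to_restore": 4},
    "Extended power outage": {"probability_of_occurrence": 3,
        "probability_of_success": 5, "extent_of_damage": 3, "cost_to_restore": 2},
    "Pandemic work stoppage": {"probability_of_occurrence": 2,
        "probability_of_success": 5, "extent_of_damage": 4, "cost_to_restore": 3},
}

if __name__ == "__main__":
    for rank, (name, score) in enumerate(prioritize(SAMPLE_TABLE), 1):
        print(f"{rank}. {name}: {score}")
```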


Attack Success Scenario Development

  • Attack scenario (attack profile):

    • Depicts the effects of an occurrence of each threat on each prioritized functional area

    • Should include the attack methodology, indicators of the attack, and broad consequences

  • An attack may have implications for many business functions


Potential Damage Assessment

  • Attack scenario end case:

    • Estimates the cost of the best, worst, and most likely outcomes

    • Helps to identify what must be done to recover from each case

  • Costs include the actions of the response team members as they act to recover from an incident or disaster

  • Costs to recover from a disaster or incident may motivate additional spending on protection of business units


Subordinate Plan Classification

  • Subordinate plan:

    • Deals with the aftermath of the attack

    • May already be part of standard operating procedures

    • May be part of an existing or prior disaster recovery planning project or business continuity project

  • Each attack is categorized as disastrous or not

    • Disastrous attacks generally cannot be stopped while in process due to danger to employees, such as hurricanes, fires, floods, tornadoes, etc.


BIA Data Collection

  • Methods to collect BIA data:

    • Online questionnaires

    • Facilitated data-gathering sessions

    • Process flows and interdependency studies

    • Risk assessment research

    • IT application or system logs

    • Financial reports and departmental budgets

    • BCP/DRP audit documentation

    • Production schedules


BIA Data Collection (continued)

  • Online questionnaires: provide a structured method to collect information from those who know the most about the business area

  • Should include questions about:

    • Function description

    • Dependencies

    • Impact profile

    • Operational impacts

    • Financial impacts

    • Work backlog

    • Recovery and technology resources

    • PC and network requirements


BIA Data Collection (continued)

  • Online Questionnaire – questions (continued):

    • Work-around procedures

    • Can work be performed at home?

    • Can workload be shifted to another business area?

    • Required business records and backups

    • Required regulatory reporting

    • Work inflows required

    • Work outflows and impact of loss of outflow

    • Business disruption experience (past history)

    • Competitive analysis


BIA Data Collection (continued)

  • Other key issues that should be identified for the completion of the BIA:

    • Recovery point objective (RPO): point in time by which systems and data must be recovered; e.g. how much data can we afford to lose?

    • Recovery time objective (RTO): period of time within which functionality must be recovered; e.g., maximum allowed downtime


BIA Data Collection (continued)

  • Facilitated data-gathering sessions (focus group):

    • Collects information directly from end users and business managers

  • Process flows and interdependency studies:

    • Systems diagramming, including:

      • Use case diagrams and supporting use cases

      • UML models

      • Workflow

      • Functional decomposition

      • Dataflow diagrams


BIA Data Collection (continued)

  • Risk Assessment Research:

    • Information collected during the risk assessment and risk management planning processes that provides input to the BIA

  • IT Application or System Logs:

    • Logs provide data on failed login attempts, probes, scans, denial of service attacks, viruses detected, etc.

    • Helps describe the attack environment

  • Financial Reports and Departmental Budgets:

    • Help to prioritize business functions according to their contribution to profitability and revenue


BIA Data Collection (continued)

  • Audit Documentation:

    • Provides information for compliance with federal and state regulations, national or international standards

  • Production Schedules:

    • Production schedules, marketing forecasts, and productivity reports help in prioritizing business functions


Budgeting for Contingency Operations

  • Disaster recovery and business continuity require dedicated budgeting; incident response may not

  • Incident Response Budgeting:

    • Usually part of a normal IT budget

    • Includes data backup and recovery, UPSs, anti-virus software, anti-spyware software, RAID drives, storage-area networks (SANs), etc.

    • Should also include maintenance of redundant equipment to handle equipment failures

    • Rule of 3: keep 3 levels of computer system environments available for essential redundancy (hot, warm, and cold)


Budgeting for Contingency Operations (continued)

  • Disaster Recovery Budgeting:

    • Insurance covers rebuilding and reestablishing operations at the primary site

    • Consider data loss policies

    • Other items not covered by insurance, such as loss of services (water, electricity, data), etc.

  • Business Continuity Budgeting:

    • Requirements to maintain service contracts, such as mobile equipment, and temporary sites

    • Employee overtime


Budgeting for Contingency Operations (continued)

  • Crisis Management Budgeting:

    • Employee salaries

    • Other employee expenses and benefits


Summary

  • Contingency planning starts by establishing the team, writing the planning document, obtaining commitment from senior management, and conducting the BIA

  • CP process requires planning methodology, policy environment, BIA, and budgetary resources

  • 7 steps of planning cycle: develop the policy, conduct the BIA, identify preventive controls, develop recovery strategies, develop IT contingency plan, test the plan, maintain the plan


Summary (continued)

  • CP policy should contain introduction, statement of scope and purpose, call for periodic risk assessment and BIA, major components to be covered by CPMT, call for recovery options and business continuity strategies, call for testing, list of key regulations and standards that must be met, identification of key individuals, and call for organization support

  • BIA should contain threat attack identification and prioritization, business unit analysis, attack success scenarios, potential damage assessments, and subordinate plan classification


Summary (continued)

  • Budgeting requirements include incident response budgeting, disaster recovery budgeting, business continuity budgeting, and crisis management budgeting
