Disaster Recovery and Business Continuity Chapter 16
Disaster Recovery
• A good disaster recovery plan prepares an organization for any type of disruption.
• How an organization prepares for a disaster, and how well its plans mitigate it, dictate how long operations are disrupted.
• These events do not happen often.
• It is more likely that business operations will be interrupted by employee error.
Disaster Recovery Planning Process
• Defines the resources, actions, and data required to reinstate critical business processes.
• Potential threats:
  • Human-induced accidents: loss of power, transportation accidents, chemical contamination, etc.
  • Natural: flood, earthquake, tornado, etc.
  • Internal: sabotage, theft, employee violence, etc.
  • Armed conflict: acts of terrorism, civil unrest, war
  • External: hacking, unauthorized use, industrial espionage, etc.
Plan/Process
• A disaster recovery plan (DRP) defines the data and resources necessary, and the steps to take, in order to restore critical processes.
• Physical resources
  • Computer hardware and software
• Personnel
  • Organizations need somebody who knows how to run the systems that process critical data.
Plans/Process
• Understand how long the organization can survive without each specific function, and classify the function accordingly:
• Critical
  • The function is essential for operations; without it, the basic mission of the organization cannot be accomplished.
• Necessary for normal processing
  • The function is needed for normal processing, but the organization can do without it for a short period of time (such as less than 30 days).
• Desirable
  • The function is not needed for normal processing, but it enhances the organization's ability to conduct its mission efficiently.
• Optional
  • The function is nice to have; it does not affect operations.
Documents in a Disaster Recovery Plan
• List of covered disasters
• List of disaster recovery team members for each type of situation and their contact information
• Business impact assessment
• Business resumption and continuity plan
• Backup documentation
• Restore documentation
Steps in the Disaster Recovery Planning Process
• The disaster recovery team should include:
  • a member of senior management to assess business impact
  • members of the Information Technology Department who will perform the assessment and recovery
  • representatives from facilities management
  • representatives from the user community affected by the event
• The most important step in managing potential crises is to have the proper team assembled, trained, and ready to respond at a moment's notice.
Business Continuity Plan
• A BCP emphasizes the critical systems needed to operate.
• The BCP describes the functions that are most critical.
• The BCP often describes the order in which functions should be returned to operation.
• The BCP is determined by the Business Impact Assessment.
• The Australian Academic Research Network reported that packet loss on its MCI link went from zero to four percent at 13:39:25 GMT, then to 100% at 14:06:11 GMT, 96% at 14:07:48 GMT, and back to zero at 14:29:07 GMT.
Policies and Procedures
• Security policy
• Human resources policy
• Incident response policy
Security Policy
• General statement that dictates what security means to the organization
• Establishes how the security program is organized
• Describes the policy's goals
• Identifies who is responsible
• Describes the strategic value of the policy
Sections of a Security Policy
• A password management policy should address:
  • The procedures for selecting passwords (if users are allowed to select their own): length, character set, etc.
  • The frequency with which they must be changed, and how they will be distributed.
  • Procedures for creating new passwords should an employee forget a password.
  • The acceptable handling of passwords.
  • Password cracking by administrators, which discovers weak passwords selected by employees.
Sections of a Security Policy: Acceptable Use
• A good policy ensures employee productivity while limiting liability arising from inappropriate use of the organization's assets. It should delineate what activities are not allowed.
• The policy should consider:
  • Use of resources to conduct personal business
  • Installation of hardware or software
  • Remote access to systems and networks
  • Copying of company-owned software
  • User responsibility to protect company assets: data, software, and hardware
• Statements regarding penalties for violating the policies (such as termination) should also be included.
  • Penalties should not outweigh the related offense.
Sections of a Security Policy: Acceptable Use
• The appropriate use of monitoring by the organization.
  • Is it appropriate to monitor an employee's use of the systems and network?
  • If any information gathered during monitoring is used in a civil or criminal case, be able to answer the following questions:
    • Did the employee have an expectation of privacy?
    • Was it legal for the organization to be monitoring?
  • The statement that use of the system constitutes consent to monitoring should be referenced.
Sections of a Security Policy
• The Internet usage policy ensures employee productivity and limits liability from inappropriate use of the Internet in the workplace.
• This policy addresses which sites employees are allowed to visit.
• If the company allows employees to surf the Web during non-work hours, the policy should spell out acceptable parameters, including times and prohibited sites.
• The policy should describe under what circumstances an employee would be allowed to post something from the organization's network on the Web.
Sections of a Security Policy
• The e-mail usage policy is similar to the Internet usage policy.
• It states what the company will allow employees to send by e-mail.
• The policy should spell out whether non-work e-mail traffic is allowed or restricted.
• It should cover the types of message that would be considered inappropriate to send to other employees.
• The policy should specify any disclaimers that must be attached to an employee's messages sent outside the company.
Sections of a Security Policy
• Due care and due diligence are terms that address issues where one party's actions may have caused loss or injury to another party.
• The law recognizes the responsibility of an individual or an organization to act reasonably.
• Reasonable actions should be taken to demonstrate that the organization is being responsible.
• Organizations should protect the information they maintain on individuals.
• The standard applied, reasonableness, is subjective and is often determined by a jury.
• The organization must show it has taken reasonable precautions to protect the information.
• Despite these precautions, an unforeseen security event may occur that causes injury to the other party.
Sections of a Security Policy
An effective policy should include sections on:
• Privacy - if clients' and partners' right to privacy is violated, there can be legal action for intentionally or unintentionally divulging that information.
• Separation of duties - effectively distribute tasks throughout the IT organization and document processes thoroughly.
• Need-to-know issues - need-to-know rights work in tandem with the concept of least privilege.
• Service-level agreements - a contractual understanding between an ISP and the end user which binds the ISP to a specified and documented level of service.
• Destruction or disposal of information and storage media - the best way is to have the medium degaussed or physically destroyed.
Human Resources Policy
• Cross-train technology staff
• Continuously train personnel to be able to manually perform tasks that are normally automated
• How personnel management relates to security:
  • Pre-employment
  • Employee maintenance
  • Post-employment
• Minimize the risk that security is compromised
  • Perform periodic reviews
  • Reevaluate security clearances
  • Implement a policy of job rotation and separation of duties
Employee Hiring
• Verify the candidate's background
  • Reference checks
  • Previous employers
  • Criminal background checks
  • Relevant educational background
  • Character evaluations
  • Background investigation
Employee Termination
• Make the process as friendly as possible to avoid ill will
• Conduct exit interviews professionally
• Collect security badges and company property from the former employee
• Escort the individual off the property
• Deactivate the former employee's computer accounts and change affected passwords
Code of Ethics
• As part of the human resources policy, a code of ethics can help define the company's stance on information security.
• The code should demand that employees act honestly, responsibly, and legally to protect the organization.
• Employees should be asked to work diligently and provide competent services to all customers, suppliers, and fellow employees.
• The code should also discourage unsafe practices and preserve and strengthen the integrity of the organization.
• Employees should observe and abide by all contracts, expressed or implied, avoid any conflict of interest, and take on only the jobs they are qualified to perform.
Incident Response Policy
• Covers how to detect and recover from incidents quickly
• Adopting an incident response methodology contributes to the practice of due care:
  • Preparation - create procedures that describe responses
  • Detection - intrusion detection systems (IDS) assist with this process
  • Containment - assess on a case-by-case basis
  • Eradication - necessary to eradicate the cause of the incident
  • Recovery - a full system restore is the highest level of assurance that systems and network components are not compromised
  • Follow-up - documenting the incident:
    • provides information that can help justify an organization's incident response effort and security policy
    • provides training material for new team members and can be leveraged should there be legal proceedings that arise because of the incident
Privilege Management Policy
• Helps secure mission-critical information
• Considerations:
  • Restrict access to files based on identifying a specific MAC address
  • Prescribe standard requirements for access controls placed on key files and network resources
  • Tool or mechanism required
  • Default requirement for new files
Privilege Management Policy
• Types of access control lists - using file permissions and optional ACLs to implement:
  • Discretionary Access Control (DAC) list - restricts access to information based on a user's ID or group membership
  • Mandatory Access Control (MAC) list - controls access to information based on the sensitivity of the information
  • Role-Based Access Control (RBAC) list - manages access and privileges based on the user's assigned roles
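To make the three list types concrete, here is an added Python example (not from the slides) that decides the same file-access request under DAC, MAC and RBAC side by side. The users, file, labels and roles are constructed sample data, and the MAC rule assumes a Bell-LaPadula style "no read up, no write down" ordering of sensitivity labels.

```python
"""Added example (not from the slides): one file-access request decided under the
three list types named above (DAC, MAC, RBAC); all users, files and roles are constructed."""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # MAC, low to high

@dataclass
class File:
    owner: str
    group: str
    label: str                                # MAC sensitivity label
    acl: dict = field(default_factory=dict)   # DAC: user id or group -> permissions

@dataclass
class User:
    name: str
    groups: set
    clearance: str                            # MAC clearance level
    roles: set                                # RBAC role assignments

# RBAC: permissions attach to roles (per resource group), never to users directly.
ROLE_PERMS = {"payroll-clerk": {("payroll", "read")},
              "payroll-admin": {("payroll", "read"), ("payroll", "write")}}

def dac_allows(user, f, perm):
    """DAC: the owner has full control; ACL entries name a user id or a group."""
    if user.name == f.owner:
        return True
    granted = set(f.acl.get(user.name, ()))
    for g in user.groups:
        granted |= set(f.acl.get(g, ()))
    return perm in granted

def mac_allows(user, f, perm):
    """MAC: read only at or below clearance (no read up); write only at or above
    clearance (no write down), so sensitive information cannot flow to lower labels."""
    clearance, label = LEVELS[user.clearance], LEVELS[f.label]
    return clearance >= label if perm == "read" else label >= clearance

def rbac_allows(user, f, perm):
    """RBAC: the permission must come from one of the user's assigned roles."""
    return any((f.group, perm) in ROLE_PERMS.get(r, set()) for r in user.roles)

# Constructed sample data: alice owns the payroll file and granted bob read/write
# at her discretion, but bob's clearance and role do not match that grant.
PAYROLL = File(owner="alice", group="payroll", label="confidential",
               acl={"payroll": {"read"}, "bob": {"read", "write"}})
ALICE = User("alice", {"payroll"}, "confidential", {"payroll-admin"})
BOB = User("bob", {"finance"}, "internal", {"payroll-clerk"})
```

Running the three checks for bob shows the difference in who decides: DAC honours the owner's grant, MAC refuses the read because his clearance is below the label, and RBAC refuses the write because his role was never given it.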
Effective Backup Strategy Issues
• Frequency of backups
• Backup medium
• Time of day
• Manual or automated
• How verified
• Length of storage
• Location of storage
• Primary and fallback person responsible
• Need for off-site storage
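Several of these issues can be checked automatically against a backup manifest. The following Python is an added example (not from the slides) that verifies stored copies by hash, flags copies held past the retention period, checks that the newest copy meets the backup frequency, and confirms that a verified off-site copy exists. The manifest entries, backup contents and policy values are constructed sample data.

```python
"""Added example (not from the slides): automated checks for several of the
backup-strategy issues listed above: how backups are verified (hash check),
frequency of backups, length of storage and off-site storage.
The manifest, backup contents and policy values are constructed sample data."""
import hashlib
from datetime import datetime, timedelta, timezone

POLICY = {"max_age": timedelta(hours=24),     # frequency: at least daily
          "retention": timedelta(days=30),    # length of storage
          "require_offsite": True}            # need for off-site storage

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def utc(*ymdh):
    return datetime(*ymdh, tzinfo=timezone.utc)

# Constructed manifest: each entry records the hash taken when the backup was made.
GOOD = b"payroll-db-dump-v1"
BACKUPS = [
    {"name": "payroll-2024-06-01", "taken": utc(2024, 6, 1, 2), "site": "onsite",
     "sha256": sha256(GOOD), "data": GOOD},
    {"name": "payroll-2024-06-01-offsite", "taken": utc(2024, 6, 1, 2), "site": "offsite",
     "sha256": sha256(GOOD), "data": GOOD + b"\x00"},          # corrupted in transit
    {"name": "payroll-2024-04-20", "taken": utc(2024, 4, 20, 2), "site": "onsite",
     "sha256": sha256(GOOD), "data": GOOD},                    # older than retention
]

def check_backups(backups, now, policy=POLICY):
    """Return policy findings for a manifest; an empty list means every check passed."""
    findings = []
    for b in backups:
        # How verified: recompute the hash of the stored copy and compare.
        if sha256(b["data"]) != b["sha256"]:
            findings.append(f"{b['name']}: hash mismatch, copy is unusable")
        # Length of storage: copies past retention should be destroyed.
        if now - b["taken"] > policy["retention"]:
            findings.append(f"{b['name']}: past retention, schedule for destruction")
    # Frequency: the newest copy must be within the backup interval.
    newest = max(b["taken"] for b in backups)
    if now - newest > policy["max_age"]:
        findings.append(f"newest backup is {now - newest} old, frequency not met")
    # Off-site storage: at least one verified copy must be off-site.
    offsite_ok = any(b["site"] == "offsite" and sha256(b["data"]) == b["sha256"]
                     for b in backups)
    if policy["require_offsite"] and not offsite_ok:
        findings.append("no verified off-site copy")
    return findings
```

Checking the sample manifest at 08:00 UTC on 2024-06-02 produces four findings: the corrupted off-site copy, the copy past retention, a newest copy more than a day old, and therefore no verified off-site copy.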
Types of Off-Site Backup Facilities
• Hot site
• Warm site
• Cold site
Hot Site
• Fully configured and ready to operate within a few hours of a disaster
• Can support a short- or long-term outage
• Flexible in its configuration and options
• Advantages
  • Ready within hours for operations
  • High availability
  • Flexible configurations
  • Annual testing available
  • Exclusive use
• Disadvantages
  • Very expensive (can more than double data center costs)
Warm Site
• Partially configured with some equipment
• Essentially provides the facility and some peripheral devices, but not a full configuration like a hot site
• Advantages
  • Less expensive
  • Usually exclusive use
  • Available for long time frames
• Disadvantages
  • Not immediately available
  • Operational testing usually not available
Cold Site
• Supplies basic computing environments including wiring, ventilation, plumbing, and flooring
• Advantages
  • Relatively low cost
• Disadvantages
  • No hardware infrastructure
  • Not immediately available
  • Operational testing not available
Other Backup Considerations
• Reciprocal backup agreement
• Internet-based backup service
• Completely redundant in-house network
• Incident training ensures the effectiveness of backup methods and keeps personnel trained for a quick restore of the system.
• If the backup is taking place over a WAN connection or outside of the firewall, use a virtual private network (VPN) or encrypt the data on the server.
Chapter Summary
• Potential impact of external or internal activities on business functions
• Minimizing the impact of catastrophic events with:
  • Disaster recovery planning process
  • Business continuity preventative actions
  • Comprehensive security policies