420 likes | 564 Views
Lesson 19-Disaster Recovery, Business Continuity, and Organizational Policies. Disaster Recovery. Whether from a virus, hacking or simply a fire or flood or other act of nature- there may come a time when you will experience a catastrophic loss of computer data.
E N D
Lesson 19-Disaster Recovery, Business Continuity, and Organizational Policies
Disaster Recovery • Whether from a virus, hacking or simply a fire or flood or other act of nature- there may come a time when you will experience a catastrophic loss of computer data. • How to prepare for a disaster and how plans to mitigate the disaster dictate how long operations are disrupted. • These events do not happen often. • It is more likely that business operations will be interrupted due to employee error. • Plans/Process Backups • Utilities • Secure Recovery • High Availability and Fault Tolerance • Computer Incident Response Teams • Test, Exercise, and Rehearse
Categories of Business Functions • A BIA (Business Impact Assessment), and a DRP (Disaster Recovery Plan) categorizes functions based on how critical or important they are to a business operation. • Critical • The function is essential for operations and without the function, the basic mission of the organization cannot be accomplished. • Necessary for normal processing • The function is for normal processing, but the organization can do without it for a short period of time (such as for less than 30 days). • Desirable • The function is not needed for normal processing. It, however, enhances the ability to conduct its mission efficiently. • Optional • If the function is not needed and no subsequent processing will be required to restore this function. • If the function does not fall into any of the categories because it does not really affect operations. • Consider eliminating this function
Categories of Business Functions • The plan to continue organizational operations is business continuity plan (BCP). • It focuses on the continued operation of the business or organization. • A BCP emphasizes the critical systems needed to operate. • The BCP describes the functions that are most critical. • This is determined by the business impact assessment (BIA). • The BCP often describe the order in which functions should be returned to operation. • The focus of a disaster recovery plan (DRP) is on continued operation after a disaster.
Disaster Recovery Plan • DRP (disaster recover plan) defines the data and resources (hardware, software and computer personnel) necessary and the processes and procedures required to restore critical processes. • The specific steps required to restore operations should be documented. • They should be reviewed and exercised on a periodic basis. • It is essential the DRP needs is approved by management.. • Exercising disaster recovery plans and processes before a disaster helps discover flaws or weaknesses in plans. • DRP should describe critical functions that are to be restored first
BIA • To create the BIA answer the following questions for all critical functions: • Who is responsible for the operation of this function? • What do these individuals need to perform the function? • Where will this function be performed? • When should this function be accomplished? • How is this function performed (what is the process)? • Why is this function so important or critical to an organization?
Backups • Backups are key to BCP or DRP - Hardware and storage media failure leading to corruption of critical data is a source of disaster. • The strategy should consider • How frequently should backups be conducted? • How extensive do the backups need to be? • What is the process for conducting backups? • Who is responsible for ensuring that backups are created? • Where will the backups be stored? • How long will backups be kept? • Depending on the type of organization, there may be legal requirements for conducting backups that will affect the factors mentioned previously.
What Needs to Be Backed Up • A good backup plan will consider more than just the data. It will include: • Application programs needed to process the data. • The operating system and utilities that the hardware platform requires to run the applications. • The DRP should also address other items related to backups such as: • Personnel • Equipment • Electrical power
Types of Backups • There are four basic types of backups • Full backup • An occasional full backup must be conducted. • Later, when a delta backup is conducted at specific intervals, only the portions of the files that have been changed will be stored. • Differential backup • Only the files and software that have changed since the last full backup • An incremental backup • Any file that has changed since the last backup (full or partial). • The type selected will greatly affect the overall backup strategy, plans, and processes. • How frequently should backups be performed? • You should consider how long an organization can survive without current data.
Backup Rule of Three • Multiple backups should be maintained. • There are several strategies or approaches to backup retention and a common and easy to remember is the “rule of three.” • This entails simply keeping the three most recent backups. When a new backup is created, the oldest copy is overwritten. • In certain environments, regulatory issues may prescribe a specific frequency and retention period. • It is important to know an organization and its requirements when determining how often a backup will be created and how long will it be kept. • If you are not in an environment where regulatory issues dictate the frequency and retention, your goal will be to optimize the frequency.
Backup Rule of Three • To determine the optimal backup frequency, consider: • The cost of the backup strategy chosen. • The cost of recovery if the backup strategy is not implemented (meaning if there were no backups created). • the probability that the backup will be needed on any given day. • The two figures to consider then are: • (probability the backup is needed AND cost of restoring with no backup) • This figure is the probable loss that can be expected by an organization if there is no backup conducted. • (probability the backup isn't needed AND cost of the backup strategy) • This figure is the price an organization is willing to pay (lose) to ensure that you can restore, should a problem occur. • To optimize backup strategy, the correct balance between these two figures needs to be determined. • When working with these two calculations, it Is is a cost-avoidance exercise.
Backup Rule of Three • When calculating the cost of the backup strategy, consider: • The cost of the backup media required for a single backup • The storage costs for the backup media and the retention policy • The labor costs associated with performing a single backup • The frequency with which backups are created • The best strategy is to keep copies of backups in separate locations. • The most recent copy could be stored locally, as it is the most likely to be needed. • Other copies can be kept at other locations.
Alternate Sites • Offsite Storage • A recent advance is online backup services. • A number of third-party companies offer high-speed connections for storing data on a frequent basis. • Where should restoration services be conducted? • If an organization has suffered physical damage to a facility, having offsite storage of data is only part of the solution. • Data needs to be processed somewhere. • Hot site - A fully configured environment similar to the normal operating environment. • Warm - Partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. • Cold site - Basic environmental controls needed to operate. Has few computing components needed. • Mobile backup- Trailers with the required computers and electrical power that can be driven to a location within hours of a disaster and set up to commence processing immediately.
Alternate Sites • A less expensive alternative is a mutual aid agreement. • Similar organizations agree to assume the processing for the other party with the following assumptions • both organizations will not be hit by the same disaster. • both have similar processing environments. • Such an arrangement may not be legally enforceable, even if it is in writing.
Long-Term Storage of Backups • Depending on the media: • Magnetic media degrade over time (measured in years). • Tapes can be used a limited number of times before the surface begins to flake off. • Storage of media in a steel safe or file cabinet may accelerate the process. Other considerations • Software applications also evolve, and the media may not be compatible with current versions of the software. • If the file you stored is encrypted, then passwords are needed to decrypt the file to restore the data. • .
Utilities - Power • Emergency power must be planned for in case of disruption • For short-term interruptions a UPS may suffice. • Beyond a few minutes, another source of power is required. • Backup generators are not a simple, maintenance-free solution. • Generators should be tested on a regular basis. • They can become strained if they power too much equipment, therefore, ensure the reserve capacity is beyond the anticipated load. • They take time to start up. A UPS should be used to for a smooth transition to backup power. • Generators are expensive and require fuel – they should be kept in a place where they can be fueled.
Utilities - Environmental • Environmental conditions. • Air conditioning. • Mobile backup sites use trailers and rely on generators for their power but also factor in the requirement for environmental controls. • Depending on the disaster, telephone and Internet communication may be lost. • Wireless services may also not be available. • Planning redundant communication can help with most outages. • Backup plans should include the option to continue operations from a different location while waiting for communications to be restored.
Secure Recovery • In the event an organization’s operations are disrupted, several companies offer recovery services that can remotely provide restoration services for critical files and data. These may include: • Power • Communications • Technical support • For the physical sites and the remote service—security is an important element and must be ensured. • Confidentiality • Integrity • Availability
High Availability and Fault Tolerance • High availability refers to the ability to maintain data and operational processing despite any disruption. • It requires redundant systems for both power and processing. • Fault tolerance refers to availability and is accomplished by the mirroring of data and systems. • Should a “fault” occur that disrupts a device such as a disk controller, the mirrored system provides the requested data with no interruption in service.
Computer Incident Response Teams • A plan should include establishing a Computer Incident Response Team (CIRT) or a Computer Emergency Response Team (CERT). • The team should be created and team members notified before an incident occurs. • The team includes technical and non-technical individuals who provide guidance on ways to handle media attention, legal issues, management issues. • The team consists of permanent and ad hoc members. • The CIRT conducts investigations of the incident and makes recommendations about how to proceed. • Policies and procedures for investigation should also be worked out in advance. • It is also advisable to have the team periodically meet to review these procedures.
Test, Exercise, and Rehearse • The BCP, DRP, backup procedures, or method to address computer incidents and other plans should be tested. • all parties should practice the established procedures. • As many recovery functions as possible should be performed • Care should be taken not to impact actual operations. • Rehearsal of portions of the recovery plan should include: • Items that are disruptive to actual operations. • Items identified as needing more frequent activation due to either the importance or the need for continual practice
Policies and Procedures • Policies are high-level statements made by the management laying out an organization's position on some issue. • Policies are mandatory but are not specific in their details. • Policies are focused on the result – not the methods for achieving that result. • Standards are specifications providing specific details on how a policy is to be enforced. • Procedures are step-by-step instructions describing exactly how employees are expected to act in a given situation or to accomplish a specific task.
Policies and Procedures • There are security policies that every organization should have in place. • Acceptable use • Due care • Separation of duties • Password management • Other important policy-related issues include: • Privacy • Service level agreements • Human resources policies • Code of ethics • Incident response
Security Policies • The security policy should describe how security is handled from an organizational point of view. • It describes which office and corporate officer or manager oversees the organization's security. • The security policy should be reviewed regularly and updated as needed. • Policies should be updated less frequently than the procedures that implement them. • High-level goals do not change as often as the environment in which they must be implemented. • All policies should also be reviewed by a legal counsel. • A plan should be outlined describing how all employees will be made aware of the policies. • Policies can be made stronger by including references to the authority who made the policy. • For example, whether this policy comes from the CEO, or is a department-level policy. • Refer to any laws or regulations applicable to the specific policy and environment.
Acceptable Use • An acceptable use policy (AUP) outlines the appropriate use of company resources, computer systems, and networks. • It should delineate what activities are not allowed. • The policy should consider: • Use of resources to conduct personal business • Installation of hardware or software • Remote access to systems and networks • Copying of company-owned software • User responsibility to protect company assets • Data, software, and hardware • Statements regarding penalties for violating the policies (such as termination) should also be included. • Penalties should not outweigh the related offense.
Acceptable Use • The appropriate use by the organization. • Is it appropriate to monitor an employee's use of the systems and network? • If any information gathered during monitoring is used in a civil or criminal case, be able to answer the following questions: • Did the employee have an expectation of privacy? • Was it was legal for the organization to be monitoring? • The statement that states that use of the system constitutes consent to monitoring should be referred. • Legal council should be consulted before any monitoring is conducted. • The actual wording of the warning message is important. It establishes certain rights and responsibilities.
Internet Usage Policy • The Internet usage policy ensures employee productivity and limits liability from inappropriate use of the Internet • This policy addresses which sites employees are allowed to visit. • If the company allows employees to surf the Web during non-work hours, the policy should spell out acceptable parameters including times and prohibited sites. • The policy should describe under what circumstances an employee would be allowed to post something from the organization's network on the Web.
E-Mail Usage Policy • The e-mail usage policy like the Internet usage policy. • It states what the company will allow employees to send in terms of e-mail. • The policy should spell out if non-work e-mail traffic is allowed or is restricted. • It should cover the type of message that would be considered inappropriate to send to other employees. • The policy should specify any disclaimers that must be attached to an employee's message sent outside the company.
Due Care • Due care and due diligence are terms used in the legal and business community to address issues where one party's actions may have caused loss or injury to another party. • The law recognizes the responsibility of an individual or an organization to act reasonably. • Reasonable actions should to be taken to demonstrate that the organization is being responsible. • Organizations should protect the information that it maintains on individuals. • The standard applied—reasonableness—is subjective and is often be determined by a jury. • The organization must show it has taken reasonable precautions to protect the information. • Despite these precautions, an unforeseen security event occurred that caused the injury to the other party. • Many sectors have “security best practices” for their industry that is a basis for due care in that sector. • If the organization does not follow the industry best practices, it should be prepared to justify its actions in court should an incident occur. • In any case, you must have a security policy.
Separation of Duties • Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. • Trust in any one individual is lessened. • The risk of catastrophic damage to the organization is also decreased. • Separation of duties as a security tool is a good practice. • It is possible to go overboard and break transactions up into too many pieces or require too much oversight. • This yields inefficiency and perhaps less secure. • Individuals may not scrutinize transactions thoroughly as they know others will review them. • Separation of duties spreads responsibilities over an organization so no single individual becomes indispensable. • No one has the “keys to the kingdom” or unique knowledge about how the system works. • Each task should have a primary and backup person.
Need to Know • Need to know and least privilege are principles that ensure that each individual in the organization is only supplied with the minimum amount of information and privileges they need to perform their tasks. • To obtain access to any piece of information, they must justify why they “need to know” it. • They will only be granted the bare number of privileges needed to perform their jobs. • A policy spelling out these principles as guiding philosophies should be created and address who may grant access or assign privileges.
Password Management • A password management policy should address: • The procedures for selecting passwords (If allowed) • length, character set, etc. • The frequency with which they must be changed, and how they will be distributed. • Procedures for creating new passwords should an employee forget password. • The acceptable handling of passwords. • Password cracking by administrators. • It discovers weak passwords selected by employees.
Disposal and Destruction • Many intruders know the value of “dumpster diving” • Documents, letters, scratch paper, old removable storage media, and old equipment all have value. • Finding e-mail or sticky notes with passwords and userids. • Organizations must have a strong disposal and destruction policy • Important papers should be shredded. • Magnetic storage media should have all files deleted. • The media should be overwritten at least three times with all ones, all zeros, and then random characters. • A safer method is to destroy the data by using a strong magnetic field to degauss the media. • One can even use a file to remove the magnetic material from the surface of the platter. • Shredding floppy media is normally sufficient.
Privacy and Service Level Agreements • Organizations should have a privacy policythat explains the guiding principles used to guard personal data they access. • Customers have a legal right to expect that their information is kept private. • Organizations violating this trust may be sued. • In the field of health care, federal regulations have been created that prescribe stringent security controls on private information. • Service level agreements (SLAs) are contractual agreements between entities specifying levels of service that two organizations agree upon. • These agreements delineate expectations in terms of the service provided, support expected, and penalties for failure. • The SLA should include a section on the service provider's responsibility for business continuity and disaster recovery as well as the provider's backup plans and processes for restoring lost data.
Human Resources Policies • You should hire individuals that can be trusted with your data and that of your clients. • You need policies to address when employees leave the organization. • Run background checks on prospective employees and check references. • Drug tests • Past criminal activity • Educational background • Work history • For sensitive environments, security background checks are required. • Once hired, you should minimize the risk that the employee will “turn against you.” • Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work should be considered. • Your ability to monitor may be restricted if not spelled out in advance • New employees should be made aware of all pertinent security policies. • Documents should be executed acknowledging that they have read and understood them. • Changes to privileges should be clearly spelled out in their policies.
Employee Retirement, Separation, or Termination • Employees who retire by choice may announce their retirement weeks or even months in advance. • Limiting access to sensitive documents the moment they announce their intention is the safest thing to do, although it may not be necessary. • Each situation should be evaluated individually. • If they leave for a better job, you may decide to allow them to gracefully transfer their projects to other employees. • The decision should be considered carefully if the new company is a competitor. • If the employee is terminated, immediately revoke their access privileges: • Access cards, keys, and badges should be collected. • The employee should be escorted to their desk and watched as they pack their personal belongings, and escorted from the building. • Combinations should be changed quickly once they have been informed of their termination.
Code of Ethics • Professional organizations have established codes of ethics for their members. • Each of these describes the expected behavior of their members from a high-level standpoint. • For organizations, a code of ethics can set the tone for how employees will be expected to act and conduct business. • The code should: • Demand honesty from employees. • Require that they perform all activities in a professional manner. • Address principles of privacy and confidentiality. • State how employees should treat client and organizational data. • Address conflicts of interest.
Incident Response Policies • An incident response policy and procedure should be developed to outline how the organization will deal with security incidents when they occur. • Preparation • Detection • Containment and Eradication • Recovery • Follow-On Actions
Preparation • Preparing for an incident is the first phase and steps should be established. • The points of contact should be determined and employees should be trained. • The equipment necessary to detect, contain, and recover from an incident should be acquired; and those who will use the equipment should be trained. • Training in computer forensics should also be accomplished. • Incidence Response Team membership varies depending on the type of incident: • A higher-level manager who can obtain the cooperation from employees as needed should lead. • A computer or network security analyst is useful, as well as security office. • Specialists may be added for specific hardware or software platforms as needed. • The organization's legal counsel should be part of the team. • The public affairs office should be available on an as-needed basis to formulate the public response should the event become public. • There should be a point of contact for the team in case criminal activity is suspected.
Detection • The most likely group of individuals to discover an incident will be the network and security administrators via the organization's firewalls and IDSs. • Procedures should be established to check for possible security events. • The tools and training should be identified during the preparation phase described. • Social engineering policy and training is essential. • A reporting procedure needs to be in place for the employees. • Everyone should know who to call and what to do if something is suspected. • A reporting template should be given to any individual suspecting an incident • One of the first jobs of the incident response team is to determine if an actual incident has occurred. • Each reported incident must be investigated and treated as a possible incident.
Containment and Eradication • The team should quickly contain the problem. • Decide whether to restore operations or prosecute. • If the decision to prosecute is made, specific procedures need to be followed in handling potential evidence. • A decision that should be made quickly is how to address containment. • If an intruder is on the system, one response is to disconnect from the Internet until the system can be restored and vulnerabilities patched. • Once the incident has been contained and malicious software or vulnerabilities have been taken care of, the procedures described earlier should be put into action. • The goal should be to have the organization back to normal processing as soon as possible.
Follow-On Actions • Once the operations have been restored to their pre-incident state, a few details need to be taken care of. • Senior-level management should be informed of what occurred. • Recommendations should be made to improve processes and policies so that a repeat will not occur. • If prosecution of the individual responsible is desired, then additional time will be spent in helping law enforcement agencies and in possible testimony. • Training material should be developed or modified as part of the new policies and procedures.