
Disaster Recovery and Business Continuity


kimball

Presentation Transcript


  1. Disaster Recovery and Business Continuity Chapter 16

  2. Learning Objectives • Understand business continuity • Understand the disaster recovery planning process • Explain the importance of defining and documenting security policies and procedures • Discuss implications of privilege management and its impact on disaster recovery and business continuity

  3. Business Continuity • Solid disaster recovery plan: • Allows a business to continue through a catastrophic event • Includes well documented paper records stored in a safe, fireproof location that is secured from outside and internal tampering but accessible to company officials • Build redundancy into mission critical systems

  4. Disaster Recovery Planning Process • Defines resources, actions, and data required to reinstate critical business processes that have been damaged or disabled because of a disaster • Potential threats • Human-induced accidents • Natural • Internal • Armed conflict • External

  5. Data Backups • Backing up all mission-critical data so personnel can restore files and application software to continue business as though nothing happened • Essential part of a disaster recovery plan

  6. Effective Backup Strategy Issues • Frequency of backups • Backup medium • Time of day • Manual or automated • How verified • Length of storage • Location of storage • Primary and fallback person responsible • Need for off-site storage

  7. Types of Off-Site Backup Facilities • Hot site • Warm site • Cold site

  8. Hot Site • Fully configured and ready to operate within a few hours of a disaster • Can support a short- or long-term outage • Flexible in its configuration and options

  9. Hot Site • Advantages • Ready within hours for operations • High availability • Flexible configurations • Annual testing available • Exclusive use • Disadvantages • Very expensive (can more than double data center costs)

  10. Warm Site • Partially configured with some equipment • Essentially provides the facility and some peripheral devices, but not a full configuration like a hot site

  11. Warm Site • Advantages • Less expensive • Usually exclusive use • Available for long time frames • Disadvantages • Not immediately available • Operational testing usually not available

  12. Cold Site • Supplies basic computing environments including wiring, ventilation, plumbing, and flooring

  13. Cold Site • Advantages • Relatively low cost • Disadvantages • No hardware infrastructure • Not immediately available • Operational testing not available

  14. Other Backup Considerations • Reciprocal backup agreement • Internet-based backup service • Completely redundant in-house network • Incident training

  15. Documents in a Disaster Recovery Plan • List of covered disasters • List of disaster recovery team members for each type of situation and their contact information • Business impact assessment • Business resumption and continuity plan • Backup documentation • Restore documentation

  16. Steps in the Disaster Recovery Planning Process • Evaluate and determine potential sources of the outage • Assess business impact • Document the server in concise language

  17. Policies and Procedures • Security policy • Human resources policy • Incident response policy

  18. Security Policy • General statement that dictates what security means to the organization • Establishes how the security program is organized • Describes policy’s goals • Identifies who is responsible • Describes strategic value of the policy

  19. Sections of a Security Policy • Acceptable use • Due care • Privacy • Separation of duties • “Need-to-know” issues • Password management • Service-level agreements • Destruction or disposal of information and storage media

  20. Acceptable Use Policy • Covers what is and is not considered appropriate use of company resources and time • Misuse of computer resources can result in: • Lost productivity • Compromised company information

  21. Goals of Acceptable Use Policy • Meet productivity goals of HR department • Meet liability concerns of legal department • Protect critical information and technical resources • Maintain security goals of IT department

  22. Due Care • Reasonable precautions are being taken that indicate an organization is being responsible • Can protect against unnecessary lawsuits

  23. Privacy • Protecting company and supplier data solidifies trust between organization and external parties • If an organization does not respect its clients’ rights to privacy, it can lose trust of those parties or face legal action

  24. Separation of Duties • Distribute tasks throughout the IT organization and document processes thoroughly • Diversifies security of network so that one person cannot act alone to change or disable a piece of equipment

  25. Need-to-Know Rights • Method for establishing dissemination in which users should only have access to information and resources they need to know about • Work in tandem with least privilege

  26. Password Management Policies • Protect confidentiality of information and integrity of systems by keeping unauthorized users out of computer systems • Can specify attributes and procedures • Minimum length • Allowed character set • Disallowed strings • Duration of use of the password • Should include human factors and training on proper password procedures

  27. Service Level Agreements (SLA) • Contractual understanding between an ASP and end user which binds the ASP to a specified and documented level of service • Should include: • Specific levels of service and support • Penalty clauses • Disaster recovery plan

  28. Disposal and Destruction • Degauss (demagnetize) the medium to render all information useless • Physically destroy the media

  29. Human Resources Policy • Cross-train technology staff • Continuously train personnel to be able to manually perform tasks that are normally automated • How personnel management relates to security • Pre-employment • Employee maintenance • Post-employment

  30. Employee Hiring • Verify candidate’s background • Reference checks • Previous employers • Criminal background checks • Relevant educational background • Character evaluations • Background investigation

  31. Employee Hiring • Minimize risk that security is compromised • Perform periodic reviews • Reevaluate security clearances • Implement policy of job rotation and separation of duties

  32. Employee Termination • Make process as friendly as possible to avoid ill will • Conduct exit interviews professionally • Receive security badges and company property from former employee • Escort individual off the property • Deactivate former employee’s computer accounts and change affected passwords

  33. Code of Ethics • Part of human resource policy that defines the company’s stance on information security and appropriate use of resources

  34. Incident Response Policy • Covers how to deal with a security incident after it has transpired • Steps to establish • Preparation • Detection • Containment • Eradication • Recovery • Follow up

  35. Preparation • Allocate sufficient resources • Ensure that systems and applications used in handling incidents are themselves resistant to attack • Create a set of procedures to deal with incidents as efficiently as possible

  36. Detection • Employ a form of IDS • Analyze all anomalies in the system • Enable auditing functions and increase amount of audit information captured • Promptly obtain full backup of system where incident occurred; gather copies of compromised data for analysis • Estimate scope of incident

  37. Detection • Thoroughly document and report information • Basic information about the incident • Type and purpose of attack • Resources involved • Origins and consequences of the attack • How sensitive the compromised information is • Determine how quickly to disseminate reports and what transmission method to use

  38. Containment • Shut down system • Remove a piece of compromised hardware • Change filtering rules on firewalls and routers • Disable or delete compromised login services such as file transfer services

  39. Eradication • Use software programs to detect viruses or malicious code • Clean and reformat affected hard drives

  40. Recovery • Full system restore • Change all passwords • When recovering data, restore from most recent full backup • Use fault-tolerant system hardware to recover mirrored data that resided on redundant hard drives

  41. Follow up • Documenting the entire process can provide information that helps justify the incident response effort and security policy

  42. Privilege Management Policy • Helps secure mission critical information • Considerations • Restrict access to files based on identifying a specific MAC address • Prescribe standard requirements for access controls placed on key files and network resources • Tool or mechanism required • Default requirement for new files

  43. Privilege Management Policy • Types of access control lists • Discretionary Access Control (DAC) list • System Access Control (SAC) list • Role-Based Access Control (RBAC) list

  44. Chapter Summary • Potential impact of external or internal activities on business functions • Minimizing the impact of catastrophic events with: • Disaster recovery planning process • Business continuity preventative actions • Comprehensive security policies
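The password policy attributes listed on slide 26 (minimum length, allowed character set, disallowed strings, duration of use) can be enforced in code. The sketch below is an added example, not part of the original presentation; the numeric limits, the banned-string list and the names `PasswordPolicy`, `check_password` and `is_expired` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass(frozen=True)
class PasswordPolicy:
    # All values are constructed for illustration; the slides give no numbers.
    min_length: int = 12
    allowed_chars: frozenset = frozenset(
        string.ascii_letters + string.digits + string.punctuation)
    disallowed_strings: tuple = ("password", "qwerty", "companyname")
    max_age_days: int = 90


def check_password(policy, candidate, username=""):
    """Return the list of policy violations for a proposed password.

    An empty list means the password satisfies the policy.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    if any(ch not in policy.allowed_chars for ch in candidate):
        problems.append("disallowed_character")
    # Disallowed strings are matched case-insensitively, and the account
    # name itself is treated as a disallowed string when supplied.
    lowered = candidate.casefold()
    banned = [s for s in policy.disallowed_strings if s]
    if username:
        banned.append(username)
    if any(s.casefold() in lowered for s in banned):
        problems.append("disallowed_string")
    return problems


def is_expired(policy, last_changed, today):
    """Duration of use: True once the password is older than max_age_days."""
    return (today - last_changed) > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs.
    for pw in ("Tr4il-mix&Granite", "Password1!", "correct horse battery"):
        print(repr(pw), check_password(policy, pw) or "ok")
    print("expired:", is_expired(policy, date(2024, 1, 1), date(2024, 4, 1)))
```

Returning every violation at once, rather than stopping at the first, lets the password-change form tell the user everything to fix in one pass, which supports the human-factors point on the same slide.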
