Principles of Incident Response and Disaster Recovery
Chapter 2: Planning for Organizational Readiness

Objectives
• Identify an individual or group to create a contingency policy and plan
• Understand the elements needed to begin the contingency planning process
• Create an effective contingency planning policy
• Become familiar with the business impact analysis and each of the component parts of this important process
• Know the steps needed to create and maintain a budget for enabling the contingency planning process

Introduction
• Planning for contingencies is complex and demanding
• Developing a contingency plan:
  • Organize the planning process
  • Prepare the detailed plans
  • Commit to maintaining plans at a high state of readiness
  • Rehearse the use of the plans
  • Maintain the processes necessary to keep a high state of readiness

Beginning the Contingency Planning Process
• Contingency planning management team (CPMT) is responsible for:
  • Obtaining senior management commitment and support
  • Writing the contingency plan document
  • Conducting the business impact analysis (BIA):
    • Identifying and prioritizing threats and attacks
    • Identifying and prioritizing business functions
  • Organizing the subordinate teams (incident response, disaster recovery, business continuity, crisis management)

Beginning the Contingency Planning Process (continued)
• Typical CPMT roster may include:
  • Champion: high-level manager with influence and resources; provides strategic vision
  • Project manager: leads the project
  • Team members: managers or representatives from business, information technology, and information security
  • Representatives from other business units (HR, PR, finance, legal, physical plant, etc.)
  • Representatives from subordinate teams (IR, DR, and BC teams)
Commitment and Support of Senior Management
• Contingency planning process will fail without clear and formal commitment of senior management
• Emphasis from senior management encourages subordinates to invest in the process
• Support must also be gained from communities of interest
• Community of interest:
  • Group of individuals united by shared interests or values within the organization

Commitment and Support of Senior Management (continued)
• Three communities of interest with roles and responsibilities in information security:
  • Managers and practitioners in information security
  • Managers and practitioners in information technology
  • Managers and professionals from general management
• Information security management and professionals:
  • Focus on integrity and confidentiality of systems
  • May lose sight of the objective of availability

Commitment and Support of Senior Management (continued)
• Information technology management and professionals:
  • Design, build, and operate information systems
  • Focus on costs of system creation and operation, ease of use, timeliness, transaction response time, etc.
• Organizational management and professionals:
  • Includes executives, production management, HR, accounting, legal, etc.: the users of IT systems

Elements to Begin Contingency Planning
• Required elements to begin the CP process:
  • Planning methodology
  • Policy environment to enable the planning process
  • Business impact analysis
  • Planning budget: access to resources (financial and other)
• CPMT begins the development of a CP document
• CP document provides a 7-step contingency process used to develop and maintain a contingency planning program

Elements to Begin Contingency Planning (continued)
• 7-step process:
  • Develop the contingency planning policy statement
  • Conduct the BIA
  • Identify preventive controls: measures to reduce the effects of system disruptions
  • Develop recovery strategies
  • Develop an IT contingency plan
  • Conduct plan testing, training, and exercises
  • Maintain the plan

Contingency Planning Policy
• Contingency planning policy:
  • Established by executive management
  • Defines the scope of the CP operations
  • Establishes managerial intent for response times, disaster recovery, and resumption of operations
  • Establishes responsibility for development and operations of the CPMT

Business Impact Analysis
• Business impact analysis (BIA):
  • An investigation and assessment of the impact of various types of attacks
  • Provides detailed scenarios of the effects of each potential type of attack
• BIA assumes that risk management controls have been bypassed, have failed, or were ineffective
• BIA addresses what to do if the attack succeeds

Business Impact Analysis (continued)
• CPMT conducts the BIA in five stages:
  • Threat or attack identification and prioritization
  • Business unit analysis
  • Attack success scenario development
  • Potential damage assessment
  • Subordinate plan classification
Threat or Attack Identification and Prioritization
• The list of threats already identified by the risk management process should be converted to a list of attacks
• The list of attacks is used to create attack profiles
• Predominantly information security-related threats, but should also include work stoppages, serious illnesses (pandemics), and other critical threats
• The list of attacks should be categorized to some degree
• Categories may overlap multiple attacks, and vice versa
Threat or Attack Identification and Prioritization (continued)
• Use a weighted analysis table to prioritize the attacks facing the organization
• May use a scale to assign values for both weights and attack values
• Weights to consider:
  • Probability of occurrence
  • Probability of success
  • Extent of damage
  • Cost to restore
Business Unit Analysis
• Analysis and prioritization of business functions within the organization
• Priority should be on restoring the organization’s main revenue-producing operations
• Avoid “turf wars” and focus on critical business functions that must be sustained to continue business operations
• Assign weights to each critical business function, using a weighted analysis table
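The weighted analysis table that the two preceding slides call for, both for prioritizing attacks and for prioritizing business functions, as an added Python example that is not part of the textbook. The attack criteria are the four the slide lists; the numeric weights, the business-function criteria and all ratings are assumed, constructed sample values.

```python
"""Weighted analysis table for BIA prioritization: each candidate (an attack
profile or a critical business function) is rated 1-5 per criterion, and its
score is the sum of weight * rating. Weights must sum to 1.0."""

# Criteria are the chapter's "weights to consider"; the numeric weights are assumed.
ATTACK_WEIGHTS = {"probability_of_occurrence": 0.30, "probability_of_success": 0.25,
                  "extent_of_damage": 0.25, "cost_to_restore": 0.20}
# Business-function criteria are assumed; revenue is weighted heaviest to match the
# chapter's emphasis on restoring revenue-producing operations first.
FUNCTION_WEIGHTS = {"revenue_contribution": 0.40, "customer_facing": 0.20,
                    "regulatory_exposure": 0.20, "upstream_dependencies": 0.20}

# Constructed sample ratings (1 = low, 5 = high) standing in for real BIA data.
ATTACKS = {
    "ransomware": {"probability_of_occurrence": 4, "probability_of_success": 3,
                   "extent_of_damage": 5, "cost_to_restore": 5},
    "flood_at_primary_site": {"probability_of_occurrence": 1, "probability_of_success": 5,
                              "extent_of_damage": 5, "cost_to_restore": 5},
    "phishing": {"probability_of_occurrence": 5, "probability_of_success": 4,
                 "extent_of_damage": 3, "cost_to_restore": 2},
    "ddos": {"probability_of_occurrence": 3, "probability_of_success": 3,
             "extent_of_damage": 3, "cost_to_restore": 2},
}
BUSINESS_FUNCTIONS = {
    "order_processing": {"revenue_contribution": 5, "customer_facing": 5,
                         "regulatory_exposure": 3, "upstream_dependencies": 4},
    "payroll": {"revenue_contribution": 2, "customer_facing": 1,
                "regulatory_exposure": 5, "upstream_dependencies": 2},
    "marketing_website": {"revenue_contribution": 3, "customer_facing": 5,
                          "regulatory_exposure": 1, "upstream_dependencies": 1},
    "email": {"revenue_contribution": 2, "customer_facing": 3,
              "regulatory_exposure": 2, "upstream_dependencies": 5},
}


def weighted_score(ratings, weights):
    """Sum of weight * rating, rounded to 2 places; rejects bad weights, criteria or ratings."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    if set(ratings) != set(weights):
        raise ValueError("ratings must cover exactly the weighted criteria")
    if any(not 1 <= r <= 5 for r in ratings.values()):
        raise ValueError("ratings must be on the 1-5 scale")
    return round(sum(weights[k] * ratings[k] for k in weights), 2)

def rank_candidates(candidates, weights):
    """Return (name, score) pairs sorted highest priority first."""
    scored = [(name, weighted_score(r, weights)) for name, r in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

Note that a low-probability event (the flood) still ranks near the top once damage and restoration cost carry weight, which is why the table uses all four criteria rather than likelihood alone.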
Attack Success Scenario Development
• Attack scenario (attack profile):
  • Depicts the effects of an occurrence of each threat on each prioritized functional area
  • Should include the attack methodology, indicators of the attack, and broad consequences
• An attack may have implications for many business functions

Potential Damage Assessment
• Attack scenario end case:
  • Estimates the cost of the best, worst, and most likely outcomes
  • Helps to identify what must be done to recover from each case
• Costs include the actions of the response team members as they act to recover from an incident or disaster
• Costs to recover from a disaster or incident may motivate additional spending on protection of business units

Subordinate Plan Classification
• Subordinate plan:
  • Deals with the aftermath of the attack
  • May already be part of standard operating procedures
  • May be part of an existing or prior disaster recovery planning project or business continuity project
• Each attack is categorized as disastrous or not
• Disastrous attacks generally cannot be stopped while in process because of the danger to employees; examples include hurricanes, fires, floods, tornadoes, etc.

BIA Data Collection
• Methods to collect BIA data:
  • Online questionnaires
  • Facilitated data-gathering sessions
  • Process flows and interdependency studies
  • Risk assessment research
  • IT application or system logs
  • Financial reports and departmental budgets
  • BCP/DRP audit documentation
  • Production schedules

BIA Data Collection (continued)
• Online questionnaires: provide a structured method to collect information from those who know the most about the business area
• Should include questions about:
  • Function description
  • Dependencies
  • Impact profile
  • Operational impacts
  • Financial impacts
  • Work backlog
  • Recovery and technology resources
  • PC and network requirements

BIA Data Collection (continued)
• Online questionnaire questions (continued):
  • Work-around procedures
  • Can work be performed at home?
  • Can workload be shifted to another business area?
  • Required business records and backups
  • Required regulatory reporting
  • Work inflows required
  • Work outflows and impact of loss of outflow
  • Business disruption experience (past history)
  • Competitive analysis

BIA Data Collection (continued)
• Other key issues that should be identified to complete the BIA:
  • Recovery point objective (RPO): the point in time to which systems and data must be recovered, i.e., how much data can we afford to lose?
  • Recovery time objective (RTO): the period of time within which functionality must be recovered, i.e., the maximum allowed downtime

BIA Data Collection (continued)
• Facilitated data-gathering sessions (focus groups):
  • Collect information directly from end users and business managers
• Process flows and interdependency studies:
  • Systems diagramming, including:
    • Use case diagrams and supporting use cases
    • UML models
    • Workflow
    • Functional decomposition
    • Dataflow diagrams
BIA Data Collection (continued)
• Risk assessment research:
  • Information collected during the risk assessment and risk management planning processes that provides input to the BIA
• IT application or system logs:
  • Logs provide data on failed login attempts, probes, scans, denial-of-service attacks, viruses detected, etc.
  • Help describe the attack environment
• Financial reports and departmental budgets:
  • Help to prioritize business functions according to their contribution to profitability and revenue
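An added Python example, not from the textbook, of how IT system logs feed the BIA's picture of the attack environment: it tallies log lines into the event categories the slide names (failed logins, probes/scans, denial of service, viruses detected) and counts events per source address. The log lines are constructed samples, and the line format and regular expressions are assumptions about an auth/IDS log rather than any specific product's format.

```python
"""Summarise system-log events into the attack categories a BIA uses to
describe the attack environment; counts like these are the evidence behind
the 'probability of occurrence' column of a weighted analysis table."""
import re
from collections import Counter

# Constructed sample lines in an assumed '<timestamp> <host> <event>' format.
SAMPLE_LOG = """\
2024-03-01T08:00:12Z fw01 IDS: portscan detected from 203.0.113.7 targeting 10.0.0.5
2024-03-01T08:01:40Z web01 sshd: Failed password for admin from 198.51.100.9 port 51022
2024-03-01T08:01:44Z web01 sshd: Failed password for admin from 198.51.100.9 port 51023
2024-03-01T08:03:02Z av01 AV: virus detected Trojan.Generic on WS-114
2024-03-01T08:05:15Z fw01 IDS: SYN flood from 203.0.113.7 rate=12000pps
2024-03-01T08:06:00Z web01 sshd: Accepted password for jsmith from 192.0.2.15 port 40001
"""

# Category names follow the slide's list; the match patterns are assumed.
PATTERNS = {
    "failed_login": re.compile(r"Failed password"),
    "probe_or_scan": re.compile(r"portscan detected"),
    "denial_of_service": re.compile(r"SYN flood"),
    "virus_detected": re.compile(r"virus detected"),
}
SOURCE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def summarise_log(log_text):
    """Return (events per category, events per source IP, unmatched line count).

    Lines that match no category (e.g. successful logins) are counted as
    unmatched so the analyst can see how much of the log the patterns cover.
    """
    by_category = Counter()
    by_source = Counter()
    unmatched = 0
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                by_category[name] += 1
                match = SOURCE.search(line)
                if match:            # not every event carries a source address
                    by_source[match.group(1)] += 1
                break
        else:
            unmatched += 1
    return by_category, by_source, unmatched
```

In the sample, one source appears in both the scan and the denial-of-service categories, the kind of pattern that turns a flat count into an attack profile.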
BIA Data Collection (continued)
• Audit documentation:
  • Provides information on compliance with federal and state regulations and with national or international standards
• Production schedules:
  • Production schedules, marketing forecasts, and productivity reports help in prioritizing business functions
Budgeting for Contingency Operations
• Disaster recovery and business continuity require dedicated budgeting; incident response may not
• Incident response budgeting:
  • Usually part of the normal IT budget
  • Includes data backup and recovery, UPSs, anti-virus software, anti-spyware software, RAID drives, storage-area networks (SANs), etc.
  • Should also include maintenance of redundant equipment to handle equipment failures
  • Rule of 3: keep three levels of computer system environments available for essential redundancy (hot, warm, and cold)

Budgeting for Contingency Operations (continued)
• Disaster recovery budgeting:
  • Insurance covers rebuilding and reestablishing operations at the primary site
  • Consider data loss policies
  • Other items not covered by insurance, such as loss of services (water, electricity, data), etc.
• Business continuity budgeting:
  • Requirements to maintain service contracts, such as mobile equipment and temporary sites
  • Employee overtime

Budgeting for Contingency Operations (continued)
• Crisis management budgeting:
  • Employee salaries
  • Other employee expenses and benefits

Summary
• Contingency planning starts by establishing the team, writing the planning document, obtaining commitment from senior management, and conducting the BIA
• The CP process requires a planning methodology, a policy environment, a BIA, and budgetary resources
• 7 steps of the planning cycle: develop the policy, conduct the BIA, identify preventive controls, develop recovery strategies, develop the IT contingency plan, test the plan, maintain the plan

Summary (continued)
• The CP policy should contain an introduction, a statement of scope and purpose, a call for periodic risk assessment and BIA, the major components to be covered by the CPMT, a call for recovery options and business continuity strategies, a call for testing, a list of key regulations and standards that must be met, identification of key individuals, and a call for organizational support
• The BIA should contain threat or attack identification and prioritization, business unit analysis, attack success scenarios, potential damage assessments, and subordinate plan classification

Summary (continued)
• Budgeting requirements include incident response budgeting, disaster recovery budgeting, business continuity budgeting, and crisis management budgeting