information security planning & implementation
INFORMATION SECURITY PLANNING & IMPLEMENTATION
Today’s Reference:
Whitman & Mattord, Management of Information Security, 2nd edition, 2008 Chapter 3
Overview
• InfoSec Planning
• Why Plan?
• Contingency Planning
– Business Impact Analysis (BIA)
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
• Continuity Strategies
InfoSec Planning
• “…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures” (Zviran, Hoge & Micucci (1990))
• “… a document that describes how an organisation will address its security needs.” (Pfleeger 2nd Ed. P. 471)
• An InfoSec plan contains:
– Risk Objectives
– Policy
– Current Status of Security
– Risk Analysis Results
– Requirements
– Recommendations
– Responsibilities
– Timetable
– Implementation Strategy
– Maintenance Schedule
Why Plan?
• 2-3% loss within 8 days outage
• > 10 days outage can threaten survival
• Increased dependence on continuous, available systems
• Clients may demand it (e.g. EDS & SA Govt.)
• Insurance Company may demand it (for lower premiums)
• Company Directors are not exposed to law suits
• Legal, statutory responsibilities
What is at stake?
• Inability to run critical applications. (i.e. cash flow operations, management tools)
• Loss of industry image
• Loss of investor confidence
• Loss of competitive edge
• Legal violations
What Is Contingency Planning?
• The overall planning for unexpected events is called contingency planning (CP)
• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
• The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event
CP Components
• Business Impact Analysis (BIA)
• Incident response planning (IRP) focuses on immediate response
• Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
• Business continuity planning (BCP) facilitates establishment of operations at an alternate site
Business Impact Analysis (BIA)
• BIA provides information about systems and threats and provides detailed scenarios for each potential attack
• BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls (what might go wrong)
• BIA assumes controls have been bypassed or are ineffective, and attack was successful (when something does go wrong)
Business Impact Analysis
• Define critical applications
• Define tolerance levels
• Consider different disaster scenarios
• Consider intangible effects, cash flow effects, extra expenses, future effects
– Loss of customers
– Missed sales enquiries
– Blown deadlines
– Dissatisfied customers
– Loss of market share
– Loss of investor confidence
Incident Response Planning
• Incident response planning covers identification of, classification of, and response to an incident
• Attacks classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten confidentiality, integrity, or availability of information resources
• Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident
Incident Response Plan
• The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
• Incident response (IR) is a set of procedures that commence when an incident is detected
Incident Response Plan
• When a threat becomes a valid attack, it is classified as an information security incident if:
– It is directed against information assets
– It has a realistic chance of success
– It threatens the confidentiality, integrity, or availability of information assets
• It is important to understand that IR is a reactive measure, not a preventative one
Disaster Recovery Planning
• What is a disaster?
– When the “outage” is greater than the tolerance.
– The interruption of business due to loss or denial of the information assets required for normal operation
• Examples:
– National Library fire
– Flood in Sydney Stock Exchange
– 9-11 Twin Towers terrorist attack
• The question is not “if” a disaster occurs but “when” a disaster occurs
– We must forget about “probability” and emphasise “impact”
Disaster Recovery Planning
• An InfoSec Management control which helps to “recover from” a man-made or natural disaster
• A process which does NOT prevent threats but addresses the impact when they occur
• A control that addresses NOT confidentiality, NOT integrity, but availability of information
• The objective is to minimise down-time or the amount of time that critical IS services are unavailable (i.e. denied)
Management of Information Security, 2nd ed. - Chapter 3 Slide 15
Disaster Recovery Planning
• Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
• In general, an incident is a disaster when:
– The organization is unable to contain or control the impact of an incident
– The level of damage or destruction from an incident is so severe the organization is unable to quickly recover
• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located
What is a DR Plan?
• A tested set of procedures for reacting to and recovering from a catastrophe.
• Addresses 2 timeframes:
– The present – maintenance, testing & training before a disaster occurs
– The future – what to do when a disaster occurs
• A “roadmap” which details procedures, responsibilities, contacts etc. in the event of a disaster
• It is a basis for decision making
Business Continuity Planning
• Outlines re-establishment of critical business operations during a disaster that impacts operations
• If disaster has rendered the business unusable for continued operations, there must be a plan to allow business to continue functioning
• Development of BCP somewhat simpler than IRP or DRP; consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy
Business Continuity Planning
• BCP ensures critical business functions can continue in a disaster
• BCP most properly managed by CEO of organization
• BCP is activated and executed concurrently with the DRP when needed
• While BCP reestablishes critical functions at alternate site, DRP focuses on reestablishment at the primary site
• BCP relies on identification of critical business functions and the resources to support them
Continuity Strategies
• Several continuity strategies for business continuity, determining factor is usually cost
• Three exclusive-use options:
– Hot sites
– Warm sites
– Cold sites
• Three shared-use options:
– Timeshare
– Service bureaus
– Mutual agreements
Exclusive Use Options
• Hot sites
– Fully configured computer facility with all services
• Warm sites
– Like hot site, but software applications not kept fully prepared
• Cold sites
– Only rudimentary services and facilities kept in readiness
Shared Use Options
• Timeshares
– Like an exclusive use site but leased
• Service bureaus
– Agency that provides physical facilities
• Mutual agreements
– Contract between two organizations to assist
• Specialized alternatives
– Rolling mobile site
– Externally stored resources
Recovery Strategies
• In-house hot site
– Duplicate site
– Solely for recovery
– Sometimes used for development
– Sometimes extra in-house capacity at branch sites
• Commercial hot site
– International, interstate or local
– With or without communications, office space or maintained O/S parallelism
• In-house cold site
– A partially developed site
– A space set aside normally used for other purposes but can be converted quickly
• Commercial cold site
– International, interstate or local
– With or without communications or office space
• Casual arrangements
– Contract with suppliers
– Agreement with organisation with same equipment (Reciprocal agreement)
– Handshake agreements
Recovery time
[Figure: chart with a $ axis; labels: “Accumulated costs of outage”, “Investment in alternative strategies”, “Recommended level of investment”; options marked: hot site (in-house), commercial hot site, cold site (in-house), commercial cold site, casual arrangement]
WHAT YOU NEED TO KNOW
• The differences between CP, BIA, IRP, DRP & BCP
• Continuity Strategies