INFORMATION SECURITY PLANNING & IMPLEMENTATION Today’s Reference: Whitman & Mattord, Management of Information Security, 2 nd edition, 2008 Chapter 3


Page 1: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

INFORMATION SECURITY PLANNING & IMPLEMENTATION

Today’s Reference:

Whitman & Mattord, Management of Information Security, 2nd edition, 2008 Chapter 3

Page 2: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Overview

• InfoSec Planning
• Why Plan?
• Contingency Planning
  – Business Impact Analysis (BIA)
  – Incident Response Planning (IRP)
  – Disaster Recovery Planning (DRP)
  – Business Continuity Planning (BCP)

• Continuity Strategies

Page 3: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

InfoSec Planning

• “…a systematic study of the organisational IS assets, possible threats, existing countermeasures and the proposal of new countermeasures” (Zviran, Hoge & Micucci, 1990)

• “… a document that describes how an organisation will address its security needs.” (Pfleeger, 2nd ed., p. 471)

• An InfoSec plan contains:
  – Risk Objectives
  – Policy
  – Current Status of Security
  – Risk Analysis Results
  – Requirements
  – Recommendations
  – Responsibilities
  – Timetable
  – Implementation Strategy
  – Maintenance Schedule

Page 4: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Why Plan?

• 2-3% loss within an 8-day outage
• An outage of more than 10 days can threaten survival
• Increased dependence on continuous, available systems
• Clients may demand it (e.g. EDS & SA Govt.)
• Insurance company may demand it (for lower premiums)
• Company directors are not exposed to lawsuits
• Legal, statutory responsibilities

Page 5: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

What is at stake?

• Inability to run critical applications (e.g. cash flow operations, management tools)
• Loss of industry image
• Loss of investor confidence
• Loss of competitive edge
• Legal violations

Page 6: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

What Is Contingency Planning?

• The overall planning for unexpected events is called contingency planning (CP)

• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets

• The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

Page 7: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


CP Components

• Business Impact Analysis (BIA)
• Incident response planning (IRP) focuses on immediate response
• Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
• Business continuity planning (BCP) facilitates establishment of operations at an alternate site

Page 8: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Business Impact Analysis (BIA)

• BIA provides information about systems and threats and provides detailed scenarios for each potential attack

• BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls (what might go wrong)

• BIA assumes controls have been bypassed or are ineffective, and attack was successful (when something does go wrong)

Page 9: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Business Impact Analysis

• Define critical applications
• Define tolerance levels
• Consider different disaster scenarios
• Consider intangible effects, cash flow effects, extra expenses, future effects
  – Loss of customers
  – Missed sales enquiries
  – Blown deadlines
  – Dissatisfied customers
  – Loss of market share
  – Loss of investor confidence

Page 10: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Incident Response Planning

• Incident response planning covers identification of, classification of, and response to an incident

• Attacks are classified as incidents if they:
  – Are directed against information assets
  – Have a realistic chance of success
  – Could threaten confidentiality, integrity, or availability of information resources

• Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident

Page 11: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Incident Response Plan

• The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets

• Incident response (IR) is a set of procedures that commence when an incident is detected

Page 12: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Incident Response Plan

• When a threat becomes a valid attack, it is classified as an information security incident if:
  – It is directed against information assets
  – It has a realistic chance of success
  – It threatens the confidentiality, integrity, or availability of information assets

• It is important to understand that IR is a reactive measure, not a preventative one

Page 13: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Disaster Recovery Planning

• What is a disaster?
  – When the “outage” is greater than the tolerance.
  – The interruption of business due to loss or denial of the information assets required for normal operation

• Examples:
  – National Library fire
  – Flood in Sydney Stock Exchange
  – 9-11 Twin Towers terrorist attack

• The question is not “if” a disaster occurs but “when” a disaster occurs
  – We must forget about “probability” and emphasise “impact”

Page 14: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Disaster Recovery Planning

• An InfoSec Management control which helps to “recover from” a man-made or natural disaster

• A process which does NOT prevent threats but addresses the impact when they occur

• A control that addresses NOT confidentiality, NOT integrity, but availability of information

• The objective is to minimise down-time or the amount of time that critical IS services are unavailable (i.e. denied)

Page 15: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Management of Information Security, 2nd ed. - Chapter 3 Slide 15

Disaster Recovery Planning

• Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man made

• In general, an incident is a disaster when:
  – The organization is unable to contain or control the impact of an incident
  – The level of damage or destruction from an incident is so severe the organization is unable to quickly recover

• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located

Page 16: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

What is a DR Plan?

• A tested set of procedures for reacting to and recovering from a catastrophe.

• Addresses 2 timeframes:
  – The present – maintenance, testing & training before a disaster occurs
  – The future – what to do when a disaster occurs

• A “roadmap” which details procedures, responsibilities, contacts etc. in the event of a disaster

• It is a basis for decision making

Page 17: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Business Continuity Planning

• Outlines re-establishment of critical business operations during a disaster that impacts operations

• If disaster has rendered the business unusable for continued operations, there must be a plan to allow business to continue functioning

• Development of a BCP is somewhat simpler than an IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy

Page 18: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Business Continuity Planning

• BCP ensures critical business functions can continue in a disaster

• The BCP is most properly managed by the CEO of the organization

• BCP is activated and executed concurrently with the DRP when needed

• While BCP reestablishes critical functions at alternate site, DRP focuses on reestablishment at the primary site

• BCP relies on identification of critical business functions and the resources to support them

Page 19: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Continuity Strategies

• There are several continuity strategies for business continuity; the determining factor is usually cost

• Three exclusive-use options:
  – Hot sites
  – Warm sites
  – Cold sites

• Three shared-use options:
  – Timeshare
  – Service bureaus
  – Mutual agreements

Page 20: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Exclusive Use Options

• Hot sites
  – Fully configured computer facility with all services

• Warm sites
  – Like a hot site, but software applications not kept fully prepared

• Cold sites
  – Only rudimentary services and facilities kept in readiness

Page 21: INFORMATION SECURITY  PLANNING & IMPLEMENTATION


Shared Use Options

• Timeshares
  – Like an exclusive-use site but leased

• Service bureaus
  – Agency that provides physical facilities

• Mutual agreements
  – Contract between two organizations to assist

• Specialized alternatives
  – Rolling mobile site
  – Externally stored resources

Page 22: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

Recovery Strategies

• In-house hot site
  – Duplicate site
  – Solely for recovery
  – Sometimes used for development
  – Sometimes extra in-house capacity at branch sites

• Commercial hot site
  – International, interstate or local
  – With or without communications, office space or maintained O/S parallelism

• In-house cold site
  – A partially developed site
  – A space set aside normally used for other purposes but can be converted quickly

• Commercial cold site
  – International, interstate or local
  – With or without communications or office space

• Casual arrangements
  – Contract with suppliers
  – Agreement with organisation with same equipment (reciprocal agreement)
  – Handshake agreements

Page 23: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

[Figure: cost trade-off chart. Horizontal axis: Recovery time; vertical axis: $. Two curves are plotted: “Accumulated costs of outage” and “Investment in alternative strategies”. The strategy options are marked along the recovery-time axis: Hot site (in-house) option, Commercial hot site option, Cold site (in-house) option, Commercial cold site option, Casual arrangement option. The “Recommended level of investment” is marked where the two curves cross.]

Page 24: INFORMATION SECURITY  PLANNING & IMPLEMENTATION

WHAT YOU NEED TO KNOW

• The differences between CP, BIA, IRP, DRP & BCP

• Continuity Strategies