CISSP (8 Domains)
Certified Information Systems Security Professional

Instructor: Do Duc Huy
CISSP, CISA, CEH, CCSP, CCNP, RSA CSP
[email protected]

Module 1
CISSP – SECURITY AND RISK MANAGEMENT
Content

- Confidentiality, integrity, and availability concepts
- Security governance vs. management
- Compliance
- Legal and regulatory issues
- Professional ethics
- Security policies, standards, procedures and guidelines
- Business continuity and disaster recovery

Well known exploits
THE ROLE OF INFORMATION SECURITY WITHIN AN ORGANIZATION

- The first priority is to support the mission of the organization
- Requires judgment based on the organization's risk tolerance and on cost versus benefit
- The security professional's role is that of a risk advisor, not a decision maker; the decisions belong to management
PLANNING HORIZON

- Strategic goals
  - Over-arching, long-term; supported by tactical and operational goals
- Tactical goals
  - Mid-term; lay the foundation needed to accomplish the strategic goals
- Operational goals
  - Day-to-day; focus on productivity and task-oriented activities
SECURITY FUNDAMENTALS

- The C-I-A triad
  - Confidentiality
  - Integrity
  - Availability
CONFIDENTIALITY

- Prevent unauthorized disclosure
- Threats against confidentiality, with typical countermeasures:
  - Social engineering
    - Training, separation of duties, enforcement of policies, and vulnerability assessments
  - Media reuse
    - Proper sanitization strategies before media is reused or disposed of
  - Eavesdropping
    - Encrypt data in transit
    - Keep sensitive information off the network where possible

What does this mean? V2hhdCBkb2VzIHRoaXMgbWVhbj8g
(It is the Base64 encoding of the question itself. Base64 is an encoding, not encryption: anyone can reverse it without a key, so it provides no confidentiality.)
INTEGRITY

- Detect modification of information, whether
  - Corruption (accidental), or
  - Intentional or malicious modification
- Mechanisms, in increasing order of assurance:
  - Message digest (hash): detects accidental change, but an attacker who can alter the message can also recompute the digest
  - Message Authentication Code (MAC): keyed hash; only holders of the shared secret can produce a valid tag
  - Digital signatures: asymmetric keys; also give non-repudiation, since only the signer holds the private key

Example: a small change in the input gives a completely different digest
  100$    -> f5942b3a8e3b9ff33938b0d6b5267129
  10000$  -> 504ad5f52155a17f4317640f6b1b61aa
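To make the difference between a digest and a MAC concrete, here is an added example (not part of the original slides) in Python using only the standard library. It simulates an attacker on the path changing the amount in a constructed payment message; the message text, the key handling and the function names are assumptions of this example, not from the deck. Digital signatures are described in a comment only, since they need an asymmetric-key library beyond the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the slides): a payment instruction whose
# amount an attacker on the path would like to change in transit.
ORIGINAL = b"pay=100$;to=acct-4411"
TAMPERED = b"pay=10000$;to=acct-4411"


def digest(message: bytes) -> str:
    """Message digest (unkeyed hash, SHA-256).

    Any change to the input gives an unrelated digest, so this detects
    accidental corruption. It does NOT by itself detect deliberate
    modification: whoever can rewrite the message can also recompute the hash.
    """
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Message Authentication Code (HMAC-SHA256).

    The tag depends on a shared secret, so only a party holding the key can
    produce a tag that verifies; a forger who alters the message cannot.
    """
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how much of the tag was correct (a timing side channel).
    return hmac.compare_digest(mac(key, message), tag)


def tamper_with_digest(new_message: bytes):
    """Attacker model against an unkeyed digest: replace the message AND
    recompute the digest. Nothing stops this, because there is no secret."""
    return new_message, digest(new_message)


def tamper_with_mac(new_message: bytes, old_tag: str):
    """Attacker model against a MAC: the attacker does not hold the key, so the
    best it can do is replace the message and forward the old tag."""
    return new_message, old_tag


def receiver_accepts_digest(message: bytes, claimed_digest: str) -> bool:
    return digest(message) == claimed_digest


def digest_scenario() -> bool:
    """True if the receiver accepts the tampered message: a digest alone
    gives no protection against an active attacker."""
    # The sender's own digest is never consulted: the attacker replaces both.
    received_message, received_digest = tamper_with_digest(TAMPERED)
    return receiver_accepts_digest(received_message, received_digest)


def mac_scenario(key: bytes) -> bool:
    """True if the receiver accepts the tampered message: with a MAC and a
    secret key the forgery is rejected."""
    sent_tag = mac(key, ORIGINAL)
    received_message, received_tag = tamper_with_mac(TAMPERED, sent_tag)
    return verify_mac(key, received_message, received_tag)


# A digital signature goes one step further: the sender signs with a private
# key and anyone can verify with the public key, which also gives
# non-repudiation, since only the signer could have produced the signature.
# (Needs an asymmetric-crypto library such as `cryptography`; omitted here.)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # fresh random shared secret for the demo
    print("small change, unrelated digest:", digest(ORIGINAL) != digest(TAMPERED))
    print("tampered message accepted with digest only:", digest_scenario())
    print("tampered message accepted with MAC:", mac_scenario(key))
    print("genuine message accepted with MAC:", verify_mac(key, ORIGINAL, mac(key, ORIGINAL)))
```

The point to take away: a hash published next to the data it protects only catches accidents; to catch an adversary, the integrity check must depend on something the adversary does not have (a shared key for a MAC, a private key for a signature).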
AVAILABILITY

- Provide timely and reliable access to resources
- Redundancy, redundancy, redundancy
  - Prevent single points of failure
  - Comprehensive fault tolerance: data, hard drives, servers, network links, etc.
BEST PRACTICES (TO PROTECT C-I-A)

- Separation of duties (SoD)
- Mandatory vacations
- Job rotation
- Least privilege
- Need to know
- Dual control
DEFENSE IN DEPTH

- Also known as layered defense
- No one device or control will prevent an attacker; layers must cover each other's gaps
- Three main types of controls:
  - Technical (logical)
  - Administrative
  - Physical
RISK

- Every decision starts with looking at risk
- Determine the value of your assets
- Identify the potential for loss
- Find a cost-effective solution that reduces risk to an acceptable level (risk can rarely be eliminated)
- Safeguards are proactive
- Countermeasures are reactive
RISK DEFINITIONS

- Asset: anything of value to the company
- Vulnerability: a weakness; the absence of a safeguard
- Threat: something that could cause loss to all or part of an asset
- Threat agent: the entity that carries out the attack
- Exploit: an instance of compromise; a threat agent using a vulnerability
- Risk: the probability of a threat materializing (exploiting a vulnerability) combined with the resulting impact
- Controls: physical, administrative, and technical protections
  - Safeguards
  - Countermeasures
SOURCES OF RISK

- Weak or non-existent anti-virus software
- Disgruntled employees
- Poor physical security
- Weak access control
- No change management
- No formal process for hardening systems
- Lack of redundancy
- Poorly trained users
RISK MANAGEMENT

- The process of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of the probability or impact of a risk.
- A summary term that covers all risk-related actions
- Includes assessment, analysis, mitigation, and ongoing risk monitoring

RISK MANAGEMENT

- Risk management
  - Risk assessment
    - Identify and value assets
    - Identify threats and vulnerabilities
  - Risk analysis
    - Qualitative
    - Quantitative
  - Risk mitigation/response
    - Reduce/avoid
    - Transfer
    - Accept (or reject, which is not an acceptable response)
  - Ongoing risk monitoring
RISK ASSESSMENT

- Identification and valuation of assets is the first step in risk assessment
  - What are we protecting, and what is it worth?
  - Is it valuable to me? To my competitors?
  - What damage will be caused if it is compromised?
  - How much time was spent in development?
  - Are there compliance or legal issues?
RISK ANALYSIS

- Determining a value for a risk
- Qualitative vs. quantitative
- Risk value is probability x impact
  - Probability: how likely is the threat to materialize?
  - Impact: how much damage will there be if it does?
  - Also referred to as likelihood and severity

RISK ANALYSIS

- Qualitative analysis (subjective, judgment-based)
  - Probability and impact matrix
- Quantitative analysis (objective, numbers-driven)
  - Dollar amounts
QUALITATIVE ANALYSIS

- Subjective in nature
- Uses words like "high", "medium" and "low" to describe the likelihood and severity (probability and impact) of a threat exploiting a vulnerability
- The Delphi technique is often used to gather anonymous expert opinions and converge on a consensus rating
QUANTITATIVE ANALYSIS

- Quantitative:
  - Requires more experience and data than qualitative analysis
  - Involves calculations to determine a dollar value for each risk event
  - Business decisions are made on this type of analysis
- Goal:
  - Calculate the dollar value of a risk and use that amount to determine the best control for a particular asset
  - Necessary for a cost/benefit analysis
QUANTITATIVE ANALYSIS

- Factors
  - AV (Asset Value): $
  - EF (Exposure Factor): % of the asset's value lost in a single occurrence
  - ARO (Annualized Rate of Occurrence): expected number of occurrences per year (0.1 = once every ten years; 12 = monthly); a count, not a percentage
  - SLE (Single Loss Expectancy): $
  - ALE (Annual Loss Expectancy): $

SLE = AV x EF
ALE = SLE x ARO

- The annual cost of a control should be no more than the loss it prevents:
  value of a control = ALE before the control - ALE after the control - annual cost of the control
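A worked cost/benefit calculation, added here as an example that is not part of the original slides: the formulas above carried through in Python for one constructed risk scenario and two candidate controls. The asset, the dollar figures, the control names and the function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pair with the quantitative factors from the slide."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float               # ARO, expected occurrences per year (0.25 = once in 4 years)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard. It may lower the impact (EF), the likelihood
    (ARO), or both; a None field means that factor is unchanged."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def ale_with_control(scenario: RiskScenario, control: Control) -> float:
    """ALE after the control is applied (the residual risk, in dollars/year)."""
    ef = scenario.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = scenario.aro if control.new_aro is None else control.new_aro
    return RiskScenario(scenario.name, scenario.asset_value, ef, aro).ale()


def control_value(scenario: RiskScenario, control: Control) -> float:
    """Net annual value of a control:
    (ALE before) - (ALE after) - (annual cost of the control).
    Positive means the control saves more than it costs."""
    return scenario.ale() - ale_with_control(scenario, control) - control.annual_cost


def choose_control(scenario: RiskScenario, controls: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the highest net value. Returns None when no
    control pays for itself, i.e. the risk should be accepted or transferred
    rather than reduced at a loss."""
    best = max(controls, key=lambda c: control_value(scenario, c), default=None)
    if best is None or control_value(scenario, best) <= 0:
        return None
    return best


# Constructed scenario (figures are assumptions for illustration):
# a warehouse order server worth $500,000; a flood would destroy 20% of its
# value (hardware plus lost orders) and is expected once every four years.
FLOOD = RiskScenario("Flood damages order server", asset_value=500_000,
                     exposure_factor=0.20, aro=0.25)

CONTROLS = [
    # Offsite backups cut the loss per flood to 5% of AV; flood frequency unchanged.
    Control("Offsite backups", annual_cost=8_000, new_exposure_factor=0.05),
    # A managed DR service cuts the loss to 1% but costs more than the risk is worth.
    Control("Managed DR service", annual_cost=30_000, new_exposure_factor=0.01),
]


if __name__ == "__main__":
    print(f"SLE = {FLOOD.sle():,.0f}  ALE = {FLOOD.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: residual ALE {ale_with_control(FLOOD, c):,.0f}, "
              f"net value {control_value(FLOOD, c):,.0f}")
    chosen = choose_control(FLOOD, CONTROLS)
    print("chosen:", chosen.name if chosen else "none (accept or transfer the risk)")
```

With these figures SLE is $100,000 and ALE $25,000 a year; the backups are worth $10,750 a year net, while the DR service loses $6,250 a year even though it leaves less residual risk. That is the point of the slide: the control to buy is the one whose net value is highest, not the one that drives risk lowest.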
MITIGATING RISK

- Three acceptable risk responses:
  - Reduce (including avoid)
  - Transfer
  - Accept
- Watch for:
  - Secondary risks (new risks introduced by the response itself)
  - Residual risk (what remains after the response)
- Continue to monitor for risks
- How we decide to mitigate business risks becomes the basis for security governance and policy
SECURITY GOVERNANCE

The IT Governance Institute, in its Board Briefing on IT Governance, 2nd Edition, defines security governance as follows:

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."
SECURITY BLUEPRINTS

- Frameworks for achieving "security governance":
  - BS 7799, ISO 17799, and the ISO 27000 series
  - COBIT and COSO
  - OCTAVE
  - ITIL

COBIT AND COSO

- COBIT (Control Objectives for Information and related Technology)
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- Both focus on goals (control objectives) for security
ITIL

- The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management
- Five service management publications (the ITIL v3 lifecycle):
  - Service Strategy
  - Service Design
  - Service Transition
  - Service Operation
  - Continual Service Improvement

**While the individual ITIL publications are not testable, ITIL's purpose and comprehensive approach are. It provides best practices for the organization and the means by which to implement those practices.
OCTAVE

- Operationally Critical Threat, Asset and Vulnerability Evaluation
- Self-directed risk evaluation developed by Carnegie Mellon University
  - People within the organization direct the risk analysis themselves
- A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning:
  1. Identify assets
  2. Identify vulnerabilities
  3. Risk analysis and mitigation
BS 7799, ISO 17799, 27000 SERIES

- BS 7799-1 (the code of practice) was adopted as ISO 17799, later renamed ISO 27002 to fit the ISO 27000 numbering scheme
- BS 7799-2 (the ISMS specification) became ISO 27001

ISO 27000 SERIES

- ISO 27001: establishment, implementation, operation, monitoring and improvement of the ISMS; the original edition followed the PDCA (Plan, Do, Check, Act) cycle
- ISO 27002: replaced ISO 17799; practical advice on how to implement security controls, grouped into control domains (the number of domains has changed across editions)
- ISO 27004: metrics for measuring the effectiveness of the ISMS
- ISO 27005: a standards-based approach to information security risk management
- ISO 27799: directives on protecting personal health information
THE PLAN-DO-CHECK-ACT (PDCA) MODEL

MANAGEMENT
SENIOR MANAGEMENT ROLE

- CEO, CSO, CIO, etc.
- Ultimately responsible for security within the organization
  - Development and support of policies
  - Allocation of resources
  - Decisions based on risk
  - Prioritization of business processes
LIABILITIES

- Legal liability is an important consideration in risk assessment and analysis
- Addresses whether or not a company is responsible for specific actions or inaction
- Who is responsible for security within an organization? Senior management
- Are we liable in the instance of a loss?
  - Due care: ensuring that "best practices" are implemented and followed; following up due diligence with action
  - Due diligence: continuously investigating and monitoring the organization's practices to ensure they meet or exceed the security requirements
  - Prudent man rule: acting responsibly and cautiously, as a prudent man would
  - Best practices: the organization is aligned with the favored practices within its industry
ORGANIZATIONAL SECURITY POLICY

- Also known as a program policy
- Mandatory
- High-level statement from management
- Should support the strategic goals of the organization
- Explains any legislation or industry-specific drivers
- Assigns responsibility
- Should be integrated into all business functions
- Provides for enforcement and accountability

ISSUE-SPECIFIC AND SYSTEM-SPECIFIC POLICY

- Issue-specific policy (sometimes called functional implementation policy) states the company's position on particular employee issues: AUP, e-mail, privacy, etc.
- System-specific policy is geared toward the use of network and system resources: approved software lists, use of firewalls, IDS, scanners, etc.

SECURITY POLICY DOCUMENT RELATIONSHIPS
STANDARDS

- Mandatory
- Created to support policy while providing more specifics
- Reinforce policy and provide direction
- Can be internal or external

PROCEDURES

- Mandatory
- Step-by-step directives on how to accomplish an end result
- Detail the "how-to" of meeting the policy, standards and guidelines

GUIDELINES

- Not mandatory
- Suggestive in nature
- Recommended actions and guidance for users
- "Best practices"

BASELINES

- Mandatory
- The minimum acceptable security configuration for a system or process
- The purpose of security classification is to determine and assign the baseline configuration needed to protect the data
PERSONNEL SECURITY POLICIES (EXAMPLES)

- Hiring practices and procedures
  - Background checks/screening
  - NDAs
  - Employee handbooks
  - Formal job descriptions
  - Accountability
  - Termination
ROLES AND RESPONSIBILITIES

- Senior/executive management
  - CEO: chief decision-maker
  - CFO: responsible for budgeting and finances
  - CIO: ensures technology supports the company's objectives
  - ISO (CISO): risk analysis and mitigation
- Steering committee: defines risks, objectives and approaches
- Auditors: evaluate business processes
- Data owner: classifies data
- Data custodian: day-to-day maintenance of data
- Network administrator: ensures availability of network resources
- Security administrator: responsible for all security-related tasks, focusing on confidentiality and integrity

RESPONSIBILITIES OF THE ISO

- Responsible for providing C-I-A for all information assets
- Communication of risks to senior management
- Recommend best practices to influence policies, standards, procedures and guidelines
- Establish security measurements
- Ensure compliance with government and industry regulations
- Maintain awareness of emerging threats
LIABILITIES – WHO IS AT FAULT?

- Failure of management to exercise due care and/or due diligence can be termed negligence
  - Culpable negligence is often used to prove liability
- Prudent man rule
  - Perform the duties that prudent people would exercise in similar circumstances
  - Example: due care is setting a policy; due diligence is enforcing that policy
- Downstream liabilities
  - Technology integrated with other companies can extend one's responsibility outside the normal bounds

LEGAL LIABILITY

- Legally recognized obligation
  - A standard exists that outlines the conduct expected of a company to protect others from unreasonable risks
- Proximate causation
  - Fault can actually be proven to be a direct result of one's action or inaction
- Violation of law
  - Regulatory, criminal, or intellectual property
- Violation of due care
  - Stockholder suits
- Violation of privacy
  - Employee suits
SECURITY AND RISK MANAGEMENT: LEGAL AND REGULATORY

TYPES OF LAWS

- CISSP coverage:
  - Criminal law
  - Civil law
  - Regulatory (administrative) law
  - Intellectual property law
CRIMINAL LAW

- Burden of proof: beyond a reasonable doubt; this can be difficult to meet in computer-related crimes
- Penalties: financial, jail time, death
  - Felonies: the more serious of the two; the penalty often results in incarceration of at least a year
  - Misdemeanors: normally the less serious, with fines or jail time of less than one year
- The goals of criminal penalties are:
  - Punishment
  - Deterrence

CIVIL (TORT) LAW

- Burden of proof: preponderance of the evidence
- Damages
  - Compensatory: paid for the actual damage suffered by the victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
  - Punitive: designed as a punishment for the offender
  - Statutory: an amount stipulated within the law rather than calculated from the degree of harm to the plaintiff; often awarded for acts where the value of the harm to the victim is difficult to determine
- Liability, due care, due diligence and the prudent person rule are all pertinent to civil law, as well as to administrative law
ADMINISTRATIVE (REGULATORY) LAW

- Defines standards of performance and regulates conduct for specific industries
  - Banking (Basel II)
  - Energy (Energy Policy Act, EPAct, of 2005)
  - Health care (HIPAA)
- Penalties consist of fines or imprisonment

INTELLECTUAL PROPERTY

- Intellectual property law
  - Protects products of the mind
  - A company must take steps to protect resources covered by these laws, or the laws may not protect them
  - The main international organization, run by the UN, is the World Intellectual Property Organization (WIPO)
- Violations:
  - Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate espionage
INTELLECTUAL PROPERTY PROTECTION

- Trade secret
  - The resource must provide competitive value
  - Must be reasonably protected from unauthorized use or disclosure
  - Proprietary to a company and important for its survival
  - Must be genuine and not obvious

INTELLECTUAL PROPERTY PROTECTION

- Copyright
  - A form of intellectual property law that protects original works of authorship, including literary, dramatic, musical, and artistic works such as poetry, novels, movies, songs, computer software, and architecture
  - Some characteristics
    - In the US, copyright lasts for the lifetime of the author plus 70 years; for works made for hire (e.g. owned by a corporation) it is 95 years from publication or 120 years from creation, whichever expires first
    - The work does not need to be registered or published to be protected
    - Protects the expression of ideas rather than the ideas themselves
    - Gives the author control over how the work is distributed, reproduced and used
  - Two limitations on copyright:
    - First sale
    - Fair use
https://www.copyright.gov/help/faq/
INTELLECTUAL PROPERTY PROTECTION

- Trademark
  - Protects a word, name, symbol, sound, shape, color or combination used to identify a product and distinguish it from others
  - Protects against someone stealing another company's "look and feel"
  - Corporate brands and operating system logos
  - The Trademark Law Treaty Implementation Act supports protection of trademarks internationally

INTELLECTUAL PROPERTY PROTECTION

- Patent
  - Originally valid for 17 years; now valid for 20 years
  - Protection for those who have legal ownership of an invention
  - The invention must be novel and non-obvious
  - The owner has exclusive control of the invention for 20 years
  - Cryptographic algorithms can be patented
  - The strongest form of protection
  - Published, to stimulate other inventions
  - The PCT (Patent Cooperation Treaty) has been adopted by more than 130 countries to provide international protection of patents
  - No organization enforces patents; it is up to the owner to pursue patent rights through the legal system
ATTACKS ON INTELLECTUAL PROPERTY

- Piracy
- Copyright infringement
- Counterfeiting
- Cybersquatting
- Typosquatting

EXPORT/IMPORT RESTRICTIONS

- Export restrictions
  - The Wassenaar Arrangement is a multilateral export-control regime for conventional arms and dual-use goods and technologies (cryptography included); participating states implement it through their national export laws, which prohibit exports of such items to embargoed or terrorism-sponsoring states
  - Export of cryptographic software to non-government end users in other countries is generally allowed
  - No export of strong encryption software to terrorist states
- Import restrictions
  - In some countries, importing cryptographic tools with strong encryption requires that a copy of the private keys be provided to law enforcement
- US Safe Harbor (the US-EU Safe Harbor framework for personal data transfers; it was invalidated by the Court of Justice of the EU in 2015 and has since been succeeded by other frameworks)
INTERNATIONAL ISSUES

- Trans-border issues
  - Each country treats computer crimes differently
  - Evidence rules differ between legal systems
  - Governments may not assist each other in international cases
  - Jurisdiction issues

PRIVACY ISSUES – EMPLOYEE MONITORING

- Local labor laws related to privacy cannot be violated
- Be mindful of the reasonable expectation of privacy (REP)
  - Obtain an employee waiver by signature on policies, etc.
  - Notify employees of the monitoring that may be used, or do not monitor them at all
  - Login banners and security awareness
- Ensure that monitoring is lawful
- Do not target individuals in monitoring
- Monitor work-related events:
  - Keystrokes, cameras, badges, telephone, e-mail
HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT)

- Applies to
  - Health insurers
  - Health care providers
  - Health care clearinghouses (claim-processing agencies)
- As of 2009 (the HITECH Act), covered entities must disclose security breaches involving personal health information

GRAMM-LEACH-BLILEY FINANCIAL SERVICES MODERNIZATION ACT

- Known as GLBA
- Requires financial institutions to better protect customers' PII (Personally Identifiable Information)
- Three rules:
  - Financial Privacy Rule: requires financial institutions to give customers information about how their PII is collected, shared and protected
  - Safeguards Rule: requires each financial institution to have a formal written security plan detailing how customer PII will be safeguarded
  - Pretexting protection: addresses social engineering and requires methods to limit the information that can be obtained through this type of attack
PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)

- Not a legal mandate; a contractual requirement
- The payment card industry self-regulates its own security standards
- Applies to any business worldwide that stores, processes or transmits payment card data in order to conduct business with customers
- Compliance is enforced by the payment card brands (Visa, MasterCard, American Express, etc.)
- Compliance requirements (the validation level) are dictated by the number of transactions, as well as any previous security issues

PCI DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)

- Six core principles (goals):
  - Build and maintain a secure network
  - Protect cardholder data
  - Maintain a vulnerability management program
  - Implement strong access control measures
  - Regularly monitor and test networks
  - Maintain an information security policy
DISCLOSURE

- Organizations often prefer not to disclose security breaches, because disclosure:
  - Advertises vulnerabilities
  - Causes loss of customer confidence
  - Raises liability issues
  - And prosecution is difficult in any case
- Many states have now passed disclosure laws that legally require organizations to publicly disclose security breaches that might compromise personal data
  - Allows individuals to take corrective action
  - Additional motivation for organizations to protect customer data
ETHICS – ISC2

- The ISC2 Code of Ethics
  - Very testable
  - Must be agreed to in order to become a CISSP
  - Preamble, canons (mandatory), and guidance (advisory)
- Canons:
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession
- The canons are applied in order; if there is a conflict, the higher (earlier) canon prevails
ETHICS – COMPUTER ETHICS INSTITUTE

- Computer Ethics Institute
  - Ten Commandments of Computer Ethics
    1. Thou shalt not use a computer to harm other people.
    2. Thou shalt not interfere with other people's computer work.
    3. Thou shalt not snoop around in other people's computer files.
    4. Thou shalt not use a computer to steal.
    5. Thou shalt not use a computer to bear false witness.
    6. Thou shalt not copy or use proprietary software for which you have not paid.
    7. Thou shalt not use other people's computer resources without authorization or proper compensation.
    8. Thou shalt not appropriate other people's intellectual output.
    9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
    10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

ETHICS – IAB

- Internet Activities Board (IAB) ethics
  - "Ethics and the Internet"
  - Defined in a Request for Comments (RFC), RFC 1087
  - Published in January 1989
  - Unethical behavior is any activity that:
    - Seeks to gain unauthorized access to the resources of the Internet
    - Disrupts the intended use of the Internet
    - Wastes resources (people, capacity, computers) through such actions
    - Destroys the integrity of computer-based information
    - Compromises the privacy of users
COMPLIANCE AND AUDITING ROLE

- Objective evaluation of controls and policies to ensure that they are being implemented and are effective
- If internal auditing is in place, auditors should not report to the head of a business unit they audit, but to legal, human resources, or some other entity without a direct stake in the result

KNOWLEDGE TRANSFER

Awareness, training, education

"People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organization's security program."

- The goal of knowledge transfer is to modify employee behavior

BEING AWARE OF THE RULES

- Security awareness training
  - Employees cannot and will not follow directives and procedures if they do not know about them
  - Employees must know what is expected and the ramifications if expectations are not met
  - Employee recognition award program
  - Part of due care
  - An administrative control

AWARENESS/TRAINING/EDUCATION BENEFITS

- Overriding benefits:
  - Modifies employee behavior and improves attitudes towards information security
  - Increases the ability to hold employees accountable for their actions
  - Raises the collective security awareness level of the organization
BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

CONTINUITY OF THE ENTERPRISE

BCP VS. DRP

- Business Continuity Planning: focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. BCP is an "umbrella" term that includes many other plans, including the DRP. Long-term focused.
- Disaster Recovery Planning: the goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and is often IT-focused. Short-term focused.
BCP RELATIONSHIP TO RISK MANAGEMENT

MITIGATE RISKS

- Reduce negative effects:
  - Life safety is the number one priority!
  - Reputation is the second most important asset of an organization. Though specific systems are certainly essential, don't forget the big picture: protect the company as a whole.

BUSINESS CONTINUITY PLANNING

- Disaster recovery and continuity planning deal with uncertainty and chance
  - Must identify all possible threats and estimate the possible damage
  - Develop viable alternatives
- Threat types:
  - Man-made
    - Strikes, riots, fires, terrorism, hackers, vandals
  - Natural
    - Tornado, flood, earthquake
  - Technical
    - Power outage, device failure, loss of a T1 line
BUSINESS CONTINUITY PLANNING

- Categories of disruptions
  - Non-disaster: an inconvenience, e.g. a hard drive failure
    - Disruption of service
    - Device malfunction
  - Emergency/crisis
    - An urgent, immediate event where there is the potential for loss of life or property
  - Disaster
    - Entire facility unusable for a day or longer
  - Catastrophe
    - Destroys the facility
- A company should understand and be prepared for each category
- ANYONE CAN DECLARE AN EMERGENCY; ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER. (Anyone can pull the fire alarm or trigger an emergency alarm. Only the BCP coordinator, or someone designated in the BCP, can declare a disaster, which then triggers failover to another facility.)
ISO 27031

- Approved in 2011
- Provides a standard for ICT readiness for business continuity that did not exist previously
- Intended to resolve the inconsistency in terms, definitions and documents (so for now there may be inconsistencies on the exam; look for concepts more than specific terms)
- Until this ISO standard is included on the test, the following provide guidance on BCP/DRP:
  - DRII (Disaster Recovery Institute International)
  - NIST SP 800-34
  - BCI GPG (Business Continuity Institute Good Practice Guidelines)
BUSINESS CONTINUITY PLAN SUB-PLANS

- BCP
  - Protect
    - Crisis Communications Plan
    - OEP (Occupant Emergency Plan)
  - Recover
    - BRP (Business Recovery Plan)
    - DRP (Disaster Recovery Plan)
    - Continuity of Support Plan / IT Contingency Plan
  - Sustain
    - COOP (Continuity of Operations Plan)
PROTECT

- Crisis Communications Plan
  - Purpose: provides procedures for disseminating status reports to personnel and the public
  - Scope: addresses communications with personnel and the public; not IT-focused
- Occupant Emergency Plan (OEP)
  - Purpose: provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat
  - Scope: focuses on personnel and property particular to the specific facility; not based on business process or IT system functionality. May also be referred to as a crisis or incident management plan; however, the OEP concept should be recognizable as the "initial response to the emergency event"

RECOVER

- Business Recovery (or Resumption) Plan (BRP)
  - Purpose: provides procedures for recovering business operations immediately following a disaster
  - Scope: addresses business processes; not IT-focused; IT is addressed only in terms of its support for business processes
- Continuity of Support Plan / IT Contingency Plan
  - Purpose: provides procedures and capabilities for recovering a major application or general support system
  - Scope: addresses IT system disruptions; not business-process focused
- Cyber Incident Response Plan
  - Purpose: provides strategies to detect, respond to, and limit the consequences of a malicious cyber incident
  - Scope: focuses on information security responses to incidents affecting systems and/or networks
- Disaster Recovery Plan (DRP)
  - Purpose: provides detailed procedures to facilitate recovery of capabilities at an alternate site
  - Scope: often IT-focused; limited to major disruptions with long-term effects

SUSTAIN

- Continuity of Operations Plan (COOP)
  - Purpose: provides procedures and capabilities to sustain an organization's essential, strategic functions at an alternate site for up to 30 days. The term is sometimes used in the US government to refer to the whole field of business continuity management, but per NIST SP 800-34 it is a distinct sub-plan of the BCP. **Note: the BCP addresses ALL business processes, not just the mission-critical ones.
  - Scope: addresses the subset of an organization's missions that are deemed most critical; usually written at headquarters level; not IT-focused

NIST SP 800-34: INTERRELATIONSHIP OF THE PLANS
ROLES AND RESPONSIBILITIES

- Senior functional management
  - Develop and document the maintenance and testing strategy
  - Identify and prioritize mission-critical systems
  - Monitor progress of plan development and execution
  - Ensure periodic tests
  - Create the various teams necessary to execute the plans

ROLES AND RESPONSIBILITIES

- BCP steering committee
  - Conducts the BIA
  - Coordinates with department representatives
  - Develops the analysis group
    - The plan must be developed by those who will carry it out
    - Representatives from critical departments

BCP TEAMS

- Teams:
  - Rescue: responsible for dealing with the immediacy of the disaster; employee evacuation, "crashing" (emergency shutdown of) the server room, etc.
  - Recovery: responsible for getting the alternate facility up and running and restoring the most critical services first
  - Salvage: responsible for the return of operations to the original or permanent facility (reconstitution)

DEVELOPING THE TEAMS

- Management should appoint the members
- Each member must understand the goals of the plan and be familiar with the department they are responsible for
- Agreed upon prior to the event:
  - Who will talk to the media, customers and shareholders
  - Who will set up alternative communication methods
  - Who will set up the offsite facility
    - Established agreements with off-site facilities should be in place
  - Who will work on the primary facility
7 PHASES OF THE BUSINESS CONTINUITY PLAN

- Phases of the plan:
  1. Project initiation
  2. Business impact analysis
  3. Recovery strategy
  4. Plan design and development
  5. Implementation
  6. Testing
  7. Maintenance

PHASES OF THE PLAN: PROJECT INITIATION

- Project initiation
  - Obtain senior management's support
  - Secure funding and resource allocation
  - Name the BCP coordinator/project manager
  - Develop the project charter
  - Determine the scope of the plan
  - Select members of the BCP team
PHASES OF THE PLAN: BUSINESS IMPACT ANALYSIS

 BIA (Business Impact Analysis)


 Initiated by BCP Committee
 Identifies and prioritizes all business processes based on criticality
 Addresses the impact on the organization in the event of loss of a specific
services or process
 Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and
fines, etc..
 Qualitative: loss of service quality, competitive advantage, market share,
reputation, etc..
 Establishes key metrics for use in determining appropriate counter-measures
and recovery strategy
 IMPORTANCE (relevance) vs. CRITICALITY (downtime)
 The Auditing Department is certainly important, though not usually critical. THE BIA
FOCUSES ON CRITICALITY

93
PHASES OF THE PLAN: BUSINESS IMPACT ANALYSIS
 Key Metrics to Establish
   Service Level Objectives
   RPO (Recovery Point Objective)
   MTD (Maximum Tolerable Downtime)
   RTO (Recovery Time Objective)
   WRT (Work Recovery Time)
   MTBF (Mean Time Between Failures)
   MTTR (Mean Time To Repair)
   MTTF (Mean Time To Failure)
94
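The metrics above are only useful once they are checked against each other. The following is an added worked example, not part of the course slides: it encodes the BIA metrics for three constructed business processes and runs the two checks a planner would make, that RTO plus WRT fits inside the MTD (the planning relationship assumed here), and that data actually reaches the recovery site at least as often as the RPO requires. It also derives platform availability from MTBF and MTTR and ranks the processes by criticality (shortest MTD first). All process names and figures are constructed sample data.

```python
from dataclasses import dataclass

# Constructed example, not from the slides: BIA metrics for three hypothetical
# business processes, with the consistency checks a BCP planner would run.

@dataclass
class ProcessMetrics:
    """BIA key metrics for one business process (all durations in hours)."""
    name: str
    mtd: float              # Maximum Tolerable Downtime agreed with the business owner
    rto: float              # Recovery Time Objective: time to restore the systems
    wrt: float              # Work Recovery Time: verify data, clear backlog, resume work
    rpo: float              # Recovery Point Objective: tolerable data loss, in time
    backup_interval: float  # how often data actually reaches the recovery site
    mtbf: float             # Mean Time Between Failures of the supporting platform
    mttr: float             # Mean Time To Repair that platform

    def total_recovery_time(self) -> float:
        # Planning relationship assumed here: the outage the business feels is the
        # technical recovery (RTO) plus the work recovery (WRT), and that sum must
        # fit inside the MTD.
        return self.rto + self.wrt

    def availability(self) -> float:
        # Steady-state availability of the platform derived from MTBF and MTTR.
        return self.mtbf / (self.mtbf + self.mttr)

    def findings(self) -> list[str]:
        """Gaps between what the business needs and what the recovery design delivers."""
        out = []
        if self.total_recovery_time() > self.mtd:
            out.append(f"RTO {self.rto}h + WRT {self.wrt}h exceeds MTD {self.mtd}h")
        if self.backup_interval > self.rpo:
            out.append(f"backup interval {self.backup_interval}h exceeds RPO {self.rpo}h")
        return out


def rank_by_criticality(processes: list[ProcessMetrics]) -> list[str]:
    """Criticality, not importance, drives the BIA: shortest MTD first."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]


# Constructed sample data (hypothetical processes and figures).
PAYMENT_SWITCH = ProcessMetrics("Payment switch", mtd=2, rto=3, wrt=1, rpo=0.25,
                                backup_interval=0.1, mtbf=4000, mttr=2)
ORDER_ENTRY = ProcessMetrics("Order entry", mtd=8, rto=4, wrt=2, rpo=1,
                             backup_interval=4, mtbf=1000, mttr=8)
INTERNAL_AUDIT = ProcessMetrics("Internal audit", mtd=168, rto=72, wrt=24, rpo=24,
                                backup_interval=24, mtbf=2000, mttr=4)
PROCESSES = [INTERNAL_AUDIT, ORDER_ENTRY, PAYMENT_SWITCH]

if __name__ == "__main__":
    for name in rank_by_criticality(PROCESSES):
        p = next(p for p in PROCESSES if p.name == name)
        print(f"{p.name}: MTD {p.mtd}h, RTO+WRT {p.total_recovery_time()}h, "
              f"availability {p.availability():.4%}")
        for gap in p.findings():
            print("  GAP:", gap)
```

In the sample, the payment switch fails the MTD check (its recovery design takes 4 hours against a 2-hour tolerance) and order entry fails the RPO check (backups every 4 hours against a 1-hour RPO), while the audit process, important but not critical, passes both; that is the kind of output the BIA feeds into the recovery-strategy phase.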
ELEMENTS OF THE PLAN: BUSINESS IMPACT ANALYSIS
 Management should establish recovery priorities for business processes that identify:
   Essential personnel
   Succession Plans
   MOAs/MOUs (Memorandums of Agreement/Understanding)
   Technologies
   Facilities
   Communications systems
   Vital records and data
95
RESULTS FROM THE BIA
 Results of Business Impact Analysis contain
   Identified ALL business processes and assets, not just those considered critical
   Impact the company can tolerate for each risk
   Outage times that would be critical vs. those that would not be critical
   Preventive Controls
   Document and present to management for approval
   Results are used to create the recovery plans
96
PHASES OF THE PLAN: IDENTIFY RECOVERY STRATEGIES
 When preventive controls don’t work, recovery strategies are necessary
   Facility Recovery
   Hardware and Software Recovery
   Personnel recovery
   Data Recovery
97
FACILITY RECOVERY
 Facility Recovery
   Subscription Services
     Hot, warm, cold sites
   Reciprocal Agreements
   Others
     Redundant/Mirrored site (partial or full)
     Outsourcing
     Rolling hot site
     Prefabricated building
 Offsite Facilities should be no less than 15 miles away for low to medium environments. Critical operations should have an offsite facility 50-200 miles away
98
FACILITY RECOVERY OPTIONS

99
FACILITY RECOVERY: RECIPROCAL AGREEMENTS
 How long will the facility be available to the company in need?
 How much assistance will the staff supply in terms of integrating the two environments and ongoing support?
 How quickly can the company in need move into the facility?
 What are the issues pertaining to interoperability?
 How many of the resources will be available to the company in need?
 How will differences and conflicts be addressed?
 How does change control and configuration management take place?
100
HARDWARE RECOVERY
 Technology Recovery is dependent upon good configuration management documentation
 May include
   PCs/Servers
   Network Equipment
   Supplies
   Voice and data communications equipment
 SLAs can play an essential role in hardware recovery
101
SOFTWARE RECOVERY
 BIOS Configuration information
 Operating Systems
 Licensing Information
 Configuration Settings
 Applications
 Plans for what to do in the event that the operating system/applications are no longer available to be purchased
102
PERSONNEL RECOVERY
 Identify Essential Personnel: the entire staff is not always necessary to move into recovery operations
 How to handle personnel if the offsite facility is a great distance away
 Eliminate single points of failure in staffing and ensure backups are properly trained
 Don’t forget payroll!
103
ADDITIONAL DATA REDUNDANCY
 Database Shadowing
 Remote Journaling
 Electronic Vaulting
104
DATA RECOVERY CONTINUED
 Database Backups
   Disk-shadowing
     Mirroring technology
     Updating one or more copies of data at the same time
     Data saved to two media types for redundancy
105
DATA RECOVERY CONTINUED
 Electronic Vaulting
   Copy of modified file is sent to a remote location where an original backup is stored
   Transfers bulk backup information
   Batch process of moving data
 Remote Journaling
   Moves the journal or transaction log to a remote location, not the actual files
106
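The practical difference between the two techniques is how much committed work the remote site can rebuild after a failure, which is what the RPO from the BIA measures. The following is an added simulation, not part of the course slides: a constructed stream of postings is committed on a primary, electronic vaulting ships a bulk copy on a batch schedule, remote journaling ships each transaction-log record a few minutes after commit, and after a failure we compare what each remote site can reconstruct. For simplicity the journal is replayed from an empty start-of-day state rather than onto a base backup; the account names, times and intervals are constructed sample values.

```python
from dataclasses import dataclass

# Constructed simulation, not from the slides: primary database shipping data to a
# remote site by electronic vaulting (batch bulk copy) or remote journaling (each
# transaction-log record shipped shortly after commit).

@dataclass(frozen=True)
class Txn:
    t: int          # commit time, minutes since start of day
    account: str
    delta: int      # change to the account balance


def apply(balances: dict, txns) -> dict:
    """Replay transaction records onto a copy of a balance table."""
    out = dict(balances)
    for tx in txns:
        out[tx.account] = out.get(tx.account, 0) + tx.delta
    return out


def reconstruct(txns, fail_at: int, vault_interval: int, journal_lag: int) -> dict:
    """What the remote site holds under each technique when the primary fails at
    minute `fail_at`."""
    committed = [tx for tx in txns if tx.t < fail_at]

    # Electronic vaulting: the remote holds the last bulk copy taken on the batch
    # schedule; everything committed after that copy is lost with the primary.
    last_batch = (fail_at // vault_interval) * vault_interval
    in_vault = [tx for tx in committed if tx.t <= last_batch]

    # Remote journaling: each log record arrives `journal_lag` minutes after it is
    # written; only records still in flight at the moment of failure are lost.
    in_journal = [tx for tx in committed if tx.t + journal_lag <= fail_at]

    return {
        "committed": len(committed),
        "vault_balances": apply({}, in_vault),
        "journal_balances": apply({}, in_journal),
        "lost_vault": len(committed) - len(in_vault),
        "lost_journal": len(committed) - len(in_journal),
        # Worst-case data-loss window each technique can promise.
        "vault_window": vault_interval,
        "journal_window": journal_lag,
    }


def meets_rpo(result: dict, rpo_minutes: int) -> dict:
    """Which technique can satisfy the RPO set in the BIA."""
    return {
        "electronic_vaulting": result["vault_window"] <= rpo_minutes,
        "remote_journaling": result["journal_window"] <= rpo_minutes,
    }


# Constructed sample: one posting every 15 minutes, alternating between two accounts.
SAMPLE_TXNS = [
    Txn(5, "A", 10), Txn(20, "B", 10), Txn(35, "A", 10), Txn(50, "B", 10),
    Txn(65, "A", 10), Txn(80, "B", 10), Txn(95, "A", 10), Txn(110, "B", 10),
]

if __name__ == "__main__":
    r = reconstruct(SAMPLE_TXNS, fail_at=100, vault_interval=60, journal_lag=2)
    print(r)
    print(meets_rpo(r, rpo_minutes=15))
```

With an hourly vault and a failure at minute 100, the vault is missing every posting after minute 60 (three of the seven committed), whereas the journal site has every record that finished its two-minute trip, so it rebuilds the same balances the primary had; against a 15-minute RPO only remote journaling qualifies.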
PHASES OF THE PLAN: PLAN DESIGN AND DEVELOPMENT
 Now that all the research and planning has been done, this phase is where the actual plan is written
 Should address
   Responsibility
   Authority
   Priorities
   Testing
107
PHASES OF THE PLAN: IMPLEMENTATION
 Plan is often created for an enterprise with individual functional managers responsible for plans specific to their departments
 Copies of Plan should be kept in multiple locations
 Both electronic and paper copies should be kept
 Plan should be distributed to those with a need to know. Most employees will only see a small portion of the plan
108
PHASES OF THE PLAN: IMPLEMENTATION
 Three Phases Following a Disruption
   Notification/Activation
     Notifying recovery personnel
     Performing a damage assessment
   Recovery Phase (Failover)
     Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities; performed by the recovery team
   Reconstitution (Failback)
     Outlines actions taken to return the system to normal operating conditions; performed by the salvage team
109
PHASES OF THE PLAN: TESTING
 Should happen once per year, or as the result of a major change (VERY TESTABLE)
 The purpose of testing is to improve the response (never to find fault or blame)
 The type of testing is based upon the criticality of the organization, resources available and risk tolerance
   Testing: happens before implementation of a plan. The goal is to ensure the accuracy and the effectiveness of the plan
   Exercises/Drills: employees walk through step by step. Happens periodically. Main goal is to train employees
   Auditing: a third-party observer ensures that components of a plan are being carried out and that they are effective
110
TYPES OF TESTS
 Checklist Test
   Copies of plan distributed to different departments
   Functional managers review
 Structured Walk-Through (Table Top) Test
   Representatives from each department go over the plan
 Simulation Test
   Going through a disaster scenario
   Continues up to the actual relocation to an offsite facility
111
TYPES OF TESTS
 Parallel Test
   Systems moved to alternate site, and processing takes place there
 Full-Interruption Test
   Original site shut down
   All processing moved to offsite facility
112
POST-INCIDENT REVIEW
 After a test or disaster has taken place:
   Focus on how to improve
   What should have happened
   What should happen next
   Not whose fault it was; this is not productive
113
PHASES OF THE PLAN: MAINTENANCE
 Change Management:
   Technical: hardware/software
   People
   Environment
   Laws
 Large plans can take a lot of work to maintain
   Does not have a direct line to profitability
114
PHASES OF THE PLAN: MAINTENANCE
 Keeping the plan up to date
   Make it a part of business meetings and decisions
   Centralize responsibility for updates
   Part of job description
   Personnel evaluations
   Report regularly
   Audits
 As plans get revised, original copies should be retrieved and destroyed
115
MODULE REVIEW
CHAPTER 1: SECURITY AND RISK MANAGEMENT REVIEW
 Security Basics
   Confidentiality, integrity, and availability concepts
 Risks
 Security governance principles
 Compliance
 Legal and regulatory issues
 Professional ethics: download ISC2 code of ethics at https://www.isc2.org/uploadedfiles/(isc)2_public_content/code_of_ethics/isc2-code-of-ethics.pdf
 Business Continuity Planning
   1. Project Initiation
   2. Business Impact Analysis
   3. Recovery Strategy
   4. Plan Design and Development
   5. Implementation
   6. Testing
   7. Maintenance
117
MODULE SELF CHECK
Module self check
Single loss expectancy (SLE) is calculated by using:
A. Asset value and annualized rate of occurrence (ARO)
B. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE)
C. Asset value and exposure factor
D. Local annual frequency estimate and annualized rate of occurrence
119
Module self check
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security
120
Module self check
Information systems auditors help the organization:
A. Mitigate compliance issues
B. Establish an effective control environment
C. Identify control gaps
D. Address information technology for financial statements
122
Module self check
Data access decisions are best made by:
A. User managers
B. Data owners
C. Senior management
D. Application developer
123
Module self check
Which of the following methods is not acceptable for exercising the business continuity plan?
A. Table-top exercise.
B. Call exercise.
C. Simulated exercise.
D. Halting a production application or function.
124
Module self check
A service’s recovery point objective is zero. Which approach BEST ensures the requirement is met?
A. RAID 6 with a hot site alternative.
B. RAID 0 with a warm site alternative
C. RAID 0 with a cold site alternative
D. RAID 6 with a reciprocal agreement.
125