Midterm Review 3


Beyond simply identifying what to back up, when to back it up, and how to restore it, what should a complete backup recovery plan include?

A complete plan also answers these questions (p. 102):
* How and when will backups be created?
* Who will be responsible for creating the backup?
* How and when will backups be verified so that they are known to be correct and reliable?
* Who is responsible for verifying the backup?
* Where will backups be stored, and for how long?
* How often will the backup plan be tested?
* When will the plan be reviewed and revised?
* How often will the plan be rehearsed, and who will take part in the rehearsal?

What are the component parts of risk management?

* Risk identification
* Risk assessment (inventorying assets, classifying assets, and identifying threats and vulnerabilities)
* Risk control (selecting a strategy, justifying controls)

What is the enterprise information security policy, and how is it used?

The enterprise information security policy (EISP) is the executive-level policy that is based on and directly supports the mission, vision, and direction of the organization. It sets the strategic direction, scope, and tone for all security efforts. It:
- contains the requirements to be met
- defines purpose, scope, constraints, and applicability
- assigns responsibilities
- addresses legal compliance

What are the elements needed to begin the CP process

The elements required to begin the CP process are (1) a planning methodology; (2) a policy environment to enable the planning process; (3) an understanding of the causes and effects of core precursor activities, known as the business impact analysis (BIA); and (4) access to financial and other resources, as articulated and outlined by the planning budget.

What major objectives should be considered when conducting the BIA?

* Threat attack identification and prioritization
* Business unit analysis
* Attack success scenario development
* Potential damage assessment
* Subordinate plan classification

Beyond those items that are funded in the normal course of IT operations, what are the additional budgeting areas for CP needs?

Incident response budgeting:
* Usually part of the normal IT budget
* Includes data backup and recovery, UPSs, anti-virus software, anti-spyware software, RAID drives, storage-area networks (SANs), etc.
* Should also include maintenance of redundant equipment to handle equipment failures
* Rule of 3: keep three levels of computer system environments available for essential redundancy (hot, warm, and cold)

Disaster recovery budgeting:
* Insurance covers rebuilding and reestablishing operations at the primary site
* Consider data loss policies
* Other items not covered by insurance, such as loss of services (water, electricity, data), etc.

What are the major sections in the CP policy document?

- An introductory statement of philosophical perspective by senior management as to the importance of contingency planning to the strategic, long-term operations of the organization
- A statement of scope
- A call for periodic risk assessment and business impact analysis

What are the basic strategies used to control risk? Define each.

Defense (the preferred approach): attempts to prevent the exploitation of a vulnerability and to reduce risk to an acceptable level. Risk defense methods:
- Defense through application of policy
- Defense through training and education programs
- Defense through technology application (usually requires technical solutions)
- Eliminating asset exposure

What are the basic strategies used to control risk? Define each (2).

Defense (continued):
- Implement security controls and safeguards
- Deflect attacks to minimize the probability of a successful attack

Transference: attempts to shift risk to other assets, processes, or organizations. Methods:
- Rethink how services are offered
- Revise deployment models
- Outsource to other organizations
- Purchase insurance
- Implement service contracts with providers

What are the basic strategies used to control risk? Define each (3).

Mitigation: attempts to reduce the impact caused by the exploitation of a vulnerability, through planning and preparation. It includes contingency planning:
- Business impact analysis
- Incident response plan
- Disaster recovery plan
- Business continuity plan
Mitigation requires quick attack detection and response, and relies on the existence and quality of the other plans.

What are the primary responsibilities of the Contingency Planning Management Team (CPMT)?

- Obtaining commitment and support from senior management
- Managing and conducting the overall CP process
- Writing the master CP document
- Conducting the business impact analysis (BIA), which includes:
  * Assisting in identifying and prioritizing threats and attacks
  * Assisting in identifying and prioritizing business functions
- Organizing and staffing the leadership for the subordinate teams:
  * Incident response
  * Disaster recovery
  * Business continuity
  * Crisis management
- Providing guidance to and integrating the work of the subordinate teams

What are the primary means for collecting data for the BIA?

- Online questionnaires
- Facilitated data-gathering sessions (focus groups)
- Process flows and interdependency studies
- Risk assessment research
- IT application or system logs
- Financial reports and departmental budgets
- BCP/DRP audit documentation
- Production schedules

What are the usual stages in the conduct of the BIA?

1. Assessing mission/business processes and recovery criticality
2. Identifying resource requirements
3. Identifying recovery priorities

What are the most common downtime metrics used to express recovery criticality?

1. Maximum tolerable downtime (MTD) 2. Recovery time objective (RTO) 3. Recovery point objective (RPO)

What is encompassed in an incremental backup?

A backup that archives only the files that have been modified since the most recent backup of any kind (full or incremental), typically that day's changes. It therefore requires less space and time than a differential backup, but a restore must apply the last full backup followed by every incremental taken since it, in order; a missing or corrupt incremental breaks the chain.

What is a vulnerability in the context of information security?

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

What is encompassed in full backup?

A full backup is a complete backup of the entire system, including all applications, operating system components, and data.

What is a threat in the context of information security.

A threat is an object, person, or other entity that represents a potential source of loss to an asset, which is the organizational resource being protected.

When confronted with many business functions from many parts of the organization, what is a useful tool that can be used to determine what the organization considers the most critical?

A weighted analysis (Function-weighted Prioritization) table can be useful in resolving the issue of which business function is the most critical to the organization.

What are the basic strategies used to control risk? Define each (4).

Acceptance: do nothing to protect an information asset and accept the outcome of its potential exploitation. Only valid when the organization has:
- Determined the level of risk
- Assessed the probability of attack
- Estimated the potential damage that could occur
- Performed a thorough cost-benefit analysis
- Evaluated controls
- Decided that the asset did not justify the cost of protection

What is an asset in the context of information security?

An asset can be logical, such as a website, information, or data, or it can be physical, such as a person.

What is bare metal recovery?

Bare metal recovery technologies replace failed operating systems and services: the affected system is rebooted from CD-ROM or another bootable or remote drive and the operating system is quickly restored, using images backed up from a known stable state.

What is retention schedule?

Both data backups and archives should be based on a retention schedule that guides the frequency of replacement and the duration of storage. Some data is required by law to be retained and stored for years.

What are some items usually included in routine IT operations budgets that can be considered part of CP requirements?

Business continuity budgeting:
* Requirements to maintain service contracts, such as mobile equipment and temporary sites
* Employee overtime

What is a business impact analysis(BIA), and why is it important?

A business impact analysis (BIA) is an investigation and assessment of the impact that various types of attacks can have on the organization. It provides detailed scenarios of the effects of each potential type of attack. The BIA assumes that risk management controls have been bypassed, have failed, or were ineffective; it addresses what to do if the attack succeeds (p. 57).

What is a facilitated data-gathering session(focus group)?

Collects information directly from end users and business managers

How is the Committee on National Security Systems (CNSS) model of information security organized?

As a three-dimensional cube (the McCumber cube): Confidentiality, Integrity, and Availability on one axis (Y); Storage, Processing, and Transmission on a second axis (X); and the countermeasures Policy, Education, and Technology on the third axis (Z). The 27 cells each represent an area that must be addressed to secure an information system.

What three principles are used to define the C.I.A, triangle? Define each in the the context.

Confidentiality, Integrity, and Availability. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people.

What is a contingency plan?

A contingency plan is used to anticipate, react to, and recover from threatening events, and to restore the organization to normal modes of business operations.

What is the difference between a backup and an archive

Data backup is typically a snapshot of the data from a specific point in time. The data is considered volatile and subject to change. An archive is a long-term storage of a document or data file, usually for legal or regulatory purpose.

In what way are the backup needs of systems that use database different from the backup used to safeguard non database system?

Depending on the type of database and the software vendor, the database may or may not be able to be backed up with the utilities provided with the operating system of the server on which the database runs. A further question is whether backup procedures can be used without interrupting use of the database (p. 100). A file-level copy of a database that is in use can capture an inconsistent state, which is why vendor-provided backup tools or transaction-consistent snapshots are normally used instead.

What are standards? How are they different from policy?

Standards are detailed statements of what must be done to comply with policy; they tell the organization how the policy will be accomplished, in detail. A de facto standard is informal; a de jure standard is formal. Policies, by contrast, are organizational laws.

List and describe the four subordinate functions of a contingency plan.

Four subordinate functions:
- Business impact analysis (BIA)
- Incident response planning (IRP)
- Disaster recovery planning (DRP)
- Business continuity planning (BCP)

What are the major types of backups?

Full, differential, and incremental.

What four teams may be subordinate to the CPMT in typical organizations?

Incident response team, disaster recovery team, business continuity team, and crisis management team.

What is a business process?

A task performed by an organization or organizational subunit in support of the organization's overall mission.

What is virtualization?

The development and deployment of virtual, rather than physical, implementations of systems and services.

What is the primary site?

The location or group of locations at which the organization executes its functions.

What is risk management?

The process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components of the organization's information systems.

What is an issue-specific security policy?

An issue-specific security policy (ISSP) addresses specific areas of technology and contains a statement of the organization's position on a specific issue.

What is electronic vaulting, and how is it used in backup strategy?

Electronic vaulting is the bulk transfer of data in batches to an off-site facility, usually via leased lines or data communications services, with the receiving server archiving the data as it is received.
- Primary selection criteria: service costs, bandwidth, security of the stored data, recovery, and continuity
- Data transfer should not affect other operations
- Purchases can be scaled according to need
- Vendor-managed solutions use a software agent that initiates a full backup and then continuously copies data; the data is accessed via a web interface or client software

What is database shadowing?

It is the storage of duplicate online transaction data, along with the duplication of the database at the remote site to a redundant server.

What is remote journaling, and how is it used in backup strategy?

Remote journaling is the transfer of live transactions to an off-site facility so that all changes are recorded.
- Only the transactions are transferred (not archived data)
- The transfer is performed online, much closer to real time than electronic vaulting
- Involves online activities at the systems level: data is written to two locations simultaneously, or the transfer can be performed asynchronously
- Facilitates recovery of key transactions in near real time
- Journaling may be enabled for an object: the operating system creates a record of the object's behavior, stored in a journal receiver
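The mechanism described above, as an added example that is not part of the original study set: a primary site commits transfers against a ledger and appends each one as a journal entry; the off-site receiver checks the entry's integrity and sequence before replaying it onto its own copy of the last full snapshot. The ledger, account names, opening balances and the queue standing in for the network link are all constructed for the example. Shipping every entry before the transaction completes models synchronous journaling; leaving entries in flight models the asynchronous mode and shows what is lost when the primary disappears.

```python
"""Remote journaling: each committed transaction is shipped to an off-site receiver and replayed there,
so the remote copy trails the primary by at most the entries still in flight.

Constructed example: a three-account ledger; a queue stands in for the link between the two sites.
"""
import hashlib
import json
from collections import deque


def journal_line(entry: dict) -> str:
    """Serialise one journal entry with a checksum so corruption in transit is detected on receipt."""
    body = json.dumps(entry, sort_keys=True)
    return body + " " + hashlib.sha256(body.encode()).hexdigest()[:16]


def apply_entry(state: dict, entry: dict) -> None:
    state[entry["src"]] -= entry["amount"]
    state[entry["dst"]] = state.get(entry["dst"], 0) + entry["amount"]


class Primary:
    def __init__(self, snapshot: dict):
        self.state = dict(snapshot)
        self.seq = 0
        self.outbound = deque()   # journal lines committed locally but not yet received off-site

    def transfer(self, src: str, dst: str, amount: int) -> dict:
        if self.state.get(src, 0) < amount:
            raise ValueError("insufficient funds")
        self.seq += 1
        entry = {"seq": self.seq, "op": "transfer", "src": src, "dst": dst, "amount": amount}
        apply_entry(self.state, entry)
        self.outbound.append(journal_line(entry))   # only the transaction record travels, not the data set
        return entry


class RemoteSite:
    def __init__(self, snapshot: dict):
        self.state = dict(snapshot)   # the last full copy shipped to the site (e.g. by electronic vaulting)
        self.receiver = []            # the journal receiver: an ordered, append-only record of what arrived
        self.last_seq = 0

    def receive(self, line: str) -> None:
        body, _, checksum = line.rpartition(" ")
        if hashlib.sha256(body.encode()).hexdigest()[:16] != checksum:
            raise ValueError("journal entry failed its integrity check")
        entry = json.loads(body)
        if entry["seq"] != self.last_seq + 1:   # a gap means an entry was lost; replaying past it corrupts state
            raise ValueError(f"journal gap: expected seq {self.last_seq + 1}, got {entry['seq']}")
        self.receiver.append(entry)
        apply_entry(self.state, entry)
        self.last_seq = entry["seq"]


def accepted(remote: RemoteSite, line: str) -> bool:
    """Feed one line to the receiver and report whether it passed the integrity and sequence checks."""
    try:
        remote.receive(line)
        return True
    except ValueError:
        return False


def ship(primary: Primary, remote: RemoteSite, max_entries=None) -> int:
    """Synchronous journaling ships every entry before the transaction is considered complete;
    asynchronous journaling lets entries queue, so cap the count to model the lag at the moment of loss."""
    shipped = 0
    while primary.outbound and (max_entries is None or shipped < max_entries):
        remote.receive(primary.outbound.popleft())
        shipped += 1
    return shipped


def scenario(entries_in_flight: int):
    """Run three transfers, lose the primary with `entries_in_flight` entries unshipped, and report
    (primary state, remote state, number of transactions lost)."""
    snapshot = {"alice": 100, "bob": 50, "carol": 0}   # constructed opening balances
    primary, remote = Primary(snapshot), RemoteSite(snapshot)
    primary.transfer("alice", "bob", 30)
    primary.transfer("bob", "carol", 20)
    primary.transfer("alice", "carol", 10)
    ship(primary, remote, max_entries=len(primary.outbound) - entries_in_flight)
    return primary.state, remote.state, len(primary.outbound)


if __name__ == "__main__":
    for lag in (0, 1):
        p, r, lost = scenario(lag)
        print(f"entries in flight={lag}: primary={p} remote={r} transactions lost={lost}")
```

With no entries in flight the remote ledger matches the primary exactly; with one entry in flight the remote is one transaction behind, which is the recovery point the asynchronous mode actually delivers.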

How have cloud computing architectures affected the backup options available for organizations?

Online backup to a third-party data storage vendor is now available, referred to as data storage "in the cloud". It is commonly associated with leasing resources and raises security challenges, since the data leaves the organization's direct control. Cloud computing is usually described in three ways: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

In general terms, what is policy?

A plan or course of action that conveys instructions from senior management to those who make decisions, take action, and perform duties.

What is information security?

Protection of information and its critical elements, including the systems and hardware that use, store and transmit that information (CNSS).

What is disk striping, and how might it be considered the opposite of disk mirroring?

RAID 0 creates one larger logical volume across several hard disk drives and stores the data using a process known as disk striping, in which data segments, called stripes, are written in turn to each drive in the array. It can be considered the opposite of disk mirroring (RAID 1), which uses twin drives: the computer records all data to both drives simultaneously, providing a backup if the primary drive fails (expensive and inefficient in capacity). Striping spreads each file across all drives for capacity and speed, so the loss of any one drive loses the whole volume; mirroring duplicates every write, so the loss of one drive loses nothing.
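The contrast above, as an added example that is not part of the original study set: a small model of a striped array and a mirrored array, each written with the same constructed payload, then subjected to a single-drive failure. The stripe size, drive count and payload are chosen for the example only (real arrays use stripes of tens of kilobytes). The mirrored array also shows the caveat that matters when RAID is called a "backup": a bad write is mirrored just as faithfully as a good one.

```python
"""RAID 0 (striping) versus RAID 1 (mirroring): usable capacity, and what a single-drive failure costs.

Constructed example: a byte string written to a small array, then one drive removed.
"""


class DriveLost(Exception):
    """Raised when a read needs data that lived on a failed drive."""


class Raid0:
    """Striping: consecutive stripes are dealt round-robin to the drives, so the logical volume is the
    sum of the drives and every drive holds a share of every large file."""

    def __init__(self, data: bytes, drives: int, stripe_size: int = 4):
        self.stripe_size = stripe_size
        self.nstripes = -(-len(data) // stripe_size)          # ceiling division
        self.disks = [dict() for _ in range(drives)]          # drive -> {stripe index: chunk}
        for i in range(self.nstripes):
            self.disks[i % drives][i] = data[i * stripe_size:(i + 1) * stripe_size]

    def fail(self, drive: int) -> None:
        self.disks[drive] = None

    def read(self) -> bytes:
        out = []
        for i in range(self.nstripes):
            drive = i % len(self.disks)
            if self.disks[drive] is None:
                raise DriveLost(f"stripe {i} was on drive {drive}, which has failed; the volume is unreadable")
            out.append(self.disks[drive][i])
        return b"".join(out)


class Raid1:
    """Mirroring: every write goes to all drives at once, so any single surviving drive can serve reads."""

    def __init__(self, data: bytes, drives: int = 2):
        self.disks = [data for _ in range(drives)]

    def write(self, data: bytes) -> None:
        # A mirror protects against drive failure only: a deletion or a corrupt write is mirrored too.
        self.disks = [data if d is not None else None for d in self.disks]

    def fail(self, drive: int) -> None:
        self.disks[drive] = None

    def read(self) -> bytes:
        for d in self.disks:
            if d is not None:
                return d
        raise DriveLost("all mirrors have failed")


def survives_drive_failure(array, drive: int) -> bool:
    """Fail one drive and report whether the array still serves its data."""
    array.fail(drive)
    try:
        array.read()
        return True
    except DriveLost:
        return False


def usable_capacity(level: int, drives: int, drive_size: int) -> int:
    """RAID 0 pools all drives; RAID 1 stores one copy per drive, so only one drive's worth is usable."""
    if level == 0:
        return drives * drive_size
    if level == 1:
        return drive_size
    raise ValueError("only RAID 0 and RAID 1 are modelled here")


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    print("RAID 0 read intact:", Raid0(payload, drives=3).read() == payload)
    print("RAID 0 survives one drive failure:", survives_drive_failure(Raid0(payload, drives=3), 1))
    mirrored = Raid1(payload, drives=2)
    print("RAID 1 survives one drive failure:", survives_drive_failure(mirrored, 0))
    mirrored.write(b"")   # an accidental wipe reaches the surviving mirror as well
    print("RAID 1 after a bad write:", mirrored.read())
    print("usable capacity, 4 x 10 units: RAID 0 =", usable_capacity(0, 4, 10), "RAID 1 =", usable_capacity(1, 2, 10))
```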

Why is shaping policy considered difficult?

Shaping policy is difficult because it must never conflict with laws, must stand up in court if challenged, and must be properly administered through dissemination and documented acceptance.

What is a systems-specific security policy?

Systems-specific security policy: used when configuring or maintaining systems

When is a system-specific security policy used?

A systems-specific security policy is used when configuring or maintaining systems. It falls into two groups: access control lists (ACLs) and configuration rules.

What are the basic strategies used to control risk? Define each (5).

Termination (differs from acceptance): remove the asset from the environment that represents the risk. Two main reasons:
- The cost of protecting the asset outweighs its value
- It is too difficult or expensive to protect the asset compared to the value or advantage it offers
Termination must be a conscious business decision, not simple asset abandonment.

What is CNSS?

The CNSS Mission The Committee on National Security Systems (CNSS) sets national-level Information Assurance policies, directives, instructions, operational procedures, guidance and advisories for United States Government (USG) departments and agencies for the security of National Security Systems (NSS). It provides a comprehensive forum for strategic planning and operational decision-making to protect NSS and approves the release of INFOSEC products and information to Foreign Governments.

What is maximum tolerable downtime (MTD)?

The MTD represents the total downtime the system owner/authorizing official is willing to accept for a mission/business process or disruption, and includes all impact considerations. For example, "We can only have these systems down for 4 hours per month before negatively affecting operations."

What purpose does business resumption planning serve?

The business resumption (BR) plan has two major elements: the disaster recovery (DR) plan, for resuming normal operations at the primary sites, and the business continuity (BC) plan, for activating critical business functions at an alternate site.

What is recovery time objective (RTO)?

The period of time within which systems, application, or functions must be recovered after an outage.

What is recovery point objective (RPO), and how does it differ from recovery time objective?

The point in time to which lost systems and data can be recovered after an outage, as determined by the business unit; also known as the maximum acceptable data loss. Where the RTO bounds how long recovery may take, the RPO bounds how much data (measured as a span of time) may be lost, so the RPO drives how often backups or journaling must capture changes, and the RTO drives the choice of recovery site and technology.

What is encompassed in a differential backup?

The storage of all files that have changed or been added since the last full backup. Each differential therefore grows until the next full backup, but a restore needs only the last full backup plus the most recent differential.
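The three backup types defined on this page (full, differential, and incremental), as an added example that is not part of the original study set: a constructed four-day sequence of file snapshots is backed up under both a differential schedule and an incremental schedule, and each set is restored and verified against the hash manifest recorded when the set was written (the verification step the backup recovery plan on this page asks for). The file names, contents and day numbering are all made up for the example.

```python
"""Full, differential and incremental backups, and the restore chain each one implies.

Constructed example: a tiny filesystem snapshot per day (file name -> content).
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: day 0 is the full backup; each later day changes or adds one file.
DAYS = [
    {"a.txt": "alpha-v1", "b.txt": "bravo-v1", "c.txt": "charlie-v1"},                      # day 0
    {"a.txt": "alpha-v2", "b.txt": "bravo-v1", "c.txt": "charlie-v1"},                      # day 1: a changed
    {"a.txt": "alpha-v2", "b.txt": "bravo-v2", "c.txt": "charlie-v1"},                      # day 2: b changed
    {"a.txt": "alpha-v2", "b.txt": "bravo-v2", "c.txt": "charlie-v1", "d.txt": "delta-v1"},  # day 3: d added
]


def digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass
class BackupSet:
    kind: str
    day: int
    files: dict                                   # name -> content captured in this set
    manifest: dict = field(default_factory=dict)  # name -> sha256 recorded when the set was written

    def __post_init__(self):
        self.manifest = {name: digest(content) for name, content in self.files.items()}


def changed_since(day: int, baseline: dict) -> dict:
    """Files whose content differs from, or is absent in, the baseline snapshot."""
    return {name: c for name, c in DAYS[day].items() if baseline.get(name) != c}


def full_backup(day: int) -> BackupSet:
    return BackupSet("full", day, dict(DAYS[day]))


def differential_backup(day: int, last_full: BackupSet) -> BackupSet:
    # Everything changed since the LAST FULL backup: the set grows each day,
    # but a restore needs only the full backup plus the newest differential.
    return BackupSet("differential", day, changed_since(day, DAYS[last_full.day]))


def incremental_backup(day: int, previous: BackupSet) -> BackupSet:
    # Only what changed since the PREVIOUS backup of any kind: the smallest sets,
    # but a restore must replay the whole chain in order.
    return BackupSet("incremental", day, changed_since(day, DAYS[previous.day]))


def is_intact(backup: BackupSet) -> bool:
    """Verify a set against the manifest written at backup time (the check a recovery plan schedules)."""
    return all(digest(content) == backup.manifest.get(name) for name, content in backup.files.items())


def restore(chain: list) -> dict:
    """Replay backup sets in order (later sets overwrite earlier ones), refusing any set that fails
    verification so a corrupted or tampered backup is caught before it is trusted."""
    state = {}
    for backup in chain:
        if not is_intact(backup):
            raise ValueError(f"the {backup.kind} backup from day {backup.day} failed verification")
        state.update(backup.files)
    return state


def build_schedules():
    """Run both schedules over the constructed days: one full on day 0, then differentials or incrementals."""
    full = full_backup(0)
    diffs = [differential_backup(d, full) for d in (1, 2, 3)]
    incs, previous = [], full
    for d in (1, 2, 3):
        previous = incremental_backup(d, previous)
        incs.append(previous)
    return full, diffs, incs


if __name__ == "__main__":
    full, diffs, incs = build_schedules()
    print("differential set sizes:", [len(b.files) for b in diffs])   # grow: 1, 2, 3
    print("incremental set sizes: ", [len(b.files) for b in incs])    # stay small: 1, 1, 1
    print("full + last differential restores day 3:", restore([full, diffs[-1]]) == DAYS[3])
    print("full + every incremental restores day 3:", restore([full] + incs) == DAYS[3])
    # Skipping one incremental silently yields stale data: b.txt comes back as bravo-v1.
    print("b.txt with the day-2 incremental missing:", restore([full, incs[0], incs[2]])["b.txt"])
```

The two schedules trade storage against restore complexity in exactly the way the definitions describe: the differential sets grow day by day while the incremental sets stay small, and the incremental chain silently restores stale data if a link is missing, which is why the recovery plan must say who verifies each set and when.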

List the critical areas covered in an issue-specific security policy.

Three common approaches to creating ISSPs:
- Independent ISSP documents, each tailored to a specific issue
- A single comprehensive ISSP document covering all issues
- A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements

What are the three communities of interest, and why are they important to CP?

Three communities of interest with roles and responsibilities in information security:
* Managers and practitioners in information security: focus on the integrity and confidentiality of systems, and may lose sight of the objective of availability
* Managers and practitioners in information technology: design, build, and operate information systems; focus on costs of system creation and operation, ease of use, timeliness, transaction response time, etc.
* Managers and professionals from general management: includes executives, production management, HR, accounting, legal, etc., the users of IT systems

Explain these shared-use strategies: time-share, service bureau, and mutual agreement.

Time-share: operates like a hot/warm/cold site but is leased in conjunction with a business partner or sister organization. Provides a DR/BC option while reducing overall cost. Disadvantages: the facility may be needed by both parties simultaneously; it must be stocked with equipment and data from all involved organizations; negotiation is complex; a party may exit the agreement or sublease its options.

Service bureau: a service agency that provides a service for a fee; in the case of DR/CP, the provision of physical facilities in the event of a disaster. Agencies frequently also provide off-site data storage for a fee. The contract specifies exactly what the organization needs under what circumstances and guarantees space when needed. Disadvantages: an expensive option, and the contract must be renegotiated periodically.

Mutual agreement: a contract between two organizations to assist each other in the event of a disaster, with an obligation to provide the necessary facilities, resources, and services until the receiving organization recovers. Other agreements provide cost-effective solutions: between divisions of the same parent company, between subordinate and senior organizations, or between business partners. A memorandum of agreement (MOA) defines the expectations and capabilities for the alternate site.

What is the first step in beginning the contingency planning process?

To begin the process of planning for contingencies, an organization must first establish an entity that will be responsible for the policy and plans that will emerge from the process. **A contingency planning management team (CPMT).

Who is expected to engage in risk management activities in most organizations?

A typical CPMT roster may include:
- Champion: a high-level manager with influence and resources who provides the strategic vision
- Project manager: leads the project
- Team members: managers or representatives from business, information technology, and information security
- Representatives from other business units (HR, PR, finance, legal, physical plant, etc.)
- Representatives from the subordinate teams (IR, DR, and BC teams)

What is a redundant array of independent disk (RAID), and what are its primary uses? How can it be used as a backup strategy?

Unlike tape backups, RAID uses a number of hard drives to store information across multiple drive units. Its primary use is real-time protection, also known as replication. For operational redundancy, RAID can spread out data and, when coupled with checksums (parity), can eliminate or reduce the impact of a hard drive failure. It is a backup strategy only against drive failure: every write, including a deletion or a corrupted write, is applied to all drives at once, so RAID does not replace point-in-time backups kept elsewhere.

What are the two major component parts of a BRP plan, and how are they related?

The disaster recovery (DR) plan and the business continuity (BC) plan. The DR plan is for resuming normal operations at the primary site; the BC plan is for activating critical business functions at an alternate site while the primary site is being restored.

Explain the site resumption strategy known as exclusive use and how it uses hot sites, warm sites, and cold sites.

Exclusive use is chosen when an organization wants its operations to resume at a location over which it has exclusive control.
Hot site: fully configured computer facilities with all services, communications links, and physical plant operations; operations can be established at a moment's notice.
Warm site: provides similar services and options as a hot site, but software applications are not included, installed, or configured. Frequently includes computing equipment and peripherals with servers but no client workstations; has connections to facilitate quick data recovery.
Cold site: provides only rudimentary services and facilities. No computer hardware or peripherals are provided; all communication services must be installed after the site is occupied; no quick recovery or data duplication functions. Essentially an empty room with standard heating, air conditioning, and electrical service.

The CP process will fail without what critical element?

The CP process will fail without the clear and formal commitment of senior executive management. Only when executive leadership emphasizes the importance of this process, preferably through personal involvement by the top executive (or through the leadership of a champion), will subordinate managers and employees provide the time and resources needed to make the process happen.

