Chapter 10 Risk Management HMI 6571

electronic vaulting

A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections. Incident response procedures (IR procedures) Detailed, step-by-step methods of preparing, detecting, reacting to, and recovering from an incident.

database shadowing

A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.

timeshare

A continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A timeshare allows the organization to have a BC option while reducing its overall costs.

service bureau

A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.

mutual agreement

A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.

rolling mobile site

A continuity strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.

digital malfeasance

A crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.

alert message

A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.

After-action review (AAR)

A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.

alert roster

A document that contains contact information for personnel to be notified in the event of an incident or disaster.

warm site

A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations.

cold site

A facility that provides only rudimentary services, with no computer hardware or peripherals. Cold sites are used for BC operations.

talk-through

A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.

hot site

A fully configured computing facility that includes all services, communications links, and physical plant operations. Hot sites are used for BC operations.

business process

A task performed by an organization or one of its units in support of the organization's overall mission.

evidentiary material

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect.

computer security incident response team (CSIRT)

An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident. The CSIRT may include members of the IRPT.

incident

An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization.

adverse events

An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.

business impact analysis (BIA)

An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and its recovery priorities.

business continuity (BC)

An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site. The organization temporarily establishes critical operations at an alternate site until it can resume operations at the primary site or select and occupy a new primary site.

crisis management (CM)

An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.

disaster recovery (DR)

An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.

incident response (IR)

An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.

incident candidates

Another term for adverse events

slow-onset disasters

Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects. Examples include droughts, famines, environmental degradation, desertification, deforestation, and pest infestation.

rapid-onset disasters

Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production. Examples include earthquakes, floods, storm winds, tornadoes, and mud flows.

digital forensics

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.

search warrant

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority.

affidavit

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in this document.

structured walk-through

The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through.

full-interruption testing

The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.

desk check

The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components.

simulation

The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.

business resumption planning (BRP)

The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.

business continuity planning (BCP)

The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.

CM planning (CMP)

The actions taken by senior management to develop and implement the CM policy, plan, and response teams.

disaster recovery planning (DRP)

The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams.

incident response planning (IRP)

The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.

contingency planning (CP)

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.

Work recovery time (WRT)

The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.

remote journaling

The backup of data to an off-site facility in close to real time based on transactions as they occur.

forensics

The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental.

BC plan

The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.

CM plan

The documented product of crisis management planning; a plan that shows the organization's intended efforts to protect its personnel and respond to safety threats.

disaster recovery plan (DR plan)

The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.

incident response plan (IR plan)

The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident.

contingency planning management team (CPMT)

The group of senior managers and project members organized to conduct and lead all CP efforts.

incident detection

The identification and classification of an adverse event as an incident, accompanied by the CSIRT's notification and the implementation of the IR reaction phase.

e-discovery

The identification and preservation of evidentiary material related to a specific legal action.

crisis management planning team

The individuals from various functional areas of the organization assigned to develop and implement the CM plan.

Recovery time objective (RTO)

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD.

apprehend and prosecute

The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing reoccurrence. Also known as "pursue and prosecute."

protect and forget

The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution. Also known as "patch and proceed."

Recovery point objective (RPO)

The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.

BC policy

The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.

CM policy

The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.

DR policy

The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.

EM policy

The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.

IR policy

The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams.

disaster classification

The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.

incident classification

The process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.

business continuity planning team

The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location.

disaster recovery planning team

The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster.

incident response planning team

The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents.

Maximum tolerable downtime (MTD)

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.