Chapter 14 Risk Analysis, Incident Response, and Contingency Planning


1. Quantitative risk analysis a) Advantages b) Disadvantages c) Exposure factor (EF) d) Single loss expectancy (SLE) e) Annual rate of occurrence (ARO) f) Annualized loss expectancy (ALE)

1. A risk analysis method in which the organization assigns real monetary values to its assets and to the cost of countermeasures and controls.
- The RA team must assign a dollar value to each of the organization's assets. Several factors shape that value, such as the cost of developing the asset and the ongoing cost of maintaining it each year.
- After the RA team determines the organization's vulnerabilities and threats, it determines the exposure factor for each threat, then the single loss expectancy (SLE), and then how many times a specific risk might occur during a 1-year time frame (the annual rate of occurrence, ARO).
a) Advantages:
- Provides an objective, monetary assessment of cost.
- Helps an organization understand both the cost of risk and the cost of controls.
- Allows management to directly compare the cost of recommended controls with their benefits.
b) Disadvantages:
- Very difficult to administer.
- An asset may have value that is hard to measure; it is especially hard to place a value on an asset that gives the organization its competitive edge.
c) The percentage of an asset's value that is likely to be lost if an identified threat is realized.
d) The amount of money the organization will lose each time a risk is realized. SLE = Asset value × Exposure factor.
e) How many times a threat is expected to affect the organization in a 1-year time frame. ARO is expressed as a number from zero (the threat will never occur) upward; a fraction means the threat is expected less than once a year (for example, 0.1 for once every 10 years). ARO is used to calculate ALE.
f) The loss the organization can expect each year because of a particular risk. ALE = SLE × ARO.
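The SLE and ALE figures only earn their keep when they are used to compare controls, which is the advantage the card lists. The Python below is an added worked example (not from the textbook): it computes SLE and ALE for a constructed asset and threat, then ranks candidate controls by net annual benefit (ALE before the control, minus ALE after it, minus the control's annual cost). The asset value, exposure factors, AROs and control costs are made-up illustration figures, and a fractional ARO is used to show a threat expected less than once a year.

```python
"""Quantitative risk analysis: SLE, ALE and control cost/benefit.

Added worked example; the asset, threat and control figures below are
constructed for illustration and are not from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # dollar value the RA team assigned to the asset
    exposure_factor: float  # fraction of asset value lost per occurrence (0.0-1.0)
    aro: float              # expected occurrences per year (may be < 1)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # purchase plus yearly upkeep, amortized per year (assumed)
    new_exposure_factor: float
    new_aro: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: loss suffered each time the risk is realized."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: expected yearly loss from the risk."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_net_benefit(threat: Threat, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual control cost.

    Positive: the control saves more than it costs. Negative: the organization
    would spend more on the control than the risk is expected to cost, which is
    exactly the comparison quantitative RA lets management make directly.
    """
    before = ale(threat.asset_value, threat.exposure_factor, threat.aro)
    after = ale(threat.asset_value, control.new_exposure_factor, control.new_aro)
    return before - after - control.annual_cost


def recommend(threat: Threat, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (control name, net annual benefit) for controls worth buying,
    best first. Controls with a non-positive benefit are left out."""
    scored = [(c.name, control_net_benefit(threat, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed scenario: a $2,000,000 customer database; a ransomware incident is
# assumed to destroy 25% of its value and to occur about once every 4 years.
DB_RANSOMWARE = Threat("ransomware on customer DB", 2_000_000, 0.25, 0.25)

CANDIDATE_CONTROLS = [
    # Offline, tested backups: same likelihood, but far less of the asset is lost.
    Control("offline backups", annual_cost=30_000, new_exposure_factor=0.05, new_aro=0.25),
    # EDR reduces how often the event succeeds; loss per event is unchanged.
    Control("EDR rollout", annual_cost=60_000, new_exposure_factor=0.25, new_aro=0.10),
    # An expensive control that barely moves the numbers: not worth buying.
    Control("gold-plated appliance", annual_cost=150_000, new_exposure_factor=0.24, new_aro=0.24),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(DB_RANSOMWARE.asset_value, DB_RANSOMWARE.exposure_factor):,.0f}")
    print(f"ALE = ${ale(DB_RANSOMWARE.asset_value, DB_RANSOMWARE.exposure_factor, DB_RANSOMWARE.aro):,.0f}")
    for name, benefit in recommend(DB_RANSOMWARE, CANDIDATE_CONTROLS):
        print(f"{name}: net annual benefit ${benefit:,.0f}")
```

With these figures the SLE is $500,000 and the ALE $125,000 a year; offline backups come out ahead of the EDR rollout, and the "gold-plated appliance" is dropped because its cost exceeds the loss it would prevent. The same arithmetic also exposes the disadvantage on the card: every result depends on the asset value and exposure factor the team was able to estimate.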

1. Risk management process 2. Incident response (IR) planning 3. Disaster recovery (DR) planning 4. Business continuity (BC) planning 5. Risk management (RM)

1. Helps an organization understand the risks, vulnerabilities, and threats that it faces each day, understand its security posture, and know where to strengthen that posture. Risk management and contingency planning are both used to protect IT resources.
2. A type of contingency planning that an organization uses to react to attacks against its IT infrastructure.
3. Plans that address the recovery of an organization's information technology systems in the event of a disaster.
4. Plans that address the recovery of an organization's business processes and functions in the event of a disaster. BC plans tend to be comprehensive business plans for returning the organization to normal operating conditions.
5. Helps an organization identify the risks it faces and respond to them in a cost-effective manner. One of RM's main goals is to protect the organization's bottom line: it aligns information security practices with business goals, makes sure that limited resources are spent wisely and in ways that enhance those goals, and is used to plan and prioritize information security activities.

1. Incident response planning a) Incident response (IR) b) Incident handling 2. IR describes how an organization: a) Incident b) IR planning team c) IR policy d) The five basic parts of most IR plans 3. Roles involved in IR 4. U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency Readiness Team (US-CERT) a) NCCIC/US-CERT incident categories 5. How an organization might classify incident severity 6. What the incident handlers and the IR planning team can learn by reviewing the incident documentation

1. A contingency plan that helps an organization respond to attacks against its information technology infrastructure.
a) A reactive term that describes how an organization responds to an incident.
b) A proactive term that describes how an organization manages an incident.
2. IR describes how an organization:
- Detects information security incidents
- Determines the cause of the incident
- Mitigates the damage caused by the incident
- Recovers from the incident
a) Any event involving the organization's equipment, data, or other resources that adversely affects the confidentiality, integrity, and/or availability of the organization's data and IT systems. An adverse event with no such effect does not meet the definition of an incident.
b) Responsible for creating the organization's IR policy and plan.
- Includes many information security team members and IT representatives, plus advisors from several departments across the organization: physical security, HR, internal audit, and legal counsel to address legal or regulatory issues.
- Drafts the initial IR policy and creates the plans that define the organization's IR structure. These policies are specific to the organization's structure and culture.
- Makes sure that procedures are in place to help all of these departments work together.
c) A statement of executive management's commitment to the IR process. It can also state how the effectiveness of the IR process is measured.
d) Five phases:
i) Incident triage: the first phase. A potential incident is initially assessed, and the primary handler verifies whether the adverse event meets the definition of an incident. The primary handler is the person in charge of coordinating the organization's response to an information security incident, often a member of the information security team.
ii) Investigation: the second phase. The incident handlers learn about the incident, its source, and the impact it is having on the organization. They must find all affected resources and contact other areas as needed to understand the full scope; the IR policy and plan tell them whom to contact.
iii) Containment or mitigation
iv) Recovery
v) Review
3. Roles:
i) Victim: the person or resources targeted in an incident, often the organization itself and its IT resources and data.
ii) Attacker: the person or mechanism that caused the incident.
iii) Incident reporter: the first person or mechanism that reports an incident. An automated intrusion detection system (IDS) can be an incident reporter, as can a person who notices something unusual and reports it.
iv) Primary handler: the person in charge of coordinating the response to a particular incident and responsible for making sure that the IR process is documented. Often a member of the information security department.
v) Secondary handlers: the personnel involved in investigating, responding to, and recovering from an incident: technicians, analysts, and operational staff, and where needed legal counsel and the organization's internal auditors.
4. The federal government's IR center. It uses IR categories based on NIST guidance.
a) Category 1: Unauthorized Access: technical or physical access to an IT system without permission. An agency must report these incidents even if data is not compromised.
Category 2: Denial of Service (DoS): any event that prevents the normal operation of IT resources such that use of those resources is harmed.
Category 3: Malicious Code: any event in which malicious code is used to successfully infect, breach, or compromise IT resources, including viruses, worms, and Trojan horses.
Category 4: Improper Use: any event that violates the agency's acceptable use policy (AUP) or other related policies.
Category 5: Scans, Probes, and Attempted Access: any event in which an IT resource is scanned or probed in an attempt to access or identify the agency's IT systems.
Category 6: Investigation: unusual events that do not fall into one of the other categories and require more review because they are odd or potentially harmful.
(This numbered category scheme has since been retired; US-CERT's later Federal Incident Notification Guidelines classify incidents by attack vector and impact instead.)
5. Low: the adverse effect on the confidentiality, integrity, or availability of the organization's data or IT resources is limited; a low-impact event causes little or no damage. Medium: the adverse effect is moderate; a medium-impact event results in significant damage to assets. High: the adverse effect is severe; a high-impact event results in major damage to assets.
6. During the review stage, the documentation shows:
- The dollar amount spent handling the incident
- The dollar amount spent to prevent similar incidents in the future
- The staff time lost in handling the incident
- How the response compares with responses to similar incidents in the past
- Recommended policy and procedural changes based on lessons learned from the incident
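Triage turns on the incident definition above: an adverse event is an incident only if it affects confidentiality, integrity, or availability. The Python below is an added example (not from the textbook) that plays two of the roles on this card. A small detector acts as the automated incident reporter over constructed SSH authentication log lines, and a triage step decides whether each reported event meets the incident definition, then assigns a US-CERT-style category and a severity. The log lines, host name, IP addresses and the five-failure threshold are all constructed for illustration.

```python
"""Incident reporter and triage over constructed SSH auth log lines.

Added example, not from the textbook. The log lines, hosts, addresses and
the failure threshold are constructed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sshd-style lines (not real logs).
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 14 02:11:05 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar 14 02:11:07 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar 14 02:11:09 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar 14 02:11:11 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 14 02:11:14 web01 sshd[4013]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Mar 14 02:20:41 web01 sshd[4090]: Failed password for invalid user test from 198.51.100.22 port 40001 ssh2
Mar 14 02:20:43 web01 sshd[4090]: Failed password for invalid user oracle from 198.51.100.22 port 40002 ssh2
Mar 14 02:20:45 web01 sshd[4090]: Failed password for invalid user guest from 198.51.100.22 port 40003 ssh2
Mar 14 02:20:47 web01 sshd[4090]: Failed password for invalid user pi from 198.51.100.22 port 40004 ssh2
Mar 14 02:20:49 web01 sshd[4090]: Failed password for invalid user ubnt from 198.51.100.22 port 40005 ssh2
Mar 14 03:02:10 web01 sshd[4211]: Accepted publickey for deploy from 192.0.2.15 port 60010 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

FAILURE_THRESHOLD = 5  # assumption: 5+ failures from one source = brute-force attempt


@dataclass
class ReportedEvent:
    source: str
    failures: int
    succeeded_as: list[str] = field(default_factory=list)


@dataclass(frozen=True)
class TriageResult:
    source: str
    is_incident: bool
    category: str
    severity: str
    rationale: str


def detect(log_text: str) -> list[ReportedEvent]:
    """The incident reporter: count auth failures per source address and
    report every source that crossed the threshold."""
    failures = defaultdict(int)
    successes_after_failure = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
        elif failures[src] > 0:
            # A success that follows failures from the same source.
            successes_after_failure[src].append(user)
    return [
        ReportedEvent(src, n, successes_after_failure[src])
        for src, n in failures.items()
        if n >= FAILURE_THRESHOLD
    ]


def triage(event: ReportedEvent) -> TriageResult:
    """First IR phase: does the adverse event meet the incident definition
    (an adverse effect on confidentiality, integrity or availability)?"""
    if event.succeeded_as:
        # Access was obtained, so confidentiality and integrity are affected.
        return TriageResult(
            event.source, True, "Category 1: Unauthorized Access", "High",
            f"{event.failures} failed logins, then success as "
            f"{', '.join(event.succeeded_as)}",
        )
    # Failures only: no CIA effect shown, so under the textbook definition this
    # stays an event for the handler to review, logged as a probe (Category 5).
    return TriageResult(
        event.source, False, "Category 5: Scans, Probes, and Attempted Access", "Low",
        f"{event.failures} failed logins, no successful access",
    )


def run(log_text: str) -> list[TriageResult]:
    return [triage(e) for e in detect(log_text)]


if __name__ == "__main__":
    for r in run(SAMPLE_LOG):
        flag = "INCIDENT" if r.is_incident else "event"
        print(f"{r.source}: {flag} / {r.category} / {r.severity} ({r.rationale})")
```

On the sample, 203.0.113.7 is reported as a high-severity unauthorized-access incident because the brute force ended in an accepted root login, while 198.51.100.22 produced the same number of failures but no access and so is recorded as a probe rather than an incident. The third source never failed and is not reported at all; the reporter only surfaces events, and triage decides what they are.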

1. Qualitative risk analysis 2. Quantitative risk analysis

1. A risk analysis method that uses scenarios and rating systems to estimate risk and potential harm. Unlike quantitative risk analysis, qualitative risk analysis does not attempt to assign monetary values to assets and risk. 2. A risk analysis method that uses real monetary costs and values to determine the potential financial impact of threats and vulnerabilities.

1. Disaster recovery (DR) and business continuity (BC) planning a) Disaster b) Incident 2. DR/BC team a) Goals of an organization's overall DR/BC plan b) Steps in the DR/BC planning process 3. Business impact analysis (BIA) a) To complete a BIA, the DR/BC team must: b) Maximum tolerable downtime (MTD)/maximum acceptable outage (MAO) 4. Common preventive controls an organization can implement 5. An organization must prepare recovery strategies for its: 6. Objectives of contingency plan testing 7. The five ways to test DR/BC plans: a) Checklist test b) Walk-through (tabletop) test c) Simulation test d) Parallel test e) Full interruption test

1. Plans that help an organization respond to a disaster.
a) A sudden, unplanned event that severely affects the organization's infrastructure and interrupts its critical business functions for an unknown period. Disasters stem from natural threats (uncontrollable events such as earthquakes, fires, and floods) and from deliberate, human-made threats such as sabotage and terrorist activity.
b) In the DR/BC context, service failures that affect the confidentiality, integrity, and/or availability of the organization's data and IT systems.
2. Responsible for creating an organization's DR/BC policy and plans. This team must include members from many areas of the organization.
a) Goals of the overall DR/BC plan:
- Ensure that the organization's employees are safe.
- Minimize the organization's losses.
- Recover critical business systems and infrastructure within a certain period.
- Resume critical business operations within a certain period.
- Repair or replace damaged facilities.
- Return to normal operations.
b) Steps in the DR/BC planning process:
- Develop the DR/BC policy.
- Conduct a business impact analysis.
- Identify threats and potential controls.
- Determine the recovery strategy.
- Design and maintain the plan.
3. A process that identifies key business operations, the resources used to support them, and the maximum tolerable downtime for critical business functions. The DR/BC team uses the BIA to estimate how long critical operations and resources can be offline before the organization's entire business is negatively affected.
a) To complete a BIA, the DR/BC team must:
i) Identify critical business processes.
ii) Identify the IT resources that support those processes, including the organization's communications infrastructure.
iii) Determine how long IT resources can be offline: the effect on the business if a resource is disrupted or damaged and a critical process cannot run.
iv) Determine recovery criticality: prioritize how the organization will restore IT resources and business processes following a disaster.
b) The amount of time that critical business processes and resources can be offline before the organization begins to experience irreparable business harm.
4. Common preventive controls:
- Fire detection and suppression systems
- Backup generators or uninterruptible power supplies
- Offsite storage of system backup media
- Frequent backups of critical data
- Spare equipment inventories for critical IT resources
5. Recovery strategies are needed for:
a) Critical business processes: the organization must understand every workflow step needed to complete each process, and the resources and supplies that support it.
b) Facilities and supplies: a plan to restore the main facility and the utilities (telecommunications and electrical infrastructure) that support it.
c) Employee environment: ways to communicate with employees during a disaster, and plans for managing employee responsibilities until normal operations resume.
d) IT operations: making sure that the infrastructure components needed to resume business are in place.
e) Data recovery: a way to recover data and operational information, retrieve data from offsite storage facilities, and retrieve paper-based information from the main facility.
6. Objectives of contingency plan testing:
- Help employees become familiar with and accept the DR/BC plan.
- Train employees how to respond during an emergency.
- Identify weaknesses or deficiencies within the plan.
- Make sure that all checklists and procedures needed to implement the plan exist and are in place.
- Make sure that all resources and supplies needed to implement the plan are in place and operational.
- Make sure that all communications mechanisms work properly.
- Make sure that all DR/BC teams are able to work well together.
7. Five types of DR/BC tests, from least to most disruptive:
a) Checklist test: the most basic type. The DR/BC team confirms that the supplies and inventory items needed to execute the plan are in place, that sufficient supplies are stored at backup facilities, and that the organization has enough reference copies of the plan, all with current information.
b) Walk-through (tabletop) test: often used together with a checklist test. The team walks through the entire plan, studying each area to confirm that its assumptions and tasks are correct. This also makes the people responsible for executing the plan very familiar with it.
c) Simulation test: the organization role-plays a disaster scenario. It is designed to measure the effectiveness of employee notification procedures; depending on scope, it may also measure how fast the backup site can be set up and how fast vendors can provide additional equipment.
d) Parallel test: tests the organization's IT recovery processes. The organization brings its backup site online and uses historical business data to test how those systems operate, covering both data processing and data recovery. Normal business operations continue at the main facility throughout the test.
e) Full interruption test: tests the entire DR/BC plan using a scenario that destroys or severely damages the main facility. Normal operations at the main site stop, and all business and IT functions are transferred to the backup site using the processes stated in the plan. It is the most expensive kind of contingency plan test, and if the organization cannot resume operations at the backup site, the test itself can create a disaster.

1. Public relations (PR) a) A PR strategy for emergencies must consider:

1. A marketing field that manages an organization's public image. It includes marketing the organization's products and services, protecting the organization's reputation and image, and responding to crises that threaten that image. An organization's PR team develops its communication strategies.
a) A PR strategy for emergencies must consider:
- Who is authorized to make comments on the organization's behalf?
- Who is authorized to approve the contents of comments shared with the public?
- How often should information be shared with the public?
- How should information be shared with the public?
- How should information be shared if normal communications methods are unavailable in an emergency?

1. Risk Response 2. Executive management can use several approaches to respond to risk. They are: a) Risk avoidance b) Risk mitigation c) Risk transfer d) Risk acceptance

1. The actions taken by executive management to reduce risk to an acceptable level.
2a) Risk avoidance: the organization applies controls or takes other action to completely avoid a particular risk, removing all risk caused by a particular vulnerability or threat. For example, executive management could decide that the risks posed by a function in an IT system outweigh the benefit of that function and instruct system owners to disable it; the risk caused by that function is completely eliminated.
b) Risk mitigation: the organization applies controls or takes other action to reduce a particular risk. This does not eliminate all harm the risk could cause; it reduces the risk to an acceptable level, and the risk left over is called residual risk. For example, executive management could decide that the risks posed by a function in an IT system could be lessened if access to it were limited, and use access controls to restrict that function to a few trusted employees; the risk is reduced because fewer people have access to it.
c) Risk transfer: the organization takes no action against a particular risk itself. Instead, it passes the risk to another entity that bears the risk of loss, usually an insurance company. It can purchase a cyberliability insurance policy to insure against specific risks, for example losses because of unauthorized access to IT systems; these types of policies are called technology errors and omissions policies.
d) Risk acceptance: the organization takes no action against the potential risk and makes an intentional decision to do nothing. Executive management may choose this strategy if the cost of the risk is less than the cost to avoid, mitigate, or transfer it.

1. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule

1. Requires covered financial institutions to conduct risk assessments (RAs) to identify risks to customer information as part of their information security program. Covered financial institutions must apply controls to respond to identified risks, assess their current controls to make sure that they are effective, and review their information security programs on a regular basis.

1. Qualitative risk analysis a) Advantages b) Disadvantages 2. Categories an RA team might use to rate risk exposure (likelihood): a) Low b) Medium c) High 3. Categories an RA team might use to rate risk impact: a) Low b) Medium c) High

1. Uses scenarios and rating systems to estimate risk and potential harm. Qualitative risk analysis does not assign monetary values to assets and risk; instead, it uses descriptive categories to express asset criticality, risk exposure (likelihood), and risk impact.
a) Advantages:
- Relatively easy to use.
- Does not require RA team members to have specialized financial knowledge.
- Does not require them to work out the costs of assets, controls, and potential harm.
b) Disadvantages:
- Very subjective: the opinions of RA team members can heavily influence the results.
- Gives the organization no way to determine how much money to spend on controls.
- Gives it no way of knowing whether it is spending too much on a control relative to the actual loss it could suffer from a realized risk.
2a) Low: events that are unlikely to happen within a year.
b) Medium: events that are somewhat likely to happen within a year.
c) High: events that are likely to happen within a year.
3a) Low: a realized risk will have little or no effect on the organization. It will experience light disruption to its business processes, incur only low costs for lost productivity and data, and suffer no reputational loss.
b) Medium: a realized risk will have a moderate effect. The organization may experience moderate disruption to its business processes, moderate costs for lost productivity and data, and a moderate reputational loss.
c) High: a realized risk will have a severe effect. The organization may experience severe disruption to its business processes, high costs for lost productivity and data, and significant reputational loss.

1. The most basic RM process includes the following steps: a) Risk assessment b) Risk response c) Employee training d) Continuous monitoring 2. Risk assessment (RA) a) Realized risk b) Residual risk c) The basic steps in a risk assessment 3. Risk assessment team (RA team) 4. Many laws have RA components; the Federal Information Security Modernization Act (FISMA) and the Sarbanes-Oxley Act (SOX) are two of them.

1a) Identify the threats and vulnerabilities to the organization's IT resources and determine their impact.
b) Use policies and controls to respond to risk. An organization responds to risk according to its business strategy.
c) Train employees on known threats and vulnerabilities. Training can help avoid risk.
d) Monitor the organization's policies and controls for continued effectiveness, and update those that are not effective.
2. Identifies the threats and vulnerabilities to IT resources and estimates the probability that those threats will actually occur.
a) The loss an organization suffers when a potential threat actually occurs.
b) The amount of risk left over after safeguards lessen a vulnerability or threat.
c) The basic steps:
- Inventory the assets included in the assessment
- Identify threats and vulnerabilities to those assets
- Categorize the likelihood of occurrence and the potential loss
- Document where controls are needed
3. Must include people in several different roles throughout the organization.

1. Three main types of Contingency plans are:

1a) Incident response (IR) plans b) Disaster recovery (DR) plans c) Business continuity (BC) plans

1. RA team members should include: a)Business personnel b) IT personnel c) Information security managers d) Human resources personnel e) Executive management 2. Conflict of interest 3. Assets to be considered by RA team during inventory:

1a) Business personnel are responsible for business process operations. They know the steps that must be completed in each business process and can describe how they use IT systems to accomplish their job duties.
b) IT personnel run the organization's various IT systems; this group might also include the IT system owner. They understand how their IT systems work, are responsible for maintaining those resources, and would be responsible for implementing any changes to them.
c) Information security managers run the organization's information security program. They know the information security threats and vulnerabilities and how they can be mitigated.
d) Human resources personnel understand how to deal with people issues. They can advise on how to address human-based threats and vulnerabilities and can assist with awareness training after the RA is complete.
e) Executive management makes sure that the RA team has the support and resources it needs to complete the assessment. They can hold business units accountable for participating and make sure that the RA remains properly scoped to its original goal.
2. Any situation where a person's private interests and professional obligations collide.
3. Assets to inventory:
- Personnel
- Data
- Hardware and software
- Physical facilities
- Business process workflows
- Current controls that help safeguard any of these assets

1. Backup Site Options: a) mirrored site b) hot site c) warm site d) cold site

1a) Mirrored site: a fully operational, redundant facility that actively runs the organization's IT processes in parallel with the main facility and is already staffed with the organization's employees, so all IT operations can be transferred to it immediately. It is the most expensive type of backup site to maintain and supports high availability; it is appropriate for organizations with a low maximum tolerable downtime (MTD, also called maximum acceptable outage, MAO) for critical processes.
b) Hot site: an operational backup site with all of the equipment and infrastructure the organization needs to continue business operations, fully compatible with the main facility. It can become operational within minutes to hours after a disaster, but it is not staffed and does not process data in parallel with the main facility, so the organization must bring its data backups to it. Expensive to maintain; it may be the best choice for an organization that can afford some, but not a lot, of downtime.
c) Warm site: a compromise between a hot site and a cold site. Space that contains some, but not all, of the equipment the organization will need to continue operations, partially prepared in that it has electricity and network connectivity. More expensive than a cold site.
d) Cold site: little more than reserved space, and the least expensive type of backup site. No equipment or hardware is set up; it will have electrical service but most likely no network connectivity. The organization must acquire equipment and infrastructure to make the site operational, which can take weeks.
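The backup site options above are only meaningful against the maximum tolerable downtime values the BIA produces (DR/BC card, items 3 and 3b). The Python below is an added example (not from the textbook) that connects the two: it orders processes by recovery criticality and, for each process and for the organization as a whole, picks the cheapest site option that can be operational within the MTD. The page gives "immediate" for a mirrored site, "minutes to hours" for a hot site and "weeks" for a cold site; the specific hours used here, the warm-site figure, all costs, and the process list are assumptions for illustration. The `None` branch shows the gap a DR/BC team must resolve when no option meets an MTD.

```python
"""Matching backup-site options to BIA results.

Added example, not from the textbook. Recovery times and annual costs are
assumed illustration figures; only their ordering (mirrored < hot < warm <
cold in time to operational, the reverse in cost) comes from the page.
"""
from dataclasses import dataclass

HOUR = 1
DAY = 24 * HOUR
WEEK = 7 * DAY


@dataclass(frozen=True)
class SiteOption:
    name: str
    time_to_operational_hours: float  # how long before the site can run the processes
    annual_cost: float                # assumed, for comparison only


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    mtd_hours: float   # maximum tolerable downtime from the BIA
    criticality: int   # recovery priority from the BIA, 1 = restore first


SITE_OPTIONS = [
    SiteOption("mirrored site", 0.0, 1_200_000),
    SiteOption("hot site", 4 * HOUR, 500_000),
    SiteOption("warm site", 3 * DAY, 150_000),
    SiteOption("cold site", 3 * WEEK, 40_000),
]

# Constructed BIA output.
PROCESSES = [
    BusinessProcess("payment processing", mtd_hours=2 * HOUR, criticality=1),
    BusinessProcess("order fulfilment", mtd_hours=2 * DAY, criticality=2),
    BusinessProcess("payroll", mtd_hours=1 * WEEK, criticality=3),
    BusinessProcess("marketing analytics", mtd_hours=6 * WEEK, criticality=4),
]


def recovery_order(processes):
    """Recovery criticality: restore the most critical, shortest-MTD processes first."""
    return sorted(processes, key=lambda p: (p.criticality, p.mtd_hours))


def cheapest_site_meeting(mtd_hours, options=SITE_OPTIONS):
    """Cheapest option that can be operational within the MTD, or None if even
    the fastest option is too slow: a gap the DR/BC team must close some other
    way (redesign the process, add preventive controls, or accept the risk)."""
    fitting = [o for o in options if o.time_to_operational_hours <= mtd_hours]
    return min(fitting, key=lambda o: o.annual_cost) if fitting else None


def site_plan(processes, options=SITE_OPTIONS):
    """Map each process to the cheapest site meeting its MTD.

    A single site for the whole organization has to satisfy the *shortest*
    MTD, which is why the 'everything' entry is normally the costliest choice
    and why organizations often split processes across site types.
    """
    plan = {p.name: cheapest_site_meeting(p.mtd_hours, options) for p in processes}
    plan["everything"] = cheapest_site_meeting(min(p.mtd_hours for p in processes), options)
    return plan


if __name__ == "__main__":
    for p in recovery_order(PROCESSES):
        print(f"{p.criticality}. {p.name} (MTD {p.mtd_hours:g} h)")
    for name, site in site_plan(PROCESSES).items():
        print(f"{name}: {site.name if site else 'NO OPTION MEETS MTD'}")
```

With these assumed figures, payment processing needs the mirrored site, order fulfilment fits a hot site, payroll a warm site and marketing analytics a cold site, while a single site for everything is forced to the mirrored option by the two-hour MTD. Dropping the mirrored option from the list makes the two-hour process return `None`, which is the case the BIA exists to surface before a disaster does.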

1a) Vulnerability b) Exploit c) Zero-day exploit d) Kinds of vulnerabilities e) Threat f) Risk

1a) A weakness or flaw in an IT system.
b) A successful attack against a vulnerability.
c) An exploit that attacks a vulnerability so soon after it is discovered that no patch or fix is yet available.
d) Vulnerabilities fall into four broad categories: people, process, facility, and technology vulnerabilities.
e) Anything that can cause harm to an information system. A threat can be a person or a circumstance, and it can be deliberate or accidental. Threats also fall into four broad categories: human; natural; technology and operational; and physical and environmental.
f) The likelihood that a threat will exploit a vulnerability and cause harm. Likelihood and potential loss can each be stated as either a qualitative or a quantitative measure.

