ISA3300 chapter 10
remote journaling differs from electronic vaulting in two ways:
(1) Only transactions are transferred, not archived data; and (2) the transfer takes place online and in much closer to real time.
CPMT conducts the BIA in three stages
1. Determine mission/business processes and recovery criticality. 2. Identify resource requirements. 3. Identify recovery priorities for system resources
Once formed, the contingency planning management team (CPMT) begins developing a CP document, for which NIST recommends using the following steps:
1. Develop the CP policy statement. 2. Conduct the BIA. T. 3. Identify preventive controls. 4. Create contingency strategies. 5. Develop a contingency plan. 6. Ensure plan testing, training, and exercises. 7. Ensure plan maintenance.
the CP team creates three sets of incident-handling procedures:
1. During the Incident—The planners develop and document the procedures that must be performed during the incident. 2. After the Incident—Once the procedures for handling an incident are drafted, the plan- ners develop and document the procedures that must be performed immediately after the incident has ceased. 3. Before the Incident—The planners draft a third set of procedures, those tasks that must be performed to prepare for the incident.
eight-step DR process.
1. Organize the DR Team 2. Develop the DR Planning Policy Statement 3. Review the BIA 4. Identify Preventive Controls 5. Create DR Strategies 6. Develop the DR Plan Document 7. Ensure DR Plan Testing, Training, and Exercises.
When undertaking the BIA, the organization should consider the following:
1. Scope 2. Plan 3. Balance 4. Objective 5. Follow-Up
e-discovery
: The identification and preservation of evidentiary material related to a specific legal action.
electronic vaulting:
A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.
database shadowing:
A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
Project Manager—
A champion provides the strategic vision and the linkage to the power structure of the organization but does not manage the project. A project manager—possibly a mid-level operations manager or even the CISO— leads the project, putting in place a sound project planning process, guiding the development of a complete and useful project, and prudently managing resources.
timeshare:
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A timeshare allows the organization to have a BC option while reducing its overall costs.
service bureau:
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
mutual agreement:
A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
rolling mobile site:
A continuity strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.
digital malfeasance:
A crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.
alert message:
A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process
after-action review:
A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.
alert roster:
A document that contains contact information for personnel to be notified in the event of an incident or disaster.
warm site:
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations.
cold site:
A facility that provides only rudimentary services, with no computer hardware or peripherals. Cold sites are used for BC operations.
talk-through:
A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
hot site:
A fully configured computing facility that includes all services, communications links, and physical plant operations. Hot sites are used for BC operations.
business process:
A task performed by an organization or one of its units in support of the organization's overall mission.
evidentiary material (EM):
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect.
computer security incident response team (CSIRT):
An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident. The CSIRT may include members of the IRPT.
incident:
An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization.
adverse event AKA incident candidate:
An event with negative consequences that could threaten the organization's information assets or operations.
business continuity (BC):
An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site. The organization temporarily establishes critical operations at an alternate site until it can resume operations at the primary site or select and occupy a new primary site.
crisis management (CM):
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
disaster recovery (DR):
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
incident response (IR):
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident.
Champion—
As with any strategic function, the CP project must have a high-level manager to support, promote, and endorse the findings of the project. This cham- pion could be the COO or (ideally) the CEO/president.
Contingency Planning consists of four major components:
Business impact analysis (BIA) Incident response plan (IR plan) Disaster recovery plan (DR plan) Business continuity plan (BC plan)
incident response procedures (IR procedures):
Detailed, step-by-step methods of preparing, detecting, reacting to, and recovering from an incident.
Incident response actions can be organized into three basic phases:
Detection Reaction Recovery
slow-onset disasters:
Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects. Examples include droughts, famines, environmental degradation, desertification, deforestation, and pest infestation.
rapid-onset disasters:
Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production. Examples include earthquakes, floods, storm winds, tornadoes, and mud flows.
digital forensics:
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.
search warrant:
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority.
When organizations consider recovery criticality, key recovery measures are usually described in terms of how much of the asset they must recover within a specified time frame. The terms most commonly used to describe this value are:
Recovery time objective (RTO) Recovery point objective (RPO) Maximum tolerable downtime (MTD) Work recovery time (WRT)
affidavit:
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in this document.
structured walk-through:
The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event. A walk-through can also be conducted as a conference room talk-through.
full-interruption testing:
The CP testing strategy in which all team members follow each IR/DR/ BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals.
desk check: .
The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components
simulation:
The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
DR planning team (DRPT)
The DRPT in turn organizes and prepares the DR response teams (DRRTs) to actually implement the DR plan in the event of a disaster
business resumption planning (BRP):
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
business continuity planning (BCP):
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
crisis management planning (CMP):
The actions taken by senior management to develop and implement the CM policy, plan, and response teams.
disaster recovery planning (DRP):
The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams.
incident response planning (IRP):
The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.
contingency planning (CP):
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
work recovery time (WRT):
The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.
remote journaling:
The backup of data to an off-site facility in close to real time based on transactions as they occur.
forensics:
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental.
business continuity plan (BC plan):
The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.
crisis management plan (CM plan):
The documented product of crisis management planning; a plan that shows the organization's intended efforts to protect its personnel and respond to safety threats.
disaster recovery plan (DR plan):
The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.
incident response plan (IR plan):
The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident.
contingency planning management team (CPMT):
The group of senior managers and project members organized to conduct and lead all CP efforts.
incident detection:
The identification and classification of an adverse event as an incident, accompanied by the CSIRT's notification and the implementation of the IR reaction phase.
crisis management planning team (CMPT):
The individuals from various functional areas of the organization assigned to develop and implement the CM plan.
recovery time objective (RTO):
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD.
apprehend and prosecute AKA "pursue and prosecute":
The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing reoccurrence.
protect and forget AKA "patch and proceed":
The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution.
recovery point objective (RPO):
The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
business continuity policy (BC policy):
The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.
crisis management policy (CM policy):
The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams
disaster recovery policy (DR policy):
The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.
evidentiary material policy (EM policy):
The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.
incident response policy (IR policy):
The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams.
disaster classification:
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
incident classification:
The process of examining an adverse event or incident candidate and determining whether it constitutes an actual incident.
Team Members—
The team members should be the managers or their representa- tives from the various communities of interest: business, IT, and InfoSec.
business continuity planning team (BCPT):
The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location.
disaster recovery planning team (DRPT): .
The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster
incident response planning team (IRPT):
The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents.
maximum tolerable downtime (MTD):
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
CPMT—
This team collects information about the organization and about the threats it faces, conducts the BIA, and then coordinates the development of contingency plans for incident response, disaster recovery, and business continuity.
An organization has several options for protecting its information and getting operations up and running quickly after an incident:
Traditional Data Backups—The organization can use a combination of on-site and off-site tape-drive or hard-drive backup methods, in a variety of rotation schemes Electronic Vaulting—The organization can employ bulk batch-transfer of data to an off-site facility; transfer is usually conducted via leased lines or secure Internet connections. Remote Journaling—The organization can transfer live transactions to an off-site facility; Database Shadowing—The organization can store duplicate online transaction data, along with duplicate databases, at the remote site on a redundant server;
the CSIRT is
a subset of the IR team and is composed of technical and managerial IT and InfoSec professionals prepared to diagnose and respond to an incident. consists of professionals who are capable of handling the information systems and functional areas affected by an incident.
The first major BIA task is the
analysis and prioritization of business processes within the organization, based on their relationship to the organization's mission.
Once the organization has created a prioritized list of its mission/business processes, it needs to
determine what resources would be required in order to recover those processes and the assets associated with them.
As soon as an incident has been confirmed and the notifi- cation process is under way, the team should begin to
document it. The documentation should record the who, what, when, where, why, and how of each action taken while the incident is occurring.
A BIA questionnaire is an
instrument used to collect relevant business impact information for the required analysis. It is useful as a tool for identifying and collecting information about business functions for the analysis just described. It can also be used to allow func- tional managers to directly enter information about the business processes within their area of control, their impacts on the business, and dependencies that exist for the functions from specific resources and outside service providers.
Industry recommendations for data backups include the "3-2-1 rule," which encourages
maintaining three copies of important data (the original and two backup copies) on at least two different media (like hard drives and tape backups), with at least one copy stored off-site.
A weighted table analysis (WTA), sometimes called a weighted factor analysis, can be useful in
resolving the issue of what business function is the most critical. The CPMT can use this tool by first identifying the characteristics of each business function that matter most to the organization—the criteria.
One of the most critical components of IR is
stopping the incident and containing its scope or impact.
business impact analysis (BIA):
the first phase of the CP process. An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and its recovery priorities.
WRT
typically involves the addition of nontechnical tasks required for the organization to make the information asset usable again for its intended business function.
The following types of incident candidates are considered probable indicators of actual incidents:
• Activities at Unexpected Times . • Presence of New Accounts • Reported Attacks • Notification from IDPS
Typical containment strategies include the following:
• Disabling compromised user accounts • Reconfiguring a firewall to block the problem traffic •Temporarily disabling the compromised process or service •Taking down the conduit application or server—for example, the e-mail server •Disconnecting the affected network or network segment •Stopping (powering down) all computers and network devices
adverse event is classified as an InfoSec incident, but only if it has all of the following characteristics:
• It is directed against information assets. • It has a realistic chance of success. • It threatens the confidentiality, integrity, or availability of information resources and assets.
Potential Incident Results
• Loss of Availability • Loss of Integrity • Loss of Confidentiality • Violation of Policy • Violation of Law or Regulation
the IR plan should include the fol- lowing elements:
• Mission • Strategies and goals • Senior management approval • Organizational approach to incident response • How the incident response team will communicate with the rest of the organization and with other organizations • Metrics for measuring incident response capability and its effectiveness • Roadmap for maturing incident response capability • How the program fits into the overall organization
The following types of incident candidates are considered possible indicators of actual incidents:
• Presence of Unfamiliar Files— • Presence or Execution of Unknown Programs or Processes • Unusual Consumption of Computing Resources • Unusual System Crashes
DR policy contains the following key elements:
• Purpose • Scope • Roles and Responsibilities • Resource Requirement • Training Requirements • Exercise and Testing Schedules • Plan Maintenance Schedule • Special Considerations
key components of a typical IR policy
• Statement of management commitment • Purpose and objectives of the policy • Scope of the policy • Definition of InfoSec incidents and related terms • Organizational structure and definition of roles, responsibilities, and levels of authority; • Prioritization or severity ratings of incidents • Performance measures • Reporting and contact forms1
The following five types of incident candidates are definite indica- tors of an actual incident.
• Use of Dormant Accounts • Changes to Logs • Presence of Hacker Tools • Notifications by Partner or Peer • Notification by Hacker