MIS515 - Week 4 - Continuity Planning
Why is business unit analysis important in a BIA process?
Helps planners identify and prioritize critical unit functions
Match the following continuity site strategies with their respective descriptions
Hot site = fully configured computer facility with all services
Warm site = functional site but without applications and not kept fully prepared
Cold site = rudimentary services and facilities
Mutual Agreement = contract of assistance between two organizations
Service Bureau = agency that provides physical facilities
Which of the following are major contingency planning areas of consideration
IRP DRP BCP
Virtualization reduces complexity and downtime by allowing complete virtual servers to be moved from one physical server to another (both running a virtualized environment) for system maintenance or prior to system failure.
TRUE
Virtualized servers can be easily backed up to remote virtual installations because the virtual server is encapsulated in its own snapshot or save-set profile.
TRUE
Place the steps of the contingency planning process in the correct order
1. Develop Contingency Plan Policy
2. Create Business Impact Analysis
3. Identify Preventive Controls
4. Develop Recovery Strategies
5. Develop Contingency Plans
6. Plan Testing, Training & Exercises
7. Plan Maintenance
Place the following planning events in their most proper order.
1. Organizational Strategy
2. Information Technology Strategy
3. Information Security Strategy
4. Information Security Tactical Planning
5. Information Security Operational Planning
Place the following information security program life cycles in their proper order
1. Plan & Organize
2. Implement
3. Operate & Manage
4. Monitor & Evaluate
Place the BIA tasks in proper order
1. Threat/Attack identification and prioritization
2. Business Unit Analysis
3. Attack scenario development
4. Potential damage assessment
5. Subordinate plan classification
When a threat becomes a valid attack, it is classified as an information incident if:
- It is directed against information assets
- It threatens the confidentiality, integrity or availability of information assets
- It has a realistic chance of success
Many organizations are moving to virtualized infrastructures because (select all that apply)
- It reduces physical server counts
- It reduces power & HVAC
- It reduces downtimes
Oreck's disaster recovery plan was to use their New Orleans site in the case of a disaster at Long Beach and vice versa.
TRUE
What is an after action review?
A detailed examination of the events that occurred; what worked and what did not work.
Planning is a process that creates and implements strategies oriented towards the accomplishment of organizational objectives
TRUE
Policies must have enforced consequences to be effective.
TRUE
Which of the following is true regarding virtualization?
ALL OF THE ABOVE
- It allows multiple operating systems and applications to share a single physical server
- It makes more efficient use of server resources than traditional physical-server-per-service methods
- It reduces power, HVAC and hardware footprint requirements in a data center
- It is easier to deploy and manage servers and services than traditional approaches
Which of the following would NOT be an element of a security program?
ALL OF THE ABOVE ARE ELEMENTS
- Risk Management
- Life Cycle Planning
- Awareness and Training
- Logical Access Control
Qualitative metrics are subjective in nature
TRUE
What is the difference between a Recovery Time Objective and a Recovery Point Objective
An RTO deals with the amount of time until an operation or service is made available after a disaster while an RPO deals with how current data backups are.
Match the following business continuity plans with their respective purpose or scope
BCP = procedures for the relocation of business functions to an alternate site
IRP = focus is on immediate responses to incidents affecting systems and/or networks
DRP = procedures to recover from a disaster
CMP = addresses human issues and communication with personnel and public
Match the following frameworks with the phrase that best describes each
COBIT = framework for IT governance
COSO = used by many organizations with Sarbanes-Oxley requirements
ISO 17799 = Plan, Do, Check, Act
SABSA = focuses on business processes and slices the organization up into process layers
ISO 27001 = considered best practices for controls and improving information security management systems
Which of the following would NOT be considered an information security related planning framework
COBOL Top Down
Tactical planning typically involves a scope of 1-5 years
TRUE
Oreck took care of its employees all throughout the Katrina devastation. They provided shelter, food and essentials and never missed a payroll. In a contingency planning context what does this fall under?
Crisis Management
Match the following BC storage options
Electronic Vaulting = bulk batch transfer of data to off-site location
Remote Journaling = remote storage of transactions only
Database Shadowing = remote storage of database and transactions in real time
Which of the following would NOT be a goal of Disaster Recovery Planning?
Ensure an alternate site has adequate resources to facilitate operations
Match each security policy type with its best description
Enterprise = links to vision and mission statements
Issue-Specific = an overall policy regarding documented storage
System-Specific = managerial and technical guidance
A Business Continuity Plan focuses on recovering operations at an organization's primary site
FALSE
A Business Impact Analysis (BIA) is a policy document outlining the goals and scope of contingency efforts
FALSE
A Key Risk Indicator (KRI) is a measurement of how well something is doing.
FALSE
After Hurricane Katrina, it took Oreck Corporate over 6 months until they were able to get business functioning
FALSE
Disaster Recovery Plans only focus on natural disasters; man-made disasters involving information systems are covered in the Incident Response Plan
FALSE
Disaster Recovery and Business Continuity are really the same thing. That is why many combine them into a Business Resumption Plan
FALSE
In the second phase of the 6-phase planning approach cycle, risks are identified and ranked.
FALSE
Information Security policies only exist to avoid litigation
FALSE
Metrics are really only useful to the CEO and top managers
FALSE
Most planning approaches have 3 basic levels: Strategic, Tactical and Disaster planning.
FALSE
Oversimplification of a security metric, for the sake of clarity, is advisable.
FALSE
Risk Management and Contingency Planning are the same process
FALSE
Strategic planning is "what are we going to do" and "how are we going to do it"
FALSE
The Oreck example shows that supplier and vendor relationships are not that important in times of disaster
FALSE
Virtualization provides less flexibility in quickly deploying services to remote sites.
FALSE
Which of the following best represents the System Development Life Cycle model order
Initiation
Acquisition
Implementation & Assessment
Operations
Disposal
Place the following SecSDLC phases in proper order
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance
A policy describing the protection of privacy would be which type of policy?
Issue-Specific Security Policy
Why is an alert roster important in incident response?
It allows the organization to alert the right people in the correct order.
Why is a business impact analysis important to contingency planning?
It provides an assessment of the impact of various attacks on operations and ability to recover from such attacks.
The goal of secSDLC is to ensure information security is addressed throughout a project's lifecycle
TRUE
Match the following planning precursors with their definitions
Mission Statement = more explicit in declaring the business of the organization and intended operations
Vision Statement = articulates what the organization wants to look like
Value Statement = statement of qualities and principles matched with benchmarks
In what phase of the 6-phase planning cycle are countermeasures and controls deployed
Phase 4
- Phase 1 - Security Governance
- Phase 2 - Set Security Goals
- Phase 3 - Risk Analysis
- Phase 4 - Risk Reduction
- Phase 5 - Crisis Management
- Phase 6 - Assessment
Which of the following is NOT a phase of the 6-phase planning approach
Physical Site
- Governance
- Setting Goals
- Risk Analysis
- Physical Site
- Risk Reduction
- Assessment
Which of the following would not be a strategic level management area?
Policy compliance
Which of the following best represents the order regarding security policy formation?
Policy, standards, (practices, guidelines, procedures)
Match the DRP phases with their descriptions
Preparation = includes rehearsal necessary to respond to a disaster
Response = includes notifying appropriate key individuals during a disaster
Recovery = ensuring the collection of necessary business information and systems after a disaster
Resumption = critical business functions brought back online
Restoration = normal operations once again secured at the primary site
Which of the following is NOT true regarding the role of security planning?
Should be a bottom-up approach
Good metrics should be:
Specific, Measurable, Attainable, Repeatable, Time-Dependent.
A BIA is the first major phase in the business contingency cycle
TRUE
A Business Continuity Plan ensures that critical business functions can continue in the case of a disaster
TRUE
A Business Impact Analysis assumes all existing controls have been bypassed and a disruption was successful
TRUE
A Key Performance Indicator (KPI) is a measure of how well something is being done.
TRUE
Balanced scorecards are used to show progress of strategy
TRUE
Business Resumption focuses on the remaining unrestored functions of an organization after disaster
TRUE
Contingency Planning's goal is to restore normal modes of operation after unexpected events
TRUE
Crisis management is a series of focused steps that deal with the safety and state of employees and their families during and after a disaster.
TRUE
Full interruption testing of business continuity plans is not frequently (if at all) done by most organizations because it is expensive and disruptive to operations
TRUE
If a disaster is bad enough, a business continuity plan could be executed prior to or concurrent with a Disaster Recovery Plan
TRUE
If countermeasures are adequate to stop an attack, then the attack does not become an incident.
TRUE
In the 6-phase planning approach, governance oversees, reviews and approves policies while management establishes, ensures and assesses them.
TRUE
In the Crisis Management phase of the 6-phase approach, protocols are established to assess and limit damage.
TRUE
Incident response is a reactive measure, not a preventive measure
TRUE
Incident response planning uses the BIA to focus in on what countermeasures, if any, exist and if they are adequate to mitigate an end-case scenario threat.
TRUE
Metrics enable an understanding of security controls and allow an organization to focus limited resources on that which needs fixing most.
TRUE
Why did Oreck's disaster recovery plan fail?
The disaster recovery site was too close and was also rendered unusable
If a countermeasure did not stop an attack and the security incident response team cannot contain the attack, what generally is the next step if the impact of the attack greatly affects the organization?
The incident is quickly escalated to the disaster recovery team in an effort to restore normal functions.