Module 5 Incident response and contingency planning
warm site
A BC facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications
cold site
A BC facility that provides only rudimentary services, with no computer hardware or peripherals
service bureau
A BC strategy in which an organization contracts with a service agency to provide a facility for a fee
mutual agreement
A BC strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster
rolling mobile site
A BC strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer
timeshare
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization, which allows the organization to have a BC option while reducing its overall costs.
talk-through
A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
hot site
A fully configured BC facility that includes all computing services, communications links, and physical plant operations
business process
A task performed by an organization or one of its units in support of the organization's overall mission and operations
computer security incident response team (CSIRT)
An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident; may include members of the IRPT
incident
An adverse event that could result in a loss of information assets but does not threaten the viability of the entire organization
business impact analysis (BIA)
An investigation and assessment of adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process; it includes a determination of how critical a system or set of information is to the organization's core processes and its recovery priorities.
business continuity (BC)
An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site; typically includes temporarily establishing critical operations at an alternate site until operations can be resumed at the primary site or a new permanent site.
crisis management (CM)
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster
disaster recovery (DR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster
incident response (IR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident
evidentiary material (EM)
Any information that could potentially support an organization's legal or policy-based case against a suspect; also known as items of potential evidentiary value.
IR procedures
Detailed, step-by-step methods of preparing for, detecting, reacting to, and recovering from an incident
slow-onset disasters
Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects
rapid-onset disasters
Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production
digital forensics
Investigations that involve the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis, following clear, well-defined methodologies
search warrant
Permission to search for evidentiary material at a specified location or to seize items to return to an investigator's lab for examination
chain of custody
See chain of evidence
affidavit
Sworn testimony that certain facts are in the possession of an investigating officer and that they warrant the examination of specific items located at a specific place; the affidavit specifies the facts, the items, and the place.
structured walk-through
The CP testing strategy in which all involved individuals walk through a site and discuss the steps they would take during an actual CP event; can also be conducted as a conference room talk-through
simulation
The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
business continuity planning (BCP)
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
business resumption planning (BRP)
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
crisis management planning (CMP)
The actions taken by senior management to develop and implement the CM policy, plan, and response teams
disaster recovery planning (DRP)
The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams
incident response planning (IRP)
The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.
contingency planning
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster; CP typically includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis
work recovery time (WRT)
The amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO
forensics
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or similar setting.
full-interruption testing
The CP testing strategy in which all team members follow each IR/DR/BC procedure, including those for interruption of service, restoration of data from backups, and notification of appropriate individuals
chain of evidence
The detailed documentation of the collection, storage, transfer, and ownership of evidentiary material from the crime scene through its presentation in court and its eventual disposition
root cause analysis
The determination of the source or origin of an event, problem, or issue like an incident.
BC plan
The documented product of business continuity planning; a plan that shows the organization's efforts to continue critical functions when operations at the primary site are not feasible
crisis management plan (CM plan)
The documented product of crisis management planning; a plan that shows the organization's intended efforts to protect its personnel and respond to safety threats
disaster recovery plan (DR plan)
The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster
incident response plan (IR plan)
The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident.
contingency planning management team (CPMT)
The group of senior managers and project members organized to conduct and lead all CP efforts
crisis management planning team (CMPT)
The individuals from various functional areas of the organization assigned to develop and implement the CM plan
recovery time objective (RTO)
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime
apprehend and prosecute
The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing reoccurrence; also known as pursue and punish
protect and forget
The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution; also known as patch and proceed
recovery point objective (RPO)
The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data
BC policy
The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.
crisis management policy (CM policy)
The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.
IR policy
The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams
disaster classification
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster
business continuity planning team (BCPT)
The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location
disaster recovery planning team (DRPT)
The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disasters, including reestablishment of business operations at the primary site after the disaster
incident response planning team (IRPT)
The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents
maximum tolerable downtime (MTD)
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations
3-2-1 backup rule
a backup strategy that recommends the creation of at least three copies of critical data (the original and two copies) on at least two different media, with at least one copy stored off-site
electronic vaulting
a backup strategy that transfers data in bulk batches to an off-site facility.
database shadowing
a backup strategy that transfers duplicate online transaction data and duplicate databases to a remote site on a redundant server, combining electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations
remote journaling
a backup strategy that transfers only transaction data in near real time to an off-site facility.
digital malfeasance
a crime involving digital media, computer technology, or related components
alert message
a description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process
after-action review
a detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery
alert roster
a document that contains contact information for personnel to be notified in the event of an incident or disaster
adverse event
an event with negative consequences that could threaten the organization's information assets or operations; also referred to as an incident candidate
incident candidate
any event that may cause damage to the business; also called an adverse event
desk check
the CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components
DR policy
the policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.