ISA 10
15. What is a business continuity plan, and why is it important?
Answer: A business continuity plan ensures that critical business functions can continue if disaster occurs; thus, it is essential to the organization's survival in the event of a disaster.
20. What is evidentiary material?
Answer: Also known as "items of potential evidentiary value," it is any information that could potentially support the organization's legal or policy-based case against a suspect.
8. List and describe the sets of procedures used to detect, contain, and resolve an incident.
Answer: The CP team creates three sets of procedures for incident handling. The first set consists of procedures that must be performed during the incident; these are function-specific and are grouped and assigned to individuals. The second set consists of procedures that must be performed after the incident; these may also be function-specific. The third set consists of procedures that must be performed to prepare for the incident; these include the details of data backup schedules, disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans.
1. What is the name for the broad process of planning for the unexpected? What are its primary components?
Answer: The broad process of planning for the unexpected is called contingency planning. Its major components are business impact analysis, incident response planning, disaster recovery planning, and business continuity planning.
19. What is digital forensics, and when is it used in a business setting?
Answer: Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root-cause analysis. Digital forensics is used in a business setting to investigate policy or legal violations by an employee, contractor, or outsider, and to investigate attacks on a physical or information asset.
5. List and describe the teams that perform the planning and execution of the CP plans and processes. What is the primary role of each?
Answer:
• The contingency planning management team collects information about information systems and the threats they face. The team then conducts the BIA and creates the contingency plans for incident response, disaster recovery, and business continuity.
• The incident response team manages and executes the IR plan by detecting, evaluating, and responding to incidents.
• The disaster recovery team manages and executes the DR plan by detecting, evaluating, and responding to disasters and by reestablishing operations at the primary business site.
• The business continuity team manages and executes the BC plan by setting up and starting off-site operations in the event of an incident or disaster.
7. List and describe the criteria used to determine whether an actual incident is occurring.
Answer: An actual incident is occurring if information assets are the targets of attack, if there is a good chance that the attack will succeed, and if the attack threatens the confidentiality, integrity, or availability of information resources.
11. What is an alert roster? What is an alert message? Describe the two ways they can be used.
Answer: An alert roster is a list of individuals within the company who must be notified in the event of an incident. An alert message is a scripted notification that provides just enough information for responders to know the status of the incident and what portion of the incident response plan they need to implement. An alert roster and message can be used in a sequential manner, where one person contacts all members of the alert roster, or they can be used in a hierarchical manner, where the first responder calls designated individuals and those people call another group in turn.
6. Define the term incident as used in the context of IRP. How is it related to the concept of incident response?
Answer: An incident, either natural or man-made, is an attack on information or an accident. An incident triggers the incident response plan.
17. Why should continuity plans be tested and rehearsed?
Answer: An untested plan is not a usable plan. Without testing and rehearsal, the quality of the plan and its ability to accomplish its objective of shortening recovery time is unknown. One key objective of this type of planning is to remove as many unknown factors as possible. Testing can also reveal hidden flaws in the plan, which can then be repaired before the plan is needed.
12. List and describe several containment strategies given in the text. On which tasks do they focus?
Answer: Containment strategies include:
• Disconnecting affected sources of communication in order to cut off an attack from outside the company network; this strategy can only be used if the designated communications channel is not business-critical.
• Dynamically applying filtering rules to limit certain types of network access, which targets the specific vulnerability being exploited by the threat agent.
• Monitoring the incident while developing a more specific strategy.
All these containment strategies focus on stopping the incident and recovering control of the systems.
9. What is incident classification?
Answer: Incident classification is the process of examining an adverse event that has the potential to escalate into an incident and determining whether it constitutes an actual incident. Classifying an incident is the responsibility of the IR team.
13. What criteria should be used when considering whether to involve law enforcement agencies during an incident?
Answer: Law enforcement should be involved in all situations in which a criminal act has been detected. For acts deemed not to be criminal, the decision to involve law enforcement should be based on the organization's need to prosecute a computer crime. Law enforcement can handle any necessary warrants and subpoenas, and it is better equipped for processing evidence and, in some cases, conducting computer forensics. However, involving law enforcement may lead to loss of control of the investigation, failure to be kept informed as the investigation proceeds, and possible seizure of information assets that are vital to the organization's business operations.
2. Which two communities of interest are usually associated with contingency planning? Which community must give authority to ensure broad support for the plans?
Answer: Most often, the information technology and information security communities are involved in contingency planning. The general business community must give authority to ensure broad support for the plans.
18. Which types of organizations might use a unified continuity plan? Which types of organizations might use the various contingency planning components as separate plans? Why?
Answer: Small to medium-sized organizations might use unified contingency plans because they are concise and easier to test. Large organizations cannot use a unified plan because it would be an overwhelming document to write or test.
3. According to some reports, what percentage of businesses that do not have a disaster plan go out of business after a major loss?
Answer: Some reports indicate that 40 percent of businesses without a disaster plan fail after a major loss.
16. What is a business impact analysis, and what is it used for?
Answer: The business impact analysis provides the CP team with information about systems and the threats they face. It is used for providing crucial scenarios so the team can prepare for disasters.
14. What is a disaster recovery plan, and why is it important to the organization?
Answer: The disaster recovery plan covers preparation for a disaster and recovery from it. Disasters may be man-made or natural. The plan is critical to the organization because it allows incidents identified by the incident response team to be escalated to the level of disaster. At this point, the disaster recovery team must use this plan to determine how to reestablish business operations at the location where the disaster occurred and the business is located.
4. List the seven-step CP process recommended by NIST.
Answer: The seven steps recommended by NIST are:
1. Develop the contingency planning policy statement.
2. Conduct the business impact analysis.
3. Identify preventive controls.
4. Develop recovery strategies.
5. Develop an IT contingency plan.
6. Plan testing, training, and exercises.
7. Plan maintenance.
10. List and describe the actions that should be taken during the reaction to an incident.
Answer: The steps involved in the reaction to an incident are incident detection using incident classification, notification of key personnel, documentation of the incident, implementation of required containment strategies, and then either escalation of the incident to a disaster or beginning the incident recovery process.