1. SECURITY AND RISK MANAGEMENT
• The Security and Risk Management domain deals with many of the foundational elements of security solutions and
focuses on risk analysis and mitigation.
• These include elements essential to the design, implementation, and administration of security mechanisms.
• This chapter introduces the CIA triad of confidentiality, integrity, and availability, which is touched upon in virtually
every section of this course.
• In addition to CIA, the principles of least privilege and need to know are presented.
• Lastly, concepts related to information security governance such as privacy, due care, due diligence, certification, and
accreditation are also a focus of this chapter.
• Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to
mitigate those risks.
• How much security is enough?...Just enough.
2. Confidentiality, Integrity, and Availability
• Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a
security infrastructure.
• Commonly referenced by the term CIA Triad.
• The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain
intelligence agency), but that is not important; what is critical is understanding each concept.
• These three principles are considered the most important within the realm of security.
• How important each specific principle is to a specific organization depends on the organization's
security goals and requirements and on the extent to which the organization's security might be threatened.
• An object is the passive element in a security relationship, such as files, computers, network connections,
and applications.
• A subject is the active element in a security relationship, such as users, programs, and computers.
3. Confidentiality
• Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects,
or resources. In other words, it protects against unauthorized disclosure of information.
• The goal of confidentiality protection is to prevent or minimize unauthorized access to data.
• Confidentiality protection provides a means for authorized users to access and interact with resources, but
it actively prevents unauthorized users from doing so.
• For confidentiality to be maintained on a network, data must be protected from unauthorized access, use,
or disclosure while in storage, in process, and in transit.
• Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning,
shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.
• Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication
procedures, data classification, and extensive personnel training
4. Integrity
• Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to
prevent unauthorized write access to data.
• It ensures that data remains correct, unaltered, and preserved.
• Properly implemented integrity protection provides a means for authorized changes while protecting
against intentional and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes
made by authorized users (such as accidents or oversights).
• Two forms: data integrity and system integrity. Data integrity seeks to protect information from unauthorized
modification, while system integrity seeks to protect a system (its software and configuration) from unauthorized
modification.
• Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious
modification, intentional replacement, and system back doors.
• Countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems,
object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive
personnel training.
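As an added example (not from the original notes) of the "hash total verification" countermeasure listed above, the script below keeps a keyed manifest over a set of stored records and reports which ones were altered, removed, or added. A plain hash is not enough on its own: an attacker who can rewrite the records can usually rewrite a stored hash too, so the manifest is an HMAC under a key that the record writer cannot reach. The records, the key, and the tampering scenario are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed sample: records an application stores, plus a keyed manifest
# computed when they were last written by an authorized process.
# Assumption: KEY lives in a secrets store that the process writing RECORDS
# cannot read, so an attacker who edits a record cannot recompute its entry.
RECORDS = {
    "payroll/2024-01.csv": b"emp_id,amount\n1001,5200\n1002,4800\n",
    "payroll/2024-02.csv": b"emp_id,amount\n1001,5200\n1002,4800\n",
    "config/app.ini":      b"[db]\nhost=db.internal\n",
}
KEY = b"constructed-demo-key-not-for-production"


def digest(key: bytes, name: str, data: bytes) -> str:
    """Keyed hash over name and content. Binding the name stops an attacker
    from swapping two records whose contents happen to be identical."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode())
    mac.update(b"\x00")          # separator so name/data boundaries are unambiguous
    mac.update(data)
    return mac.hexdigest()


def build_manifest(key: bytes, records: dict) -> dict:
    """Manifest as written by the authorized process: name -> HMAC hex digest."""
    return {name: digest(key, name, data) for name, data in records.items()}


def verify_manifest(key: bytes, manifest: dict, records: dict) -> dict:
    """Classify every record as intact, altered, missing, or unexpected."""
    report = {"intact": [], "altered": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in records:
            report["missing"].append(name)
            continue
        actual = digest(key, name, records[name])
        # compare_digest keeps the comparison itself constant-time
        if hmac.compare_digest(actual, expected):
            report["intact"].append(name)
        else:
            report["altered"].append(name)
    for name in records:
        if name not in manifest:
            report["unexpected"].append(name)
    return report


if __name__ == "__main__":
    manifest = build_manifest(KEY, RECORDS)
    # Simulated tampering: a salary is raised, a config file is deleted,
    # and an unexpected file appears.
    tampered = dict(RECORDS)
    tampered["payroll/2024-02.csv"] = b"emp_id,amount\n1001,9200\n1002,4800\n"
    del tampered["config/app.ini"]
    tampered["config/backdoor.ini"] = b"[auth]\nbypass=1\n"
    print(json.dumps(verify_manifest(KEY, manifest, tampered), indent=2))
```

Note that this detects modification after the fact; it does not prevent it. It belongs alongside the access-control and authentication countermeasures above, not in place of them.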
5. Availability
• Availability ensures that information is available when needed.
• Authorized subjects are granted timely and uninterrupted access to objects.
• Availability also implies that the supporting infrastructure—including network services, communications,
and access control mechanisms—is functional and allows authorized users to gain authorized access.
• Attacks - DoS attacks, object destruction, and communication interruptions.
• Countermeasures - designing intermediary delivery systems properly, using access controls effectively,
monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks,
implementing redundancy for critical systems, and maintaining and testing backup systems.
Disclosure, alteration, and destruction (the opposites of confidentiality, integrity, and availability)
• Disclosure is the unauthorized release of information.
• Alteration is the unauthorized modification of data.
• Destruction is making systems or data unavailable.
6. CIA Priority
• Every organization has unique security requirements, and knowing which tenet or asset is more important
than another guides the creation of a security stance and ultimately the deployment of a security solution.
• Example - in many cases military and government organizations tend to prioritize confidentiality above
integrity and availability, whereas private companies tend to prioritize availability above confidentiality and
integrity.
• Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the
second or third prioritized items are ignored or improperly addressed.
Other Security Concepts
• Identification: Claiming to be an identity when attempting to access a secured area or system
• Authentication: Proving that you are that identity, e.g. with a password.
• Authorization: describes the actions you can perform on a system once you have been identified and
authenticated. Actions may include reading, writing, or executing files or programs.
• Auditing: Recording a log of the events and activities related to the system and subjects
• Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically
done by logging and analysing audit data.
• Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It
combines authentication and integrity.
7. Protection Mechanisms
• Protection mechanisms are common characteristics of security controls.
• Layering: also known as defence in depth, is simply the use of multiple controls in a series.
• Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a
logical storage compartment that is not accessible or seen by the subject.
• Security through obscurity: relying on the hope that something important will not be discovered because
knowledge of it is kept secret; on its own it offers no real security and should not be relied upon.
• Encryption: art and science of hiding the meaning or intent of communication from unintended recipients.
• Least Privilege and Need to Know: Least privilege means users should be granted the minimum amount of
access (authorization) required to do their jobs.
• Need to know is more granular than least privilege; the user must need to know that specific piece of
information before accessing it.
8. Organizational Processes
Change Control/Management
• The goal of change management is to ensure that any change does not lead to reduced or compromised
security. Change management is also responsible for making it possible to roll back any change to a
previous secured state.
• Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that
can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically
manage change.
Data Classification
• Data classification, or categorization, is the primary means by which data is protected based on its need for
secrecy, sensitivity, or confidentiality.
• Declassification is required once an asset no longer warrants or needs the protection of its currently
assigned classification or sensitivity level.
• Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified
• Commercial Business: Confidential, Private, Sensitive, Public
9. Organizational Roles and Responsibilities
• Senior Manager: The organizational owner (senior manager) role is assigned to the person who is
ultimately responsible for the security maintained by an organization and who should be most concerned
about the protection of its assets.
• Security Professional: The security professional, information security (InfoSec) officer, or computer incident
response team (CIRT) role is assigned to a trained and experienced network, systems, and security
engineer who is responsible for following the directives mandated by senior management.
• Data Owner: The data owner role is assigned to the person who is responsible for classifying information
for placement and protection within the security solution.
• Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of
implementing the prescribed protection defined by the security policy and senior management.
• Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly
implemented and the derived security solutions are adequate.
• User: The user (end user or operator) role is assigned to any person who has access to the secured
system.
10. Security Governance Principles
• Security governance is the set of responsibilities and practices exercised by executive management with
the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are
managed appropriately, and verifying that the enterprise’s resources are used responsibly.
• Security governance bridges your business priorities with technical implementation like architecture,
standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security
posture over time. These teams also report compliance as required by regulating bodies.
• Some aspects of governance are imposed on organizations due to legislative and regulatory compliance
needs, whereas others are imposed by industry guidelines or license requirements.
• All forms of governance, including security governance, must be assessed and verified from time to time.
• Security governance directly oversees and gets involved in all levels of security and is commonly managed
by a governance committee or at least a board of directors (Top Down approach).
• Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects
every aspect of an organization. It is no longer just something the IT staff can handle on their own.
• Frameworks: NIST SP 800-53 or SP 800-100.
11. Security Governance Principles
• The information security (InfoSec) team should be led by a designated chief information security officer
(CISO) who must report directly to senior management. In some organisations the title chief security officer
(CSO) or information security officer (ISO) is used instead of CISO.
• Note: The best security plan is useless without one key factor: approval by senior management. Without
senior management’s approval of and commitment to the security policy, the policy will not succeed.
• Developing and implementing a security policy is evidence of due care and due diligence on the part of
senior management.
• If a company does not practice due care and due diligence, managers can be held liable for negligence and
held accountable for both asset and financial losses.
• Strategic Plan vs Tactical Plan vs Operational Plan:
• A strategic plan is a long-term plan and defines the organization's security purpose.
• A tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the
strategic plan.
• An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans.
• Security is a continuous process. Thus, the activity of security management planning may have a definitive
initiation point, but its tasks and work are never fully accomplished or complete.
12. Policy, Procedures, Standards and Baselines
• A security policy is a document that defines the scope of security needed by the organization and
discusses the assets that require protection and the extent to which security solutions should go to provide
the necessary protection.
• Policies are high-level management directives and are mandatory.
• It is a strategic plan for implementing security.
• The security policy is used to assign responsibilities, define roles, specify audit requirements, outline
enforcement processes, indicate compliance requirements, and define acceptable risk levels, and it is used as
proof that senior management has exercised due care in protecting the organization against intrusion, attack, and
disaster.
• Examples: organizational security policy, issue-specific security policy, system-specific security policy,
regulatory, advisory, and informative policy.
• A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like
policies, procedures are mandatory.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall
direction defined by security policies. Mandatory
• Baseline defines a minimum level of security that every system throughout the organization must meet.
Mandatory.
• Guideline offers recommendations on how standards and baselines are implemented and serves as an
operational guide for both security professionals and users.
13. Compliance Requirement
• Complying with laws and regulations is a priority for top information security management.
• The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity
professionals. Things become even more complicated for multinational companies, which must navigate the
variations between international law as well.
Categories of Laws
• Criminal Law: Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties
for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties
in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
• Civil Law: designed to provide for an orderly society and govern matters that are not crimes but that require an
impartial arbiter to settle between individuals and organizations. Examples of the types of matters that may be judged
under civil law include contract disputes, real estate transactions, employment matters, and estate/probate
procedures.
• Administrative Law: Administrative law or regulatory law is law enacted by government agencies. The executive
branch of government charges numerous agencies with wide-ranging responsibilities to ensure that government
functions effectively.
Due Care and Due Diligence
• Due care is doing what a reasonable person would do in a given situation. Due diligence is the management of due
care.
• Gross negligence is the opposite of due care.
14. Laws
• Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act (CFAA) was the first major piece of
cybercrime-specific legislation in the United States.
• National Information Infrastructure Protection Act of 1996
• Federal Information Security Management Act (FISMA)
• Federal Cybersecurity Laws of 2014
• Copyright and the Digital Millennium Copyright Act
• U.S. Privacy Law
• Health Insurance Portability and Accountability Act of 1996
• Health Information Technology for Economic and Clinical Health Act of 2009
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. This
standard is required for use in federal computing systems and is also commonly used as an industry
cybersecurity benchmark.
• NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and
Organizations. Compliance with this standard’s security controls (which are quite similar to those found in
NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors
must often comply with NIST SP 800-171.
• The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary risk-
based framework for securing information and systems.
15. Compliance
• Organizations find themselves subject to a wide variety of laws and regulations imposed by regulatory
agencies or contractual obligations and may be subject to compliance audits, either by their standard
internal and external auditors or by regulators or their agents.
• For example, an organization’s financial auditors may conduct an IT controls audit designed to ensure that
the information security controls for an organization’s financial systems are sufficient to ensure compliance
with the Sarbanes-Oxley Act (SOX). Some requirements, such as PCI DSS, may oblige the organization to
retain approved independent auditors to verify controls and report the results to the party imposing the requirement.
• The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance
requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit
card information and is enforced through the terms of a merchant agreement between a business that
accepts credit cards and the bank that processes the business’s transactions.
• In addition to formal audits, organizations often must report regulatory compliance to a number of internal
and external stakeholders. For example, an organization’s Board of Directors (or, more commonly, that
board’s Audit Committee) may require periodic reporting on compliance obligations and status. Similarly,
PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete
and submit a self-assessment report outlining their compliance status.
16. Understand and Apply Threat Modeling Concepts and Methodologies
• Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
• Threat modeling can be performed as a proactive measure during design and development or as a reactive
measure once a product has been deployed.
• A proactive approach to threat modeling takes place during the early stages of systems development,
specifically during initial design and specifications establishment. This type of threat modeling is also
known as a defensive approach.
• This method is based on predicting threats and designing in specific defences during the coding and
crafting process, rather than relying on post-deployment updates and patches.
• A reactive approach to threat modeling takes place after a product has been created and deployed. This
deployment could be in a test or laboratory environment or to the general marketplace. This type of threat
modeling is also known as the adversarial approach.
• This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source
code review, and fuzz testing.
• Microsoft developed a threat categorization scheme known as the STRIDE threat model.
17. STRIDE
• Spoofing: An attack with the goal of gaining access to a target system through the use of a falsified identity.
• Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in
storage.
• Repudiation: The ability of a user or attacker to deny having performed an action or activity.
• Information disclosure: The revelation or distribution of private, confidential, or controlled information to
external or unauthorized entities.
• Denial of service (DoS): An attack that attempts to prevent authorized use of a resource.
• Elevation of privilege: An attack where a limited user account is transformed into an account with greater
privileges, powers, and access.
• Other methodologies: Process for Attack Simulation and Threat Analysis (PASTA); Visual, Agile, and Simple
Threat (VAST).
• Generally, the purpose of STRIDE and other threat modeling methodologies is to consider the range of
compromise concerns and to focus on the goal or end results of an attack.
18. Understand and Apply Risk Management Concepts
• The possibility that something could happen to damage, destroy, or disclose data or other resources is
known as risk.
• Risk management is a detailed process of identifying factors that could damage or disclose data,
evaluating those factors in light of data value and countermeasure cost, and implementing cost effective
solutions for mitigating or reducing risk.
• Risk management concepts are essential to the establishment of a sufficient security stance, proper
security governance, and legal proof of due care and due diligence.
• The overall process of risk management is used to develop and implement information security strategies.
The goal of these strategies is to reduce risk and to support the mission of the organization.
• It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is
possible, often with little effort.
• The primary goal of risk management is to reduce risk to an acceptable level by finding cost-effective
solutions appropriate to the value of the organization's assets, the size of its budget, and many other factors.
• The process by which the goals of risk management are achieved is known as risk analysis.
• It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring
and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for
each risk, and creating a cost/benefit report for safeguards to present to upper management.
19. Risk Terminology
• Asset: Anything of value to the company
• Asset Valuation: dollar value assigned to an asset
• Vulnerability: A weakness; the absence of a safeguard
• Threat: Something that could pose loss to all or part of an asset
• Threat Agent: What carries out the attack
• Exposure: Being susceptible to asset loss because of a threat
• Exploit: An instance of compromise
• Risk: The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
• Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a
vulnerability or protects against one or more specific threats.
• Attack: The exploitation of a vulnerability by a threat agent.
• Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
When a breach is combined with an attack, a penetration (intrusion) can result.
• Controls: Physical, administrative, and technical protections; also referred to as safeguards or
countermeasures.
20. Risk Management
Risk Assessment
  Identify and valuate assets
  Identify threats and vulnerabilities
Risk Analysis
  Qualitative: assigns subjective and intangible values to the loss of an asset
  Quantitative: assigns real dollar figures to the loss of an asset
Risk Mitigation/Response
  Reduce/Avoid
  Transfer
  Accept/Reject
Ongoing Risk Monitoring
• Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate
and support risk analysis and assessment by defining the scope and purpose of the endeavour.
• The actual processes of performing risk analysis are often delegated to security professionals or an
evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and
approved by upper management as an element in providing prudent due care.
21. Identification and Valuation of Assets is the first step in risk assessment.
• What are we protecting and what is it worth?
• Is it valuable to me? To my competitors?
• What damage will be caused if it is compromised?
• How much time was spent in development?
• Are there compliance/legal issues?
RISK ANALYSIS
Determining a value for a risk
Qualitative vs. Quantitative
Qualitative Analysis (subjective, judgment-based)
Probability and Impact Matrix:
Uses words like “high” “medium” “low” to describe likelihood and severity (or probability and impact) of a
threat exposing a vulnerability.
Risk Value is Probability * Impact
Probability: How likely is the threat to materialize?
Impact: How much damage will there be if it does?
Could also be referred to as likelihood and severity.
The Delphi technique is often used to solicit expert opinions free of group pressure: an anonymous
feedback-and-response process repeated until the group converges.
Quantitative Analysis (objective, numbers driven)
22. Risk Management
Quantitative Risk Analysis
• The quantitative method results in concrete probability percentages. That means the end result is a report
that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.
• The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you
estimate the potential and frequency of each risk. This information is then used to calculate various cost
functions that are used to evaluate safeguards.
• AV (Asset Value)
• EF (Exposure Factor): percentage of loss that an organization would experience if a specific asset were
violated by a realized risk.
• ARO (Annual Rate of Occurrence): expected frequency with which a specific threat or risk will occur (that
is, become realized) within a single year.
• SLE (Single Loss Expectancy) = AV * EF: cost associated with a single realized risk against a specific asset.
• ALE (Annual Loss Expectancy) = SLE * ARO: possible yearly cost of all instances of a specific realized threat
against a specific asset.
• Cost of control should be the same or less than the potential for loss
• Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is
.5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user
account) is 15, then the ALE would be $1,350,000.
23. • In addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the
safeguard is implemented.
• In this model the EF of an asset is assumed to remain the same even with a safeguard applied; the safeguard
changes the ARO. In fact, the whole point of a safeguard is to reduce the ARO. (In practice some safeguards,
such as backups, reduce the EF instead, and the same calculation applies.)
• With the new ARO, a new ALE with the application of a safeguard is computed.
• If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then
you should accept the risk.
• With the pre-safeguard ALE and the post-safeguard ALE calculated, there is yet one more value needed to
perform a cost/benefit analysis. This additional value is the annual cost of the safeguard.
• Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that
safeguard if applied to an infrastructure. As mentioned earlier, the annual costs of safeguards should not
exceed the expected annual cost of asset loss.
• ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of
the safeguard to the company
• If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then
that value is the annual savings your organization can expect from deploying the safeguard. It is an
expectation, not a guarantee, because the ARO is a rate of occurrence rather than a certainty that the event occurs.
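The cost/benefit calculation above, carried through in code as an added example (not part of the original notes). It reuses the page's figures (SLE $90,000, ARO 15 for a compromised account, ALE $1,350,000) and ranks several candidate safeguards by ALE(before) - ALE(after) - ACS, applying the page's two rejection rules: a control that costs more than the asset is worth, and a control whose annual cost exceeds what it saves. It goes slightly beyond the page by also allowing a safeguard to lower the exposure factor instead of the ARO. The asset value, exposure factor, and candidate safeguards are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                 # ACS: yearly amortized purchase + operation + upkeep
    aro_after: float                   # expected ARO once the safeguard is in place
    ef_after: Optional[float] = None   # set only for safeguards that also shrink loss per event


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF, the cost of one realized event."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE * ARO, the expected yearly cost of the threat."""
    return sle(av, ef) * aro


def safeguard_value(av: float, ef: float, aro_before: float, sg: Safeguard) -> float:
    """Value = ALE(before) - ALE(after) - ACS. Positive means expected annual savings."""
    ef_after = ef if sg.ef_after is None else sg.ef_after
    return ale(av, ef, aro_before) - ale(av, ef_after, sg.aro_after) - sg.annual_cost


def recommend(av: float, ef: float, aro_before: float,
              candidates: List[Safeguard]) -> List[Tuple[str, float, str]]:
    """Rank candidates: deployable ones first, then by net annual value."""
    rows = []
    for sg in candidates:
        value = safeguard_value(av, ef, aro_before, sg)
        if sg.annual_cost > av:
            # The notes' rule of thumb: a control costing more than the asset is not justified.
            decision = "reject: costs more than the asset; accept the risk instead"
        elif value < 0:
            decision = "reject: costs more than it saves"
        else:
            decision = "deploy"
        rows.append((sg.name, round(value, 2), decision))
    rows.sort(key=lambda r: (r[2] == "deploy", r[1]), reverse=True)
    return rows


# Constructed scenario matching the page's numbers: an asset worth $360,000 with an
# exposure factor of 25% gives SLE = $90,000; a compromised-account threat with
# ARO = 15 gives ALE = $1,350,000 before any safeguard.
AV, EF, ARO_BEFORE = 360_000.0, 0.25, 15.0
CANDIDATES = [
    Safeguard("Enforce MFA on all remote access", annual_cost=40_000, aro_after=1.0),
    Safeguard("Annual security awareness training", annual_cost=15_000, aro_after=12.0),
    Safeguard("Hardware tokens for every contractor", annual_cost=120_000, aro_after=14.0),
    Safeguard("Enterprise DLP suite", annual_cost=400_000, aro_after=0.5),
]

if __name__ == "__main__":
    print(f"ALE before safeguards: ${ale(AV, EF, ARO_BEFORE):,.0f}")
    for name, value, decision in recommend(AV, EF, ARO_BEFORE, CANDIDATES):
        print(f"{name:40} {value:>14,.0f}  {decision}")
```

The DLP row is instructive: its net value is large and positive, yet it is rejected because its annual cost exceeds the asset's value. When the ARO is well above 1 the ALE can exceed the asset value, so the two rules can disagree; the notes' guidance is to treat the asset-value rule as the ceiling.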
24. Risk Mitigation/Responses
• Reduce or mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or
block threats.
• Assign or transfer: placement of the cost of loss a risk represents onto another entity or organization.
Example: insurance and outsourcing.
• Accept: management has agreed to accept the consequences and the loss if the risk is realized.
• Deter: implementing deterrents to would-be violators of security and policy. Examples: implementation of
auditing, security cameras, security guards etc.
• Avoid: selecting alternate options or activities that have less associated risk than the default, common,
expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of
risk avoidance.
• Reject or ignore: an unacceptable possible response to risk is to reject risk or ignore risk. Denying that a
risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
• Once countermeasures are implemented, the risk that remains is known as residual risk. It is the risk that
management has chosen to accept rather than mitigate.
threats * vulnerabilities * asset value = total risk
total risk – controls gap = residual risk
25. Countermeasure Selection and Implementation
• The cost of the countermeasure should be less than the value of the asset.
• The cost of the countermeasure should be less than the benefit of the countermeasure.
• The countermeasure should provide a solution to a real and identified problem. (Don’t install
countermeasures just because they are available, are advertised, or sound cool.)
• The countermeasure should provide consistent and uniform protection across all users, systems, protocols,
and so on.
• The countermeasure should have few or no dependencies to reduce cascade failures.
• The countermeasure should require minimal human intervention after initial deployment and configuration.
• The countermeasure should provide fail-safe and/or fail-secure options.
Keep in mind that security should be designed to support and enable business tasks and functions. Thus,
countermeasures and safeguards need to be evaluated in the context of a business task.
26. Business Continuity
Business continuity planning (BCP)
• Focuses on sustaining operations and protecting the viability of the business following a disaster, until
normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans
including the DRP. Long Term focused.
Disaster Recovery Planning
• Goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources,
personnel and business processes are able to resume operations in a timely manner. Deals with the
immediate aftermath of the disaster and is often IT focused. Short Term focused.
The perspective difference is that business continuity activities are typically strategically focused at a high level
and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical
in nature and describe technical activities such as recovery sites, backups, and fault tolerance.
The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to
enhance a company’s ability to recover from a disruptive event promptly.
The BCP process has four main steps.
• Project scope and planning
• Business impact assessment
• Continuity planning
• Approval and implementation
The top priority of BCP and DRP is always people.
28. Business Continuity Process
Project Scope and Planning
• Structured analysis of the business’s organization from a crisis planning point of view - to identify all
departments and individuals who have a stake in the BCP process.
• The creation of a BCP team with the approval of senior management - strike a balance between
representing different points of view and creating a team with explosive personality differences. Your goal
should be to create a group that is as diverse as possible and still operates in harmony.
• An assessment of the resources available to participate in business continuity activities
• An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic
event
29. Business Impact Assessment
• Identifies and prioritizes all business processes based on criticality
• Addresses the impact on the organization in the event of loss of a specific service or process
Quantitative: loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.
Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.
• Establishes key metrics for use in determining appropriate countermeasures and recovery strategy (RPO,
RTO, etc.).
• IMPORTANCE (relevance) vs. CRITICALITY (downtime)
• The Auditing Department is certainly important, though not usually critical. THE BIA FOCUSES ON
CRITICALITY
30. Key Metrics to Establish
• Service Level Objectives: reliability targets for technology products and services.
• RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an
organization can withstand.
• MTD (Maximum Tolerable Downtime): total time a system can be inoperable before an organization is
severely impacted. Composed of:
RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems.
WRT (Work Recovery Time): time required to configure a recovered system.
• MTBF (Mean Time Between Failures): how long a new or repaired system will run before failing.
• MTTR (Mean Time To Repair): how long it will take to recover a specific failed system.
• MOR (Minimum Operating Requirements): minimum environmental and connectivity requirements in order
to operate computer equipment.
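As an added example (not part of the course notes), the following Python script ties the metrics on this slide together: it checks that RTO + WRT fits inside MTD, that the actual backup interval honours the RPO, and orders processes by criticality (shortest MTD first). The process table and its hour values are constructed for illustration.

```python
# Added example: BIA metric consistency check (illustrative values, not from the notes).
from dataclasses import dataclass


@dataclass
class ProcessMetrics:
    name: str
    mtd_hours: float               # Maximum Tolerable Downtime
    rto_hours: float               # Recovery Time Objective
    wrt_hours: float               # Work Recovery Time
    rpo_hours: float               # Recovery Point Objective
    backup_interval_hours: float   # how often data is actually copied offsite


def recovery_time(p: ProcessMetrics) -> float:
    """MTD is composed of RTO plus WRT: time until the process is usable again."""
    return p.rto_hours + p.wrt_hours


def findings(p: ProcessMetrics) -> list[str]:
    """Metric violations that make the chosen recovery strategy inadequate."""
    out = []
    if recovery_time(p) > p.mtd_hours:
        out.append(f"{p.name}: RTO + WRT ({recovery_time(p):g}h) exceeds MTD ({p.mtd_hours:g}h)")
    if p.backup_interval_hours > p.rpo_hours:
        out.append(f"{p.name}: backup interval ({p.backup_interval_hours:g}h) exceeds RPO ({p.rpo_hours:g}h)")
    return out


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability from MTBF and MTTR (fraction of time operational)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def prioritize(processes: list[ProcessMetrics]) -> list[str]:
    """BIA criticality order: shortest MTD first, ties broken by the tighter RPO."""
    return [p.name for p in sorted(processes, key=lambda p: (p.mtd_hours, p.rpo_hours))]


# Constructed sample BIA table (hours). Audit reporting is important but not critical:
# it tolerates a long outage, which is why it sorts last.
SAMPLE = [
    ProcessMetrics("Order processing", 8, 4, 2, 1, 0.25),
    ProcessMetrics("Payroll", 72, 48, 36, 24, 24),
    ProcessMetrics("Internal audit reporting", 336, 120, 48, 24, 48),
]

if __name__ == "__main__":
    for proc in SAMPLE:
        for f in findings(proc):
            print(f)
    print("Recovery priority:", prioritize(SAMPLE))
    print(f"Availability at MTBF 1000h / MTTR 10h: {availability(1000, 10):.4f}")
```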
31. Results of Business Impact Analysis contain
• Identified ALL business processes and assets, not just those considered critical.
• The impact the company can absorb for each risk
• Outage times that would be critical vs. those that would not be critical
• Preventive Controls
• Document and present to management for approval
• Results are used to create the recovery plans
Recovery Strategies:
When preventive controls don’t work, recovery strategies are necessary
Facility Recovery
Hardware and Software Recovery
Personnel recovery
Data Recovery
32. Recovery Strategies
Facility Recovery
• Subscription Services
Hot, warm, cold sites
• Reciprocal Agreements
• Others
Redundant/Mirrored site (partial or full)
Outsourcing
Rolling hot site
Prefabricated building
Offsite facilities should be no less than 15 miles away for low- to medium-criticality environments. Critical
operations should have an offsite facility 50-200 miles away.
• Data Recovery:
Electronic Vaulting: a copy of each modified file is sent to a remote location where an original backup is
stored.
Remote Journaling: moves the journal or transaction log to a remote location, not the actual files.
33. BCP Plan
Three Phases Following a Disruption
• Notification/Activation
Notifying recovery personnel
Performing a damage assessment
• Recovery Phase--Failover
Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using
contingency capabilities—performed by the recovery team
• Reconstitution--Failback
Outlines actions taken to return the system to normal operating conditions—performed by the salvage team
34. Types of Tests
• Checklist Test: Copies of plan distributed to different departments. Functional managers review
• Structured Walk-Through (Table Top) Test: Representatives from each department go over the plan
• Simulation Test: Going through a disaster scenario. Continues up to the actual relocation to an offsite
facility
• Parallel Test: Systems moved to alternate site, and processing takes place there
• Full-Interruption Test: Original site shut down. All processing moved to the offsite facility
• BCP/DRP Frameworks
NIST SP 800-34, ISO/IEC 27031, and BCI.
35. Security Awareness Education
• The successful implementation of a security solution requires changes in user behavior.
• To develop and manage security education, training, and awareness, all relevant items of knowledge
transference must be clearly identified and programs of presentation, exposure, synergy, and
implementation crafted.
• The goal of creating awareness is to bring security to the forefront and make it a recognized entity for
users.
• Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen
savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies,
and memos, as well as the traditional instructor-led training courses.
• The awareness program in an organization should be tied in with its security policy, incident-handling plan,
business continuity, and disaster recovery procedures.
• Training is typically hosted by an organization and is targeted to groups of employees with similar job
functions.
• An assessment of the appropriate levels of awareness, training, and education required within the
organization should be revised on a regular basis using periodic content reviews.