2019 FRSecure CISSP Mentor Program: Class Ten

  1. 2019 CISSP MENTOR PROGRAM – May 15, 2019
     Class 10 – May 15, 2019
     Instructors:
     • Brad Nigh, FRSecure Director of Professional Services & Innovation
     • Evan Francen, FRSecure & SecurityStudio CEO
  2. WELCOME BACK!
     I hope everyone is doing well. Looking for questions, so give me some!
     • Check-in.
     • How many have read Chapters 1-7?
     • Questions?
     I mean, it’s good to be back. ;) 115 slides tonight + what I covered Monday at the 2019 North America ISACA CACS Conference. Pretty laid back class tonight, but still quite a bit of content to get through.
     CISSP® MENTOR PROGRAM – SESSION TEN 1
  3. QUIZ… Questions, questions, questions…
     1. During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed three-tier web application. What is their best course of action?
        A. Attempt to contain and eradicate the malicious activity
        B. Continue the test
        C. Quietly end the test, immediately call the operational IT contact, and escalate the issue
        D. Shut the server down
  5. QUIZ… Questions, questions, questions…
     2. You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?
        A. Secure compiler warnings
        B. Fuzzing
        C. Static testing
        D. White box testing
  7. QUIZ… Questions, questions, questions…
     3. What type of penetration test will result in the most efficient use of time and hourly consultant expenses?
        A. Automated knowledge
        B. Full knowledge
        C. Partial knowledge
        D. Zero knowledge
  9. QUIZ… Questions, questions, questions…
     4. What term describes a holistic approach for determining the effectiveness of access control, and has a broad scope?
        A. Security assessment
        B. Security audit
        C. Penetration test
        D. Vulnerability assessment
  11. QUIZ… Questions, questions, questions…
     5. What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?
        A. Combinatorial software testing
        B. Dynamic testing
        C. Misuse case testing
        D. Static testing
  13. QUIZ… Questions, questions, questions…
     6. What term describes a no-tech or low-tech method that uses the human mind to bypass security controls?
        A. Fuzzing
        B. Social engineering
        C. War dialing
        D. Zero-knowledge test
  15. LET’S DO THIS!
     Where we left off, we had just talked about incident management/response… Page 363 starts the new stuff.
  16. Incident Response Management – Methodology (LECTURE Domain #7: Security Operations)
     2. Detection (aka Identification)
        • What are all of the inputs into my incident response process?
        • Events → Incidents
     3. Response (aka Containment)
        • Step-by-step, depending upon classification & severity
        • Forensic response? Protection of evidence, while containing damage
        • Start root cause analysis
  17. Incident Response Management – Methodology
     4. Mitigation (aka Eradication)
        • Root cause analysis completed (mostly/hopefully)
        • Get rid of the bad things
     5. Reporting
        • Actually not really a step (happens throughout)
        • More formal here; include incident responders (technical and non-technical)
  18. Incident Response Management – Methodology
     6. Recovery
        • Restore systems and operations
        • Increase monitoring
     7. Remediation – broader in context
     8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting) – there are always lessons
  19. Operational Preventive And Detective Controls
     • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
        • True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts
        • True Negative: User surfs the Web to an allowed site, and NIDS is silent
        • False Positive: User surfs the Web to an allowed site, and NIDS alerts
        • False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent
  20. Operational Preventive And Detective Controls
     • NIDS, NIPS, HIDS, and HIPS (detection types)
        • Pattern Matching
        • Protocol Behavior
        • Anomaly Detection
     • Security Information and Event Management (SIEM)
     • Continuous Monitoring
     • Data Loss Prevention (network & host)
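The four outcomes on slide 19 and the pattern-matching and anomaly-detection types on slide 20 become concrete when a toy detector is run over labelled traffic and scored. The Python below is an added example, not material from the FRSecure slides: the signature (a made-up user-agent string), the fan-out threshold, the hosts and the event records are all constructed here, and the `label` field is the analyst's ground truth, which the detector never reads. It shows the two ways a NIDS gets it wrong: a substring signature firing on a harmless tool whose name happens to match (false positive), and malicious traffic that looks ordinary to both rules (false negative).

```python
import re
from collections import Counter, defaultdict

# Constructed pattern-matching signature: a user-agent we pretend is known-bad.
BAD_UA = re.compile(r"EvilBot")

# Constructed anomaly rule: a host talking SMB (445) to more than this many
# distinct peers in the window looks like worm-style spreading.
FANOUT_LIMIT = 3

# Constructed events. "label" is ground truth for scoring only; the detector
# must not read it. Addresses are private/documentation ranges.
EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "port": 445, "ua": "", "label": "malicious"},
    {"src": "10.0.0.5", "dst": "10.0.0.11", "port": 445, "ua": "", "label": "malicious"},
    {"src": "10.0.0.5", "dst": "10.0.0.12", "port": 445, "ua": "", "label": "malicious"},
    {"src": "10.0.0.5", "dst": "10.0.0.13", "port": 445, "ua": "", "label": "malicious"},
    # one ordinary file-share access: should stay silent
    {"src": "10.0.0.7", "dst": "10.0.0.20", "port": 445, "ua": "", "label": "benign"},
    # normal browsing to an allowed site: should stay silent
    {"src": "10.0.0.8", "dst": "93.184.216.34", "port": 443, "ua": "Mozilla/5.0", "label": "benign"},
    # signature hit on actual malware traffic
    {"src": "10.0.0.9", "dst": "203.0.113.9", "port": 80, "ua": "EvilBot/1.0", "label": "malicious"},
    # a researcher's monitoring tool whose name happens to contain the signature
    {"src": "10.0.0.8", "dst": "198.51.100.4", "port": 443, "ua": "EvilBotWatch/2.0", "label": "benign"},
    # malicious traffic wearing a normal-looking browser UA on 443: neither rule sees it
    {"src": "10.0.0.6", "dst": "198.51.100.7", "port": 443, "ua": "Mozilla/5.0", "label": "malicious"},
]


def detect(events):
    """Return one boolean per event: True where the NIDS would raise an alert.
    Pattern matching looks at each event alone; the anomaly rule needs the
    whole window to count distinct SMB peers per source."""
    smb_peers = defaultdict(set)
    for e in events:
        if e["port"] == 445:
            smb_peers[e["src"]].add(e["dst"])
    scanners = {src for src, peers in smb_peers.items() if len(peers) > FANOUT_LIMIT}

    alerts = []
    for e in events:
        by_signature = BAD_UA.search(e["ua"]) is not None
        by_anomaly = e["port"] == 445 and e["src"] in scanners
        alerts.append(by_signature or by_anomaly)
    return alerts


def score(events, alerts):
    """Bucket every (alert, truth) pair into the four outcomes from the slide."""
    outcome = Counter()
    for e, alerted in zip(events, alerts):
        malicious = e["label"] == "malicious"
        if alerted and malicious:
            outcome["true_positive"] += 1
        elif alerted and not malicious:
            outcome["false_positive"] += 1
        elif not alerted and malicious:
            outcome["false_negative"] += 1
        else:
            outcome["true_negative"] += 1
    return dict(outcome)


def rates(outcome):
    """Detection rate (TP / all malicious) and false-positive rate (FP / all benign)."""
    tp, fn = outcome.get("true_positive", 0), outcome.get("false_negative", 0)
    fp, tn = outcome.get("false_positive", 0), outcome.get("true_negative", 0)
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


if __name__ == "__main__":
    result = score(EVENTS, detect(EVENTS))
    print(result)
    print(rates(result))
```

Tuning `FANOUT_LIMIT` down catches the scanner sooner but starts flagging the legitimate file-share user; tightening the signature to a full-token match removes the false positive but not the false negative, which is the trade-off the slide's four cells describe.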
  21. Operational Preventive And Detective Controls
     • NIDS, NIPS, HIDS, and HIPS
  22. Operational Preventive And Detective Controls
     Continuous Monitoring
     • Assessing and reassessing as ongoing processes.
     • A modern improvement to legacy Certifications and Accreditations.
     Data Loss Prevention (DLP)
     • Class of solutions used to detect and/or prevent data from leaving the organization.
     • Host-based, network-based, and application-based DLP solutions.
  24. Operational Preventive And Detective Controls
     Endpoint Security
     • HIDS/HIPS
     • Antivirus
     • Application Whitelisting
     • Removable Media Controls
     • Disk Encryption
     • Privileged Access
     Most effective on the list
  25. Operational Preventive And Detective Controls
     Honeypots
     • System designed to attract attackers. CAREFUL: enticement vs. entrapment.
     • Learn (or research) attack methods.
     • Low-interaction (simulate systems) and high-interaction (actual systems) honeypots.
     Honeynets – real or simulated network of honeypots.
  29. Asset Management (Configuration Management)
     The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.
     • Hardened baseline configurations
     • Center for Internet Security (see: http://www.cisecurity.org/)
     • Disabling unnecessary services, removing extraneous programs, enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs
     Basic Principles of Security
     1. You can’t secure things if you don’t know you have them (Asset Management).
     2. You can’t secure the things you can’t control (Configuration Management, Change Control, Access Control, etc.)
  30. Asset Management (Configuration Management)
     Baselining
     • The process of capturing a point-in-time understanding of the current system security configuration
     • Helpful in responding to a potential security incident
     • Continual baselining is important
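Slides 29 and 30 describe hardened baselines and point-in-time baselining. The following Python is an added example, not from the slides or from the CIS benchmarks: it takes a hashed snapshot of a host's security-relevant settings and diffs a later snapshot against it, which is what makes a baseline useful during an incident, since the diff says exactly what moved. The two host states are constructed dicts; on a real host the values would be gathered from the package manager, service manager and configuration files, and the item names used here are only illustrative.

```python
import hashlib
import json

# Constructed host state at baseline time. Keys name the item; values are
# whatever the collector returns (service state, package version, file body).
BASELINE_HOST = {
    "service:sshd": "enabled",
    "service:telnet": "disabled",
    "package:openssl": "1.1.1k",
    "file:/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "firewall:deny-inbound-23": {"proto": "tcp", "port": 23, "action": "deny"},
    "audit:log-retention-days": 90,
}

# Constructed state collected later, after some drift.
CURRENT_HOST = {
    "service:sshd": "enabled",
    "service:telnet": "enabled",                       # changed: insecure service turned on
    "package:openssl": "1.1.1k",
    "file:/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # changed
    "audit:log-retention-days": 90,
    "package:netcat": "1.10",                          # added: not in the baseline at all
}                                                      # removed: the port-23 deny rule


def fingerprint(value):
    """Stable SHA-256 of any JSON-serialisable value (keys sorted, so dict ordering
    noise from the collector does not register as drift)."""
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def snapshot(host_state):
    """Baseline = {item: fingerprint}. Storing hashes rather than raw values keeps the
    baseline small and means it does not have to contain the configuration itself."""
    return {item: fingerprint(value) for item, value in host_state.items()}


def diff_baseline(baseline, current):
    """Classify every item as added, removed, changed or unchanged relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    shared = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in shared if baseline[k] != current[k]),
        "unchanged": sorted(k for k in shared if baseline[k] == current[k]),
    }


def check_drift(baseline_state=BASELINE_HOST, current_state=CURRENT_HOST):
    """Take the baseline once, re-snapshot now, and report the drift."""
    baseline = snapshot(baseline_state)   # in practice: loaded from where it was stored
    current = snapshot(current_state)
    return diff_baseline(baseline, current)


if __name__ == "__main__":
    for bucket, items in check_drift().items():
        print(f"{bucket:>9}: {items}")
```

Re-running `check_drift` on a schedule is the "continual baselining" the slide asks for; anything in `added`, `removed` or `changed` that does not correspond to an approved change request is the starting point for the change-management and incident-response slides that follow.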
  31. Asset Management (Configuration Management)
     Vulnerability Management
     • Vulnerability scanning is a way to discover poor configurations and missing patches in an environment
     • The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information
     • Prioritization and remediation of the vulnerabilities
  34. Asset Management (Configuration Management)
     Vulnerability Management
     Section 12.6 of ISO/IEC 27002:2013 provides guidance on technical vulnerability management. A vulnerability management process should be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. Vulnerability management starts with asset management: the information required to support systems technically includes tracking operating system software, version numbers, lists of software installed, and the person or persons responsible for maintaining the systems. Additionally, the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required thereof.
  35. Asset Management (Configuration Management)
     Vulnerability Management
     Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching the vulnerable systems and/or applying other controls. Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures. Critical-risk and high-risk systems should be addressed first. Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered. The technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency.
  36. Asset Management (Configuration Management)
     Zero-Day Vulnerabilities and Zero-Day Exploits
     • The average window of time between a patch being released and an associated exploit being made public is decreasing
     • Recent research even suggests that for some vulnerabilities, an exploit can be created within minutes based simply on the availability of the unpatched and patched program
     • The term for a vulnerability being known before the existence of a patch (or workaround) is zero-day vulnerability
     • A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability which has yet to be patched
  37. Change Management
     • A system that does not change will become less secure over time
     • Not an exact science; every organization will be a little different
     • The general flow of the change management process includes:
        • Identifying a change
        • Proposing a change
        • Assessing the risk associated with the change
        • Testing the change (backout plan)
        • Scheduling the change
        • Notifying impacted parties of the change
        • Implementing the change
        • Reporting results of the change implementation
     • Changes must be closely tracked and auditable
  38. Continuity of Operations
     Service Level Agreements (SLA)
     • Critical where organizations have external entities perform critical services or host significant assets and applications
     • Goal is to stipulate all expectations regarding the behavior of the department or organization that is responsible for providing services and the quality of the services provided
     • Availability is usually the most critical security consideration of a service level agreement
     • Organizations must negotiate all security terms of a service level agreement prior to engaging with the company
     • Cloud computing
  39. Fault Tolerance
     Backup
     • Recoverability in the event of a failure
     • Magnetic tape media is old technology, but is still the most common repository of backup data
     • Three basic types of backups exist: the full backup, the incremental backup, and the differential backup
  40. Fault Tolerance
     Backup
     • Full backup - a replica of all allocated data on a hard disk
        • The most costly in terms of media and time to back up
        • Often coupled with either incremental or differential backups to balance the time and media considerations
  41. Fault Tolerance
     Backup
     • Incremental backup - only archives files that have changed since the last backup of any kind was performed
        • The most recent full backup and each and every incremental backup since the full backup are required to initiate a recovery
        • Time to perform each incremental backup is extremely short; however, the downside is that a full restore can require many tapes, especially if full backups are performed less frequently
        • The odds of a failed restoration due to a tape integrity issue (such as a broken tape) rise with each additional tape required
  42. Fault Tolerance
     Backup
     • Differential backup - backs up any files that have been changed since the last full backup
        • Only the most recent full backup and the most recent differential backup are required to initiate a full recovery
        • As more time passes since the last full backup, the length of time to perform a differential backup will also increase
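Slides 39 to 42 state the full/incremental/differential trade-off in prose. The Python below is an added example, not material from the slides: it simulates a four-day history of file changes, runs the same history under an incremental plan and a differential plan, and computes for each what every tape captures and how many tapes a restore needs. The file names, versions and schedule are constructed; deletions are deliberately not modelled, which is a simplification a real backup tool cannot make.

```python
from dataclasses import dataclass, field


@dataclass
class Backup:
    """One backup job, i.e. one 'tape' in the slides' terms."""
    day: int
    kind: str            # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)   # filename -> version captured


def run_schedule(changes, schedule):
    """Simulate the three backup types from the slides.

    changes:  {day: {filename: new_version}} edits made during that day (constructed).
    schedule: [(day, kind), ...] in chronological order; each job runs at end of day.
    Full captures every file; incremental captures files modified since the last
    backup of any kind; differential captures files modified since the last full."""
    mtime, content, backups = {}, {}, []
    last_full_day = last_any_day = None
    applied = set()
    for day, kind in schedule:
        # apply every day's edits up to and including this day, once
        for d in sorted(c for c in changes if c <= day and c not in applied):
            for name, version in changes[d].items():
                content[name], mtime[name] = version, d
            applied.add(d)
        if kind == "full":
            since = -1                       # everything on disk
        elif kind == "incremental":
            since = last_any_day
        elif kind == "differential":
            since = last_full_day
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        if since is None:
            raise ValueError(f"{kind} backup on day {day} has no prior full backup")
        captured = {n: content[n] for n in content if mtime[n] > since}
        backups.append(Backup(day, kind, captured))
        last_any_day = day
        if kind == "full":
            last_full_day = day
    return backups


def restore_set(backups):
    """Tapes needed to restore to the newest backup, oldest first.
    Walk backwards: an incremental needs everything before it back to a full;
    a differential already covers everything since the last full, so jump straight to it."""
    needed, i = [], len(backups) - 1
    while i >= 0:
        b = backups[i]
        needed.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            i = max(j for j in range(i) if backups[j].kind == "full")
            continue
        i -= 1
    return list(reversed(needed))


def restore(backups):
    """Replay the needed tapes oldest-first so later versions overwrite earlier ones."""
    files = {}
    for tape in restore_set(backups):
        files.update(tape.files)
    return files


# Constructed four-day history: which files changed on which day.
CHANGES = {
    0: {"payroll.db": "v1", "web.conf": "v1", "notes.txt": "v1"},
    1: {"payroll.db": "v2"},
    2: {"web.conf": "v2"},
    3: {"payroll.db": "v3", "notes.txt": "v2"},
}
INCREMENTAL_PLAN = [(0, "full"), (1, "incremental"), (2, "incremental"), (3, "incremental")]
DIFFERENTIAL_PLAN = [(0, "full"), (1, "differential"), (2, "differential"), (3, "differential")]


def compare_plans(changes=CHANGES):
    """Incremental tapes stay small but a restore needs all of them; differential
    tapes grow each day but a restore needs only the full plus the newest one."""
    report = {}
    for label, plan in (("incremental", INCREMENTAL_PLAN), ("differential", DIFFERENTIAL_PLAN)):
        tapes = run_schedule(changes, plan)
        report[label] = {
            "files_per_tape": [len(t.files) for t in tapes],
            "tapes_to_restore": len(restore_set(tapes)),
            "restored": restore(tapes),
        }
    return report


if __name__ == "__main__":
    for label, r in compare_plans().items():
        print(label, r["files_per_tape"], "tapes to restore:", r["tapes_to_restore"])
```

Both plans restore the same final state; what differs is the tape count on the restore path (four versus two here), which is the tape-integrity risk slide 41 warns about, against the growing differential tape size slide 42 describes.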
  43. Fault Tolerance
     Redundant Array of Inexpensive Disks (RAID)
     • Mitigates the risk associated with hard disk failures
  44. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     Three terms that are important to understand with respect to RAID are: mirroring, striping, and parity
     • Mirroring - used to achieve full data redundancy by writing the same data to multiple hard disks
        • Write times are slower
        • Read times are faster
        • Most costly in terms of disk usage - at least half of the drives are used for redundancy
  45. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     Three terms that are important to understand with respect to RAID are: mirroring, striping, and parity
     • Striping - increases the read and write performance by spreading data across multiple hard disks
        • Reads and writes can be performed in parallel across multiple disks rather than serially on one disk
        • Parallelization provides a performance increase, but does not aid in data redundancy
     • Parity - achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance
  46. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 0: Striped Set
     • Striping to increase the performance of reads and writes
     • No data redundancy - poor choice if recovery of data is the reason for leveraging RAID
  47. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 1: Mirrored Set
     • Creates/writes an exact duplicate of all data to an additional disk
     • Write performance is decreased
     • Read performance can increase
     • Highest disk cost
  48. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 2: Hamming Code
     • Not considered commercially viable for hard disks and is not used
     • Requires either 14 or 39 hard disks and a specially designed hardware controller
     • Cost prohibitive
     • RAID 2 is not likely to be tested
  49. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 3: Striped Set with Dedicated Parity (byte level)
     • Data, at the byte level, is striped across multiple disks
     • An additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure
     RAID 4: Striped Set with Dedicated Parity (block level)
     • Exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level
     • Employs a dedicated parity drive rather than having parity data distributed amongst all disks, as in RAID 5
  50. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 5: Striped Set with Distributed Parity
     • One of the most popular RAID configurations
     • Leverages block-level striping
     • Writes parity information that is used for recovery purposes
     • Distributes the parity information across multiple disks
     • Disk cost for redundancy is lower than that of a mirrored set
     • Support for both hardware- and software-based implementations
     • Allows for data recovery in the event that any one disk fails
  52. Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
     RAID 6: Striped Set with Dual Distributed Parity
     • Can allow for the failure of two drives and still function
     • Redundancy is achieved by writing the same parity information to two different disks
     RAID 1+0 or RAID 10
     • Example of what is known as nested RAID or multi-RAID (one standard RAID level is encapsulated within another)
     • Configuration is a striped set of mirrors
     NOTE: There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.
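Slides 44 to 52 describe striping, mirroring and parity in prose. The Python below is an added example, not material from the slides: it builds a toy RAID 5 array in memory, with block-level striping across n disks and the parity chunk rotating between disks, rebuilds a single failed disk from the XOR of the survivors, and shows the case single parity cannot cover (two dead disks, which is what RAID 6's second parity set addresses). The disk count, chunk size and payload are constructed; a real controller also handles partial-stripe writes, write ordering and disk metadata, none of which appear here.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together; this is all RAID parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks=4, chunk=4):
    """Block-level striping with distributed parity.
    Each stripe holds n_disks-1 data chunks plus one parity chunk; the parity chunk
    rotates between disks so no single drive takes every parity write (RAID 3/4 put
    it on a dedicated disk instead). Returns disks[d] = list of chunks, one per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (n_disks - 1)
    padded = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(padded), per_stripe)):
        data_chunks = [padded[i:i + chunk] for i in range(start, start + per_stripe, chunk)]
        parity_disk = stripe % n_disks
        parity = xor_blocks(data_chunks)
        remaining = iter(data_chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks, length):
    """Reassemble the original bytes, skipping each stripe's parity chunk."""
    n = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        parity_disk = stripe % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][stripe]
    return bytes(out[:length])


def fail_disk(disks, d):
    """Simulate disk d dying: every chunk on it is gone (None)."""
    failed = [list(disk) for disk in disks]
    failed[d] = [None] * len(disks[d])
    return failed


def raid5_rebuild(disks):
    """Rebuild one failed disk. In every stripe the XOR of all chunks (data and parity)
    is zero, so the missing chunk equals the XOR of the survivors, whether it held
    data or parity. With a second disk down there are two unknowns per stripe and a
    single parity equation cannot solve for both; RAID 6's dual parity adds the second."""
    dead = [d for d, disk in enumerate(disks) if disk and disk[0] is None]
    if len(dead) != 1:
        raise ValueError(f"single parity rebuilds exactly one disk; {len(dead)} failed")
    d = dead[0]
    rebuilt = [list(disk) for disk in disks]
    for stripe in range(len(disks[0])):
        survivors = [disks[o][stripe] for o in range(len(disks)) if o != d]
        rebuilt[d][stripe] = xor_blocks(survivors)
    return rebuilt


def demo(n_disks=4):
    """Constructed payload through write -> single failure -> rebuild -> read,
    then the double-failure case, plus the capacity cost next to mirroring."""
    payload = b"CISSP Domain 7: security operations"   # constructed
    disks = raid5_write(payload, n_disks=n_disks, chunk=4)
    one_down = fail_disk(disks, 2)
    recovered = raid5_read(raid5_rebuild(one_down), len(payload)) == payload
    try:
        raid5_rebuild(fail_disk(one_down, 0))
        two_down_recoverable = True
    except ValueError:
        two_down_recoverable = False
    return {
        "single_failure_recovered": recovered,
        "double_failure_recoverable": two_down_recoverable,
        "usable_fraction_raid5": (n_disks - 1) / n_disks,   # one disk's worth goes to parity
        "usable_fraction_raid1": 0.5,                        # mirroring: half the drives
    }


if __name__ == "__main__":
    print(demo())
```

The `usable_fraction` values are the "disk cost for redundancy is lower than that of a mirrored set" point from slide 50 in numbers: parity costs one disk out of n, mirroring costs half of them.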
  53. Fault Tolerance - System Redundancy
     Redundant Hardware
     • Built-in redundancy (power supplies, disk controllers, and NICs are most common)
     • An inventory of spare modules to service the entire datacenter's servers would be less expensive than having all servers configured with an installed redundant power supply
     Redundant Systems
     • Entire systems available in inventory to serve as a means to recover
     • Have an SLA with hardware manufacturers to be able to quickly procure replacement equipment in a timely fashion
  54. BCP and DRP Overview and Process (used to be a Domain by itself)
     Unique terms and definitions
     • Business Continuity Plan (BCP)—a long-term plan to ensure the continuity of business operations
     • Continuity of Operations Plan (COOP)—a plan to maintain operations during a disaster
     • Disaster—any disruptive event that interrupts normal system operations
     • Disaster Recovery Plan (DRP)—a short-term plan to recover from a disruptive event
     • Mean Time Between Failures (MTBF)—quantifies how long a new or repaired system will run on average before failing
     • Mean Time to Repair (MTTR)—describes how long it will take to recover a failed system
  55. BCP and DRP Overview and Process
     Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
     Business Continuity Planning (BCP)
     • Goal of a BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced
     • Focus of a BCP is on the business as a whole
     • Business Continuity Planning provides a long-term strategy
     • Takes into account items such as people, vital records, and processes in addition to critical systems
  56. BCP and DRP Overview and Process
     Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
     Disaster Recovery Planning (DRP)
     • Disaster Recovery Plan is more tactical in its approach
     • Short-term plan for dealing with specific IT-oriented disruptions
     • Provides a means for immediate response to disasters
     • Does not focus on long-term business impact
  57. BCP and DRP Overview and Process
     Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
     Relationship between BCP and DRP
     • Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan
     • Two plans, which have different scopes, are intertwined
     • Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan
     • NIST Special Publication 800-34 provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as the Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.
  59. Disasters or Disruptive Events
     Classifications of disasters
     • Causes of disasters are commonly categorized by whether the threat agent is natural, human, or environmental
     • Natural—the most obvious type of threat that can result in a disaster is naturally occurring. This category includes such threats as earthquakes, hurricanes, tornadoes, floods, and some types of fires (closely related to geographical location)
     • Human—the human category of threats represents the most common source of disasters. Human threats can be further classified as to whether they constitute an intentional or unintentional threat
        • Examples of human-intentional threats include terrorists, malware, rogue insiders, Denial of Service, hacktivism, phishing, social engineering, etc.
        • Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person, through lack of knowledge, laziness, or carelessness, served as a source of disruption
     • Environmental—focused on the environment as it pertains to the information systems or datacenter. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, and application or software flaws
     • Analysis of threats and associated likelihoods is an important part of the BCP and DRP process
  61. Disasters or Disruptive Events
     Errors and omissions
     • Typically considered the single most common source of disruptive events
     • Threat is inadvertently caused by humans, most often in the employ of the organization, who unintentionally serve as a source of harm
     • Data entry mistakes are an example of errors and omissions
     Natural Disasters
     • Include earthquakes, hurricanes, floods, tsunamis, etc.
     • Likelihood of natural threats occurring is largely based upon the geographical location of the organization's information systems or datacenters
     • Generally have a rather low likelihood of occurring
     • Impact can be severe
63. 63. Disasters or Disruptive Events Electrical or power Problems • Much more common than natural disasters • Considered an environmental disaster • Mitigated with uninterruptible power supplies (UPS) and/or backup generators Temperature and Humidity Failures • Critical controls that must be managed during a disaster • Increased server density can cause significant heat issues • Mean Time Between Failures (MTBF) for electrical equipment will decrease if temperature and humidity levels are not kept within a tolerable range. CISSP® MENTOR PROGRAM – SESSION TEN 62 LECTURE Domain #7: Security Operations
  64. 64. Disasters or Disruptive Events Warfare, terrorism, and sabotage • Human-intentional threats • Threat can vary dramatically based on geographic location, industry, brand value, as well as the interrelatedness with other high-value target organizations • Cyber-warfare • “Aurora” attacks (named after the word “Aurora,” which was found in a sample of malware used in the attacks). As the New York Times reported on 2/18/2010: “A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.” CISSP® MENTOR PROGRAM – SESSION TEN 63 LECTURE Domain #7: Security Operations
65. 65. Disasters or Disruptive Events Financially-motivated Attackers • Exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus anti-malware tools, corporate espionage, etc. • Organized crime syndicates Personnel Shortages • Another significant source of disruption can come by means of having staff unavailable • Most organizations will have some critical processes that are people-dependent CISSP® MENTOR PROGRAM – SESSION TEN 64 LECTURE Domain #7: Security Operations
  67. 67. Disasters or Disruptive Events Personnel Shortages • Pandemics and Disease • Major biological problems such as pandemic flu or highly communicable infectious disease outbreaks • A pandemic occurs when an infection spreads through an extremely large geographical area, while an epidemic is more localized • Strikes • Strikes usually are carried out in such a manner that the organization can plan for the occurrence • Most strikes are announced and planned in advance, which provides the organization with some lead time • Personnel Availability • Sudden separation from employment of a critical member of the workforce CISSP® MENTOR PROGRAM – SESSION TEN 66 LECTURE Domain #7: Security Operations
  68. 68. Disasters or Disruptive Events Communications Failure • Increasing dependence of organizations on call centers, IP telephony, general Internet access, and providing services via the Internet • One of the most common disaster-causing events is telecommunications lines being inadvertently cut by someone digging where they are not supposed to NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant outage of Internet2, which provides high-speed connectivity for education and research networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the outage was due to lack of availability of fuel in the area. In addition to this outage, which impacted more than just those areas directly affected by the hurricane, there were substantial outages throughout Mississippi, which at its peak had more than a third of its public address space rendered unreachable. CISSP® MENTOR PROGRAM – SESSION TEN 67 LECTURE Domain #7: Security Operations
  69. 69. The Disaster Recovery Process The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster. • Different organizations and experts alike might disagree about the number or names of phases in the process • Personnel safety remains the top priority CISSP® MENTOR PROGRAM – SESSION TEN 68 LECTURE Domain #7: Security Operations
  70. 70. The Disaster Recovery Process Respond • Initial response begins the process of assessing the damage • Speed is essential (initial assessment) • The initial assessment will determine if the event in question constitutes a disaster • The initial response team should be mindful of assessing the facility's safety for continued personnel usage Activate Team If during the initial response to a disruptive event a disaster is declared, then the team that will be responsible for recovery needs to be activated. CISSP® MENTOR PROGRAM – SESSION TEN 69 LECTURE Domain #7: Security Operations
  71. 71. The Disaster Recovery Process Communicate • Ensure that consistent timely status updates are communicated back to the central team managing the response and recovery process • Communication often must occur out-of-band • The organization must also be prepared to provide external communications Assess • More detailed and thorough assessment • Assess the extent of the damage and determine the proper steps to ensure the organization's ability to meet its mission and Maximum Tolerable Downtime (MTD) • Team could recommend that the ultimate restoration or reconstitution occurs at the alternate site CISSP® MENTOR PROGRAM – SESSION TEN 70 LECTURE Domain #7: Security Operations
  72. 72. The Disaster Recovery Process Reconstitution • Successfully recover critical business operations either at primary or secondary site • If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs • A salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster CISSP® MENTOR PROGRAM – SESSION TEN 71 LECTURE Domain #7: Security Operations
  73. 73. Developing a BCP/DRP • High-level steps, according to NIST 800-34: • Project Initiation • Scope the Project • Business Impact Analysis • Identify Preventive Controls • Recovery Strategy • Plan Design and Development • Implementation, Training, and Testing • BCP/DRP Maintenance • NIST 800-34 is the National Institute of Standards and Technologies Information Technology Contingency Planning Guide, which can be found at http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf. CISSP® MENTOR PROGRAM – SESSION TEN 72 LECTURE Domain #7: Security Operations
  74. 74. Project Initiation In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones: 1. Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user. 3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs. CISSP® MENTOR PROGRAM – SESSION TEN 73 LECTURE Domain #7: Security Operations
  75. 75. Project Initiation In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones: 4. Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5. Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system. 6. Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness. 7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements. CISSP® MENTOR PROGRAM – SESSION TEN 74 LECTURE Domain #7: Security Operations
  76. 76. Management Support “C”-level managers: • Must agree to any plan set forth • Must agree to support the action items listed in the plan if an emergency event occurs • Refers to people within an organization like the chief executive officer (CEO), the chief operating officer (COO), the chief information officer (CIO), and the chief financial officer (CFO) • Have enough power and authority to speak for the entire organization when dealing with outside media • High enough within the organization to commit resources CISSP® MENTOR PROGRAM – SESSION TEN 75 LECTURE Domain #7: Security Operations
  77. 77. Other Roles BCP/DRP Project Manager • Key Point of Contact for ensuring that a BCP/DRP is completed and routinely tested • Must be a good manager and leader in case there is an event that causes the BCP or DRP to be implemented • Point of Contact (POC) for every person within the organization during a crisis • Must be very organized • Credibility and enough authority within the organization to make important, critical decisions with regard to implementing the BCP/DRP • Does not need to have in-depth technical skills CISSP® MENTOR PROGRAM – SESSION TEN 76 LECTURE Domain #7: Security Operations
  78. 78. Other Roles Continuity Planning Project Team (CPPT) • Comprises those personnel that will have responsibilities if/when an emergency occurs • Comprised of stakeholders within an organization • Focuses on identifying who needs to play a role if a specific emergency event were to occur • Includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions CISSP® MENTOR PROGRAM – SESSION TEN 77 LECTURE Domain #7: Security Operations
79. 79. Scoping the Project • Define exactly what assets are protected by the plan and which emergency events the plan will be able to address, and determine the resources necessary to completely create and implement the plan • “What is in and out of scope for this plan?” • After receiving C-level approval and input from the rest of the organization, objectives and deliverables can be determined CISSP® MENTOR PROGRAM – SESSION TEN 78 LECTURE Domain #7: Security Operations
  80. 80. Scoping the Project • Objectives are usually created as “if/then” statements • For example, “If there is a hurricane, then the organization will enact plan H—the Physical Relocation and Employee Safety Plan.” Plan H is unique to the organization but it does encompass all the BCP/DRP subplans required • An objective would be to create this plan and have it reviewed by all members of the organization by a specific date. • The objective will have a number of deliverables required to create and fully vet this plan: for example, draft documents, exercise planning meetings, table top preliminary exercises, etc. CISSP® MENTOR PROGRAM – SESSION TEN 79 LECTURE Domain #7: Security Operations
  81. 81. Scoping the Project • Executive management must at least ensure that support is given for three BCP/DRP items: • 1. Executive management support is needed for initiating the plan. • 2. Executive management support is needed for final approval of the plan. • 3. Executive management must demonstrate due care and due diligence and be held liable under applicable laws/regulations. CISSP® MENTOR PROGRAM – SESSION TEN 80 LECTURE Domain #7: Security Operations
82. 82. Assessing the Critical State • Assessing the critical state can be difficult because determining which pieces of the IT infrastructure are critical depends solely on how each piece supports the users within the organization. • When compiling the critical state and the asset list associated with it, the BCP/DRP project manager should note how the assets impact the organization in a “Business Impact” section. CISSP® MENTOR PROGRAM – SESSION TEN 81 LECTURE Domain #7: Security Operations
  84. 84. Conduct Business Impact Analysis (BIA) • Formal method for determining how a disruption to the IT system(s) of an organization will impact the organization • An analysis to identify and prioritize critical IT systems and components • Enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities CISSP® MENTOR PROGRAM – SESSION TEN 83 LECTURE Domain #7: Security Operations
85. 85. Conduct Business Impact Analysis (BIA) • Objective is to correlate the IT system components with the critical service each supports • Also aims to quantify the consequence of a disruption to the system component and how that will affect the organization • Determine the Maximum Tolerable Downtime (MTD) for a specific IT asset • Also provides information to improve business processes and efficiencies because it details all of the organization's policies and implementation efforts CISSP® MENTOR PROGRAM – SESSION TEN 84 LECTURE Domain #7: Security Operations The BIA is comprised of two processes: identification of critical assets and a comprehensive risk assessment.
86. 86. Conduct Business Impact Analysis (BIA) Identify Critical Assets • BIA and Critical State Asset List is conducted for every IT system within the organization, no matter how trivial or unimportant, leading to… • A list of those IT assets that are deemed business-essential by the organization Conduct BCP/DRP-focused Risk Assessment • Determines what risks are inherent to which IT assets • A vulnerability analysis is also conducted for each IT system and major application CISSP® MENTOR PROGRAM – SESSION TEN 85 LECTURE Domain #7: Security Operations
88. 88. Determine Maximum Tolerable Downtime • Describes the total time a system can be inoperable before an organization is severely impacted • It is also the maximum time it takes to execute the reconstitution phase • Comprised of two metrics: Recovery Time Objective (RTO) and Work Recovery Time (WRT) Alternate terms for MTD • Depending on the business continuity framework that is used, other terms may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO). CISSP® MENTOR PROGRAM – SESSION TEN 87 LECTURE Domain #7: Security Operations
  89. 89. Failure and Recovery Metrics • Used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure. • These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR). CISSP® MENTOR PROGRAM – SESSION TEN 88 LECTURE Domain #7: Security Operations
  90. 90. Recovery Point Objective • The amount of data loss or system inaccessibility (measured in time) that an organization can withstand. • “If you perform weekly backups, someone made a decision that your company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the recovery point objective. In this case, the RPO is 1 week.” • RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event CISSP® MENTOR PROGRAM – SESSION TEN 89 LECTURE Domain #7: Security Operations
91. 91. Recovery Time Objective (RTO) and Work Recovery Time (WRT) • Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems • RTO is also called the systems recovery time and is one part of Maximum Tolerable Downtime; once the system is physically running, it must still be configured. • Work Recovery Time (WRT) describes the time required to configure a recovered system. • “Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.” CISSP® MENTOR PROGRAM – SESSION TEN 90 LECTURE Domain #7: Security Operations
92. 92. Mean Time Between Failures • Quantifies how long a new or repaired system will run before failing • Typically generated by a component vendor and is largely applicable to hardware as opposed to applications and software. • A vendor selling LCD computer monitors may run 100 monitors 24 hours a day for 2 weeks and observe just one monitor failure. The vendor then extrapolates the following: 100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours • The BCP/DRP team determines the expected number of failures within the IT system over a given period of time. • Calculating the MTBF becomes less reliable when an organization uses fewer and fewer hardware assets. CISSP® MENTOR PROGRAM – SESSION TEN 91 LECTURE Domain #7: Security Operations
  93. 93. Mean Time to Repair (MTTR) • Describes how long it will take to recover a specific failed system • Best estimate for reconstituting the IT system so that business continuity may occur Minimum Operating Requirements • Describes the minimum environmental and connectivity requirements in order to operate computer equipment • Important to determine and document for each IT-critical asset because, in the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment CISSP® MENTOR PROGRAM – SESSION TEN 92 LECTURE Domain #7: Security Operations
  94. 94. Identify Preventive Controls • Preventive controls prevent disruptive events from having an impact • The BIA will identify some risks which may be mitigated immediately Recovery Strategy • Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, are used to determine the recovery strategy. • Always maintain technical, physical, and administrative controls when using any recovery option CISSP® MENTOR PROGRAM – SESSION TEN 93 LECTURE Domain #7: Security Operations
96. 96. Recovery Strategy Supply Chain Management • In an age of “just in time” shipment of goods, organizations may fail to acquire adequate replacement computers. • Some computer manufacturers offer guaranteed replacement insurance for a specific range of disasters. The insurance is priced per server, and includes a service level agreement that specifies the replacement time. All forms of relevant insurance should be analyzed by the BCP team. CISSP® MENTOR PROGRAM – SESSION TEN 95 LECTURE Domain #7: Security Operations
  97. 97. Recovery Strategy Telecommunication Management • Ensures the availability of electronic communications during a disaster • Often one of the first processes to fail during a disaster • Wired circuits such as T1s, T3s, frame relay, etc., need to be specifically addressed • Power can be provided by generator if necessary. CISSP® MENTOR PROGRAM – SESSION TEN 96 LECTURE Domain #7: Security Operations
  98. 98. Recovery Strategy Utility Management • Utility management addresses the availability of utilities such as power, water, gas, etc. during a disaster • The utility management plan should address all utilities required by business operations, including power, heating, cooling, and water. • Specific sections should address the unavailability of any required utility. Recovery options • Once an organization has determined its maximum tolerable downtime, the choice of recovery options can be determined. For example, a 10-day MTD indicates that a cold site may be a reasonable option. An MTD of a few hours indicates that a redundant site or hot site is a potential option. CISSP® MENTOR PROGRAM – SESSION TEN 97 LECTURE Domain #7: Security Operations
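The failure and recovery metrics from the slides above (MTBF, RPO, MTD = RTO + WRT) and the MTD-to-recovery-option mapping, worked in code. This is an added example, not the lecture's or the book's material: the monitor figures, the Saturday backup schedule and the 10-day MTD come from the slides, while the function names and the hour thresholds in `recovery_option` are this example's own reading of the site descriptions.

```python
"""BCP/DRP metrics worked through in code (added example, constructed inputs)."""
from datetime import datetime, timedelta

HOURS_PER_DAY = 24


def mtbf_hours(units: int, days: int, failures: int) -> float:
    """Estimate MTBF the way the slide's monitor vendor does:
    total unit-hours observed divided by the failures seen in that window."""
    if failures <= 0:
        raise ValueError("MTBF needs at least one observed failure")
    return units * days * HOURS_PER_DAY / failures


def expected_failures(mtbf: float, units: int, hours: float) -> float:
    """Expected failure count for a fleet of `units` over `hours`, which is
    what the BCP/DRP team needs when sizing spares for a period."""
    return units * hours / mtbf


def rpo_loss(last_backup: datetime, failure: datetime) -> timedelta:
    """Data lost when a system fails at `failure` and the most recent
    completed backup finished at `last_backup` (the slide's weekly case)."""
    if failure < last_backup:
        raise ValueError("failure cannot precede the last completed backup")
    return failure - last_backup


def loss_within_rpo(loss: timedelta, rpo: timedelta) -> bool:
    """True when the realised loss stays inside the accepted RPO."""
    return loss <= rpo


def mtd_hours(rto_hours: float, wrt_hours: float) -> float:
    """MTD = RTO + WRT: systems recovery time plus work recovery time."""
    return rto_hours + wrt_hours


def plan_meets_mtd(rto_hours: float, wrt_hours: float,
                   mtd_limit_hours: float) -> bool:
    """A recovery plan is acceptable only if RTO + WRT fits the MTD the
    BIA assigned to the asset; a fast RTO alone is not enough."""
    return mtd_hours(rto_hours, wrt_hours) <= mtd_limit_hours


def recovery_option(mtd_limit_hours: float) -> str:
    """Cheapest site type that fits an MTD, following the slides' bands:
    redundant (no loss), hot (under an hour), warm (1-3 days), cold (weeks).
    The exact cut-offs below are this example's assumption, not a standard."""
    if mtd_limit_hours < 1:
        return "redundant site"
    if mtd_limit_hours < HOURS_PER_DAY:
        return "hot site"
    if mtd_limit_hours < 7 * HOURS_PER_DAY:
        return "warm site"
    return "cold site"


if __name__ == "__main__":
    # Slide figures: 100 monitors, 14 days, 1 failure -> 33,600 hours per failure
    mtbf = mtbf_hours(100, 14, 1)
    print(f"MTBF: {mtbf:,.0f} hours")
    # Constructed dates: backup Saturday evening, failure next Saturday afternoon
    loss = rpo_loss(datetime(2019, 5, 11, 20, 0), datetime(2019, 5, 18, 15, 0))
    print(f"Data loss: {loss}, within 1-week RPO: "
          f"{loss_within_rpo(loss, timedelta(weeks=1))}")
    print(f"RTO 6h + WRT 4h meets 8h MTD: {plan_meets_mtd(6, 4, 8)}")
    print(f"10-day MTD -> {recovery_option(10 * HOURS_PER_DAY)}")
```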
  99. 99. Recovery Strategy Redundant Site • A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. • A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data. • The most expensive recovery option CISSP® MENTOR PROGRAM – SESSION TEN 98 LECTURE Domain #7: Security Operations
  100. 100. Recovery Strategy Hot Site • A hot site is a location that an organization may relocate to following a major disruption or disaster. • It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. • Will have all necessary hardware and critical applications data mirrored in real time. • A hot site will have the capability to allow the organization to resume critical operations within a very short period of time— sometimes in less than an hour. • Has all the same physical, technical, and administrative controls implemented of the production site. CISSP® MENTOR PROGRAM – SESSION TEN 99 LECTURE Domain #7: Security Operations
101. 101. Recovery Strategy Warm Site • Has some aspects of a hot site, for example, readily-accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. • It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers. • MTD of at least 1-3 days • The longer the MTD is, the less expensive the recovery solution will be. CISSP® MENTOR PROGRAM – SESSION TEN 100 LECTURE Domain #7: Security Operations
  102. 102. Recovery Strategy Cold Site • The least expensive recovery solution to implement. • Does not include backup copies of data, nor does it contain any immediately available hardware. • Longest amount of time of all recovery solutions to implement and restore critical IT services for the organization • MTD—usually measured in weeks, not days. • Typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that. CISSP® MENTOR PROGRAM – SESSION TEN 101 LECTURE Domain #7: Security Operations
  103. 103. Recovery Strategy Reciprocal Agreement • A bi-directional agreement between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster. • Documented in the form of a contract • Also referred to as Mutual Aid Agreements (MAAs) CISSP® MENTOR PROGRAM – SESSION TEN 102 LECTURE Domain #7: Security Operations
  104. 104. Recovery Strategy Mobile Site • “datacenters on wheels”: towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression and physical security. • A good fit for disasters such as a datacenter flood • Typically placed within the physical property lines, and are protected by defenses such as fences, gates, and security cameras CISSP® MENTOR PROGRAM – SESSION TEN 103 LECTURE Domain #7: Security Operations
  105. 105. Recovery Strategy Subscription Services • Some organizations outsource their BCP/DRP planning and/or implementation by paying another company to perform those services. • Effectively transfers the risk to the insurer company. • Based upon a simple insurance model, and companies such as IBM have built profit models and offer services for customers offering BCP/DRP insurance. CISSP® MENTOR PROGRAM – SESSION TEN 104 LECTURE Domain #7: Security Operations
106. 106. Related Plans The Business Continuity Plan is an umbrella plan that contains other plans: • Disaster recovery plan • Continuity of Operations Plan (COOP) • Business Resumption/Recovery Plan (BRP) • Continuity of Support Plan • Cyber Incident Response Plan • Occupant Emergency Plan (OEP) • Crisis Management Plan (CMP) CISSP® MENTOR PROGRAM – SESSION TEN 105 LECTURE Domain #7: Security Operations
  108. 108. Related Plans Continuity of Operations Plan (COOP) • Describes the procedures required to maintain operations during a disaster • Includes transfer of personnel to an alternate disaster recovery site, and operations of that site. CISSP® MENTOR PROGRAM – SESSION TEN 107 LECTURE Domain #7: Security Operations
  109. 109. Related Plans Business Recovery Plan (BRP) • Also known as the Business Resumption Plan • Details the steps required to restore normal business operations after recovering from a disruptive event • May include switching operations from an alternate site back to a (repaired) primary site. • Picks up when the COOP is complete • Narrow and focused: the BRP is sometimes included as an appendix to the Business Continuity Plan CISSP® MENTOR PROGRAM – SESSION TEN 108 LECTURE Domain #7: Security Operations
  110. 110. Related Plans Continuity of Support Plan • Focuses narrowly on support of specific IT systems and applications • Also called the IT Contingency Plan, emphasizing IT over general business support Cyber Incident Response Plan • Designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc. CISSP® MENTOR PROGRAM – SESSION TEN 109 LECTURE Domain #7: Security Operations
  111. 111. Related Plans Occupant Emergency Plan (OEP) • Provides the “response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.” • Facilities-focused, as opposed to business or IT-focused. • Focused on safety and evacuation, and should describe specific safety drills, including evacuation drills (also known as fire drills) • Specific safety roles should be described, including safety warden and meeting point leader CISSP® MENTOR PROGRAM – SESSION TEN 110 LECTURE Domain #7: Security Operations
  112. 112. Related Plans Crisis Management Plan (CMP) • Designed to provide coordination among the managers of the organization in the event of an emergency or disruptive event • Details the actions management must take to ensure that life and safety of personnel and property are immediately protected in case of a disaster • Crisis Communications Plan • Component of the Crisis Management Plan • Sometimes called the communications plan • A plan for communicating to staff and the public in the event of a disruptive event CISSP® MENTOR PROGRAM – SESSION TEN 111 LECTURE Domain #7: Security Operations
  113. 113. Related Plans Crisis Management Plan (CMP) Call Trees • Used to quickly communicate news throughout an organization without overburdening any specific person • Works by assigning each employee a small number of other employees they are responsible for calling in an emergency event • Most effective when there is two-way reporting of successful communication • Should contain alternate contact methods, in case the primary methods are unavailable CISSP® MENTOR PROGRAM – SESSION TEN 112 LECTURE Domain #7: Security Operations
  115. 115. Related Plans Crisis Management Plan (CMP) Automated Call Trees • Automatically contact all BCP/DRP team members after a disruptive event • Tree can be activated by an authorized member, triggered by a phone call, email, or Web transaction • Once triggered, all BCP/DRP members are automatically contacted • Can require positive verification of receipt of a message, such as “press 1 to acknowledge receipt.” • Automated call trees are hosted offsite, and typically supported by a third-party BCP/DRP provider CISSP® MENTOR PROGRAM – SESSION TEN 114 LECTURE Domain #7: Security Operations
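The call tree the last two slides describe, built and exercised in code: each employee is assigned a small number of others to call, every contact is tried on a primary and then an alternate method, and acknowledgments are reported back so the initiator can see who was never reached. This is an added example, not the lecture's material; the roster, contact details and the table of who answers are constructed sample data, and the rule that a caller takes over an unreachable person's calls is this example's own design choice.

```python
"""Call tree with two-way acknowledgment (added example, constructed data)."""
from collections import deque

FAN_OUT = 3  # each person is responsible for calling at most this many others

# Constructed roster: name -> (primary contact, alternate contact)
ROSTER = {
    "Dana": ("dana@example.test", "+1-555-0100"),   # BCP/DRP project manager
    "Ahmed": ("ahmed@example.test", "+1-555-0101"),
    "Beth": ("beth@example.test", "+1-555-0102"),
    "Chen": ("chen@example.test", "+1-555-0103"),
    "Devi": ("devi@example.test", "+1-555-0104"),
    "Eli": ("eli@example.test", "+1-555-0105"),
    "Farah": ("farah@example.test", "+1-555-0106"),
    "Gus": ("gus@example.test", "+1-555-0107"),
    "Hana": ("hana@example.test", "+1-555-0108"),
}

# Constructed simulation of who answers on which method during the event
REACHABLE = {
    "Ahmed": set(),                     # travelling, neither method works
    "Beth": {"alternate"},              # primary line is down at her site
    "Chen": {"primary"},
    "Devi": {"primary"},
    "Eli": {"alternate"},
    "Farah": set(),
    "Gus": {"primary"},
    "Hana": {"primary", "alternate"},
}


def build_call_tree(root, people, fan_out=FAN_OUT):
    """Assign callees breadth-first so every person other than the root is
    called by exactly one other person and nobody has more than `fan_out`
    calls to make. Returns name -> list of names to call."""
    tree = {p: [] for p in people}
    remaining = deque(p for p in people if p != root)
    queue = deque([root])
    while queue and remaining:
        caller = queue.popleft()
        for _ in range(fan_out):
            if not remaining:
                break
            callee = remaining.popleft()
            tree[caller].append(callee)
            queue.append(callee)
    return tree


def contact(name, reachable):
    """Try the primary method, then the alternate; return the method that
    produced an acknowledgment, or None if neither did."""
    for method in ("primary", "alternate"):
        if method in reachable.get(name, set()):
            return method
    return None


def run_call_tree(tree, root, reachable):
    """Walk the tree from `root`. Returns (acknowledged, unreached) where
    acknowledged maps name -> (method, who made the call). When a person
    cannot be reached, the caller takes over that person's own call list so
    the branch below them does not silently stall."""
    acknowledged = {}
    unreached = []
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        pending = deque(tree[caller])
        while pending:
            callee = pending.popleft()
            method = contact(callee, reachable)
            if method is None:
                unreached.append(callee)
                pending.extend(tree[callee])   # escalate the stalled branch
            else:
                acknowledged[callee] = (method, caller)
                queue.append(callee)
    return acknowledged, unreached


if __name__ == "__main__":
    tree = build_call_tree("Dana", list(ROSTER))
    acked, missed = run_call_tree(tree, "Dana", REACHABLE)
    for name, (method, by) in acked.items():
        print(f"{name}: acknowledged via {method}, called by {by}")
    print("Not reached, needs follow-up:", missed)
```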
  116. 116. Related Plans Crisis Management Plan (CMP) Emergency Operations Center (EOC) • The command post established during or just after an emergency event • Placement of the EOC will depend on resources that are available CISSP® MENTOR PROGRAM – SESSION TEN 115 LECTURE Domain #7: Security Operations
  117. 117. Related Plans Crisis Management Plan (CMP) Vital Records • Should be stored offsite, at a location and in a format that will allow access during a disaster • Have both electronic and hardcopy versions of all vital records • Include contact information for all critical staff. Additional vital records include licensing information, support contracts, service level agreements, reciprocal agreements, telecom circuit IDs, etc. CISSP® MENTOR PROGRAM – SESSION TEN 116 LECTURE Domain #7: Security Operations
  118. 118. Please try to catch up in your reading. • We left off on page 411 in the book. • Monday (5/20) we’ll start again with “Executive Succession Planning” • Come with questions! • CATCH UP ON READING! Have a great evening, talk to you Monday! CISSP® MENTOR PROGRAM – SESSION TEN 117 WE MADE IT THROUGH CLASS 10! Not the most exciting, but important nonetheless.