The document appears to be an order form template for a fishing division. It includes fields for customer information, ship to state, item numbers and descriptions, quantities, pricing, discounts, shipping costs, and a table of state abbreviations and regions. There are also references to item price schedules, soft bait packaging pricing, and shipping cost tables for regular and preferred customers based on region.
3. Principles of Incident Response and Disaster Recovery, 2nd
Edition
Chapter 01
An Overview of Information
Security and Risk Management
2
2
Objectives
Define and explain information security
Identify and explain the basic concepts of risk management
List and discuss the components of contingency planning
Describe the role of information security policy in the
development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd
Edition
3
3
Introduction
Contingency planning
Being ready for incidents and disasters
Example: 1/10 of one percent of online users
Allows for two and a half million potential attackers
Example: World Trade Center (WTC) organizations
Had contingency plans due to February 1993 attack
Example: 2008 Gartner report
2/3 of organizations invoked plans in prior two years
Information security includes contingency planning
4. Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd
Edition
4
4
Information Security
Committee on National Security Systems (CNSS) information
security definition
Protection of information and its critical elements
Includes systems and hardware storing, transmitting information
Part of the CNSS model (evolved from C.I.A. triangle)
Conceptual framework for understanding security
Information security (InfoSec)
Protection of confidentiality, integrity, and availability of
information
In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd
Edition
5
5
Key Information Security Concepts
Threat: object, person, other entity posing potential risk of loss
to an asset
Asset: organizational resource being protected
Logical or physical
Attack: attempt to cause damage to or compromise information
5. of supporting systems
Arises from a threat; intentional or unintentional
Threat-agent: threat instance
Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd
Edition
6
6
Key Information Security Concepts (cont’d.)
Vulnerability
Flaw or weakness in system security procedures, design,
implementation, internal controls
Results in security breach or security policy violation
Well-known or latent
Exercised accidently or intentionally
Exploit: caused by threat-agent
Can exploit system or information through illegal use
Can create an exploit to target a specific vulnerability
Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd
Edition
7
7
Key Information Security Concepts (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
8
6. 8
Key Information Security Concepts (cont’d.)
Trespass
Broad category of electronic and human activities
Can breach information confidentiality
Leads to unauthorized real or virtual actions
Results in unauthorized access to premises or system
Software attacks
Malicious code, malicious software, malware
Designed to damage, destroy, deny service to the target systems
Example: hackers
Principles of Incident Response and Disaster Recovery, 2nd
Edition
9
9
Key Information Security Concepts (cont’d.)
Common malicious code instances
Viruses and worms, Trojan horses, logic bombs, bots, rootkits,
back doors, denial-of-service (DoS) attack, distributed DoS
(DDoS) attack
Malicious code threats: sources of confusion
Method of propagation, payload, vector of infection
Viruses
Segments of code that perform malicious actions
Macro virus: embedded automatically in macrocode
Boot virus: infects key operating systems files
Principles of Incident Response and Disaster Recovery, 2nd
7. Edition
10
10
Key Information Security Concepts (cont’d.)
Worms
Replicate themselves constantly
No other program needed
Can replicate until available resources filled
Back doors and trap doors
Installed by virus or worm payload
Provides at will special privilege system access
Polymorphism
Threat changes apparent shape over time
Elude antivirus software detection
Principles of Incident Response and Disaster Recovery, 2nd
Edition
11
11
Key Information Security Concepts (cont’d.)
Propagation vectors
Manner by which malicious code spreads can vary
May use social engineering: Trojan horse looks desirable, but is
not
May leverage open network connection, file shares or software
vulnerability
Malware hoaxes
Well-meaning people send random e-mails warning of fictitious
8. dangerous malware
Wastes a lot of time and energy
Principles of Incident Response and Disaster Recovery, 2nd
Edition
12
12
Key Information Security Concepts (cont’d.)
Human error or failure
Introduces acts performed by an authorized user
No malicious intent or purpose
Human error
Small mistakes produce extensive damage with catastrophic
results
Human failure
Intentional refusal or unintentional inability to comply with
policies, guidelines, and procedures, with a potential loss of
information
Principles of Incident Response and Disaster Recovery, 2nd
Edition
13
13
Key Information Security Concepts (cont’d.)
Theft
Illegal taking of another’s property
Property: physical, electronic, intellectual
Includes acts of espionage and breach of confidentiality
Methods
9. Competitive intelligence or industrial espionage
Theft or loss of mobile devices
Phones, tablets, and computers
Stored information more important than devices
Principles of Incident Response and Disaster Recovery, 2nd
Edition
14
14
Key Information Security Concepts (cont’d.)
Compromises to intellectual property
FOLDOC intellectual property (IP) definition
The ownership of ideas and control over the tangible or virtual
representation of those ideas. Use of another person’s
intellectual property may or may not involve royalty payments
or permission but should always include proper credit to the
source
Includes
Trade secrets, copyrights, trademarks, patents
Exfiltration, or unauthorized removal of information
Software piracy
Principles of Incident Response and Disaster Recovery, 2nd
Edition
15
15
Key Information Security Concepts (cont’d.)
Sabotage or vandalism
Destroys asset or damages an organization’s image
10. Assault on an organization’s Web site
Cyberterrorism (more sinister hacking)
Technical software failures or errors
Software with unknown hidden faults
Code sold before security-related bugs detected
Trap doors
Helpful Web sites
Bugtraq and National Vulnerability Database
Principles of Incident Response and Disaster Recovery, 2nd
Edition
16
16
Key Information Security Concepts (cont’d.)
Technical hardware failures or errors
Equipment distributed with known or unknown flaw
System performs outside expected parameters
Errors can be terminal or intermittent
Forces of nature
Known as force majeure, or acts of God
Pose most dangerous threats imaginable
Occur with very little warning
Principles of Incident Response and Disaster Recovery, 2nd
Edition
17
17
Key Information Security Concepts (cont’d.)
Deviations in quality of service by service providers
Product or service not delivered as expected
11. Support systems interrupted by storms, employee illnesses,
unforeseen events
Technological obsolescence
Antiquated or outdated infrastructure
Leads to unreliable and untrustworthy systems
Risk loss of data integrity from attacks
Principles of Incident Response and Disaster Recovery, 2nd
Edition
18
18
Key Information Security Concepts (cont’d.)
Information extortion
Attacker or trusted insider steals information from a computer
system
Demands compensation for its return or for an agreement to not
disclose the information
Common in credit card number theft
Other threats
See Table 1-2
Principles of Incident Response and Disaster Recovery, 2nd
Edition
19
19
Principles of Incident Response and Disaster Recovery, 2nd
Edition
20
12. 20
Overview of Risk Management
Risk management process
Identifying and controlling information asset risks
Security managers play the largest roles
Includes contingency planning
Risk identification process
Examining, documenting, and assessing the security posture of
an organization’s IT and the risks it faces
Risk control process
Applying controls to reduce the risks
Principles of Incident Response and Disaster Recovery, 2nd
Edition
21
21
Overview of Risk Management (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
22
22
Overview of Risk Management (cont’d.)
13. Risk management redefined
Process of identifying vulnerabilities and taking carefully
reasoned steps to ensure the confidentiality, integrity, and
availability of the information system
“If you know the enemy and know yourself, you need not fear
the result of a hundred battles. If you know yourself but not the
enemy, for every victory gained you will also suffer a defeat. If
you know neither the enemy nor yourself, you will succumb in
every battle.”
- Chinese General Sun Tzu
Source: Oxford University Press
Principles of Incident Response and Disaster Recovery, 2nd
Edition
23
23
Overview of Risk Management (cont’d.)
Know yourself
Identify, examine, and understand the information and systems
currently in place
Asset: information and systems that use, store, and transmit
information
Question to ask when protecting assets
What are they?
How do they add value to the organization?
To which vulnerabilities are they susceptible?
Have periodic review, revision, and maintenance of control
mechanisms
Principles of Incident Response and Disaster Recovery, 2nd
Edition
24
14. 24
Overview of Risk Management (cont’d.)
Know the enemy
Identify, examine, and understand threats
Determine threat aspects affecting the organization and the
security of the assets
List threats prioritized by importance
Conduct periodic management reviews
Verify completeness and accuracy of asset inventory
Review and verify identified threats and vulnerabilities
Review current controls and mitigation strategies
Review cost effectiveness and deployment issues
Verify ongoing effectiveness of every control
Principles of Incident Response and Disaster Recovery, 2nd
Edition
25
25
Risk Identification
Identify, classify, and prioritize information assets
Threat identification process begins afterwards
Asset examined to identify vulnerabilities
Controls identified
Controls assessed
Regarding capability to limit possible losses should attack occur
Principles of Incident Response and Disaster Recovery, 2nd
Edition
26
15. 26
Principles of Incident Response and Disaster Recovery, 2nd
Edition
27
27
Asset Identification and Value Assessment
Iterative process of identifying assets and assessing their value
Information asset classification
Classify with respect to security needs
Components must be specific for the creation of various priority
levels
Components ranked according to criteria established by the
categorization
Use comprehensive and mutually exclusive categories
Establish clear and comprehensive category sets
Principles of Incident Response and Disaster Recovery, 2nd
Edition
28
28
Asset Identification and Value Assessment (cont’d.)
Information asset valuation
Is this asset the most critical to the organizations’ success?
Does it generate the most revenue?
16. Does it generate the most profit?
Would it be the most expensive to replace?
Will it be the most expensive to protect?
If revealed, would it cause the most embarrassment or greatest
damage?
Does the law or other regulation require us to protect this asset?
Principles of Incident Response and Disaster Recovery, 2nd
Edition
29
29
Asset Identification and Value Assessment (cont’d.)
Answers determine weighting criteria
Used for asset valuation and impact evaluation
Must decide criteria best suited to establish the information
asset value
Perform weighted factor analysis
Calculates relative importance of each asset
Assign score from 0.1 to 1.0 for each critical factor
Assign each critical factor a weight from 1 to 100
Identify, document and add company-specific criteria
Principles of Incident Response and Disaster Recovery, 2nd
Edition
30
30
Asset Identification and Value Assessment (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
17. 31
31
Data Classification and Management
(cont’d.)
Data classification schemes
Procedures requiring organizational data to be classified into
mutually exclusive categories
Based on need to protect data category confidentiality
Military specialized classification ratings
“Public” to “For Official Use Only” to “Confidential“ to
“Secret” to “Top Secret”
Principles of Incident Response and Disaster Recovery, 2nd
Edition
32
32
Data Classification and Management (cont’d.)
Alternative information classification scheme
Public: for general public dissemination
For official use: Not particularly sensitive but not for public
release
Sensitive: important to the business and could cause
embarrassment or loss of market share if revealed
Classified: requires utmost security; disclosure could severely
impact the organization
Personnel information security clearances
On a need-to-know basis
18. Principles of Incident Response and Disaster Recovery, 2nd
Edition
33
33
Threat Identification
Conduct a threat assessment
Which threats present a danger to the organization’s assets in
the given environment?
Which threats represent the most danger to the organization’s
information?
Which threats would cost the most to recover from if there was
an attack?
Which threats require the greatest expenditure to prevent?
Principles of Incident Response and Disaster Recovery, 2nd
Edition
34
34
Vulnerability Identification
Review each asset and each threat it faces
Create list of vulnerabilities
Examine how each threat could be perpetrated
List organization’s assets and its vulnerabilities
Notes
Threat may yield multiple vulnerabilities
People with diverse backgrounds should participate
Principles of Incident Response and Disaster Recovery, 2nd
Edition
19. 35
35
Risk Assessment
Process of assigning a risk rating or score to each information
asset
Goal
Determine relative risk of each vulnerability using various
factors
Likelihood
Probability that a specific vulnerability will be successfully
attacked
Many asset/vulnerability combinations have external references
for likelihood values
Principles of Incident Response and Disaster Recovery, 2nd
Edition
36
36
Valuation of Information Assets
Assign weighted scores for the value to the organization of each
information asset
Re-ask questions described in the “Threat Identification”
section
Which of these questions is most important to the protection of
the organization’s information?
Examine how current controls can reduce risk faced by specific
vulnerabilities
Impossible to know everything about each vulnerability
20. Principles of Incident Response and Disaster Recovery, 2nd
Edition
37
37
Risk Determination
Risk = (likelihood of vulnerability x value) – percent of risk
currently controlled + uncertainty of assumptions
Qualitative Risk Management
General categories and ranking used to evaluate risk
Factor Analysis of Information Risk (FAIR) strategy
Promoted by CXOWARE
Residual risk
Remaining risk after control applied
Principles of Incident Response and Disaster Recovery, 2nd
Edition
38
38
Identify Possible Controls
Controls, safeguards, and countermeasures
Represent security mechanisms, policies, and procedures that
reduce risk
Three types of security policies
Enterprise information security policy
Issue-specific policies
Systems-specific policies
Programs
Activities performed within the organization to improve
security
21. Principles of Incident Response and Disaster Recovery, 2nd
Edition
39
39
Risk Control Strategies
Defense approach (preferred approach)
Attempts to prevent vulnerability exploitation
Risk defense methods
Defense through application of policy
Defense through training and education programs
Defense through technology application
Usually requires technical solutions
Eliminate asset exposure
Attempt to reduce risk to an acceptable level
Principles of Incident Response and Disaster Recovery, 2nd
Edition
40
40
Risk Control Strategies (cont’d.)
Implement security controls and safeguards
Deflect attacks to minimize the successful probability
Transference
Attempts to shift risk to other assets, processes, organizations
Rethink how services offered
Revise deployment models
Outsource to other organizations
Purchase insurance
Implement service contracts with providers
22. Principles of Incident Response and Disaster Recovery, 2nd
Edition
41
41
Risk Control Strategies (cont’d.)
Mitigation
Attempts to reduce impact caused by the vulnerability
exploitation
Through planning and preparation
Includes contingency planning
Business impact analysis
Incident response plan
Disaster recovery plan
Business continuity plan
Requires quick attack detection and response
Relies on existence and quality of the other plans
Principles of Incident Response and Disaster Recovery, 2nd
Edition
42
42
Risk Control Strategies (cont’d.)
Acceptance
Do nothing to protect an information asset
Accept the outcome of its potential exploitation
Only valid when the organization has:
Determined the level of risk
Assessed the probability of attack
Estimated potential damage that could occur
23. Performed a thorough cost-benefit analysis
Evaluated controls
Decided asset did not justify the cost of protection
Principles of Incident Response and Disaster Recovery, 2nd
Edition
43
43
Risk Control Strategies (cont’d.)
Termination
Difference from acceptance
Remove asset from the environment representing risk
Two main reasons
Cost of protecting an asset outweighs its value
Too difficult or expensive to protect asset compared to value or
advantage asset offers
Termination must be a conscious business decision
Not simple asset abandonment
Principles of Incident Response and Disaster Recovery, 2nd
Edition
44
44
Contingency Planning and Its Components
Contingency plan
Used to anticipate, react to, and recover from events threatening
events
Restores organization to normal modes of business operations
Four subordinate functions
24. Business impact assessment (BIA)
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
45
45
Business Impact Analysis
Business impact analysis (BIA)
Investigation and assessment of the impact of attacks
Adds detail to prioritized threat and vulnerability list created in
the risk management process
Provides detailed scenarios of potential impact of each type of
attack
Principles of Incident Response and Disaster Recovery, 2nd
Edition
46
46
Incident Response Plan
Incident
Any clearly identified attack on assets
Incident response plan (IRP)
Deals with the identification, classification, response, and
recovery from an incident
Assesses the likelihood of imminent damage
25. Informs key decision makers
Enables the organization to take coordinated action
Principles of Incident Response and Disaster Recovery, 2nd
Edition
47
47
Disaster Recovery Plan
Preparation for and recovery from natural or man-made disaster
Includes:
Preparations for the recovery process
Strategies to limit losses during the disaster
Detailed steps to follow after immediate danger
Focus
Preparation before the incident
Actions taken after the incident
Principles of Incident Response and Disaster Recovery, 2nd
Edition
48
48
BCP and BRP
Business continuity plan (BCP)
Expresses how to ensure critical business functions continue at
an alternate location
After catastrophic incident or disaster
Used when DRP cannot restore primary site operations
Most strategic and long-term plan
26. Business resumption plan (BRP)
Emerging new concept in contingency planning
Merges the DRP and BCP into a single process
Principles of Incident Response and Disaster Recovery, 2nd
Edition
49
49
Contingency Planning Timeline
Steps in contingency planning
IR plan focuses on immediate response
May move to DRP and BCP if disastrous
DR plan focuses on restoring systems at original site
BC runs concurrently with DRP
When major or long-term damage occurs
IRP, DRP, and BCP distinction
When each comes into play during the incident
Principles of Incident Response and Disaster Recovery, 2nd
Edition
50
50
Principles of Incident Response and Disaster Recovery, 2nd
Edition
51
27. 51
Principles of Incident Response and Disaster Recovery, 2nd
Edition
52
52
Contingency Planning Timeline (cont’d.)
Seven steps in NIST SP 800-34, Revision 1
Principles of Incident Response and Disaster Recovery, 2nd
Edition
53
53
Role of Information Security Policy in Developing Contingency
Plans
Policy needs to enforce information protection requirements
Before, during, and after incident
Quality security programs
Begin and end with policy
Information security
A management problem
28. Difficulties in shaping policy
Must never conflict with laws; must stand up in court if
challenged; must be properly administered
Principles of Incident Response and Disaster Recovery, 2nd
Edition
54
54
Key Policy Definitions
Policy
Plan or course of action
Conveys instructions from senior management to those who
make decisions, take action, perform duties
Organizational law
Dictates acceptable and unacceptable behavior
Defines penalties for violations
Standard
Detailed statement of what must be done to comply
De facto standard (informal standard)
De jure standard (formal standard)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
55
55
Principles of Incident Response and Disaster Recovery, 2nd
29. Edition
56
56
Key Policy Definitions (cont’d.)
Mission
Written statement of an organization’s purpose
Vision
Written statement about organization’s goals
Strategic planning
Process of moving organization toward its vision
Information security policy
Provides rules for protecting information assets
Enterprise information security policy, issue-specific security
policy, systems-specific security policy
Principles of Incident Response and Disaster Recovery, 2nd
Edition
57
57
Enterprise Information Security Policy
Enterprise information security policy (EISP)
Based on and directly supports the mission, vision, and
direction of the organization
Executive-level
Sets strategic direction, scope, and tone for all security efforts
30. Contains requirements to be met
Defines purpose, scope, constraints, and applicability
Assigns responsibilities
Addresses legal compliance
Principles of Incident Response and Disaster Recovery, 2nd
Edition
58
58
Issue-Specific Security Policy
Issue-specific security policy (ISSP)
Addresses specific areas of technology
Three common approaches to creating ISSPs
Independent ISSP documents, each tailored to a specific issue
A single comprehensive ISSP document covering all issues
Modular ISSP document that unifies policy creation and
administration while maintaining each specific issue’s
requirements
Principles of Incident Response and Disaster Recovery, 2nd
Edition
59
59
Principles of Incident Response and Disaster Recovery, 2nd
Edition
60
31. 60
Issue-Specific Security Policy (cont’d.)
Statement of policy
Defines scope, responsibility for implementation, technologies
and issues being addressed
Authorized access and usage of equipment
Addresses who can use technology and for what it can be used
Defines “fair and responsible use”
Addresses key legal issues
Prohibited usage of equipment
Outlines what technology cannot be used for
Principles of Incident Response and Disaster Recovery, 2nd
Edition
61
61
Issue-Specific Security Policy (cont’d.)
Systems management
Focuses on users’ relationship to management
Violations of policy
Specifies penalties and how to report violations
Policy review and modification
Procedures and a timetable for periodic review so users do not
circumvent it as it grows obsolete
Limitations of liability
32. States company will not protect user and is not liable for their
actions
Principles of Incident Response and Disaster Recovery, 2nd
Edition
62
62
Systems-Specific Policy
Systems-specific security policies (SysSPs)
Standards and procedures used when configuring or maintaining
systems
Access control lists (ACLs)
Govern rights and privileges of particular users to particular
systems
Configuration rules
Specific configuration codes entered into security systems
Principles of Incident Response and Disaster Recovery, 2nd
Edition
63
63
Systems-Specific Policy (cont’d.)
ACL policies
Translated into configuration sets
Controls access to systems
Regulate the who, what, when, and where of access
ACL rules
Known as capability tables, user profiles, user policies
33. Specify what a user can and cannot do with resources
Rule policies
More specific than ACLs
May or may not deal with users directly
Principles of Incident Response and Disaster Recovery, 2nd
Edition
64
64
Policy Management
Policies
Constantly changing and growing
Must be properly disseminated
Security policies must have the following
Individual responsible for creation, revision, distribution, and
storage
Schedule of reviews
Mechanism for recommendations for revisions
Policy/revision date; possibly “sunset” expiration date
Policy management software (optional)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
65
65
Summary
Information security protects information and its critical
elements
34. C.I.A. triangle: basis for CNSS model
Threat: entity posing potential for loss to an asset
Asset: has value to the organization
Vulnerability: weakness in protection mechanisms
Risk management process: identify vulnerabilities and taking
steps to protect assets
Principles of Incident Response and Disaster Recovery, 2nd
Edition
66
66
Summary (cont’d.)
Risk identification: process of identifying risks
Risk control: applying controls to reduce risk
Contingency planning: avoidance, transference, mitigation,
acceptance strategies
Business impact analysis: assess attack type impact
Incident response plan: actions taken when an incident in
progress
Disaster recovery plan: preparation for and recovery from a
disaster
Principles of Incident Response and Disaster Recovery, 2nd
Edition
67
67
35. Summary (cont’d.)
Business continuity plan: ensures critical business functions
continue after a disaster
Policies: organizational laws dictating behavior
Enterprise information security policy: sets strategic scope,
direction, tone
Issue-specific security policy: addresses specific areas of
technology
Systems-specific security policy: used when configuring or
maintaining systems
Principles of Incident Response and Disaster Recovery, 2nd
Edition
68
68
Principles of Incident Response and Disaster Recovery, 2nd
Edition
Chapter 02
Planning for Organizational
Readiness
1
1
Objectives
Discuss why an individual or group needs to be appointed to
create a contingency policy and plan
36. Describe the elements needed to begin the contingency planning
process
Define business impact analysis and describe each of its
components
List the steps needed to create and maintain a budget used for
the contingency planning process
Principles of Incident Response and Disaster Recovery, 2nd
Edition
2
2
Introduction
Planning for contingencies
Complex and demanding process
Systematic methodology
Organize the planning process
Prepare detailed and complete plans
Commit to maintaining those plans
Rehearse plans with a military rigor
Completed after normal working hours
Maintain the processes
Principles of Incident Response and Disaster Recovery, 2nd
Edition
3
3
Beginning the Contingency Planning Process
Contingency planning management team (CPMT)
Consists of an individual or team
CPMT responsibilities
37. Obtain commitment and support
Manage and conducting the overall CP process
Write the master CP document
Conduct the business impact analysis (BIA)
Assist in identifying and prioritizing threats and attacks
Assist in identifying and prioritizing business functions
Principles of Incident Response and Disaster Recovery, 2nd
Edition
4
4
Beginning the Contingency Planning Process (cont’d.)
CPMT responsibilities (cont’d.)
Organize and staff subordinate teams leadership
Incident response
Disaster recovery
Business continuity
Crisis management
Provide guidance to and integrate the work of the subordinate
teams
Principles of Incident Response and Disaster Recovery, 2nd
Edition
5
5
Beginning the Contingency Planning Process (cont’d.)
CPMT positions
Champion
Project manager
Team members
38. Representatives from other business units
Business managers
Information technology managers
Information security managers
Representatives from subordinate teams
Principles of Incident Response and Disaster Recovery, 2nd
Edition
6
6
Beginning the Contingency Planning Process (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
7
7
Commitment and Support of Senior Management
Clear and formal senior executive management commitment
required
Prevents CP process failure
Managers and employees provide time and resources
Support gained from communities of interest
Each should complement the others
Information security communities of interest
Information security managers and professionals
Information technology managers and professionals
General management managers and professional
39. Principles of Incident Response and Disaster Recovery, 2nd
Edition
8
8
Information Security Management and Professionals
Protect information systems and stored information from attacks
Tightly focused on protecting system integrity and
confidentiality
Sometimes lose sight of availability
Principles of Incident Response and Disaster Recovery, 2nd
Edition
9
9
Information Technology Management and Professionals
Design, build, or operate information systems
IT managers and skilled professionals
Systems design, programming, networks
Related disciplines categorized as information technology (IT)
Same objectives as information security community
Focus
System creation and operation costs
System users ease of use
System creation timeliness; transaction response time
Principles of Incident Response and Disaster Recovery, 2nd
Edition
10
40. 10
Organizational Management and Professionals
Includes executive management, production management,
human resources, accounting, legal, and others
IT community category reference
Users of information technology systems
Information security community category reference
Security subjects
All IT systems and information security objectives
Implement broader organizational community objectives and
safeguard effective use and operation
Principles of Incident Response and Disaster Recovery, 2nd
Edition
11
11
Elements Required to Begin Contingency Planning
Four required CP process elements
Planning methodology
Policy environment (enables planning process)
Understanding causes and effects of core precursor activities
(business impact analysis)
Access to financial and other resources
Articulated and outlined by the planning budget
Development of CP policies and plans
Occurs once CPMT organized and staffed
Expands the four elements
Principles of Incident Response and Disaster Recovery, 2nd
Edition
12
41. 12
Elements Required to Begin Contingency Planning (cont’d.)
Complete CP development methodology adaption
NIST Special Publications 800-34, Rev. 1, Contingency
Planning Guide for Federal Information Systems (2010)
Special Publications 800-61, Rev. 2, Computer Security
Incident Handling Guide (2012)
Complete process
Form the CPMT
Develop contingency planning policy statement
Conduct the business impact analysis (BIA)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
13
13
Elements Required to Begin Contingency Planning (cont’d.)
Form subordinate planning teams
Develop subordinate planning policies
Integrate the BIA
Identify preventive controls
Organize response teams
Create contingency strategies
Develop subordinate plans
Ensure plan testing, training, and exercises
Ensure plan maintenance
Principles of Incident Response and Disaster Recovery, 2nd
Edition
14
42. 14
Contingency Planning Policy
Required for effective contingency planning
Purpose of policy
Define the CP operations scope
Establish managerial intent with regard to timetables for
incident response
Recovery from disasters
Reestablishment of operations for continuity
Establish responsibility for the development and operations of
the CPMT in general
Provide specifics on CP-related team constituencies
Principles of Incident Response and Disaster Recovery, 2nd
Edition
15
15
Contingency Planning Policy (cont’d.)
CP policy sections
Introductory statement
Scope and purpose statement
Call for periodic risk assessment and BIA
Specification of major CP components to be designed
Call for, and guidance in, selection of recovery options and BC
strategies
Requirement to test the plans on a regular basis
Identification of key regulations and standards impacting CP
planning
43. Principles of Incident Response and Disaster Recovery, 2nd
Edition
16
16
Contingency Planning Policy (cont’d.)
Identification of key individuals responsible for CP operations
Challenge to individual members
Asking for their support
Reinforcing their importance in the overall CP process
Additional administrative information
Each CP meeting should be documented
Principles of Incident Response and Disaster Recovery, 2nd
Edition
17
17
Business Impact Analysis
Business impact analysis (BIA)
Investigation and assessment of the impact that various events
or incidents can have on the organization
Provides detailed identification and prioritization of critical
business functions
Different from the risk management process
Begins with prioritized list of threats and vulnerabilities
Question
If an attack succeeds, what do you do next?
Principles of Incident Response and Disaster Recovery, 2nd
Edition
44. 18
18
Business Impact Analysis (cont’d.)
Five “keys to BIA success”
Set the project scope carefully
Initiate data-gathering process
Find information senior managers need
Seek out objective rather than subjective data
Determine higher management needs prior to data collection
Gain validation of the results:
Derived from risk assessment and BIA
From owners of the business processes being examined
Principles of Incident Response and Disaster Recovery, 2nd
Edition
19
19
Business Impact Analysis (cont’d.)
CPMT conducts the BIA in three stages
Principles of Incident Response and Disaster Recovery, 2nd
Edition
20
20
Determine Mission/Business Processes and Recovery Criticality
45. First major BIA task
Analyze and prioritize business processes
Based on relationships to mission
Evaluate independently to compare with organization as a whole
Business process = “mission/business process”
Task performed in support of the overall mission
Collect critical information before prioritizing
Avoid “turf war”
Useful tool: BIA questionnaire
Principles of Incident Response and Disaster Recovery, 2nd
Edition
21
21
Determine Mission/Business Processes and Recovery Criticality
(cont’d.)
Weighted analysis table resolves most critical issues
Weighted analysis process
Identify organization categories
Assign weights to each category
Assigned weights add to a value of one (100 percent)
Identify various business functions
Importance value assessed on a scale of one to 10
Weights are multiplied by the scores in each category
Weights summed to obtain that business function’s overall value
to the organization
Principles of Incident Response and Disaster Recovery, 2nd
Edition
22
46. 22
Determine Mission/Business Processes and Recovery Criticality
(cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
23
23
Determine Mission/Business Processes and Recovery Criticality
(cont’d.)
NIST Business Process and Recovery Criticality
NIST Special Publication 800-34 Rev. 1
Large quantities of information needed
BIA data collection process needed
Principles of Incident Response and Disaster Recovery, 2nd
Edition
24
24
Determine Mission/Business Processes and Recovery Criticality
47. (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
25
25
Key Downtime Metrics
Maximum tolerable downtime (MTD)
Total amount of time the system owner/authorizing official
willing to accept for a process outage
Includes all impact considerations
Recovery time objective (RTO)
Time period within which systems, applications, or functions
must be recovered after an outage
Recovery point objective (RPO)
Point in time to which lost systems and data can be recovered
after outage; determined by business unit
Principles of Incident Response and Disaster Recovery, 2nd
Edition
26
26
Key Downtime Metrics (cont’d.)
NIST Special Publication 800-34 Rev. 1
Contains additional definitions for MTD, RTO, RPO
Reducing RTO requires mechanisms to shorten start-up time or
provisions
To make data available online at a failover site
Reducing RPO requires mechanisms to increase data replication
48. synchronicity between production systems and backup
implementations
Critical need: avoid exceeding MTD
RTO must be shorter than MTD
Principles of Incident Response and Disaster Recovery, 2nd
Edition
27
27
Cost Balance Point
Different for every organization and system
Based on financial constraint, operating requirement
Principles of Incident Response and Disaster Recovery, 2nd
Edition
28
28
Prioritize Information Assets
Helpful to understand information assets used by prioritized
processes
High-value information assets
May influence a particular business process valuation
Task normally performed as part of the risk-assessment function
of risk management
Perform task now if organization has not performed this task
Principles of Incident Response and Disaster Recovery, 2nd
Edition
29
49. 29
Identify Resource Requirements
Need to determine resources needed to recover prioritized
processes and associated assets
Resource intensive processes: IT functions
Resources require extensive sets of information processing,
storage, and transmission
Supporting customer data, production data, and other
organizational information
Business production-oriented processes
Require complex or expensive components to operate
Principles of Incident Response and Disaster Recovery, 2nd
Edition
30
30
Principles of Incident Response and Disaster Recovery, 2nd
Edition
31
31
Identify System Resource Recovery Priorities
Last stage of the BIA
Prioritize resources associated with the mission/business
processes
Brings better understanding of what must be recovered first
50. Create additional weighted tables of the resources
Develop a custom-designed “to-do” list
Use a simple valuation scale
Primary/Secondary/Tertiary
Critical/Very important/Important/Routine
Principles of Incident Response and Disaster Recovery, 2nd
Edition
32
32
BIA Data Collection
Not a discrete step
Methods
Online questionnaires
Facilitated data-gathering sessions
Process flows and interdependency studies
Risk assessment research
IT application or system logs
Financial reports and departmental budgets
BCP/DRP audit documentation
Production schedule
Principles of Incident Response and Disaster Recovery, 2nd
Edition
33
33
Online Questionnaires
Online or printed questionnaire
Identify and classify
Business functions and impact they have on other organization
51. areas
Enables a structured collection method
Collect information directly from those most knowledgeable
Examples
Web site for the Texas State Office of Risk Management BIA
questionnaire areas
See Table 2-3 and Table 2-4
Principles of Incident Response and Disaster Recovery, 2nd
Edition
34
34
Online Questionnaires (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
35
35
Online Questionnaires (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
36
36
Facilitated Data-Gathering Sessions
52. Focus group (facilitated data-gathering session)
Collecting information directly from the end users and business
managers
Individuals brought together
Brainstorm answers to BIA process questions
To yield quantity or quality of information desired
Ensure a relaxed, productive session
Provide clear session structure
Encourage dialog
Restrict managers’ ability to take control
Principles of Incident Response and Disaster Recovery, 2nd
Edition
37
37
Process Flows and Interdependency Studies
Systems diagramming
Documents ways systems operate
Charts process flows and interdependency studies
Used for both manual and automated systems
Common diagramming techniques
Use case diagrams and supporting use cases
Specifically designed to help understand interactions between
entities and business functions
Principles of Incident Response and Disaster Recovery, 2nd
Edition
38
38
53. Principles of Incident Response and Disaster Recovery, 2nd
Edition
39
39
Process Flows and Interdependency Studies (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd
Edition
40
40
Principles of Incident Response and Disaster Recovery, 2nd
Edition
41
41
Process Flows and Interdependency Studies (cont’d.)
Uniform modeling language (UML) models
Class diagrams, sequence diagrams, collaboration diagrams
Traditional systems analysis and design approaches
Workflow, functional decomposition, and dataflow diagrams
Quite complex
Only use if organization has them in place
54. Principles of Incident Response and Disaster Recovery, 2nd
Edition
42
42
Principles of Incident Response and Disaster Recovery, 2nd
Edition
43
43
Principles of Incident Response and Disaster Recovery, 2nd
Edition
44
44
Principles of Incident Response and Disaster Recovery, 2nd
Edition
45
45
Risk Assessment Research
55. Risk assessment and risk management effort
Provides a wealth of information for BIA effort
Some modification may be necessary
Risk management process
Primary starting point for the BIA
Alternative efforts required if risk assessment not performed
Teams may collect information from outside sources on risk
assessment
Principles of Incident Response and Disaster Recovery, 2nd
Edition
46
46
IT Application or System Logs
IT staff
Valuable in determining categorical data
Frequency of occurrence
Probability of success
Provide information from various logs
Logs collect and provide reports
Failed login attempts, probes, scans, denial-of-service attacks,
malware detected
Provides more accurate attack environment description
Principles of Incident Response and Disaster Recovery, 2nd
Edition
47
47
Financial Reports and Departmental Budgets
Documents from normal operations
56. Provide insight into business operations
Costs and revenues provided by each functional area
Useful in prioritizing business areas and functions
Provides insight into the area’s profitability and revenues
contribution
Calculating business impact most common method
Review financial reports and budgets
Lost sales, idle personnel costs, and other opportunity costs
easily obtained
Principles of Incident Response and Disaster Recovery, 2nd
Edition
48
48
Audit Documentation
Paid external consultant audits
Used by larger organizations and publicly traded firms
Audit function compliance
Federal and state regulations
National or international standards,
Part of proactive ongoing improvement program
Audit reports
Provide additional information for the BIA process
Principles of Incident Response and Disaster Recovery, 2nd
Edition
49
49
57. Production Schedules
Information valuable in the completion of the BIA
Production schedules, marketing forecasts, productivity reports,
other business documents
Include information collected from multiple sources
Rather than redundantly re-collecting it from the same sources
If information not collected directly by the BIA team
Make sure it is current and accurate
Undated information often worse than no information
Principles of Incident Response and Disaster Recovery, 2nd
Edition
50
50
Budgeting for Contingency Operations
Incident response
May not require dedicated budgeting
Disaster recovery and business continuity
Require ongoing expenditures, investment, and service contracts
to support their implementation
Many organizations are “self-insured”
Put money into an account
Draw upon it should replacements be required
Some organization forego “self-insured” investments
Due to tight budgets and drops in revenues
Principles of Incident Response and Disaster Recovery, 2nd
Edition
51
51
58. Incident Response Budgeting
IR capabilities
Part of a normal IT budget
Data protection and response, backup and recovery methods
Uninterruptible power supplies (UPSs)
Antivirus/antispyware/antimalware software
Redundant arrays of independent disks (RAID)
Network-attached storage (NAS) or storage area networks
(SANs)
Additional expenses
Protection of user data outside common storage areas
Principles of Incident Response and Disaster Recovery, 2nd
Edition
52
52
Incident Response Budgeting (cont’d.)
Required budgeting
Maintenance of redundant equipment
Use the “rule of three”
Keep an online production system
Keep an online or very nearly online backup system
Keep an offline testing and development system
Online “hot” servers have redundancy incorporated
Backup or “warm ”server
Provides redundant functions standing by in a near-online state
Principles of Incident Response and Disaster Recovery, 2nd
Edition
53
53
59. Disaster Recovery Budgeting
Number one DR budgetary expense
Insurance policies
Provide for the capabilities to rebuild and reestablish operations
at the primary site
Data loss policies
Many organizations cannot afford them
Losses from a distributed denial-of-service attack (DDoS) not
so familiar
Insurance difficult to estimate exactly
Many expenses not covered by insurance
Loss of water, electricity, data, and the like
Principles of Incident Response and Disaster Recovery, 2nd
Edition
54
54
Business Continuity Budgeting
Requires the largest budget expenditure
Staggering cost to maintain high level of redundancy
Example: service level agreements (SLAs) for hot sites
Set aside “war chest” of funds for items needed during
continuity operations
Safety deposit boxes at a local bank
Store corporate credit cards, purchase orders, cash
Consider nonsalaried employee overtime
Principles of Incident Response and Disaster Recovery, 2nd
Edition
55
60. 55
Crisis Management Budgeting
Fundamentals of crisis management
Focused physical and psychological losses associated with
catastrophic disasters
Primary budget item
Employee salaries if unable to come to work
Establish a minimum budget for paid leave
Other items
Funeral and burial expenses; employee counseling services
Principles of Incident Response and Disaster Recovery, 2nd
Edition
56
56
Summary
Approach CP using a systematic methodology
CPMT responsible for contingency policy and plans
Obtains commitment and support, manages the overall process,
writes documents, conducts the BIA, organizes and staffs
leadership, provides guidance
Roster includes champion, project manager, others
Effective CP begins with effective policy
Policy provides guidance from executives
Policy contains statements, calls for action, guidelines and
additional administrative information
Principles of Incident Response and Disaster Recovery, 2nd
Edition
57
61. 57
Summary (cont’d.)
BIA: investigation and assessment of event impact
Detailed identification and prioritization of critical business
functions
Key element: placing priorities and values on mission/business
process
Insurance : number-one budgetary expense for DR
Larger deductibles provide lower monthly premiums
Set aside funds to cover deductibles
Business continuity: largest budget expenditure
Consider employee overtime, employee loss expenses
Principles of Incident Response and Disaster Recovery, 2nd
Edition
58
58
1
WEEK # 2 - EXERCISES CHAPTER # 5
Exercise 2: Level 2 – Order 2 Form for Golf Balls
Now that Vijay has completed the order form for tennis
products, he needs to work on the order form for golf
equipment. As with
tennis products, Vijay must include shipping charges and a
discount for orders according to their total amount. In addition,
62. he must
add a handling charge because most golf equipment must be
packed by hand. TheZone calculates handling costs for golf
equipment as
shown in Table 5.9.
Vijay has updated the Golf workbook and renamed it Golf2. He
consolidated the order information on a worksheet named
Orders, and
added worksheets for pricing information, handling charges
(including a maximum fee), discounts, and shipping charges.
Figure 5.25
shows the Orders worksheet with some order-related data
already entered.
In these steps, you need to complete the Orders worksheet using
lookup functions to display the product description, and to
calculate
the order total and shipping, handling, and discount charges.
2
63. WEEK # 2 - EXERCISES CHAPTER # 5
Complete the following:
1. Open the workbook named Golf2.xlsx located in the
assignment, and then save the file as
W2-2-Golf-Orders2 -YourName.xlsx.
2. Examine the contents of each worksheet, and name the ranges
listed in Table 5.10. Use these range names as appropriate in
Questions 3 through 9.
3. In cell C8 of the Orders worksheet, write a formula that
displays the product description for the first item in the order.
Copy the
formula into cells C9:C12.
4. In cell D8 of the Orders worksheet, calculate the total value
of the item (price multiplied by quantity). Copy the formula into
cells
D9:D12.
5. In cell D15 of the Orders worksheet, calculate the total cost
of the order.
6. In cell D16 of the Orders worksheet, calculate the total
shipping charge for this order based on four variables: the ship
to region, the
64. customer type (standard, preferred, or most preferred), the total
weight, and the method of shipping.
7. In cell D17 of the Orders worksheet, calculate the handling
cost. Be certain to account for the maximum handling charge.
Handling
fees are based on the total order value excluding shipping and
discounts.
8. In cell D18 of the Orders worksheet, calculate the discount.
Be certain to write the formula so that the discount is deducted
from the
total amount when all values are added. Discounts are again
based on the total order value excluding shipping and handling
fees.
9. In cell D20 of the Orders worksheet, calculate the grand total
for the order.
10. Save and close the W2-2-Golf-Orders2 -YourName.xlsx
workbook.
LEVEL
3
WEEK # 2 - EXERCISES CHAPTER # 5
Exercise 3: Level 3 – Fishing Order
65. Vijay has been asked to develop an order form for fishing
equipment. He has already created a workbook named
Fishing.xlsx, which
contains the worksheets described in Table 5.14.
In these steps, you will complete the order form, creating the
formulas so that new items can be added easily to the item list.
You’ll
need to design the order form so that it works as follows:
• Prices for fixed-price items are listed in the Sched1
worksheet. Prices for variable-priced soft bait packages are
listed in the
Sched2 worksheet. A price schedule code (1 for fixed priced, 2
for soft bait variable priced) is included in the Item List
worksheet.
• Shipping costs are based on the freight customer type,
destination region, shipping method, and total shipping volume.
Users enter the freight customer type text and state
abbreviation. You need to use this information to retrieve the
freight
customer type number and region number.
Calculate the shipping volume based on the volumes listed by
item number in the Item List worksheet.
66. • Discounts are calculated as a percentage of the total order
value as listed in the Discounts worksheet. Orders of less than
$3,000 receive no discount, orders of at least $3,000 but less
than $5,000 receive a 2% discount, orders of at least $5,000 but
less than $10,000 receive a 3% discount, and orders of at least
$10,000 but less than $25,000 received a 4% discount. Orders
of $25,000 or more receive a 6% discount as you complete the
Orders worksheet, select functions that are flexible enough to
allow for additional items or up to 23 pricing schedules.
Use range names to make the form easy to use and troubleshoot.
If the item number field is blank, be certain your form displays
a blank cell for the resulting unit price and total.
Test that your workbook calculates the correct values.
Where appropriate, formulas should work when copied down the
column or across the row.
Format your values appropriately.
4
67. WEEK # 2 - EXERCISES CHAPTER # 5
Complete the following:
1. Open the workbook named Fishing.xlsx located in the
assignment, and then save the file as
W2-3-Fishing-Orders-YourName.xlsx.
2. Use the following test data:
• Orders: Item #201 (150 items), Item #209 (315 items), Item
#218 (500 items)
• Shipped by truck to California (CA) to a preferred customer
3. In cell B9 of the Orders worksheet, write a formula that
enters the item description.
Copy the formula to cells B10:B14.
4. In cell D9 of the Orders worksheet, write a formula that
calculates the total volume of the first line item (quantity
multiplied by
volume per item).
Copy the formula to cells D10:D14.
5. In cell E9 of the Orders worksheet, write a formula that
calculates the unit price.
Copy the formula to cells E10:E14.
6. In cell F9 of the Orders worksheet, write a formula that
68. calculates the total value of this line item.
Copy the formula to cells F10:F14.
7. In cell F16 of the Orders worksheet, write a formula that
calculates the total for all items, excluding discounts and
shipping.
8. In cell D16 of the Orders worksheet, write a formula that
calculates the total shipping volume of this order.
9. In cell F17 of the Orders worksheet, write a formula that
calculates the discount, if any, on this order.
10. In cell F18 of the Orders worksheet, write a formula that
calculates the shipping costs directly from the state and ship
method
(Truck, Rail, or Air).
TROUBLESHOOTING: In order to complete this step so that
the cost of shipping automatically updates correctly based on
the shipping parameters, you should calculate the value
manually for several different options and compare it against
the
resulting values on your worksheet. Using range names will
help simplify the formulas.
If incorrect values result, break down the formula to test each
argument as a separate formula to determine where the
discrepancies can be found.
69. 11. In cell F20 of the Orders worksheet, write a formula that
calculates the grand total of this order.
12. Test the formulas by entering different order values, and
then repeat Step 2.
13. Save and close the W2-3-Fishing-Orders-YourName.xlsx
workbook.
Golf2Golf Products Order FormShipping weight175Region
number 1Shipping method3Customer
type2Item#QuantityDescriptionTotal1107248152520Total
OrderShippingHandlingDiscountGrand TotalFNU-A
CostsPricing Information for Golf EquipmentTheZone
Equipment DivisionItem#DescriptionPrice/item1Titanium
Driver - Men$ 325.002Fusion Driver - Women$
545.003Titanium Driver - Women$ 300.004Fairway Woods -
Men$ 199.005Hybrid Woods - Men$ 59.956Fusion Fairway -
Women$ 500.007Stainless Steel Fairway - Women$
200.008Irons w/Steel Shafts - Men$ 525.009Hybrid Irons -
Men$ 399.0010Irons w/Steel Shafts - Women$
375.0011Hybrid Irons - Women$ 399.0012Steel Putter - Men$
119.9913Steel Putter - Women$ 119.9914Forged Wedges -
Men$ 105.0015Package - Men$ 675.0016Package - Women$
675.00
HandlingHandling charges:Total order value$ - 0$ 2,500$
5,000$ 7,500$ 10,000$ 12,500Handling charge (% of order
value)0.0070.0060.0050.0040.0030.002Maximum Handling
Fee$ 30.00
DiscountsDiscountTotal Order ValueDescription$ -$ -Less
than $5,000, no discount$ 125$ 5,000At least $5,000 but less
than $10,000, $150 discount$ 500$ 10,000At least $10,000
but less than $50,000, $400 discount$ 1,000$ 50,000$50,000
or more, $1000 discount
71. 1=Item#
2=Description
3=Quantity
4=Volume
5= $/Unit
6=Total
7=Discount
8=Shipping
9=Grand Total Sum of Total Order + Discount + Shipping
Freight Customer Type (regular, preferred)
Ship to State abbreviation
Ship Method (truck,rail,air,boat)
Find the Discount ==> =-
HLOOKUP(F16,Discounts,2,TRUE) * F16 ==> - Discount *
Total Order
Find the Discount ==>
=INDEX((Ship1,Ship2),VLOOKUP(F5,States,3,FALSE),MATC
H(F6,Ship!B3:D3,0),MATCH(F4,{"regular","preferred"},0))*D
16 ==> - Discount * Total Order
Select the Column in the Table
2
=IF(ISBLANK(A9), "", C9* E9)
72. Setup the following Name Defined:
Choose the FALSE for Sched1 and TRUE for Sched2 ==>
VLOOKUP(A9, ItemList, 3, FALSE)>1
VLOOKUP(IF(VLOOKUP(A9,
ItemList, 3, FALSE) = 1, A9, C9),CHOOSE(VLOOKUP(A9,
ItemList, 3, FALSE), Sched1,Sched2),2,VLOOKUP(A9,
ItemList, 3, FALSE)>1)
Choose the Price Schedule Table ==>
CHOOSE(VLOOKUP(A9, ItemList, 3, FALSE), Sched1,Sched2)
IF(VLOOKUP(A9,
ItemList, 3, FALSE) = 1, A9, C9) ==> Sched 1 use Item# and
Sched2 use Quantity
Find the Price Schedule ==> VLOOKUP(A9, ItemList, 3,
FALSE)
Fishing Division Order Form
=IF(ISBLANK(A9),"",VLOOKUP(IF(VLOOKUP(A9, ItemList,
3, FALSE) = 1, A9, C9),CHOOSE(VLOOKUP(A9, ItemList, 3,
FALSE), Sched1,Sched2),2,VLOOKUP(A9, ItemList, 3,
FALSE)>1))
=IF(ISBLANK(A9)," ",VLOOKUP(A9,ItemList,2,FALSE))
Enter Item #
Enter Quantity
=IF(ISBLANK(A9), "", VLOOKUP(A9,ItemList,4,FALSE)*C9)