This document discusses contingency planning for disasters and business continuity. It defines incident response planning, disaster recovery planning, and business continuity planning as the three main components of contingency planning. It provides learning objectives and outlines the major steps in contingency planning, including conducting a business impact analysis, developing an incident response plan, and creating disaster recovery and business continuity plans.
The document discusses security policies and standards. It defines different types of policies like enterprise, issue-specific, and systems-specific policies. It also discusses how policies are developed based on an organization's mission and vision. Effective policies require dissemination, review, comprehension, and compliance. Frameworks and industry standards also guide policy development. Additionally, the document outlines the importance of security education, training, and awareness programs to inform employees and reinforce security practices.
This document discusses information security policies and their components. It begins by outlining the learning objectives, which are to understand management's role in developing security policies and the differences between general, issue-specific, and system-specific policies. It then defines what policies, standards, and practices are and how they relate to each other. The document outlines the three types of security policies and provides examples of issue-specific and system-specific policies. It emphasizes that policies must be managed and reviewed on a regular basis to remain effective.
National Cybersecurity - Roadmap and Action Plan, by Dr David Probert
Analysis, strategies and practical action plans for National Government Cybersecurity based upon the United Nations - International Telecommunications Union - UN/ITU Cybersecurity Framework and their Global Cybersecurity Agenda - GCA.
The document discusses the importance of physical security for protecting information systems. It covers various physical security controls for restricting access to facilities, including locks, ID badges, alarms, security cameras and fire suppression systems. The document also addresses the need to protect against threats from utilities failures, temperature fluctuations, water damage and theft of computing devices through measures like uninterruptible power supplies, air conditioning and physical access restrictions.
This document provides an overview of information security risk management. It defines risk management as identifying risks, their owners, probability, impact, suitable mitigations, and contingency plans. The objectives of information security risk management are ensuring risks to confidentiality, integrity, availability, and traceability of information are effectively managed. Common problems with risk management include poor risk descriptions, ineffective mitigation actions, and a reactive rather than proactive approach. The document outlines identifying risks from sources like cloud computing and third parties, recording risks in a risk register, assigning owners, and monitoring mitigation progress.
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit..., by Edureka!
** Cybersecurity Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka live session on "How to become a Cybersecurity Engineer" covers all the basic aspects of becoming a certified Cybersecurity Engineer.
Below is the list of topics covered in this session:
1. Who is a Cybersecurity Engineer?
2. Cybersecurity Engineer Job Roles
3. Cybersecurity Engineer Job Skills
4. Cybersecurity Engineer Career Pathway
5. Cybersecurity Engineer Salary
Information Security Governance and Strategy - 3, by Dam Frank
The document discusses information security governance and strategy. It defines governance and management, with governance determining decision rights and providing oversight, while management implements controls. Effective governance is risk-based, defines roles and responsibilities, and commits adequate resources. Challenges include understanding security implications and establishing proper structures. Outcomes include strategic alignment of security and risk management. Governance structures depend on desired outcomes such as revenue growth or profit.
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
This document discusses security and personnel issues related to an information technology security course. It covers positioning the security function within an organization, staffing the security team, and qualifications for security roles. It also addresses how to integrate security practices into human resources policies like hiring, contracting, and training new employees. The overall goal is to successfully implement security while gaining employee acceptance and support.
Navigating the complex Risk Management Framework (RMF) requirements can be daunting. Learn best practices and gain a better understanding of NIST's RMF.
This document discusses software security engineering. It covers security concepts like assets, vulnerabilities and threats. It discusses why security engineering is important to protect systems from malicious attackers. The document outlines security risk management processes like preliminary risk assessment. It also discusses designing systems for security through architectural choices that provide protection and distributing assets. The document concludes by covering system survivability through building resistance, recognition and recovery capabilities into systems.
The United Nations uses a risk management process that involves assessing the criticality of programs to balance security risks. It uses a risk matrix to determine risk levels and requires a program criticality assessment for activities with high or very high residual risks. The assessment evaluates the contribution of activities to strategic results and their likelihood of implementation against criteria to designate them as Priority 1 activities that are lifesaving or directed by the Secretary-General. Risk level and program criticality are determined separately without consideration of each other.
This document discusses information security management systems (ISMS). It defines information and its lifecycle, including how information can be created, stored, processed, transmitted, used, lost, corrupted, etc. It then defines the key aspects of information security - integrity, availability, and confidentiality. It emphasizes that information is a valuable asset for organizations that needs to be protected. The document outlines some of the main components of establishing an ISMS, including risk management, policies, training, and processes. It also discusses ISO 27001 as the international standard for ISMS and its various control areas.
Information Security Career Day Presentation, by djglass
I had the privilege of presenting to over 50 13-year-olds at a middle school's career day. It was a ton of fun, the kids asked great questions, and were generally very interested in information security as a subject. I've included the slides I presented to the classes in this post.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help others find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
YouTube video: https://youtu.be/BAAl_PI9uRc
02 Legal, Ethical, and Professional Issues in Information Security, by sappingtonkr
Laws define prohibited and mandated behaviors while ethics define socially acceptable behaviors based on cultural mores. Relevant US laws include the Computer Fraud and Abuse Act, National Information Infrastructure Protection Act, USA Patriot Act, and others. Organizations can establish codes of ethics and reduce liability by exercising due care and due diligence in protecting information.
Vulnerability assessment is the systematic evaluation of an organization's exposure to threats. It involves identifying assets, evaluating threats against those assets, determining vulnerabilities, assessing risks, and selecting appropriate controls. Various techniques can be used including asset identification, threat modeling, vulnerability scanning, penetration testing, and risk assessment. The goal is to establish a security baseline and mitigate risks through hardening systems and ongoing monitoring.
This document provides an overview of ISO 27001, which establishes requirements for an Information Security Management System (ISMS). It discusses the requirements to establish, implement, maintain, and continually improve the ISMS. The key requirements include establishing the scope and policy of the ISMS, conducting a risk assessment, selecting controls, implementing controls, monitoring and reviewing the system, taking corrective and preventive actions, and conducting management reviews. The purpose is to introduce a systematic approach to managing information security risks and ensure the confidentiality, integrity and availability of information assets.
This document discusses data security and password protection. It explains that passwords should be strong, with a minimum of 6 characters including letters, numbers, and symbols. Longer passwords are more secure, with 12+ character passwords being very secure. The document also discusses encryption, explaining that encryption translates plain text into encrypted ciphertext using a key, and the same key is needed for decryption. Encryption securely protects data by allowing only authorized parties with the key to access it. Common encryption methods include DES, RSA, AES, Blowfish and Twofish. Free encryption tools include Veracrypt, Bitlocker and AxCrypt.
This document provides an overview of governance of security operations centers. It discusses the impact of disruptive technologies on organizations and the need for security operations centers to manage security risks. It covers designing an effective SOC including defining threats, processes, technology and acquiring a SOC. Operating a SOC includes defining expectations, baselining normal activity, using threat intelligence and handling incidents. Qualities of analysts and measuring SOC success are also discussed. Sustainable SOC governance principles like investing in people and emphasizing teamwork are presented.
This document discusses information security policies and standards. It defines a security policy as a set of rules that define what it means to be secure for a system or organization. An information security policy sets rules to ensure all users and networks follow security prescriptions for digitally stored data. The challenges are to define policies and standards, measure against them, report violations, correct violations, and ensure compliance. It then discusses the key elements of developing an information security program, including performing risk assessments, creating review boards, developing plans, implementing policies and standards, providing awareness training, monitoring compliance, evaluating effectiveness, and modifying policies over time.
Executive Perspective: Building an OT Security Program from the Top Down, by accenture
Designed for executives, this non-technical track addresses key components of a successful OT security program. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3N7KmiZ
This training creates awareness of the security threats facing individuals, business owners, and corporations in today's society and induces a 'plan-protection' attitude. It enriches individuals', students', business owners' and workers' approach to handling these threats and responding appropriately when they occur.
This document discusses physical security for protecting enterprise resources including people, data, and facilities. It covers assessing threats and vulnerabilities, choosing a secure site location, designing security for the building structure and environment, implementing physical and administrative controls, and ensuring life safety measures like fire detection and suppression. Key considerations include perimeter security, access control, environmental factors, emergency procedures, and compliance with standards to help ensure security.
This document outlines the topics and structure of an Information Security Management course. The course will cover planning for security, information security policy, developing security programs, risk management, protection mechanisms, personnel security, law and ethics, and security in the cloud. Assessments, case studies, presentations, labs, and class participation will be used for evaluation. Current security topics will be researched and presented. A term paper and demonstration project will also be required. The goal is to examine information security holistically within an organization.
Cybersecurity Priorities and Roadmap: Recommendations to DHS, by John Gilligan
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Chapter 11: Information Security Incident Management, by Nada G. Youssef
This document discusses information security incident management. It defines what constitutes an information security incident, such as unauthorized access or denial of service attacks. It also outlines the key aspects of an incident response program, including preparation, detection, response, and documentation. The document explains the roles of incident response coordinators, handlers, and teams. It also covers investigation practices, evidence handling, and federal and state data breach notification requirements.
This document is a slide presentation for a risk management course at Illinois Institute of Technology. It discusses risk control strategies such as avoidance, transference, mitigation and acceptance. It also covers categories of controls including control function, architectural layer, strategy layer and information security principles. The overall goal is to help students understand how to identify, analyze and address risks to ensure the confidentiality, integrity and availability of organizational systems and data.
This document provides an overview of risk management concepts and the risk management process as it relates to information security. It discusses defining risk management and its role in the secure software development lifecycle. It also describes identifying risks through asset identification, classification, and valuation. Additionally, it covers identifying threats, assessing risks based on likelihood and impact, and documenting the risk identification and assessment process. The overall purpose is to teach students the fundamentals of risk management for information security.
This document discusses security and personnel issues related to an information technology security course. It covers positioning the security function within an organization, staffing the security team, and qualifications for security roles. It also addresses how to integrate security practices into human resources policies like hiring, contracting, and training new employees. The overall goal is to successfully implement security while gaining employee acceptance and support.
Navigating the complex Risk Management Framework (RMF) requirements can be daunting. Learn best practices and gain a better understanding of NIST's RMF.
This document discusses software security engineering. It covers security concepts like assets, vulnerabilities and threats. It discusses why security engineering is important to protect systems from malicious attackers. The document outlines security risk management processes like preliminary risk assessment. It also discusses designing systems for security through architectural choices that provide protection and distributing assets. The document concludes by covering system survivability through building resistance, recognition and recovery capabilities into systems.
The United Nations uses a risk management process that involves assessing the criticality of programs to balance security risks. It uses a risk matrix to determine risk levels and requires a program criticality assessment for activities with high or very high residual risks. The assessment evaluates the contribution of activities to strategic results and their likelihood of implementation against criteria to designate them as Priority 1 activities that are lifesaving or directed by the Secretary-General. Risk level and program criticality are determined separately without consideration of each other.
This document discusses information security management systems (ISMS). It defines information and its lifecycle, including how information can be created, stored, processed, transmitted, used, lost, corrupted, etc. It then defines the key aspects of information security - integrity, availability, and confidentiality. It emphasizes that information is a valuable asset for organizations that needs to be protected. The document outlines some of the main components of establishing an ISMS, including risk management, policies, training, and processes. It also discusses ISO 27001 as the international standard for ISMS and its various control areas.
Information Security Career Day Presentationdjglass
I had the privilege of presenting to over 50 13 year olds at a middle school’s career day. It was a ton of fun, the kids asked great questions, and were generally very interested in information security as a subject. I’ve included the slides I presented to the classes to this post.
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help other find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
Laws define prohibited and mandated behaviors while ethics define socially acceptable behaviors based on cultural mores. Relevant US laws include the Computer Fraud and Abuse Act, National Information Infrastructure Protection Act, USA Patriot Act, and others. Organizations can establish codes of ethics and reduce liability by exercising due care and due diligence in protecting information.
Vulnerability assessment is the systematic evaluation of an organization's exposure to threats. It involves identifying assets, evaluating threats against those assets, determining vulnerabilities, assessing risks, and selecting appropriate controls. Various techniques can be used including asset identification, threat modeling, vulnerability scanning, penetration testing, and risk assessment. The goal is to establish a security baseline and mitigate risks through hardening systems and ongoing monitoring.
This document provides an overview of ISO 27001, which establishes requirements for an Information Security Management System (ISMS). It discusses the requirements to establish, implement, maintain, and continually improve the ISMS. The key requirements include establishing the scope and policy of the ISMS, conducting a risk assessment, selecting controls, implementing controls, monitoring and reviewing the system, taking corrective and preventive actions, and conducting management reviews. The purpose is to introduce a systematic approach to managing information security risks and ensure the confidentiality, integrity and availability of information assets.
This document discusses data security and password protection. It explains that passwords should be strong, with a minimum of 6 characters including letters, numbers, and symbols. Longer passwords are more secure, with 12+ character passwords being very secure. The document also discusses encryption, explaining that encryption translates plain text into encrypted ciphertext using a key, and the same key is needed for decryption. Encryption securely protects data by allowing only authorized parties with the key to access it. Common encryption methods include DES, RSA, AES, Blowfish and Twofish. Free encryption tools include Veracrypt, Bitlocker and AxCrypt.
This document provides an overview of governance of security operations centers. It discusses the impact of disruptive technologies on organizations and the need for security operations centers to manage security risks. It covers designing an effective SOC including defining threats, processes, technology and acquiring a SOC. Operating a SOC includes defining expectations, baselining normal activity, using threat intelligence and handling incidents. Qualities of analysts and measuring SOC success are also discussed. Sustainable SOC governance principles like investing in people and emphasizing teamwork are presented.
This document discusses information security policies and standards. It defines a security policy as a set of rules that define what it means to be secure for a system or organization. An information security policy sets rules to ensure all users and networks follow security prescriptions for digitally stored data. The challenges are to define policies and standards, measure against them, report violations, correct violations, and ensure compliance. It then discusses the key elements of developing an information security program, including performing risk assessments, creating review boards, developing plans, implementing policies and standards, providing awareness training, monitoring compliance, evaluating effectiveness, and modifying policies over time.
Executive Perspective Building an OT Security Program from the Top Downaccenture
Designed for executives, this non-technical track addresses key components of a successful OT security program. The discussions are intended to spark conversation and this guide highlights key takeaways on what works, what doesn’t and what’s next. https://accntu.re/3N7KmiZ
This training creates the awareness of the security threats facing individuals, business owner’s, and corporations in today’s society and induces a’ plan-protection’ attitude. It enriches individuals, students’, business owners’ and workers’ approach to handling these threats and responding appropriately when these threats occur.
This document discusses physical security for protecting enterprise resources including people, data, and facilities. It covers assessing threats and vulnerabilities, choosing a secure site location, designing security for the building structure and environment, implementing physical and administrative controls, and ensuring life safety measures like fire detection and suppression. Key considerations include perimeter security, access control, environmental factors, emergency procedures, and compliance with standards to help ensure security.
This document outlines the topics and structure of an Information Security Management course. The course will cover planning for security, information security policy, developing security programs, risk management, protection mechanisms, personnel security, law and ethics, and security in the cloud. Assessments, case studies, presentations, labs, and class participation will be used for evaluation. Current security topics will be researched and presented. A term paper and demonstration project will also be required. The goal is to examine information security holistically within an organization.
Cybersecurity Priorities and Roadmap: Recommendations to DHS (John Gilligan)
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Chapter 11: Information Security Incident Management (Nada G. Youssef)
This document discusses information security incident management. It defines what constitutes an information security incident, such as unauthorized access or denial of service attacks. It also outlines the key aspects of an incident response program, including preparation, detection, response, and documentation. The document explains the roles of incident response coordinators, handlers, and teams. It also covers investigation practices, evidence handling, and federal and state data breach notification requirements.
This document is a slide presentation for a risk management course at Illinois Institute of Technology. It discusses risk control strategies such as avoidance, transference, mitigation and acceptance. It also covers categories of controls including control function, architectural layer, strategy layer and information security principles. The overall goal is to help students understand how to identify, analyze and address risks to ensure the confidentiality, integrity and availability of organizational systems and data.
This document provides an overview of risk management concepts and the risk management process as it relates to information security. It discusses defining risk management and its role in the secure software development lifecycle. It also describes identifying risks through asset identification, classification, and valuation. Additionally, it covers identifying threats, assessing risks based on likelihood and impact, and documenting the risk identification and assessment process. The overall purpose is to teach students the fundamentals of risk management for information security.
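As an added example that is not part of either course document summarized above, the following Python sketch scores each identified risk by likelihood and impact and maps it to one of the four control strategies named in the slides (avoidance, transference, mitigation, acceptance). The 1-5 scales, the risk-appetite threshold, the strategy rules and the four sample risks are assumptions made for the demonstration, not values from the course material.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register: asset, threat, weakness and ratings."""
    asset: str
    threat: str
    weakness: str
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # 1 (negligible) .. 5 (severe); assumed scale
    transferable: bool = False  # can the loss be insured or outsourced?

    def __post_init__(self):
        # Reject ratings outside the assumed 1..5 scale early.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Qualitative risk rating: likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def select_strategy(risk: Risk, appetite: int = 6) -> str:
    """Map a scored risk to a control strategy (assumed decision rules).

    - at or below the risk appetite: accept and document it
    - high-impact and insurable/outsourceable: transfer
    - near-certain and severe, with no one to transfer to: avoid the activity
    - everything else: mitigate with controls
    """
    if risk.score <= appetite:
        return "acceptance"
    if risk.transferable and risk.impact >= 4:
        return "transference"
    if risk.score >= 20:
        return "avoidance"
    return "mitigation"


def build_register(risks, appetite: int = 6):
    """Return (asset, threat, score, strategy) tuples, highest score first."""
    ranked = sorted(risks, key=lambda r: (-r.score, r.asset))
    return [(r.asset, r.threat, r.score, select_strategy(r, appetite)) for r in ranked]


# Constructed sample risks for the demonstration.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection", "unvalidated web input", 3, 5),
    Risk("data center", "flood", "site below flood plain", 2, 5, transferable=True),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 5, 4),
    Risk("lobby kiosk", "vandalism", "unattended device", 2, 1),
]

if __name__ == "__main__":
    for asset, threat, score, strategy in build_register(SAMPLE_RISKS):
        print(f"{score:>2}  {strategy:<12} {asset}: {threat}")
```

The register sorts the FTP server to the top (score 20, decommission rather than patch), sends the flood risk to insurance, schedules input-validation work for the database and accepts the kiosk risk.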
Satori Whitepaper: Threat Intelligence - a path to taming digital threats (Dean Evans)
Threat management continues to be a hot topic within cybersecurity, and rightfully so. Understanding the evolving technical and behavioral threat landscape and adapting mitigation controls is the key to proactive risk management. Actionable threat intelligence is critical to enabling effective threat management. It provides visibility into the temperature within the threat actor community: what they are doing and how they are doing it (tactics, techniques and procedures, or TTPs). The challenge is sorting through the volumes of threat data to identify what is relevant and actionable.
This document is intended to communicate how threat intelligence can be used to reduce business risk. The audience is security, compliance and IT professionals interested in proactive risk management.
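As an added illustration that is not taken from the Satori whitepaper, here is one way to triage a feed of threat reports against an organization's own profile so that only relevant, recent and well-sourced items surface. The report fields, the scoring weights, the 30-day half-life, the 0.3 threshold and the four sample reports are assumptions for the demonstration; the technique IDs follow MITRE ATT&CK numbering.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Report:
    """A threat report as it might arrive from a feed (assumed fields)."""
    report_id: str
    ttp: str               # ATT&CK technique ID named in the report
    platforms: frozenset   # technologies the reported activity targets
    sectors: frozenset     # industries observed being targeted
    confidence: int        # 0..100 as stated by the source
    published: date


@dataclass(frozen=True)
class OrgProfile:
    """What the organization is: its sector and the technology it runs."""
    sector: str
    platforms: frozenset


def relevance(report: Report, org: OrgProfile, today: date, half_life_days: int = 30) -> float:
    """Score 0..1: how much this report matters to this organization now.

    platform overlap (60%) and sector match (40%) say whether the activity
    could hit us; source confidence and an exponential recency decay say
    whether it is worth acting on today.
    """
    if report.platforms:
        platform_overlap = len(report.platforms & org.platforms) / len(report.platforms)
    else:
        platform_overlap = 0.0
    sector_match = 1.0 if org.sector in report.sectors else 0.0
    base = 0.6 * platform_overlap + 0.4 * sector_match
    confidence = max(0, min(report.confidence, 100)) / 100.0
    age_days = max(0, (today - report.published).days)
    recency = 0.5 ** (age_days / half_life_days)   # halves every half_life_days
    return base * confidence * recency


def triage(reports, org: OrgProfile, today: date, threshold: float = 0.3):
    """Return (report_id, ttp, score) for actionable reports, best first."""
    scored = [(r.report_id, r.ttp, round(relevance(r, org, today), 3)) for r in reports]
    actionable = [s for s in scored if s[2] >= threshold]
    actionable.sort(key=lambda s: -s[2])
    return actionable


# Constructed sample data for the demonstration.
TODAY = date(2024, 6, 1)
ORG = OrgProfile("manufacturing", frozenset({"confluence", "vmware esxi", "windows", "fortinet vpn"}))
SAMPLE_REPORTS = [
    Report("R1", "T1190", frozenset({"confluence"}), frozenset({"finance", "manufacturing"}), 90, date(2024, 5, 25)),
    Report("R2", "T1566", frozenset({"microsoft 365"}), frozenset({"healthcare"}), 80, date(2024, 5, 30)),
    Report("R3", "T1078", frozenset({"fortinet vpn"}), frozenset({"manufacturing"}), 60, date(2024, 1, 1)),
    Report("R4", "T1486", frozenset({"vmware esxi", "windows"}), frozenset({"manufacturing", "energy"}), 95, date(2024, 5, 28)),
]

if __name__ == "__main__":
    for report_id, ttp, score in triage(SAMPLE_REPORTS, ORG, TODAY):
        print(f"{score:.3f}  {report_id}  {ttp}")
```

Only R4 (ransomware activity against ESXi and Windows) and R1 (exploitation of Confluence) clear the bar. R2 targets a platform and sector the organization does not have, and R3, although it matches the VPN, is five months old and from a low-confidence source, so it decays below the threshold; an analyst would still keep it as context rather than an action item.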
The document outlines the IT Manager's contingency plan presentation to the Executive Board and President of the bank. The plan covers disaster events, recovery planning, the technologies used, contingency operations, costs of recovery, employee awareness, impacts on business operations, and conclusions, with a table of contents and a prologue. It aims to safeguard the bank's systems and operations in the event of an earthquake, political unrest, or other disruptions through strategies such as data backup, identification of roles and solutions, testing, and employee training.
NIST SP 800-34, Revision 1 updates the guidance for contingency planning for federal information systems. The revision:
- Aligns with NIST SP 800-53 and incorporates contingency planning into the Risk Management Framework.
- Provides more templates and guidance for developing system-specific contingency plans tailored to impact levels.
- Clarifies relationships between various continuity/contingency plans like COOP, BCP, and ISCPs.
- Links testing, training, and exercise requirements more closely to NIST and FIPS standards.
This study will articulate the need for contingency planning and explore the major components of contingency planning. The reader will learn how to create a simple set of contingency plans using business impact analysis, and how to prepare and execute a test of those plans.
Coordinating Security Response and Crisis Management Planning (Cognizant)
Security or emergency response for businesses must be tactically and strategically integrated with disaster recovery, with a plan for root cause analysis and next steps coordinated by the CIO and chief information security officer in conjunction with business units.
ISOL 533 - Information Security and Risk Management R.docx (christiandean12115)
ISOL 533 - Information Security and Risk Management Risk Management Plan
University of the Cumberlands
Executive Summary
<Review the Scenario on Page #2 of the publisher’s Project: Risk Management Plan. Summarize the information about the company provided in the scenario and place it into this section of the report. Remove these instructions and all other instructions below before submitting the document for grading.>
This Risk Management Plan covers the Risks, Threats and Weaknesses of the Health Network, Inc. (Health Network).
Risks - Threats - Weaknesses within each domain
<Using the Threats listed on Page #3 of the publisher’s Project: Risk Management Plan and the 7 Domains diagram on Page #3 of this template, complete the table on Page #2 of this template (review your Lab #1 solution). Once you enter the Threats into the table, list one or more Weaknesses that might exist in a typical organization (using research and your imagination) and then list the Risk to the company if the Threat exploits that Weakness. Then group these Risks-Threats-Weaknesses (R-T-W) by Domain and discuss them below in this section.>
User Domain: <list each User Domain R-T-W identified in the table>
Workstation Domain: <list each Workstation Domain R-T-W identified in the table>
LAN Domain: <list each LAN Domain R-T-W identified in the table>
WAN-to-LAN Domain: <list each WAN-to-LAN Domain R-T-W identified in the table>
WAN Domain: <list each WAN Domain R-T-W identified in the table>
Remote Access Domain: <list each Remote Access Domain R-T-W identified in the table>
System/Application Domain: <list each System/Application Domain R-T-W identified in the table>
Compliance Laws and Regulations
<List the laws and regulations that affect this industry.>
…
Presented at the National Webinar of the ISACA Student Group, Universitas Kristen Satya Wacana, Indonesia.
Title: Cyber Resilience: Post COVID-19 - Welcoming New Normal
2 July 2020
Information security as an ongoing effort (Dhani Ahmad)
This document discusses the importance of ongoing maintenance for information security programs. It provides an overview of recommended security management models, such as the ISO model, and outlines key aspects of a full maintenance program including external and internal monitoring, vulnerability assessment, and review procedures. The goal of maintenance is to allow security programs to adapt to changes in threats, assets, vulnerabilities and the internal/external environment over time.
E’s Data Security Company Strategic Security Plan – 2015.docx (mydrynan)
E’s Data Security Company Strategic Security Plan – 2015
Table of Contents
1 EXECUTIVE SUMMARY
1.1 Introduction
1.2 Objectives
1.3 Determine company position
2 INTRODUCTION TO SECURITY
2.1 Develop
2.2 Information Security Employee Responsibilities
2.3 Establish Oversight Authority for Information Security
2.4 Establish Reporting Procedures for Leaders
2.5 Review of Pertinent or Sensitive Data
2.6 Purge Unneeded Data
3.3 Unauthorized Systems Access
4.3 Educate employees on cyber threats and trends
5 EMERGENCY SITUATIONS
5.1 Chain of Command
5.2 Communications plan
5.3 Safety and Security Drills
6 SECURITY RISK MANAGEMENT
7 REFERENCES
1 EXECUTIVE SUMMARY
Per APA, Always Use Times new Roman 12 Font…
E’s Data Security Company was established in 2010. It is an organization that provides data security and network solutions to the state and local government of the US Virgin Islands. An executive summary is much more than just one sentence… Add much more detail here… I suggest you eliminate the executive summary and start with your introduction..
1.1 Introduction
In April 2014 E’s Data Security Company began its first phase of implementing a security plan for use within the company. This began what began?? Add more clarity here… by hiring its first Chief Information Security Officer (CISO) for the sole purpose of creating a security program for IT purposes (Scalet, 2006). Initially, the efforts of this plan were focused on obtaining the proper staffing to support the implementation of this plan. It is imperative to understand that the development of an IT Security Program is an ongoing, ever-evolving process and a shared responsibility (M.U.S.E., n.d.). By coordinating efforts with local, state, and federal government entities, this plan creates a comprehensive opportunity to address the need for such a plan. Because this organization serves a small community, the planning process will rely principally on informal relationships. The formalization of this planning process varies based on the frequency of a particular hazard and its impact on the community.
1.2 Objectives
This plan is presented and lists a set of goals for oversight and program implementation.
A. Implement and maintain policies and procedures for data security.
B. Implement and maintain procedures to test system resilience.
C. Implement and maintain education for employees regarding system vulnerabilities.
D. Implement and maintain physical security procedures.
E. Implement, maintain and review policies for emergency response(s).
1.3 Determine company position
To determine where the organization stands, an external and internal audit will be conducted to determine its competency (Entrepreneurs, 2011). What is the purpose of this section??
2 INTRODUCTION TO SECURITY
2.1 Develop – In collaboration with government agencies, the strategic plan ...
Ise viii-information and network security [10 is835]-solution (Vivek Maurya)
This document contains the question paper solution from VTU for the course Information and Network Security 10IS835. It discusses various topics in system security policies, including:
- How managerial guidelines and technical specifications can be used in system-specific security policies.
- Who is responsible for policy management and how policies are managed.
- The different approaches for creating and managing issue-specific security policies.
- The major steps and components of contingency planning, including the business impact analysis.
- Pipkin's three categories of incident indicators and the ISO/IEC 270xx standard for information security management.
- The importance of incident response planning and testing security response plans.
- The
Implementing CSIRT based on some frameworks and maturity model (Rakuten Group, Inc.)
We implemented a CSIRT based on several frameworks and maturity models, including the FIRST Service Framework, SIM3 and some documents devised in Japan. We will explain how to use these documents in this presentation.
The Perfect Storm - How We Talk About Disasters (DevOps.com)
Failures are inevitable. Every once in a long while, those failures can become major outages so big that they can cause irreversible damage to your company's brand and reputation. During these rare events, how you communicate with customers can make or break the valuable relationships you've built with them over the years. But when the blast radius of a technical outage is so big that it requires involvement from other parts of your company (like legal, marketing, and sales) many companies inadvertently make problems worse.
To minimize damage to customers, companies must have a well-developed plan to respond effectively during big technical outages.
In this webinar, we will explore how applying DevOps principles learned from managing technical incidents can apply to other parts of your organization to create effective crisis communications strategies. Join us and you'll also learn:
How to create an effective technical incident response plan
How to develop a crisis communications plan across various non-technical cross-functional teams
Mechanisms for coordinating between both technical and non-technical teams during major outages
Step-by-step considerations for creating your own customized response plan
Running Head: Personal Reflection 1 (Personal Reflection1.docx, jeanettehully)
This document summarizes key aspects of cybersecurity incident response based on a chapter from the textbook "Protecting National Infrastructure". It discusses the importance of both front-loaded prevention and back-loaded recovery in incident response processes. It also covers the roles of incident response teams, forensic analysis, disaster recovery planning, and national response program coordination. Maintaining situational awareness is highlighted as important for understanding an organization's security posture and risk levels over time.
The document describes how incident management, which manages emergency situations, is a specialized form of project management. It introduces the Incident Command System (ICS), which provides standardized guidance and best practices for emergency response management in the US. ICS resulted from the need for a new approach to managing wildfires in the 1970s. It addresses common challenges faced in emergency responses through a functional, hierarchical organization with standardized communication and terminology. The key project planning document in ICS is the Incident Action Plan, which is updated at least twice daily to adapt to changing conditions, similar to how a project manager would update plans. ICS provides a detailed, documented process for developing, approving, and implementing the IAP during each operational period.
This document outlines a cyber threat intelligence (CTI) project for Strong Manufacturing Corp. It discusses CTI concepts like the intelligence lifecycle and team structure. It proposes a CTI team of 6 members and describes how the team would integrate with security operations, incident response, and external organizations. The document also covers threat modeling approaches like PASTA and proposes a 50/20/30 budgeting strategy to fund CTI training, partnerships, and tools.
MIT BUSINESS CONTINUITY PLAN - This is an external rele.docx (annandleola)
MIT BUSINESS CONTINUITY PLAN
This is an external release of the MIT Business Continuity Plan.
For information on the plan or Business Continuity Planning at MIT, call Jerry Isaacson MIT
Information Security Office at (617) 253-1440 or send e-mail to [email protected]
Copyright 1995 Massachusetts Institute of Technology
To Page the BCMT Duty Person:

  Duty Person   To just leave phone number        To leave an 80 character message
  1             Number to call back: __________   dial: call ______________ and give PIN #
  2             Number to call back: __________   dial: call ______________ and give PIN #

For recorded disaster recovery status reports and announcements during the emergency, call: _________
Table of Contents
Part I. Introduction
Introduction to This Document
Part II. Design of the Plan
Overview of the Business Continuity Plan
Purpose
Assumptions
Development
Maintenance
Testing
Organization of Disaster Response and Recovery
Administrative Computing Steering Committee
Business Continuity Management Team
Institute Support Teams
Disaster Response
Disaster Detection and Determination
Disaster Notification
Initiation of the Institute's Business Continuity Plan
Activation of a Designated Hot Site
Dissemination of Public Information
Disaster Recovery Strategy
Scope of the Business Continuity Plan
Category I - Critical Functions
Category II - Essential Functions
Category III - Necessary Functions
Category IV - Desirable Functions
Part III. Team Descriptions
Institute Support Teams
Business Continuity Management Team
Damage Assessment/Salvage
Campus Police
MIT News Office - Public Information
Insurance
Telecommunications
Part IV. Recovery Procedures
Notification List
To reach the BCMT Duty Person
Business Continuity Management Team Coordinator
Damage Assessment/Salvage
Salvage Operations
Campus Police
MIT News Office - Public Information
Insurance Team
Telecommunications
Appendix A - Recovery Facilities
Emergency Operations Centers
Appendix B - Category I, II & III functions
Appendix C - Plan Distribution List
Business Continuity Management Team
BCMT Duty Person Procedures
GUIDE TO BCMT ACTIVATION
Part I. Introduction
Part I contains information about this document, which provides the written record of the
Massachusetts Institute of Technology Business Continuity Plan.
Introduction to This Document
Planning for the business continuity of MIT in the aftermath of a disaster is a complex task.
Preparation for, response to, and recovery from a disaster affecting the administrative functions
of the Institute requires the cooperative efforts of many support organizations in partnership with
the functional areas supporting the "busine ...
Similar to Disaster recovery & business continuity (20)
The document discusses several analytical methods used for strategic analysis including SWOT analysis, critical success factors analysis, matrix analysis, value chain analysis, and Porter's five forces analysis. It provides details on how to conduct a SWOT analysis, including examining a company's internal strengths and weaknesses as well as external opportunities and threats. It also outlines the key components of Porter's five forces model which examines the competitive environment including threats from new entrants, power of suppliers and buyers, and rivalry among existing competitors.
This document discusses strategic issues for information systems planning (SISP) in the 1990s. It notes key business forces of globalization, competition, and productivity requirements. Strategic issues include increased connectivity within and between organizations, as well as new information technology opportunities from advances in networks, databases, and interfaces. SISP aims to align information systems with organizational objectives and strategies in a cost-effective way that provides competitive advantage. It helps prioritize investments, integrate systems, and manage information and relationships between users and IT specialists.
Opportunities, threats, industry competition, and competitor analysis (Dhani Ahmad)
This document provides an overview of analyzing a company's external environment and competitors. It discusses the components of the general environment including political, economic, technological, and other factors. It also explains SWOT analysis and its purpose in developing a strategic overview of a company. Porter's Five Forces model is introduced as a framework for assessing industry competition, including threats from new entrants, power of suppliers and buyers, substitute products, and rivalry among existing competitors. The chapter emphasizes that competitor analysis should follow industry analysis by evaluating a competitor's objectives, strategies, assumptions, capabilities, and likely responses. The purpose is to understand relative strengths and weaknesses compared to competitors.
This document defines key concepts related to information systems. It distinguishes between data and information, noting that information involves processed data that is meaningful. It also categorizes different types of information systems, including transaction processing systems, knowledge work systems, office automation systems, management information systems, decision support systems, and executive information systems. Finally, it provides examples of information systems that various organizational functions may use at different levels, from operational to strategic.
This document provides an overview of information resource management (IRM). It discusses the history of cryptography and securing information. IRM is defined as the process of managing information as a valuable organizational resource. The components of an IRM system include information resources, facilities, hardware, software, databases, information specialists, and users. IRM provides benefits such as identifying redundant information, clarifying roles, and supporting management decision-making. Adaptive, knowing, and learning organizations especially need IRM to effectively share information. Enterprise resource planning (ERP) systems and the Willard model are approaches for implementing IRM.
Types of Islamic institutions and records (Dhani Ahmad)
There are eleven categories of Islamic institutions in Malaysia that create and manage various records. These institutions include Islamic educational institutions, Islamic courts, Islamic museums, Islamic banks, zakat institutions, Islamic preaching organizations, Islamic libraries, non-governmental Islamic organizations, Islamic training centers, Islamic insurance companies, and Islamic foundation organizations. The records managed by these institutions provide information on Islamic knowledge, laws, history, financial transactions, religious obligations, training programs, and more, depending on the specific role and functions of each organization.
The document discusses sources of Islamic information for Muslim information seekers. It describes various Islamic institutions in Malaysia that provide Islamic education, courts, museums, and other services. It also mentions Muslim scholars and resources persons. For printed sources, it lists many books, journals, magazines, bibliographies, indexes, encyclopedias, and dictionaries available. The document provides a detailed overview of where Muslims in Malaysia can seek Islamic knowledge.
This document discusses Islamic information management. It begins by providing contact information for the instructor, Nor Kamariah BT Chik.
It then covers key topics including terminologies related to Islamic information and records, the scope of Islamic information management and Islamic records management, and the characteristics of Islamic information and records.
Terminologies discussed include data, information, records, Islam, records management, information management, Islamic information, Islamic records, Islamic information management, Islamic records management, and Islamic information/records managers.
The document differentiates between Islamic information management, which organizes information according to classification, and Islamic records management, which organizes records according to their lifecycle. Finally, it outlines the characteristics of Islamic records.
Islamic information management: sources in Islam (Dhani Ahmad)
This document discusses sources of knowledge in Islam and how knowledge is classified from an Islamic perspective. It outlines that primary sources in Islam are the Quran and Hadith, which are directly revealed by God. Secondary sources include consensus of scholars, analogy, and reasoning based on public interest. Knowledge can be acquired through revelation, senses, mind, and ideas. The hierarchy of knowledge receivers starts with prophets, then pious people, scholars, and finally the public. Knowledge is typically divided into revealed knowledge from the Quran and Hadith, and acquired knowledge from observation and reasoning. It can also be categorized as individual or social obligations.
This document discusses the need for information security. It covers threats to information security like human error, hackers, malware attacks, and natural disasters. The document is from an Illinois Institute of Technology course on information security and outlines objectives, threats, and examples of common threats like software attacks, intellectual property theft, and power outages. It aims to explain the business need for security and describe common information security threats.
This document discusses the process of conducting an information security audit. It begins by defining an information security audit and explaining that it assesses how an organization's security policies protect information. It then describes the general methodology, which involves assessing general controls at the entity, application, and technical levels. The document outlines the planning, internal control, testing, and reporting phases of an audit. It provides details on tasks like developing audit scopes and checklists, assessing policies and documentation, and writing the final audit report. The overall purpose is to explain the end-to-end process of performing an information security audit.
This document discusses security technologies taught in an Illinois Institute of Technology course. It covers firewalls, intrusion detection systems, dial-up protection, and other topics. The learning objectives are to define types of firewalls, discuss firewall implementation approaches, and understand technologies like encryption and biometrics. Firewalls examined include packet filtering, proxy, stateful inspection, dynamic, and kernel proxy firewalls. Intrusion detection systems can be host-based or network-based, using signatures or anomalies. Remote authentication and terminal access control systems help secure dial-up access.
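As an added example that is not part of the course slides, the following Python script runs a small signature rule set and a simple anomaly rule over constructed web-server access log lines, which is the distinction the slides draw between signature-based and anomaly-based intrusion detection. The log format, the rules, the burst threshold (20 requests per 60 seconds) and the addresses are assumptions for the demonstration, and only the request path is inspected; a real IDS would look at the whole request or packet.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "common" access-log line (assumed format for the demo).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules: known-bad patterns, matched against the decoded path.
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)\b")),
    ("sql_injection", re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+)")),
]


def parse_line(line):
    """Return a dict with src, timestamp, method, decoded path and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])   # decode %2e%2e/ style evasion before matching
    rec["status"] = int(rec["status"])
    return rec


class BurstDetector:
    """Anomaly rule: a source exceeding max_requests inside a sliding window."""

    def __init__(self, window_seconds=60, max_requests=20):
        self.window = window_seconds
        self.max_requests = max_requests
        self.seen = defaultdict(deque)   # src -> timestamps inside the window
        self.alerted = set()             # alert once per source

    def observe(self, src, ts):
        q = self.seen[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.max_requests and src not in self.alerted:
            self.alerted.add(src)
            return len(q)
        return None


def analyze(lines, window_seconds=60, max_requests=20):
    """Run both detectors over the log lines and return the alerts raised."""
    alerts = []
    burst = BurstDetector(window_seconds, max_requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # malformed line: skip, a real sensor would count these
        hits = [name for name, rx in SIGNATURES if rx.search(rec["path"])]
        if hits:
            alerts.append({"type": "signature", "source": rec["src"],
                           "rules": hits, "path": rec["path"]})
        count = burst.observe(rec["src"], rec["ts"])
        if count is not None:
            alerts.append({"type": "anomaly", "source": rec["src"],
                           "requests_in_window": count})
    return alerts


# Constructed log lines: normal browsing, one encoded traversal attempt,
# then a scanner firing 25 requests in 25 seconds.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2024:12:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jun/2024:12:00:05 +0000] "GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Jun/2024:12:00:09 +0000] "POST /login HTTP/1.1" 302 0',
] + [
    f'198.51.100.9 - - [01/Jun/2024:12:01:{i:02d} +0000] "GET /admin/p{i} HTTP/1.1" 404 0'
    for i in range(25)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The traversal line is caught by the signature rules only because the path is percent-decoded first; the scanner trips no signature at all and is only visible to the anomaly rule, which is the usual argument for running both kinds of detection side by side.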
The document discusses security and ethics issues related to information management in government offices. It provides an overview of areas that need to be addressed to ensure proper policies and procedures are in place, including security, privacy, intellectual property, appropriate use, and social impacts of technology. The summary discusses how the office needs to have security policies, privacy protections, and records of compliance in order to be prepared for an upcoming audit and allow the director to enjoy an upcoming vacation without concerns.
This document provides an overview of the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It discusses who and what organizations are affected by HIPAA, the standards it sets for electronic health information transactions, and the penalties for non-compliance. It also summarizes the requirements of the HIPAA Privacy Rule regarding use and disclosure of protected health information and the HIPAA Security Rule regarding safeguarding electronic protected health information.
This document discusses laws and ethics related to information security. It begins with an overview of the differences between laws and ethics. It then provides details on several relevant US and international laws, such as the Computer Fraud and Abuse Act, Sarbanes-Oxley Act, and various privacy and copyright laws. The document also discusses ethics, fair use, and how culture influences conceptions of ethical behavior.
This document is a slide presentation for an introduction to information security course at Illinois Institute of Technology. It begins with an overview of the course objectives and policies. It then provides a history of information security, defining key terms. It discusses approaches to implementing security through a systems development life cycle and the roles of security professionals.
The document discusses implementing security projects through proper project management. It describes developing a detailed project plan using a work breakdown structure to identify tasks, assign responsibilities, and track costs and dependencies. Special considerations in planning include finances, priorities, timing, staffing, scope, procurement, organizational feasibility, training, and change management. Effective project management is key to successfully translating a security blueprint into concrete implementation.
The document discusses information security threats and attacks. It provides examples of different types of threats including human error, intellectual property theft, espionage, service disruptions, natural disasters, hardware and software failures, and obsolescence. It also describes different categories of attacks such as malware, password cracking, denial of service, and how multi-vector worms can use various techniques like IP scanning, web browsing, file shares, and email to replicate. The document emphasizes that management must understand security threats in order to implement proper controls and safeguard the organization's data, systems, and ability to operate.
The document discusses various aspects of research, including:
1) It describes different types of research studies such as reporting, descriptive, explanatory, and predictive research.
2) It outlines styles of research including applied research, pure/basic research, and business research.
3) It discusses what constitutes good research including clearly defined purposes, detailed research processes, and thoroughly planned designs.
Discover the benefits of outsourcing SEO to India (davidjhones387)
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Ready to Unlock the Power of Blockchain! (Toptal Tech)
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Understanding User Behavior with Google Analytics.pdf
Disaster recovery & business continuity
1. Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578 1
Disaster Recovery & Business Continuity
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
2. Learning Objectives
Upon completion of this lesson the student should be able to:
– Describe what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
– Discuss the elements that comprise a business impact analysis and the information that is collected for the attack profile.
– Recognize the components of an incident response plan.
3. Learning Objectives
Upon completion of this lesson the student should be able to:
– Explain the steps involved in incident reaction and incident recovery.
– Define the disaster recovery plan and its parts.
– Define the business continuity plan and its parts.
– Discuss the reasons for and against involving law enforcement officials in incident responses and when it may be required.
4. Contingency Planning and the SecSDLC
FIGURE 7-1 Contingency Planning and the SecSDLC (figure labels: Contingency Planning, Chapter 7; SecSDLC phases Investigate, Analyze, Design "planning for continuity", Physical Design, Implement, Maintain)
5. Continuity Strategy
Managers must provide strategic planning to assure continuous information systems availability, ready to use when an attack occurs
Plans for events of this type are referred to in a number of ways:
– Business Continuity Plans (BCPs)
– Disaster Recovery Plans (DRPs)
– Incident Response Plans (IRPs)
– Contingency Plans
6. Continuity Strategy
Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning
7. Contingency Planning
Components of Contingency Planning (CP):
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
8. Contingency Planning
The primary functions of these three planning components:
– IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP
– DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP
– BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources
9. Contingency Planning Team
Before any planning can begin, a team has to plan the effort and prepare the resulting documents
Champion - A high-level manager to support, promote, and endorse the findings of the project
10. Contingency Planning Team
Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
11. Contingency Planning Hierarchy
FIGURE 7-2 Contingency Planning Hierarchy: Contingency Planning at the top, with Incident Response, Disaster Recovery, and Business Continuity beneath it
12. Contingency Planning Timeline
FIGURE 7-3 Contingency Planning Timeline: Incident Response (IRP), Disaster Recovery Planning (DRP), and Business Continuity (BCP) laid out against Attack, Post Attack (hours), and Post Attack (days)
13. Major Steps in Contingency Planning
FIGURE 7-4 Major Steps in Contingency Planning
Business impact analysis (BIA): Identification of threats and attacks; Business unit analysis; Scenarios of successful attacks; Assessment of potential damages; Classification of subordinate plans
Incident response planning: Incident planning; Incident detection; Incident reaction; Incident recovery
Disaster recovery planning: Plan for disaster recovery; Crisis management; Recovery operations
Business continuity planning: Establish continuity strategy; Plan for continuity of operations; Continuity management
14. Business Impact Analysis
Begin with Business Impact Analysis (BIA): if the attack succeeds, what do we do then?
The CP team conducts the BIA in the following stages:
1. Threat attack identification
2. Business unit analysis
3. Attack success scenarios
4. Potential damage assessment
5. Subordinate plan classification
15. Threat Attack Identification & Prioritization
Update the threat list with the latest developments and add the attack profile
The attack profile is the detailed description of activities during an attack
Must be developed for every serious threat the organization faces
Used to determine the extent of damage that could result to a business unit if the attack were successful
16. Table 7-1 – Attack Profile
– Date of analysis
– Attack name & description
– Threat & probable threat agent
– Known or possible vulnerabilities
– Likely precursor activities or indicators
– Likely attack activities or indicators of attack in progress
– Information assets at risk from this attack
– Damage or loss to information assets likely from this attack
– Other assets at risk from this attack
– Damage or loss to other assets likely from this attack
TABLE 7-1 Attack Profile
17. Business Unit Analysis
The second major task within the BIA is the analysis and prioritization of business functions within the organization
Identify the functional areas of the organization and prioritize them as to which are most vital
Focus on a prioritized list of the various functions the organization performs
18. Attack Success Scenario Development
Next create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
– details on the method of attack
– the indicators of attack
– the broad consequences
Attack success scenario details are added to the attack profile, including:
– Best case
– Worst case
– Most likely alternate outcomes
19. Potential Damage Assessment
From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases
Costs include actions of the response team
This final result is referred to as an attack scenario end case
20. Subordinate Plan Classification
Once potential damage has been assessed, a subordinate plan must be developed or identified
Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario
An attack scenario end case is categorized as disastrous or not
The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack
21. Incident Response Planning
Incident response planning covers the identification of, classification of, and response to an incident
An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
22. Incident Response Planning
Attacks are only classified as incidents if they have the following characteristics:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information resources
IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident
23. Incident Planning
The pre-defined responses enable the organization to react quickly and effectively to the detected incident
This assumes two things:
– first, the organization has an IR team
– second, the organization can detect the incident
The IR team consists of those individuals needed to handle the systems as an incident takes place
24. Incident Planning
The military process of planned team responses can be used in an incident response
The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident
These plans must be properly organized and stored
25. Incident Response Plan
Format and Content
– The plan must be organized to support quick and easy access to the information needed
Storage
– The plan should be protected as sensitive information
– On the other hand, the organization needs this information readily available
26. Incident Response Plan
Testing
– An untested plan is not a useful plan.
The levels of testing strategies can vary:
– Checklist
– Structured walk-through
– Simulation
– Parallel
– Full-interruption
27. Incident Detection
The most common occurrence is a complaint about technology support, often delivered to the help desk
Possible detections:
– intrusion detection systems, both host-based and network-based
– virus detection software
– systems administrators
– end users
Only through careful training can the organization hope to quickly identify and classify an incident
Once an attack is properly identified, the organization can respond
28. Incident Indicators
Possible indicators of incidents:
– Presence of unfamiliar files
– Unknown programs or processes
– Unusual consumption of computing resources
– Unusual system crashes
Probable indicators of incidents:
– Activities at unexpected times
– Presence of new accounts
– Reported attacks
– Notification from IDS
Definite indicators of incidents:
– Use of dormant accounts
– Changes to logs
– Presence of hacker tools
– Notifications by partner or peer
– Notification by hacker
Predefined situations that signal an automatic incident:
– Loss of availability
– Loss of integrity
– Loss of confidentiality
– Violation of policy
– Violation of law
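The indicator classes above can drive simple detection logic. The following is an added example, not from the slides or from Whitman & Mattord: it walks a constructed audit log, keeps the per-account state needed to spot a dormant account being used, and tags each event as possible, probable or definite; the log format, the 90-day dormancy threshold, the business-hours window and the known-process baseline are all assumptions.

```python
"""Classifying audit-log events into the slide's indicator categories.

Added example, not from the slides or from Whitman & Mattord: the log
format, the 90-day dormancy threshold, the 07:00-19:00 business hours and
the "known process" baseline are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log: ISO timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2004-03-01T09:15:44 LOGIN user=bob src=10.0.0.7
2004-05-20T09:00:00 LOGIN user=alice src=10.0.0.5
2004-06-09T08:40:00 LOGIN user=alice src=10.0.0.5
2004-06-09T10:30:00 PROCESS_START name=backup.sh user=alice
2004-06-10T03:02:11 LOGIN user=alice src=10.0.0.5
2004-06-10T03:04:50 ACCOUNT_CREATED user=svc_tmp by=alice
2004-06-10T03:07:19 LOGIN user=bob src=10.0.0.7
2004-06-10T03:09:00 LOG_CLEARED file=/var/log/auth.log by=alice
2004-06-10T10:30:00 PROCESS_START name=xyzzy.bin user=bob
"""

LEVELS = ("POSSIBLE", "PROBABLE", "DEFINITE")     # slide 28, ascending strength
DORMANT_AFTER = timedelta(days=90)                # assumed: idle this long = dormant
BUSINESS_HOURS = range(7, 19)                     # assumed: 07:00-18:59 is "expected"
KNOWN_PROCESSES = {"sshd", "httpd", "backup.sh"}  # assumed baseline of normal programs

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


@dataclass
class Finding:
    when: datetime
    level: str       # one of LEVELS
    indicator: str   # wording taken from slide 28
    detail: str


def parse_line(line):
    """Split one log line into (timestamp, event type, field dict); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return datetime.fromisoformat(m.group("ts")), m.group("event"), fields


def classify(log_text):
    """Walk the log in order and tag events with the slide's indicator classes."""
    last_login = {}   # user -> previous login time (state needed by the dormancy rule)
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        when, event, f = parsed
        if event == "LOGIN":
            user = f["user"]
            prev = last_login.get(user)
            if prev is not None and when - prev >= DORMANT_AFTER:
                findings.append(Finding(when, "DEFINITE", "use of dormant account",
                                        f"{user} idle {(when - prev).days} days"))
            if when.hour not in BUSINESS_HOURS:
                findings.append(Finding(when, "PROBABLE", "activity at unexpected time",
                                        f"{user} logged in at {when:%H:%M}"))
            last_login[user] = when
        elif event == "ACCOUNT_CREATED":
            findings.append(Finding(when, "PROBABLE", "presence of new account",
                                    f"{f['user']} created by {f['by']}"))
        elif event == "LOG_CLEARED":
            findings.append(Finding(when, "DEFINITE", "changes to logs",
                                    f"{f['file']} cleared by {f['by']}"))
        elif event == "PROCESS_START" and f.get("name") not in KNOWN_PROCESSES:
            findings.append(Finding(when, "POSSIBLE", "unknown program or process",
                                    f"{f['name']} run by {f['user']}"))
    return findings


def highest_level(findings):
    """Strongest indicator class seen, or None when nothing was flagged."""
    return max((fi.level for fi in findings), key=LEVELS.index, default=None)


def incident_declared(findings):
    """The slide treats a definite indicator as an incident under way."""
    return highest_level(findings) == "DEFINITE"


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for fi in found:
        print(f"{fi.when:%Y-%m-%d %H:%M}  {fi.level:<8} {fi.indicator}: {fi.detail}")
    print("incident declared:", incident_declared(found))
```

Note that the dormancy rule only fires once a baseline login has been seen, so the first login of an account is never flagged; a real deployment would seed `last_login` from historical data.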
29. Incident or Disaster
When Does an Incident Become a Disaster?
– the organization is unable to mitigate the impact of an incident during the incident
– the level of damage or destruction is so severe the organization is unable to quickly recover
– It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
30. Incident Reaction
Incident reaction consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident
In reacting to the incident there are a number of actions that must occur quickly, including:
– notification of key personnel
– assignment of tasks
– documentation of the incident
31. Notification of Key Personnel
Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident
Two ways to activate an alert roster:
– A sequential roster is activated as a contact person calls each and every person on the roster
– A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on
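The two activation styles trade speed against robustness. The following simulation is an added example, not from the slides or from Whitman & Mattord: the 13-person roster, the two-minute call time and the fan-out of three are constructed assumptions. It shows that the hierarchical roster finishes in half the time, but that a single unreachable caller silently drops everyone below them, which the sequential roster never does.

```python
"""Sequential vs hierarchical alert-roster activation, simulated.

Added example, not from the slides: roster, call time and fan-out are
constructed assumptions.
"""
from dataclasses import dataclass

CALL_MINUTES = 2  # assumed duration of one call attempt, answered or not

# Constructed roster; index 0 is the person who starts the activation.
ROSTER = ["Ann", "Ben", "Cal", "Dee", "Eve", "Fay", "Gus",
          "Hal", "Ida", "Jon", "Kay", "Lou", "Max"]


@dataclass
class RosterRun:
    notified: list        # people who actually heard the alert
    unreached: list       # people who were called but did not answer
    never_called: list    # people nobody ever tried to call
    minutes: int          # elapsed time until the last call attempt ends


def activate_sequential(roster, reachable, call_minutes=CALL_MINUTES):
    """One contact person calls every other roster entry, one after another."""
    notified, unreached = [roster[0]], []
    minutes = 0
    for person in roster[1:]:
        minutes += call_minutes
        (notified if person in reachable else unreached).append(person)
    return RosterRun(notified, unreached, [], minutes)


def activate_hierarchical(roster, reachable, fanout=3, call_minutes=CALL_MINUTES):
    """Roster entry j calls entries fanout*j+1 .. fanout*j+fanout (an implicit
    k-ary tree over roster order); different callers work in parallel."""
    n = len(roster)
    reached_at = {0: 0}   # index -> minute at which that person heard the alert
    unreached, never_called = [], []
    elapsed = 0
    for j in range(n):
        callees = range(fanout * j + 1, min(fanout * j + fanout, n - 1) + 1)
        if j not in reached_at:
            # This caller never heard the alert, so their whole branch is lost.
            never_called.extend(roster[c] for c in callees)
            continue
        for i, c in enumerate(callees, start=1):
            t = reached_at[j] + i * call_minutes   # each caller dials sequentially
            elapsed = max(elapsed, t)
            if roster[c] in reachable:
                reached_at[c] = t
            else:
                unreached.append(roster[c])
    notified = [roster[j] for j in sorted(reached_at)]
    return RosterRun(notified, unreached, never_called, elapsed)


if __name__ == "__main__":
    everyone = set(ROSTER)
    print("sequential, all reachable:  ", activate_sequential(ROSTER, everyone).minutes, "min")
    print("hierarchical, all reachable:", activate_hierarchical(ROSTER, everyone).minutes, "min")
    run = activate_hierarchical(ROSTER, everyone - {"Ben"})
    print("hierarchical, Ben unreachable -> never called:", run.never_called)
```

A practical roster therefore pairs the hierarchical scheme with a fallback rule (the next person up calls the missing caller's branch), which this simulation deliberately omits to make the failure visible.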
32. The Alert Message
The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement
Can be prepared rapidly by filling in the blanks in a template included in the IRP
33. Documenting an Incident
Documenting the event is important:
– First, it is important to ensure that the event is recorded for the organization’s records, to know what happened, how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the event
– Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident
– Finally, the recorded incident can also be used as a simulation in future training sessions
34. Incident Containment Strategies
Before an incident can be contained, the affected areas of the information and information systems must be determined
The organization can stop the incident and attempt to recover control through a number of strategies, including:
– severing the affected circuits
– disabling accounts
– reconfiguring a firewall
– The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization
35. Incident Recovery
Once the incident has been contained, and control of the systems regained, the next stage is recovery
The first task is to identify the human resources needed and launch them into action
The full extent of the damage must be assessed
The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems
36. Damage Assessment
There are several sources of information, including:
– system logs
– intrusion detection logs
– configuration logs and documents
– documentation from the incident response
– results of a detailed assessment of systems and data storage
Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings
Individuals assessing damage need special training
37. Recovery
In the recovery process:
– Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
– Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them
– Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
38. Recovery
In the recovery process:
– Restore the data from backups
– Restore the services and processes in use
– Continuously monitor the system
– Restore the confidence of the members of the organization’s communities of interest
– Conduct an after-action review
39. Automated Response
New systems can respond to incidents autonomously
Trap and trace uses a combination of resources to detect an intrusion and then trace it back to its source
Trapping may involve honeypots or honeynets
Entrapment is luring an individual into committing a crime to get a conviction
Enticement is legal and ethical, while entrapment is not
40. Disaster Recovery Planning
Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
The contingency planning team must decide which actions constitute disasters and which constitute incidents
When situations are classified as disasters, plans change as to how to respond - take action to secure the most valuable assets to preserve value for the longer term, even at the risk of more disruption
DRP strives to reestablish operations at the ‘primary’ site
41. DRP Steps
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Someone must be tasked with the documentation of the disaster
If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
42. Crisis Management
Crisis management is actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business
The crisis management team is responsible for managing the event from an enterprise perspective and covers:
– Supporting personnel and families during the crisis
– Determining impact on normal business operations and, if necessary, making a disaster declaration
– Keeping the public informed
– Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
43. Disaster Recovery Planning
Establish a command center to support communications
Includes individuals from all functional areas of the organization to facilitate communications and cooperation
Some key areas of crisis management include:
– Verifying personnel head count
– Checking the alert roster
– Checking emergency information cards
44. DRP Structure
Similar to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster
Provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified
Just as the IRP must be tested, so must the DRP, using the same testing mechanisms
Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters
45. Business Continuity Planning
Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations
If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
46. Continuity Strategies
There are a number of strategies for planning for business continuity
The determining factor in selection between these options is usually cost
In general there are three exclusive options:
– hot sites
– warm sites
– cold sites
And three shared functions:
– timeshare
– service bureaus
– mutual agreements
47. Off-Site Disaster Data Storage
To get these types of sites up and running quickly, the organization must have the ability to port data into the new site’s systems
These include:
– Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
– Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data, and the transfer is real-time.
– Database shadowing - Not only processes duplicate real-time data storage, but also duplicates the databases at the remote site to multiple servers.
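The practical difference between the three techniques is how much committed work the remote site is missing at the moment the primary is lost. The following simulation is an added example, not from the slides or from Whitman & Mattord: the account ledger, the batch size and the transaction stream are constructed. A vault lags by up to one batch, while a journal (and each shadow copy fed from it) is current to the last commit.

```python
"""Electronic vaulting, remote journaling and database shadowing, simulated.

Added example, not from the slides: ledger, batch size and transaction
stream are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    seq: int        # commit sequence number at the primary
    account: str
    delta: int


def apply_txn(ledger, txn):
    ledger[txn.account] = ledger.get(txn.account, 0) + txn.delta


class ElectronicVault:
    """Bulk batch transfer: a full copy of the primary ledger every `batch_every` commits."""
    def __init__(self, batch_every):
        self.batch_every = batch_every
        self.ledger, self.last_seq = {}, 0

    def on_commit(self, primary_ledger, txn):
        if txn.seq % self.batch_every == 0:
            self.ledger = dict(primary_ledger)   # snapshot shipped off-site
            self.last_seq = txn.seq


class RemoteJournal:
    """Real-time transfer of each live transaction, replayed on arrival."""
    def __init__(self):
        self.ledger, self.last_seq = {}, 0

    def on_commit(self, primary_ledger, txn):
        apply_txn(self.ledger, txn)
        self.last_seq = txn.seq


class DatabaseShadow:
    """Journal feed fanned out to several remote servers holding duplicate databases."""
    def __init__(self, copies):
        self.replicas = [RemoteJournal() for _ in range(copies)]

    def on_commit(self, primary_ledger, txn):
        for r in self.replicas:
            r.on_commit(primary_ledger, txn)

    @property
    def last_seq(self):
        return min(r.last_seq for r in self.replicas)


def simulate(n_txns, batch_every=5, shadow_copies=2):
    """Run n_txns commits, then report how far behind each off-site copy is."""
    primary = {}
    sites = {"vault": ElectronicVault(batch_every),
             "journal": RemoteJournal(),
             "shadow": DatabaseShadow(shadow_copies)}
    for seq in range(1, n_txns + 1):
        txn = Txn(seq, f"acct-{seq % 3}", 10 * seq)   # constructed transaction stream
        apply_txn(primary, txn)
        for site in sites.values():
            site.on_commit(primary, txn)
    # Disaster strikes here: the primary is gone and only the off-site copies remain.
    lost = {name: n_txns - site.last_seq for name, site in sites.items()}
    current = {"vault": sites["vault"].ledger == primary,
               "journal": sites["journal"].ledger == primary,
               "shadow": all(r.ledger == primary for r in sites["shadow"].replicas)}
    return lost, current


if __name__ == "__main__":
    lost, current = simulate(13)
    for name in lost:
        print(f"{name:<8} transactions lost: {lost[name]}  ledger current: {current[name]}")
```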
48. Model for IR/DR/BC Plan
The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans
The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations
49. The Planning Document
1. Establish responsibility for managing the document, typically the security administrator
2. Appoint a secretary to document the activities and results of the planning session(s)
3. Independent incident response and disaster recovery teams are formed, with a common planning committee
50. The Planning Document
4. Outline the roles and responsibilities for each team member
5. Develop the alert roster and lists of critical agencies
6. Identify and prioritize threats to the organization’s information and information systems
51. The Planning Process
There are six steps in the Contingency Planning process:
1. Identifying the mission- or business-critical functions
2. Identifying the resources that support the critical functions
3. Anticipating potential contingencies or disasters
4. Selecting contingency planning strategies
5. Implementing the contingency strategies
6. Testing and revising the strategy
52. Using the Plan
Before the incident
During the incident
After the incident
53. Contingency Plan
54. Law Enforcement Involvement
When the incident at hand constitutes a violation of law, the organization may determine that involving law enforcement is necessary
There are several questions which must then be answered:
– When should the organization get law enforcement involved?
– What level of law enforcement agency should be involved: local, state, or federal?
– What will happen when the law enforcement agency is involved?
Some of these questions are best answered by the organization’s legal department
55. Local, State, or Federal Authorities
Selecting the level of law enforcement depends on the level and type of crime discovered:
– The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies
– The US Secret Service works with crimes involving US currency, counterfeiting, credit cards, identity theft, and other crimes
– The US Treasury Department has a bank fraud investigation unit, and the Securities and Exchange Commission has investigation and fraud control units as well
56. State Investigative Services
Each state has its own version of the FBI (except Illinois! – interesting story why not)
These state agencies arrest individuals, serve warrants, and generally enforce laws on property that is owned by the state or any state agency
In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office
57. Local Law Enforcement
Local agencies enforce all local and state laws and handle suspects and secure crime scenes for state and federal cases
Local law enforcement agencies seldom have a computer crimes task force, but most investigative (detective) units are capable of processing crime scenes, handling most common criminal activities, and the apprehension and processing of suspects of computer related crimes
58. Benefits of Law Enforcement Involvement
Involving law enforcement agencies has advantages:
– Agencies may be much better equipped at processing evidence than private organizations
– Unless the organization has staff trained in forensics, it may be less effective in convicting suspects
59. Benefits of Law Enforcement Involvement
Involving law enforcement agencies has advantages:
– Law enforcement agencies are also prepared to handle the warrants and subpoenas needed
– Law enforcement is skilled at obtaining statements from witnesses, completing affidavits, and other information collection
60. Drawbacks to Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:
– On the downside, once a law enforcement agency takes over a case, the organization loses complete control over the chain of events
– The organization may not hear about the case for weeks or even months
61. Drawbacks to Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:
– Equipment vital to the organization’s business may be tagged as evidence, to be removed, stored, and preserved until it can be examined for possible support for the criminal case
– However, if the organization detects a criminal act, it is a legal obligation to involve the appropriate law enforcement officials
The End…
Questions?
Editor's Notes
Learning Objectives:
Upon completion of this material you should be able to:
Know what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
Understand the elements that comprise a business impact analysis and the information that is collected for the attack profile.
Recognize the components of an incident response plan and the components of the planning process.
Define the disaster recovery plan and its parts.
Define the business continuity plan and its parts.
Grasp the reasons for and against involving law enforcement officials in incident responses and when it is required.
Introduction
So far you have:
Identified the problems facing the organization
Assessed a value for the organization’s information assets
Analyzed the threats in the organization’s environment
Identified potential vulnerabilities
Assessed the risks associated with current levels of the organization’s exposure
Prepared solid business reasons to support the risk strategy the organization should adopt for each information asset
Begun to develop a security blueprint for future actions
Outlined information security architecture or the necessary policies and technologies to guide the organization’s next steps.
The next step is to examine the topic of contingency planning within the information security context.
Continuity Strategy
Managers in the IT and information security communities are called on to provide strategic planning to assure the organization of continuous information systems availability.
Each must be ready to act when a successful attack occurs.
Plans for events of this type are referred to in a number of ways:
Business Continuity Plans (BCPs),
Disaster Recovery Plans (DRPs),
Incident Response Plans (IRPs), or
Contingency Plans.
In large, complex organizations, each of these named plans may represent separate but related planning functions, differing in scope, applicability, and design.
In a small organization, the security or systems administrator may have one simple plan, which consists of a straightforward set of media backup and recovery strategies, and a few service agreements from the company’s service providers.
Many organizations have a level of planning that is woefully deficient.
We can classify Incident Response, Disaster Recovery, and Business Continuity planning, as components of Contingency Planning.
Contingency Planning (CP) is the entire planning conducted by the organization to prepare for, react to and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations.
Incident Response Planning (IRP) is the planning process associated with the identification, classification, response, and recovery from an incident.
Disaster Recovery Planning (DRP) is the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made.
Business Continuity Planning (BCP) is the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
The primary functions of these three types of planning are:
IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP.
DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP.
BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources.
Contingency Planning Team
Before any planning can begin, a team has to plan the effort and prepare the resulting documents
Champion - A high-level manager to support, promote, and endorse the findings of the project
Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
Business Impact Analysis
The first phase in the development of the CP process is the Business Impact Analysis or BIA.
A BIA is an investigation and assessment of the impact that various attacks can have on the organization, and takes up where the Risk Assessment process leaves off.
The BIA assumes that these controls have been bypassed, have failed, or are otherwise ineffective in stopping the attack, and that the attack was successful.
The question asked at this point is, if the attack succeeds, what do we do then?
Business Impact Analysis
The CP team conducts the BIA in the following stages:
Threat Attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification
Threat Attack Identification and Prioritization
Most organizations have already performed the tasks of identifying and prioritizing threats.
All that is required now is to update the threat list with the latest developments and add one additional piece of information, the attack profile.
An attack profile is a detailed description of the activities that occur during an attack. One must be developed for every serious threat the organization faces, and these profiles are used to determine the extent of damage that could result to a business unit if the attack were successful.
Business Unit Analysis
The second major task within the BIA is the analysis and prioritization of business functions within the organization.
The intent of this task is to identify the functional areas of the organization and prioritize them to determine which are most vital to the continued operations of the organization.
Efforts in function analysis focus on the result of a prioritized list of the various functions the organization performs.
Attack Success Scenario Development
Next the BIA team must create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with details on the method of attack, the indicators of attack, and the broad consequences.
Then attack success scenarios with more detail are added to the attack profile, including alternate outcomes, describing a best, worst, and most likely case that could result from each type of attack on this particular business functional area.
Potential Damage Assessment
From the attack success scenarios developed above, the BIA planning team must estimate the cost of the best, worst, and most likely cases.
These costs include the actions of the response team(s) described in subsequent sections as they act to quickly and effectively recover from any incident or disaster, and the estimates can also be used to inform management representatives from all of the organization’s communities of interest of the importance of the planning and recovery efforts.
This final result is referred to as an attack scenario end case.
Subordinate Plan Classification
Once the potential damage has been assessed, and each end case has been evaluated, a subordinate plan must be developed or identified from among existing plans already in place.
These subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario.
An attack scenario end case is categorized as disastrous or not.
The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack.
Incident Response Planning
Incident response planning covers the identification of, classification of, and response to an incident.
The IRP is made up of activities that are to be performed when an incident has been identified.
An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources.
Attacks are only classified as incidents if they have the following characteristics:
Are directed against information assets
Have a realistic chance of success
Could threaten the confidentiality, integrity, or availability of information resources.
Incident Response Planning
Incident response (IR) is the set of activities taken to plan for, detect, and correct the impact of an incident on information resources.
IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to react to an incident.
Planning for an incident requires a detailed understanding of the scenarios developed for the BIA.
Incident Planning
The pre-defined responses enable the organization to react quickly and effectively to the detected incident.
This assumes two things:
first, the organization has an IR team, and
second, the organization can detect the incident.
The IR team consists of those individuals who must be present to handle the systems and functional areas that can minimize the impact of an incident as it takes place.
Incident Planning
The designated IR teams act to verify the threat, determine the appropriate response, and coordinate the actions necessary to deal with the situation.
The military process of planned team responses can be used in an incident response.
The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident.
These plans must be properly organized and stored so that they are available when and where they are needed, in a format that supports the incident response.
Incident Response Plan
Format and Content.
The IR plan must be organized so that it supports, rather than impedes, quick and easy access to the information needed.
This can be accomplished through a number of measures, the simplest of which is to create a directory of incidents, with tabbed sections for each possible incident.
When an individual needs to respond to an incident, he or she simply opens the binder, flips to the appropriate section, and follows the clearly outlined procedures for an assigned role.
Incident Response Plan
Storage.
The information in the IR plan should be protected as sensitive information. If attackers know how a company responds to a particular incident, it could improve their chances of success in the attack.
On the other hand, the organization needs this information readily available, usually within reach of the information assets that must be manipulated during or immediately after the attack.
The bottom line is that individuals responding to the incident should not have to search frantically for needed information, especially under stress.
Incident Response Plan
Testing.
A plan untested is not a useful plan. The levels of testing strategies can vary:
Checklist.
Structured walk-through.
Simulation.
Parallel.
Full-interruption.
Incident Detection
Individuals sometimes bring an unusual occurrence to the attention of systems administrators, security administrators, or their bosses.
The most common occurrence is a complaint about technology support, often delivered to the help desk.
The mechanisms that could potentially detect an incident include intrusion detection systems, both host-based and network-based, virus detection software, systems administrators, and even the end user.
Incident Detection
Only by carefully training the user, the help desk, and all security personnel on the analysis and identification of attacks can the organization hope to quickly identify and classify an incident.
Once an attack is properly identified, the organization can effectively execute the corresponding procedures from the IR plan.
Incident classification is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident.
Incident Indicators
There are a number of occurrences that could signal the presence of an incident candidate.
Possible indicators of incidents:
1) Presence of unfamiliar files.
2) Presence or execution of unknown programs or processes.
3) Unusual consumption of computing resources.
4) Unusual system crashes.
Probable indicators of incidents:
1) Activities at unexpected times.
2) Presence of new accounts.
3) Reported attacks.
4) Notification from IDS.
Incident Indicators
Definite indicators of incidents:
1) Use of dormant accounts.
2) Changes to logs.
3) Presence of hacker tools.
4) Notifications by partner or peer.
5) Notification by hacker.
Predefined situations that signal an automatic incident:
1) Loss of availability.
2) Loss of integrity.
3) Loss of confidentiality.
4) Violation of policy.
5) Violation of law.
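As an added example (not part of the course notes), the indicator tiers above turned into triage logic run over a few constructed log lines: each line is mapped to a possible, probable or definite indicator, and the candidate is then classified. The event names, the 90-day dormancy threshold, business hours, the CPU alarm level and the escalation score are all assumptions made for the example.

```python
"""Triage of constructed log events into the incident-indicator tiers from the notes
(possible / probable / definite) to decide whether an incident candidate is an incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2024-03-04T09:12:00 LOGIN user=alice src=10.0.0.5
2024-03-04T10:00:00 RESOURCE host=web1 cpu=97
2024-03-04T23:40:00 LOGIN user=bob src=10.0.0.9
2024-03-05T02:15:00 USERADD user=svc_backup2 by=bob
2024-03-05T02:16:00 LOGIN user=oldcontractor src=10.0.0.9
2024-03-05T02:20:00 IDS_ALERT sig=port-scan src=10.0.0.9
2024-03-05T02:25:00 LOG_TRUNCATED file=/var/log/auth.log by=oldcontractor
"""

# Constructed baseline of the last successful login per account (assumed to exist
# in the organization's records); an account idle for DORMANT_DAYS is dormant.
LAST_SEEN = {
    "alice": datetime(2024, 3, 1),
    "bob": datetime(2024, 3, 3),
    "oldcontractor": datetime(2023, 9, 1),
}
DORMANT_DAYS = 90             # assumption
BUSINESS_HOURS = (8, 18)      # assumption: 08:00-17:59 local time
CPU_ALARM_PERCENT = 95        # assumption
TIER_WEIGHT = {"possible": 1, "probable": 2, "definite": 3}
ESCALATION_SCORE = 4          # assumption: two probable indicators together escalate


@dataclass(frozen=True)
class Finding:
    tier: str        # "possible", "probable" or "definite", as in the notes
    indicator: str   # the indicator name from the notes
    line: str        # the log line that produced it


def parse(line: str):
    """Split a sample line into (timestamp, event name, {key: value})."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields


def triage(log_text: str, last_seen: dict) -> list:
    """Map each log line onto the indicators listed in the notes."""
    findings = []
    for line in log_text.splitlines():
        ts, event, f = parse(line)
        if event in ("LOGIN", "USERADD"):
            # Probable: activities at unexpected times.
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append(Finding("probable", "activity at unexpected time", line))
        if event == "LOGIN":
            # Definite: use of dormant accounts.
            seen = last_seen.get(f["user"])
            if seen is not None and ts - seen > timedelta(days=DORMANT_DAYS):
                findings.append(Finding("definite", "use of dormant account", line))
        elif event == "USERADD":
            findings.append(Finding("probable", "presence of new account", line))
        elif event == "IDS_ALERT":
            findings.append(Finding("probable", "notification from IDS", line))
        elif event == "RESOURCE" and int(f.get("cpu", 0)) >= CPU_ALARM_PERCENT:
            findings.append(Finding("possible", "unusual consumption of computing resources", line))
        elif event == "LOG_TRUNCATED":
            findings.append(Finding("definite", "changes to logs", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per tier."""
    counts = {"possible": 0, "probable": 0, "definite": 0}
    for x in findings:
        counts[x.tier] += 1
    return counts


def classify(findings: list) -> str:
    """Incident classification: a definite indicator, or enough weaker ones, makes
    the candidate an incident; anything else stays a candidate for human review."""
    if not findings:
        return "none"
    if any(x.tier == "definite" for x in findings):
        return "incident"
    score = sum(TIER_WEIGHT[x.tier] for x in findings)
    return "incident" if score >= ESCALATION_SCORE else "candidate"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, LAST_SEEN)
    for x in found:
        print(f"[{x.tier:8}] {x.indicator}: {x.line}")
    print(summarize(found), "->", classify(found))
```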
Incident Indicators
When Does an Incident Become a Disaster?
An incident becomes a disaster when:
1) the organization is unable to mitigate the impact of an incident during the incident, or
2) the level of damage or destruction is so severe that the organization is unable to quickly recover. The difference may be subtle.
It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response.
Incident Reaction
Incident reaction consists of actions outlined in the IRP that guide the organization in attempting to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident.
In reacting to the incident there are a number of actions that must occur quickly.
These include notification of key personnel, assignment of tasks, and documentation of the incident.
Notification of Key Personnel
Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident. Two ways to activate an alert roster:
A sequential roster is activated as a contact person calls each and every person on the roster.
A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on.
The alert message is a scripted description of the incident, just enough information so that everyone knows what part of the IRP to implement.
Documenting an Incident
Documenting the event is important.
First, it is important to ensure that the event is recorded for the organization’s records, to know what happened, and how it happened, and what actions were taken. The documentation should record the who, what, when, where, why and how of the event.
Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident.
The recorded incident can also be used as a simulation in future training sessions.
Incident Containment Strategies
One of the most critical components of incident reaction is to stop the incident or contain its scope or impact.
However, sometimes situations prevent the most direct measures associated with simply “cutting the wire.”
Before an incident can be contained, the affected areas of the information and information systems must be determined.
In general, incident containment strategies focus on two tasks: stopping the incident and recovering control of the systems.
Incident Containment Strategies
The organization can stop the incident and attempt to recover control through a number of strategies. If the Incident:
originates outside the organization, the simplest and most straightforward approach is to sever the affected circuits.
is using compromised accounts, the accounts can be disabled.
is coming in through a firewall, the firewall can be reconfigured to block that particular traffic.
is using a particular service or process, that process or service can be disabled temporarily.
is using the organization’s systems to propagate itself, you can take down that particular application or server.
The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization.
The bottom line is that containment consists of isolating the channels, processes, services, or computers and removing the losses from that source of the incident.
INCIDENT RECOVERY
Once the incident has been contained, and control of the systems regained, the next stage is recovery.
As with reaction to the incident, the first task is to identify the human resources needed for the recovery and launch them into action.
The full extent of the damage must be assessed.
The process of computer forensics entails determining how the incident occurred and what happened.
The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.
Damage Assessment
Incident damage assessment is the immediate determination of the scope of the breach of CIA of information and assets after an incident.
There are several sources of information on the type, scope, and extent of damage, including system logs, intrusion detection logs, configuration logs and documents, the documentation from the incident response, and the results of a detailed assessment of systems and data storage.
Based on this information, the IR team must begin to examine the current state of the information and systems and compare them to a known state.
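As an added example (not from the course notes), the comparison of the current state against a known state described above, done over constructed file contents: the baseline stores only a hash and length per path, and log files get an append-only check so that a truncated or rewritten log is reported as tampered rather than as normal growth. The paths, contents and the list of log directories are assumptions made for the example.

```python
"""Damage assessment by comparing the current state of files against a known-good
baseline, with an append-only check for log files (changes to logs are a definite
indicator in the notes)."""
import hashlib
from dataclasses import dataclass, field

# Constructed "known state" snapshot (path -> content) taken before the incident.
KNOWN_GOOD = {
    "/usr/bin/sshd": b"ELF...sshd build 1",
    "/etc/passwd": b"root:x:0:0\nalice:x:1000:1000\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/var/log/auth.log": b"09:12 login alice\n",
    "/var/log/syslog": b"boot ok\n",
}
# Constructed current state found during the assessment.
CURRENT_STATE = {
    "/usr/bin/sshd": b"ELF...sshd build 1",                            # unchanged
    "/etc/passwd": b"root:x:0:0\nalice:x:1000:1000\nsvc2:x:0:1001\n",  # modified
    "/var/log/auth.log": b"02:16 login oldcontractor\n",               # rewritten, not appended
    "/var/log/syslog": b"boot ok\nservice started\n",                  # appended (normal)
    "/tmp/.x/nc": b"ELF...unknown tool",                               # unfamiliar file
}                                                                      # cron job is missing
LOG_PREFIXES = ("/var/log/",)   # assumption: paths that are expected to grow by appending


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(snapshot: dict) -> dict:
    """Record (sha256, length) per path; no content is kept, so the baseline can be
    stored away from the system it describes."""
    return {p: (digest(d), len(d)) for p, d in snapshot.items()}


@dataclass
class Assessment:
    unfamiliar: list = field(default_factory=list)     # possible indicator in the notes
    modified: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    appended_logs: list = field(default_factory=list)  # expected log growth
    tampered_logs: list = field(default_factory=list)  # definite indicator in the notes


def assess(baseline: dict, current: dict) -> Assessment:
    """Compare the current state with the baseline, path by path."""
    a = Assessment()
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            a.missing.append(path)
        elif path not in baseline:
            a.unfamiliar.append(path)
        else:
            known_hash, known_len = baseline[path]
            data = current[path]
            if digest(data) == known_hash:
                continue                                  # unchanged
            if path.startswith(LOG_PREFIXES):
                # A log that only grew still starts with the bytes that were baselined,
                # so hashing that prefix reproduces the known hash; anything else means
                # the log was truncated or rewritten.
                if len(data) > known_len and digest(data[:known_len]) == known_hash:
                    a.appended_logs.append(path)
                else:
                    a.tampered_logs.append(path)
            else:
                a.modified.append(path)
    return a


def indicators(a: Assessment) -> set:
    """Translate the assessment into the indicator names used in the notes."""
    names = set()
    if a.unfamiliar:
        names.add("presence of unfamiliar files")
    if a.tampered_logs:
        names.add("changes to logs")
    if a.modified or a.missing:
        names.add("loss of integrity")
    return names


if __name__ == "__main__":
    result = assess(take_baseline(KNOWN_GOOD), CURRENT_STATE)
    print(result)
    print(indicators(result))
```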
Damage Assessment
Related to the task of incident damage assessment is the field of computer forensics.
Computer forensics is the process of collecting, analyzing, and preserving computer-related evidence. Evidence proves an action or intent.
Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal or informal proceedings.
Circumstances require that the individuals who look for the damage receive special training, should it be determined that the incident is part of a crime or may result in a civil action.
Recovery
The recovery process involves:
Identify the vulnerabilities that allowed the incident to occur and spread and resolve them.
Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them.
Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities.
Restore the data from backups.
Restore the services and processes in use.
Continuously monitor the system.
Restore the confidence of the members of the organization’s communities of interest.
Conduct an after-action review.
Automated Response
While traditional systems were configured to detect incidents and then notify the human administrator, new systems can respond to the incident threat autonomously.
These systems, referred to as trap and trace, use a combination of resources to detect an intrusion, and then to trace incidents back to their sources.
Unfortunately, some less scrupulous administrators might even be tempted to back hack or hack into a hacker’s system to find out as much as possible about the hacker.
The problem is that the hacker may actually move into and out of a number of organizations’ systems and by tracking the hacker, administrators may wander through other organizations’ systems.
Automated Response
The trap portion frequently involves the use of honeypots or honeynets.
Honeypots are computer servers configured to resemble production systems. If a hacker stumbles into the system, alarms are set off, and the administrator notified.
Honeynets, consist of networks or subnets of systems that operate similarly.
Enticement is the process of attracting attention to a system by placing tantalizing bits of information in key locations.
Entrapment is the action of luring an individual into committing a crime to get a conviction.
Enticement is legal and ethical, while entrapment is not.
Disaster Recovery Planning
Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster, whether natural or manmade.
The contingency planning team must decide which actions constitute disasters and which constitute incidents.
At the time that a decision is made and the situation is classified as a disaster, the organization may change how it is responding and take action to secure its most valuable assets to preserve value for the longer term, even at the risk of more disruption in the immediate term.
Again, the key emphasis of a DRP is to reestablish operations at the ‘primary’ site, the location at which the organization performs its business. The goal is to make things ‘whole’ or ‘as they were’ before the disaster.
DISASTER RECOVERY PLANNING Steps
1) There must be a clear establishment of priorities.
2) There must be a clear delegation of roles and responsibilities.
3) Someone must initiate the alert roster and notify key personnel.
4) Someone must be tasked with the documentation of the disaster.
5) If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization.
Crisis Management
Crisis management includes the actions taken during and after a disaster, and focuses first and foremost on the people involved and addresses the viability of the business.
The crisis management team is responsible for managing the event from an enterprise perspective and covers:
Supporting personnel and their loved ones during the crisis
Determining the event's impact on normal business operations and, if necessary, making a disaster declaration
Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties.
Disaster Recovery Planning
The crisis management team should establish a base of operations or command center to support communications until the disaster has ended and includes individuals from all functional areas of the organization to facilitate communications and cooperation.
Some key areas of crisis management include:
1) Verifying personnel head count.
2) Checking the alert roster.
3) Checking emergency information cards.
Crisis management must balance the needs of the employees with the needs of the business in providing personnel with support for personal and family issues during disasters.
DRP Structure
Similar in structure to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster.
It also provides details on the roles and responsibilities of the various individuals involved in the disaster recovery effort, and identifies the personnel and agencies that must be notified.
Just as the IRP must be tested, so must the DRP, using the same testing mechanisms.
Reaction to a disaster can vary so widely that it is impossible to describe the process with any accuracy.
As a result it is up to each organization to examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters.
Should the physical facilities be spared after the disaster, the disaster recovery team should begin the restoration of systems and of data to work toward full operational capability.
If the organization’s facilities do not survive, alternative actions must be taken until new facilities can be acquired.
Business Continuity Planning
Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations at the primary site.
If a disaster has rendered the current location of the business unusable for continued operations, there must be a plan to allow the business to continue to function.
Continuity Strategies
There are a number of strategies that an organization can choose from when planning for business continuity.
The determining factor in selection between these options is usually cost.
In general there are three exclusive options:
hot sites,
warm sites, and
cold sites,
and three shared functions:
timeshare,
service bureaus, and
mutual agreements.
Off-Site Disaster Data Storage
To get these types of sites up and running quickly, the organization must have the ability to port data into the new site’s systems.
There are a number of options for getting operations up and running quickly, and some of these options can be used for purposes other than restoration of continuity.
These include:
Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
Remote Journaling - The transfer of live transactions to an off-site facility; only transactions are transferred not archived data, and the transfer is real-time.
Database shadowing - Not only duplicates real-time data storage but also replicates the databases at the remote site to multiple servers.
Model For IR/DR/BC Plan
The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans.
The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations.
The Planning Document
Establish the responsibility for managing the document, typically the security administrator.
Appoint a secretary to document the activities and results of the planning session.
Independent incident response and disaster recovery teams are formed, sharing a common planning committee.
Outline the roles and responsibilities for each team member.
Develop the alert roster and the lists of critical agencies.
Identify and prioritize threats to the organization’s information and information systems.
The Planning Process
There are six steps in the contingency planning process:
1. Identifying the mission- or business-critical functions.
2. Identifying the resources that support the critical functions.
3. Anticipating potential contingencies or disasters.
4. Selecting contingency planning strategies.
5. Implementing the contingency strategies.
6. Testing and revising the strategy.
The Planning Document
1. During the incident. Develop and document the procedures that must be performed during the incident. Group procedures and assign to individuals. Each member of the planning committee begins to draft a set of function-specific procedures.
2. After the incident. Develop the procedures that must be performed immediately after the incident has ceased. Again, separate functional areas may develop different procedures.
3. Before the incident. Draft those tasks that must be performed to prepare for the incident. These are the details of the data backup schedules, the disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans if any.
The Planning Document
Finally the IR portion of the plan is assembled. Sections detailing the organization’s DRP and BCP efforts are placed after the incident response sections.
Critical information as outlined in these planning sections is recorded, including information on alternate sites, etc., as indicated in the “before the incident” section, applicable to the disaster recovery and business continuity efforts.
Multiple copies for each functional area are created, cataloged, and signed out to responsible individuals.
Using the Plan
During the incident
Develop and document the procedures that must be performed during the incident
Group procedures and assign to individuals
Each member of the planning committee begins to draft a set of function-specific procedures
After the incident
Develop the procedures that must be performed immediately after the incident has ceased
Again, separate functional areas may develop different procedures
Before the incident
Draft those tasks that must be performed to prepare for the incident
These are the details of the data backup schedules, the disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans if any
Law Enforcement Involvement
There may come a time, when it has been determined that the incident at hand exceeds the violation of policy and constitutes a violation of law.
The organization may determine that involving law enforcement is necessary.
There are several questions which must then be answered.
When should the organization get law enforcement involved?
What level of law enforcement agency should be involved: local, state or federal?
What will happen when the law enforcement agency is involved?
Some of these questions are best answered by the organization’s legal department.
Local, State, or Federal Authorities
Selecting the level of law enforcement to involve depends in part on the level and type of crime discovered.
The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies.
The US Secret Service investigates crimes involving US currency, counterfeiting, credit cards, identity theft, and other financial crimes.
The US Treasury Department has a bank fraud investigation unit, and the Securities and Exchange Commission has investigation and fraud control units as well.
However, due to the heavy caseload these agencies must handle, they typically give preference to incidents that affect the national critical infrastructure or that have significant economic impact.
State Investigative Services
Each state has its own version of the FBI (except Illinois; the reason why is an interesting story).
These state agencies arrest individuals, serve warrants, and generally enforce laws on property that is owned by the state or any state agency.
In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office
Local Law Enforcement
Local agencies enforce all local and state laws and handle suspects and secure crime scenes for state and federal cases.
Local law enforcement agencies seldom have a computer crimes task force, but their investigative (detective) units are quite capable of processing crime scenes and handling the most common criminal activities, such as physical theft or trespassing and damage to property, as well as the apprehension and processing of suspects in computer-related crimes.
Benefits of Law Enforcement Involvement
Involving law enforcement agencies has both advantages and disadvantages. The agencies may be much better equipped to process evidence than a particular organization.
Unless the organization’s security staff have been trained in evidence handling and computer forensics, they may do more harm than good in extracting the information needed to legally convict a suspect: evidence collected without a documented chain of custody may be inadmissible.
Law enforcement agencies are also prepared to handle the warrants and subpoenas necessary to document a case.
They are also adept at obtaining statements from witnesses, affidavits, and other required documents.
Law enforcement personnel can be a security administrator’s greatest ally in the war on computer crime.
It is therefore important to get to know your local and state counterparts before you have to make a call announcing a suspected crime.
Drawbacks to Law Enforcement Involvement
On the downside, once a law enforcement agency takes over a case, the organization loses control over the chain of events, the collection of information and evidence, and the prosecution of suspects.
An individual the organization may wish only to censure and dismiss may instead face criminal charges, in which case the intricate details of the offense become a matter of public record.
The organization may not hear about the case for weeks or even months.
Equipment vital to the organization’s business may be tagged as evidence, to be removed, stored, and preserved until it can be examined for possible support of the criminal case.
However, if the organization detects a criminal act, it may be legally obligated to involve the appropriate law enforcement officials; whether and when such a reporting obligation applies depends on the jurisdiction and the nature of the crime, and is another question for the legal department.