Chapter 1
Information Security Management

                COMP4690, HKBU     1
   Concept of Information Security Management
   Information Classification Process
   Security Policy Implementation
   The roles and responsibilities of Security
   Risk Management Assessment
   Security Awareness Training

   Information Security is to protect an
    organization’s valuable resources.
   It ensures that all resources are protected,
    and available to an organization, at all times,
    when needed. This leads to information
    classification, and security policy.
   However, security issues cannot be
    eliminated completely. This leads to the Risk
Purposes of Information
Security Management
   Three basic requirements
       Availability
           Assure that a computer system is accessible by
            authorized users whenever needed.
       Integrity
           To protect the system information from intentional or
            accidental unauthorized changes.
       Confidentiality
           Assure that unauthorized people cannot access the
            protected information.
Other Concepts in Security
   Identification
       The means by which users claim their identities to a system.
        Used for access control.
   Authentication
       The testing or reconciliation of evidence of a user’s identity.
   Accountability
       Audit trails and logs.
   Authorization
       The rights and permissions granted to an individual.
   Privacy
       The level of confidentiality and privacy protection.
Information Classification
   Why do we need information classification?
       Not all data has the same value to an
       Should focus the protection and control on the
        information that needs it the most.
       Can be used to comply with privacy laws, or to
        enable regulatory compliance.

Classification Terms
   In governmental data classification
       Unclassified: can be released to public
       Sensitive but unclassified: minor secret, no
        serious damage if disclosed
       Confidential: unauthorized disclosure could cause
        some damage
       Secret: unauthorized disclosure could cause
        serious damage
       Top secret: unauthorized disclosure could cause
        exceptionally grave damage to national security

Classification Terms
   In private sector
       Public: similar to unclassified
       Sensitive: requires a higher level of classification
        than normal data
       Private: intended for company use only, such as
        salary levels
       Confidential: very sensitive data, unauthorized
        disclosure could seriously and negatively impact a

Classification Procedures
      The following steps are listed in priority order
    1.   Identify the administrator/custodian
    2.   Specify the criteria of how the information will be classified and
    3.   Classify the data by its owner, who is subject to review by a
    4.   Specify and document any exceptions to the classification
    5.   Specify the controls that will be applied to each classification
    6.   Specify the termination procedures for declassifying the
         information or for transferring custody of the information to
         another entity
    7.   Create an enterprise awareness program about the
         classification controls

Information Classification
   Owner
       Information owner may be an executive or manager of an
        organization. He is responsible for the asset of information
        that must be protected. He makes the original
        determination to decide what level of classification the
        information requires. He delegates the responsibility of
        data protection duties to the custodian.
   Custodian
       Information custodian is delegated the responsibility of
        protecting the information by its owner. This role is
        commonly executed by IT systems personnel.
   User
       End user can be anyone (operator, employee, or external
        party) who routinely uses the information as part of their job.
Policies, Standards,
Guidelines, Procedures
   Security policies are the basis for a sound
    security implementation.
   Questions:
       What are policies, standards, guidelines, and
       Why do we use policies, standards, guidelines,
        and procedures?
       What are the common policy types?

   Policies are considered the first and highest
    level of documentation, from which the lower
    level elements of standards, procedures, and
    guidelines flow.
   Usually are general statements.

Policies hierarchy
       Senior Management Statement of Policy

           General organizational Policies

                Functional Policies

               Mandatory Standards                Baselines

             Recommended Guidelines

                Detailed Procedures

   Senior Management Statement of Policy
       The first policy of any policy creation process
       A general, high-level statement which contains
           An acknowledgement of the importance of the
            computing resources to the business model
           A statement of support for information security
            throughout the enterprise
           A commitment to authorize and manage the definition
            of the lower level standards, procedures, and

Standards, Guidelines,
   These are the three elements of policy
    implementation, which contain the actual details of
    the policy.
   They should be separate documents from the
    general policies.
   Standards: specify the use of specific technologies
    in a uniform way. They are compulsory.
   Guidelines: similar to standards, but more flexible,
    not compulsory, just recommendations.
   Procedures: embody the detailed steps that are
    followed to perform a specific task. The lowest level
    in the policy chain.
Roles and Responsibilities
Role              Description
Senior Manager Has the ultimate responsibility for security

InfoSec Officer   Has the functional responsibility for security

Owner             Determines the data classification

Custodian         Preserves the information’s C.I.A.

User/Operator     Performs the stated policies

Auditor           Examines security

Risk Analysis and Assessment
   Risk Management
       Identifying, analyzing and assessing, mitigating, or
        transferring risk
   Core problems:
       What could happen (threat event) ?
       If it happened, how bad could it be (threat impact) ?
       How often could it happen (threat frequency, annualized) ?
       How certain are the answers to the first three questions
        (recognition of uncertainty) ?

   Risk Analysis
       The process of analyzing a target environment and the
        relationships of its risk-related attributes. It should identify
        threat vulnerabilities, associate these vulnerabilities with
        affected assets, identify the potential for and nature of an
        undesirable result, and identify and evaluate risk-reducing
   Risk Assessment
       The assignment of value to assets, threat frequency,
        consequence, and other elements of chance. It is used to
        characterize both the process and the result of analyzing
        and assessing risk.

   After risk analysis and assessment, three
    more questions:
       What can be done (risk mitigation) ?
       How much will it cost (annualized) ?
       Is it cost-effective (cost/benefit analysis) ?
   It’s essential that the process of analyzing
    and assessing risk is well understood by all
    parties and executed on a timely basis.

Terms and definitions
   Single Loss Expectancy or Exposure (SLE)
       The monetary loss for each occurrence of a threatened
       SLE = Asset Value x Exposure Factor
   Exposure Factor (EF)
       Represents a measure of the magnitude of loss or impact
        on the value of an asset. Expressed as a percent, ranging
        from 0 to 100%, of asset value loss arising from a threat
       A threat event could be a tornado, theft, or computer virus

   Annualized Rate of Occurrence (ARO)
       The frequency with which a threat is expected to
        occur. E.g., a threat occurring 50 times in a given
        year has an ARO of 50, and a threat occurring 1
        time in 10 years has an ARO of 0.1.
   Annualized Loss Expectancy (ALE)
       ALE = SLE x ARO

Asset                 Risk     Asset Value   Potential Loss (SLE)   Annualized Frequency (ARO)   Annual Loss Expectancy
Facility              Fire     $560,000      $230,000               .25                          $57,500
Trade                 Stolen   $43,500       $40,000                .75                          $30,000
File Server           Failed   $11,500       $11,500                .5                           $5,750
Data                  Virus    $8,900        $6,500                 .8                           $5,200
Customer Credit Card  Stolen   $323,500      $300,000               .65                          $195,000
Central Tasks
   Establish Information Risk Management (IRM)
   Establish and Fund an IRM Team
   Establish IRM Methodology and Tools
   Identify and Measure Risk
   Project Sizing

Risk analysis process
   Asset valuation process
       Determine the value of an asset
   Quantitative risk analysis
       Assign independent, objective numeric values to the
        components of the risk assessment and to the assessment
        of potential losses
   Qualitative risk analysis
       Address intangible values of data loss
   Safeguard selection
       Cost/benefit analysis
       Value of safeguard = (ALE before) – (ALE after) – annual
        safeguard cost
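As an added worked example (not part of the original slides), the SLE, ALE and safeguard formulas above applied to the register from the ALE table in Python. The EF values are derived here as SLE / asset value because the slide lists SLE directly, and the fire-suppression figures used for the cost/benefit check are assumed, not taken from the slides.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

Added example; not part of the original lecture slides. The register below
is constructed from the figures in the slide's ALE table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from a quantitative risk register."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is a fraction of AV, 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"EF must be between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. An ARO below 1 means less than one event per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = (ALE before) - (ALE after) - annual safeguard cost."""
    return ale_before - ale_after - annual_cost


def is_cost_effective(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A control is worth buying only when its safeguard value is positive."""
    return safeguard_value(ale_before, ale_after, annual_cost) > 0


# Constructed register: AV, SLE and ARO copied from the slide's table;
# EF derived as SLE / AV because the slide does not list EF.
REGISTER = [
    Exposure("Facility", "Fire", 560_000, 230_000 / 560_000, 0.25),
    Exposure("Trade", "Stolen", 43_500, 40_000 / 43_500, 0.75),
    Exposure("File Server", "Failed", 11_500, 1.0, 0.5),
    Exposure("Data", "Virus", 8_900, 6_500 / 8_900, 0.8),
    Exposure("Customer Credit Card", "Stolen", 323_500, 300_000 / 323_500, 0.65),
]


def ale_table(register):
    """Return (asset, threat, SLE, ALE) rows, rounded to whole dollars."""
    rows = []
    for e in register:
        sle = single_loss_expectancy(e.asset_value, e.exposure_factor)
        ale = annualized_loss_expectancy(sle, e.aro)
        rows.append((e.asset, e.threat, round(sle), round(ale)))
    return rows


def total_ale(register) -> int:
    """Sum of ALE over the register: expected annual loss before any new controls."""
    return sum(row[3] for row in ale_table(register))


if __name__ == "__main__":
    for asset, threat, sle, ale in ale_table(REGISTER):
        print(f"{asset:<22}{threat:<8}SLE ${sle:>9,}  ALE ${ale:>9,}")
    print(f"Total ALE: ${total_ale(REGISTER):,}")
    # Hypothetical fire-suppression control (assumed figures, not from the slides):
    # cuts the fire ALE from $57,500 to $20,000 at an annual cost of $15,000.
    print("Cost-effective:", is_cost_effective(57_500, 20_000, 15_000))
```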

Security Awareness and
   People are often the weakest link in a
    security chain.
   Employees must be aware of the need to
    secure information and to protect the
    information assets of an enterprise.
   Operators need training in the skills to fulfill
    their job functions securely.

Chapter 2
Business Continuity Planning
Disaster Recovery Planning

   Business Continuity Planning (BCP)
       Make the plans and create the framework to ensure that
        the business can continue in an emergency. It includes:
         Scope and plan initiation
         Business impact analysis (BIA)
         Business continuity plan development

   Disaster Recovery Planning (DRP)
       Recover from an emergency with the minimum of impact to
        the organization. It includes:
         Disaster recovery planning processes
         Testing the disaster recovery plan
         Disaster recovery procedures

Business Continuity Planning
   Objectives
       To prevent interruptions to normal business activity
       To protect critical business processes from natural or
        man-made failures or disasters
       To minimize the effect of disturbances and to allow for
        resumption of business processes
       To reduce the risk of financial loss and enhance a
        company’s ability to recover from a disruptive event
       To minimize the cost associated with the disruptive event
        and mitigate the risk associated with it

Disruptive Events
   Natural events:
       Fires, explosions, hazardous material spills of
        environmental toxins
       Earthquakes, storms, floods, and fires due to acts of nature
       Power outages or other utility failures
   Man-made events:
       Bombings, sabotages, or other intentional attacks
       Strikes and job actions
       Employee or operator unavailability due to emergency
        evacuation or other issues
       Communications infrastructure failures

   Scope and Plan Initiation
       The first step to create a BCP
       Create the scope for the plan, and the other elements
        needed to define the parameters of the plan
       Examine the company’s operations and support services
       Scope activities:
         Create a detailed account of the work required

         List the resources to be used

         Define the management practices to be employed

BCP (I):
roles and responsibilities
Who                                 Does What
Executive management staff          Initiates the project, gives final approval,
                                    and gives ongoing support

Senior business unit management Identifies and prioritizes time-critical

BCP committee                       Directs the planning, implementation, and
                                    test processes

Functional business units           Participate in implementation and testing

   Business Impact Analysis (BIA)
       To create a document to be used to help understand what
        impact a disruptive event would have on the business
   Three primary goals
       Criticality prioritization: time-critical business process vs.
        non-time-critical business process
       Downtime estimation: what is the longest period of time a
        critical process can remain interrupted before the company
        can never recover – maximum tolerable downtime (MTD)
       Resource requirements: the most time-sensitive processes
        may need the most resource allocation

BCP (II): BIA Steps
   Gathering assessment materials
       Which business units are critical to continuing an acceptable level of operations
       Organizational chart, functional interrelationships of the organization
   Performing vulnerability assessment
       Quantitative: financial assessment
           Incurring financial losses from loss of revenue, capital expenditure, or personal liability
           Additional operational expenses incurred due to the disruptive event
           Incurring financial losses from violation of contract agreements, violation of regulatory or
            compliance requirements
       Qualitative: operational assessment
           Loss of competitive advantage or market share
           Loss of public confidence or credibility, or public embarrassment
       Define the Critical support areas that must be present to sustain continuity of the
        business processes
           Telecommunications, data communications, information technology areas
           Physical infrastructure or plant facilities, transportation services
           Accounting, payroll, transaction processing, customer service, purchasing

BCP (II): BIA Steps
   Analyzing the information
     Documenting required processes, identifying interdependencies,
      and determining what an acceptable interruption period would be
     To describe what support the defined critical areas will require to
      preserve the revenue stream and maintain pre-defined processes
   Documentation and recommendation
     Full documentation of all the processes, procedures, analysis,
      and results, and the presentation of recommendations to the
      appropriate senior management.
     Contain the gathered material, list the identified critical support
      areas, summarize the quantitative and qualitative impact
      statements, and provide the recommended recovery priorities
      generated from the analysis

   Business Continuity Plan Development
     Use the information collected in BIA to create the recovery
       strategy plan to support the critical business functions.
   Defining the continuity strategy, which should include the following:
          Computing: to preserve the elements of hardware, software,
           communication lines, applications, and data
          Facilities: to address the use of the main buildings or campus and any
           remote facilities
          People: operators, management, and technical support personnel will
           have defined roles in implementing the continuity strategy
          Supplies and equipment: paper, forms, or specialized security
           equipment must be defined
   Documenting the continuity strategy

   Plan Approval and Implementation
       Senior management approval
       Create an awareness of the plan enterprise-wide
           Specific training may be required for certain personnel
            to carry out their tasks
       Maintenance of the plan
           Use job descriptions that centralize responsibility for
           Create audit procedures that can report regularly on
            the state of the plan
           Ensure multiple versions of the plan do not exist
Disaster Recovery Planning
   Objective
       To provide an organized way to make decisions if a
        disruptive event occurs
       To reduce confusion and enhance the ability of the
        organization to deal with the crisis
       To protect an organization from major computer services
       To minimize the risk to the organization from delays in
        providing services
       To guarantee the reliability of standby systems through
        testing and simulation
       To minimize the decision-making required by personnel
        during a disaster

I. DRP Process
   This phase involves the development and creation
    of the recovery plans.
   Define the steps we will need to perform to protect
    the business in the event of an actual disaster.
   Two steps:
       Data processing continuity planning
         Planning for the disaster and creating the plans to cope with
       Data recovery plan maintenance
         Keeping the plans up-to-date and relevant

Processing Backup Services
   Processing backup services are very
    important to the disaster recovery plan
   Most common alternate processing types
       Mutual aid agreements
       Subscription services
       Multiple centers
       Service bureaus
       Other data center backup alternatives

Mutual aid agreements
   An arrangement with another company that may have similar
    computing needs.
   Both parties agree to support each other in the case of a
    disruptive event. Assumes each organization’s operations area
    will have the capacity to support the other’s in time of need.
   Advantages:
     Allows an organization to obtain a disaster processing site at very
        little or no cost.
   Disadvantages:
     Difficult to have extra unused capacity to enable full operational
        processing during the event.
     What happens if both organizations are affected by a large
   Should be considered only if there is a perfect partner, and there
    is no other alternative to disaster recovery.
Subscription services
   Rely on third-party, commercial services
   Three basic forms of subscription services
       Hot site
           Fully configured computer facility with electrical power and HVAC (heating,
            ventilation, air conditioning), and functioning servers and workstations.
           24/7 availability, exclusivity of use, immediately available after the disruptive
            event occurs
           The most expensive option, with intensive administrative overhead
       Cold site
           A room with electrical power and HVAC, communications links may be ready
            or not.
           It is ready for equipment to be brought in during an emergency, but no
            computer hardware resides at the site.
       Warm site
           A cross between hot site and cold site. Computer facilities are ready with
            electrical power and HVAC, but the applications may not be installed or
            configured, and there is no full complement of workstations.
           Takes some time and effort to start production processing at the new site.

Multiple centers
   The processing is spread over several
    operations centers
   Could be owned and managed by the same
    organization or used in conjunction with some
    sort of reciprocal agreement.
   Has the same disadvantage as for mutual aid.

Service Bureaus
   Contract with a service bureau to fully provide
    all alternate backup processing services
   Quick response and availability, possible
   Disadvantages:
       Expense
       Resource contention during a large emergency

Transaction Redundancy
   Electronic vaulting
       The transfer of backup data to an off-site location
   Remote journaling
       The parallel processing of transactions to an
        alternate site. A communications line is used to
        transmit live data as it occurs.
   Database shadowing
       To create even more redundancy by duplicating
        the database sets to multiple servers.
Disaster Recovery Plan
   Disaster recovery plans often get out of date.
   Like BCP maintenance
   To build maintenance procedures into the
   To create audit procedures that can report
    regularly on the state of the plan

II. Testing the DRP
   Regular disaster recovery drills and tests are
    a cornerstone of any disaster recovery plan.
   Reasons for testing
       Verify the accuracy of the recovery procedures
        and identify deficiencies
       Prepare and train the personnel to execute their
        emergency duties
       Verify the processing capability of the alternate
        backup site
Five Test Types
   Checklist
       Distribute copies of the plan to each business unit for review, to ensure the plan
        addresses all procedures and critical areas of the organization. This is a preliminary
        step to a real test.
   Structured walk-through
       Business unit management representatives meet to walk through the plan. To ensure
        that the plan accurately reflects the organization’s ability to recover successfully.
   Simulation
       All the operational and support personnel expected to perform during an actual
        emergency meet in a practice session. To test the ability of the personnel to respond to
        a simulated disaster.
   Parallel
       A full test of the recovery plan, utilizing all personnel. Critical systems are run at an
        alternate site.
   Full-interruption
       A disaster is replicated even to the point of ceasing normal production operations. The
        plan is totally implemented as if it were a real disaster.

III. Disaster recovery
   This part details
       what roles various personnel will take on
       what tasks must be implemented to recover and
        salvage the site
       how the company interfaces with external groups
       financial considerations.

Primary element
   The recovery team
     To implement the recovery procedures at the declaration of the
      disaster. To get the pre-defined critical business functions
      operating at the alternate backup processing site.
   The salvage team
     To return the primary site to normal processing environmental
      conditions. To identify sources of expertise, equipment, and
      supplies that can make the return to the site possible.
   Normal operations resumption
     To return production processing from alternate site to the primary
      site with the minimum of disruption and risk
   Other recovery issues
     Interfacing with external groups; employee relations; fraud and
      crime; financial disbursement; media relations

