
INFORMATION ASSURANCE AND SECURITY 1 60

Chapter 5: Planning for Security

Overview
This chapter details the major components, scope, and target audience for each of the levels of security
policy. This chapter also explains data classification schemes, both military and private, as well as the
security education training and awareness (SETA) program. The chapter examines the planning process
that supports business continuity, disaster recovery, and incident response; it also describes the
organization’s role during incidents and specifies when the organization should involve outside law
enforcement agencies.

Learning Objectives
Upon completion of this material, you should be able to:
 Define management’s role in the development, maintenance, and enforcement of information
security policy, standards, practices, procedures, and guidelines
 Describe what an information security blueprint is, identify its major components, and explain how
it supports the information security program
 Discuss how an organization institutionalizes its policies, standards, and practices using education,
training, and awareness programs
 Explain what contingency planning is and how it relates to incident response planning, disaster
recovery planning, and business continuity plans

Information Security Planning and Governance

Strategic planning sets out the long-term direction to be taken by the whole organization and by each of its
component parts. Strategic planning should guide organizational efforts and focus resources toward
specific, clearly defined goals. After an organization develops a general strategy, it generates an overall
strategic plan by extending that general strategy into strategic plans for major divisions. Each level of each
division then translates those plan objectives into more specific objectives for the level below. To execute
this broad strategy and turn the general strategy into action, the executive team (sometimes called the C-
level of the organization, as in CEO, COO, CFO, CIO, and so on) must first define individual
responsibilities. The conversion of goals from one strategic level to the next lower level is perhaps more art
than science. It relies on an executive’s ability to know and understand the strategic goals of the entire
organization, to know and appreciate the strategic and tactical abilities of each unit within the organization,
and to negotiate with peers, superiors, and subordinates. This mix of skills helps to achieve the proper
balance between goals and capabilities.

Planning Levels
Once the organization’s overall strategic plan is translated into strategic plans for each major division or
operation, the next step is to translate these plans into tactical objectives that move toward reaching specific,
measurable, achievable, and time-bound accomplishments. The process of strategic planning seeks to
transform broad, general, sweeping statements into more specific and applied objectives. Strategic plans
are used to create tactical plans, which are in turn used to develop operational plans.

Tactical planning focuses on shorter-term undertakings that will be completed within one or two years. The
process of tactical planning breaks each strategic goal into a series of incremental objectives. Each objective
in a tactical plan should be specific and should have a delivery date within a year of the plan’s start.
Budgeting, resource allocation, and personnel are critical components of the tactical plan. Although these
components may be discussed in general terms at the strategic planning level, the actual resources must be
in place before the tactical plan can be translated into the operational plan. Tactical plans often include
project plans and resource acquisition planning documents (such as product specifications), project budgets,
project reviews, and monthly and annual reports.

Because tactical plans are often created for specific projects, some organizations call this process project
planning or intermediate planning. The chief information security officer (CISO) and the security managers
use the tactical plan to organize, prioritize, and acquire resources necessary for major projects and to provide
support for the overall strategic plan.

Managers and employees use operational plans, which are derived from the tactical plans, to organize the
ongoing, day-to-day performance of tasks. An operational plan includes the necessary tasks for all relevant
departments, as well as communication and reporting requirements, which might include weekly meetings,
progress reports, and other associated tasks. These plans must reflect the organizational structure, with each
subunit, department, or project team conducting its own operational planning and reporting. Frequent
communication and feedback from the teams to the project managers and/or team leaders, and then up to
the various management levels, will make the planning process as a whole more manageable and successful.

Planning and the CISO


The first priority of the CISO and the information security management team is the creation of a strategic
plan to accomplish the organization’s information security objectives. While each organization may have
its own format for the design and distribution of a strategic plan, the fundamental elements of planning
share characteristics across all types of enterprises. The plan is an evolving statement of how the CISO and
the various elements of the organization will implement the objectives of the information security charter
that is expressed in the enterprise information security policy (EISP).

Information Security Governance


Governance is “the set of responsibilities and practices exercised by the board and executive management
with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks
are managed appropriately and verifying that the enterprise’s resources are used responsibly.”1 Governance
describes the entire process of governing, or controlling, the processes used by a group to accomplish some
objective.

Just like governments, corporations and other organizations have guiding documents – corporate charters
or partnership agreements – as well as appointed or elected leaders or officers, and planning and operating
procedures. These elements in combination provide corporate governance. Each operating unit within an
organization also has controlling customs, processes, committees, and practices. The information security
group’s leadership monitors and manages all of the organizational structures and processes that safeguard
information. Information security governance, then, is the application of the principles of corporate
governance—that is, executive management’s responsibility to provide strategic direction, ensure the
accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible
resource utilization—to the information security function.

The governance of information security is a strategic planning responsibility whose importance has grown
over recent years. Many consider good information security practices and sound information security
governance a component of U.S. homeland security. Unfortunately, information security is all too often
regarded as a technical issue when it is, in fact, a management issue. In order to secure information assets,
an organization’s management must integrate information security practices into the fabric of the
organization, expanding corporate governance policies and controls to encompass the objectives of the
information security process.

Information security objectives must be addressed at the highest levels of an organization’s management
team in order to be effective and sustainable. When security programs are designed and managed as a
technical specialty in the IT department, they are less likely to be effective. A broader view of information
security encompasses all of an organization’s information assets, including the knowledge managed by
those IT assets.

The value of the information assets of an organization must be protected regardless of how the data within
it are processed, stored, or transmitted, and with a thorough understanding of the risks to, and the benefits
of, the information assets. According to the Information Technology Governance Institute (ITGI),
information security governance includes all of the accountabilities and methods undertaken by the board
of directors and executive management to provide strategic direction, establishment of objectives,
measurement of progress toward those objectives, verification that risk management practices are
appropriate, and validation that the organization’s assets are used properly.

Information Security Governance Outcomes


The five goals of information security governance are:

 Strategic alignment of information security with business strategy to support organizational
objectives
 Risk management by executing appropriate measures to manage and mitigate threats to information
resources
 Resource management by utilizing information security knowledge and infrastructure efficiently
and effectively
 Performance measurement by measuring, monitoring, and reporting information security
governance metrics to ensure that organizational objectives are achieved
 Value delivery by optimizing information security investments in support of organizational
objectives

Information Security Policy, Standards, and Practices

Management from all communities of interest, including general staff, information technology, and
information security, must make policies the basis for all information security planning, design, and
deployment. Policies direct how issues should be addressed and technologies should be used. Policies do
not specify the proper operation of equipment or software – this information should be placed in the
standards, procedures, and practices of users’ manuals and systems documentation. In addition, policy
should never contradict law, because this can create a significant liability for the organization.

Quality security programs begin and end with policy. Information security is primarily a management
problem, not a technical one, and policy is a management tool that obliges personnel to function in a manner
that preserves the security of information assets. Security policies are the least expensive control to execute,
but the most difficult to implement properly. They have the lowest cost in that their creation and
dissemination requires only the time and effort of the management team. Even if the management team
hires an outside consultant to help develop policy, the costs are minimal compared to those of technical
controls. However, shaping policy is difficult because policy must:

 Never conflict with laws
 Stand up in court, if challenged
 Be properly administered through dissemination and documented acceptance

Definitions
A policy is a plan or course of action that conveys instructions from an organization’s senior management
to those who make decisions, take actions, and perform other duties. Policies are organizational laws in that
they dictate acceptable and unacceptable behavior within the organization. Like laws, policies define what
is right, what is wrong, what the penalties are for violating policy, and what the appeal process is.

Standards are more detailed statements of what must be done to comply with policy. They have the same
requirements for compliance as policies. Standards may be informal or part of an organizational culture, as
in de facto standards. Or standards may be published, scrutinized, and ratified by a group, as in formal or
de jure standards.

Policies are put in place to support the mission, vision, and strategic planning of an organization. The
mission of an organization is a written statement of an organization’s purpose. The vision of an organization
is a written statement about the organization’s goals. Strategic planning is the process of moving the
organization toward its vision.

The meaning of the term security policy depends on the context in which it is used. Governmental agencies
view security policy in terms of national security and national policies to deal with foreign states. In general,
a security policy is a set of rules that protect an organization’s assets. An information security policy
provides rules for the protection of the information assets of the organization.

Management must define three types of security policy, according to the National Institute of Standards
and Technology’s Special Publication 800-14:

1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

For a policy to be effective and thus legally enforceable, it must meet the following criteria:

 Dissemination (distribution) — The organization must be able to demonstrate that the policy has
been made readily available for review by the employee. Common dissemination techniques
include hard copy and electronic distribution.

 Review (reading) — The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for illiterate, non-English reading, and reading-
impaired employees. Common techniques include recording the policy in English and other
languages.

 Comprehension (understanding) — The organization must be able to demonstrate that the
employee understood the requirements and content of the policy. Common techniques include
quizzes and other assessments.

 Compliance (agreement) — The organization must be able to demonstrate that the employee agrees
to comply with the policy, through act or affirmation. Common techniques include logon banners
which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed
document clearly indicating the employee has read, understood, and agreed to comply with the
policy.

 Uniform enforcement — The organization must be able to demonstrate that the policy has been
uniformly enforced, regardless of employee status or assignment.

Enterprise Information Security Policy


An enterprise information security policy (EISP) is also known as a general security policy,
organizational security policy, IT security policy, or information security policy. The EISP is based on and
directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope,
and tone for all security efforts. The EISP is an executive-level document, usually drafted by or in
cooperation with the chief information officer of the organization. This policy is usually two to ten pages
long and shapes the philosophy of security in the IT environment. The EISP usually needs to be modified
only when there is a change in the strategic direction of the organization.

The EISP guides the development, implementation, and management of the security program. It sets out
the requirements that must be met by the information security blueprint or framework. It defines the
purpose, scope, constraints, and applicability of the security program. It also assigns responsibilities for the
various areas of security, including systems administration, maintenance of the information security
policies, and the practices and responsibilities of the users. Finally, it addresses legal compliance.

EISP documents should include the following elements:

 An overview of the corporate philosophy on security
 Information on the structure of the information security organization and individuals who fulfill
the information security role
 Fully articulated responsibilities for security that are shared by all members of the organization
(employees, contractors, consultants, partners, and visitors)
 Fully articulated responsibilities for security that are unique to each role within the organization

The components of a good EISP are shown in Table 5.1.


Table 5.1: Components of the EISP

Issue-Specific Security Policy (ISSP)


As an organization executes various technologies and processes to support routine operations, it must
instruct employees on the proper use of these technologies and processes. In general, the issue-specific
security policy, or ISSP, (1) addresses specific areas of technology as listed below, (2) requires frequent
updates, and (3) contains a statement on the organization’s position on a specific issue. An ISSP may cover
the following topics, among others:

 E-mail
 Use of the Internet
 Specific minimum configurations of computers to defend against worms and viruses
 Prohibitions against hacking or testing organization security controls
 Home use of company-owned computer equipment
 Use of personal equipment on company networks
 Use of telecommunications technologies (fax and phone)
 Use of photocopy equipment

The components of an ISSP are discussed below:

1. Statement of Policy
The policy should begin with a clear statement of purpose. Consider a policy that covers the issue of fair
and responsible use of the Internet. The introductory section of this policy should outline these topics: What
is the scope of this policy? Who is responsible and accountable for policy implementation? What
technologies and issues does it address?

2. Authorized Access and Usage of Equipment


This section of the policy statement addresses who can use the technology governed by the policy, and what
it can be used for. Remember that an organization’s information systems are the exclusive property of the
organization, and users have no particular rights of use. Each technology and process is provided for
business operations. Use for any other purpose constitutes misuse of equipment. This section defines “fair
and responsible use” of equipment and other organizational assets and should also address key legal issues,
such as protection of personal information and privacy.

3. Prohibited Use of Equipment


Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. The
following can be prohibited: personal use, disruptive use or misuse, criminal use, offensive or harassing
materials, and infringement of copyrighted, licensed, or other intellectual property.

4. Systems Management
The systems management section of the ISSP policy statement focuses on the users’ relationship to systems
management. Specific rules from management include regulating the use of e-mail, the storage of materials,
the authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other
electronic documents. It is important that all such responsibilities are designated as belonging to either the
systems administrator or the users; otherwise both parties may infer that the responsibility belongs to the
other party.

Violations of Policy
The people to whom the policy applies must understand the penalties and repercussions of violating the
policy. Violations of policy should carry appropriate, not draconian, penalties. This section of the policy
statement should contain not only the specifics of the penalties for each category of violation but also
instructions on how individuals in the organization can report observed or suspected violations. Many
people think that powerful individuals in the organization can discriminate, single out, or otherwise retaliate
against someone who reports violations. Allowing anonymous submissions is often the only way to
convince users to report the unauthorized activities of other, more influential employees.

Policy Review and Modification


Because any document is only useful if it is up-to-date, each policy should contain procedures and a
timetable for periodic review. As the organization’s needs and technologies change, so must the policies
that govern their use. This section should specify a methodology for the review and modification of the
policy to ensure that users do not begin circumventing it as it grows obsolete.

Limitations of Liability
If an employee is caught conducting illegal activities with organizational equipment or assets, management
does not want the organization held liable. The policy should state that if employees violate a company
policy or any law using company technologies, the company will not protect them, and the company is not
liable for its actions. In fact, many organizations assist in the prosecution of employees who violate laws
when their actions violate policies. It is inferred that such violations occur without knowledge or
authorization by the organization.

Table 5.2: Components of an ISSP

Systems-Specific Policy (SysSP)


While issue-specific policies are formalized as written documents readily identifiable as policy, system-
specific security policies (SysSPs) sometimes have a different look. SysSPs often function as standards or
procedures to be used when configuring or maintaining systems. For example, a SysSP might describe the
configuration and operation of a network firewall. This document could include a statement of managerial
intent; guidance to network engineers on the selection, configuration, and operation of firewalls; and an
access control list that defines levels of access for each authorized user. SysSPs can be separated into two
general groups, managerial guidance and technical specifications, or they can be combined into a single
policy document.

1. Managerial Guidance SysSPs


A managerial guidance SysSP document is created by management to guide the implementation and
configuration of technology as well as to address the behavior of people in the organization in ways that
support the security of information.

2. Technical Specification SysSPs


While a manager can work with a systems administrator to create managerial policy as described in the
preceding section, the system administrator may in turn need to create a policy to implement the managerial
policy. Each type of equipment requires its own set of policies, which are used to translate the management
intent for the technical control into an enforceable technical approach.

Policy Management
Policies are living documents that must be managed. It is unacceptable to create such an important set of
documents and then shelve it. These documents must be properly disseminated (distributed, read,
understood, agreed to, and uniformly applied) and managed. How they are managed should be specified in
the policy management section of the issue-specific policy described earlier. Good management practices
for policy development and maintenance make for a more resilient organization. For example, all policies,
including security policies, undergo tremendous stress when corporate mergers and divestitures occur; in
such situations, employees are faced with uncertainty and many distractions. System vulnerabilities can
arise if, for instance, incongruent security policies are implemented in different parts of a new, merged
organization. When two companies merge but retain separate policies, the difficulty of implementing
security controls increases. Likewise, when one company with unified policies splits in two, each new
company may require different policies.

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for
making recommendations for reviews, and a policy issuance and revision date.

1. Responsible Individual
Just as information systems and information security projects must have champions and managers, so must
policies. The policy champion and manager is called the policy administrator. Typically the policy
administrator is a midlevel staff member and is responsible for the creation, revision, distribution, and
storage of the policy. Note that the policy administrator does not necessarily have to be proficient in the
relevant technology.

2. Schedule of Reviews
Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for
currency and accuracy and modified accordingly. Policies that are not kept current can become liabilities,
as outdated rules are enforced (or not) and new requirements are ignored. In order to demonstrate due
diligence, an organization must actively seek to meet the requirements of the market in which it operates.
This applies to both public (government, academic, and nonprofit) and private (commercial and for-profit)
organizations. A properly organized schedule of reviews should be defined and published as part of the
document. Typically a policy should be reviewed at least annually to ensure that it is still an effective
control.

3. Review Procedures and Practices


To facilitate policy reviews, the policy manager should implement a mechanism by which individuals can
comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop
box. If the policy is controversial, anonymous submission of recommendations may be the best way to
encourage staff opinions. Many employees are intimidated by management and hesitate to voice honest
opinions about a policy unless they can do so anonymously. Once the policy has come up for review, all
comments should be examined and management-approved improvements should be implemented. In
reality, most policies are drafted by a single responsible individual and are then reviewed by a higher-level
manager. But even this method does not preclude the collection and review of employee input.

4. Policy and Revision Date


The simple action of dating the policy is often omitted. When policies are drafted and published without
dates, confusion can arise. If policies are not reviewed and kept current, or if members of the organization
are following undated versions, disastrous results and legal headaches can ensue. Such problems are
particularly common in a high-turnover environment. It is, therefore, important that the policy contain the
date of origin, along with the date(s) of any revisions. Some policies may also need a sunset clause
indicating their expiration date, particularly those that govern information use in short-term business
associations. Establishing a policy end date prevents a temporary policy from mistakenly becoming
permanent, and it also enables an organization to gain experience with a given policy before adopting it
permanently.

5. Automated Policy Management


Recent years have seen the emergence of a new category of software for the management of information
security policies. This type of software was developed in response to needs articulated by information
security practitioners. While many software products can meet the need for a specific technical control,
there is now software to meet the need for automating some of the busywork of policy management.
Automation can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals,
publishing policy once it is written and approved, and tracking when individuals have read the policy. Using
techniques from computer-based training and testing, organizations can train staff members and also
improve the organization’s awareness program.
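The policy-management requirements above (a responsible individual, a review schedule of at least a year, issuance and revision dates, an optional sunset clause, and tracking of who has acknowledged the policy) are the kind of busywork the chapter says automation can take over. The following Python script is an added illustration, not code from the chapter or from any policy-management product; the policy names, staff names and dates are constructed sample data, and the one-year review interval is an assumption taken from the chapter's "at least annually" guidance. It audits a small policy registry and reports, per policy, which of those requirements are unmet.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    """One entry in the policy registry (constructed for this example)."""
    name: str
    administrator: Optional[str]          # responsible individual (policy administrator)
    issued: date                          # date of origin
    revised: Optional[date] = None        # most recent revision date, if any
    review_interval_days: int = 365       # schedule of reviews: at least annually (assumption)
    sunset: Optional[date] = None         # sunset clause, for temporary policies
    acknowledged_by: Set[str] = field(default_factory=set)  # staff who affirmed compliance


def last_reviewed(policy: Policy) -> date:
    """The revision date counts as the last review; otherwise the issue date does."""
    return policy.revised or policy.issued


def review_due(policy: Policy) -> date:
    """Date by which the next scheduled review must happen."""
    return last_reviewed(policy) + timedelta(days=policy.review_interval_days)


def policy_findings(policy: Policy, staff: Set[str], today: date) -> List[str]:
    """Return the list of policy-management requirements this policy fails as of `today`."""
    findings: List[str] = []
    if not policy.administrator:
        findings.append("no responsible individual")
    if today > review_due(policy):
        findings.append("review overdue")
    if policy.sunset is not None and today > policy.sunset:
        findings.append("past sunset date")
    # Documented acceptance: every current staff member must have acknowledged the policy.
    missing = staff - policy.acknowledged_by
    if missing:
        findings.append(f"not acknowledged by {len(missing)} of {len(staff)} staff")
    return findings


def audit(policies: List[Policy], staff: Set[str], today: date) -> Dict[str, List[str]]:
    """Audit every policy in the registry; an empty list means the policy is in good standing."""
    return {p.name: policy_findings(p, staff, today) for p in policies}


# --- Constructed sample registry (hypothetical names and dates) ---
STAFF = {"alice", "bob", "carol"}
AS_OF = date(2025, 3, 1)
SAMPLE_POLICIES = [
    Policy("Enterprise Information Security Policy", administrator="D. Lee",
           issued=date(2023, 1, 10), revised=date(2024, 11, 5),
           acknowledged_by={"alice", "bob", "carol"}),
    Policy("Internet Use ISSP", administrator=None,
           issued=date(2023, 6, 1),
           acknowledged_by={"alice", "bob"}),
    Policy("Merger Transition ISSP", administrator="R. Cruz",
           issued=date(2024, 1, 15), sunset=date(2024, 12, 31),
           acknowledged_by={"alice", "bob", "carol"}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES, STAFF, AS_OF).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name}: {status}")
```

Run as a script, the audit flags the Internet Use ISSP for having no administrator, being past its annual review and lacking one acknowledgment, and flags the merger policy as both overdue and past its sunset date, while the EISP passes. A real deployment would read the registry from the policy-management system and feed the acknowledgment set from logon-banner or training records, which is exactly the tracking the chapter describes.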

The Information Security Blueprint

The security blueprint is the basis for the design, selection, and implementation of all security program
elements including policy implementation, ongoing policy management, risk management programs,
education and training programs, technological controls, and maintenance of the security program. The
security blueprint, built on top of the organization’s information security policies, is a scalable, upgradeable,
comprehensive plan to meet the organization’s current and future information security needs. It is a detailed
version of the security framework, which is an outline of the overall information security strategy for the
organization and a roadmap for planned changes to the information security environment of the
organization. The blueprint specifies the tasks and the order in which they are to be accomplished.

The ISO 27000 Series


One of the most widely referenced security models is the Information Technology—Code of Practice for
Information Security Management, which was originally published as British Standard BS7799. In 2000,
this code of practice was adopted as an international standard framework for information security by the
International Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC) as ISO/IEC 17799. The document was revised in 2005 (becoming ISO 17799:2005), and it was then
renamed to ISO 27002 in 2007, to align it with the document ISO 27001.

The stated purpose of ISO/IEC 27002 is to “give recommendations for information security management
for use by those who are responsible for initiating, implementing, or maintaining security in their
organization. It is intended to provide a common basis for developing organizational security standards and
effective security management practice and to provide confidence in inter-organizational dealings.” Where
ISO/IEC 27002 is focused on a broad overview of the various areas of security, providing information on
127 controls over ten broad areas, ISO/IEC 27001 provides information on how to implement ISO/IEC
27002 and how to set up an information security management system (ISMS).

NIST Security Models


Other approaches are described in the many documents available from the Computer Security Resource
Center of the National Institute for Standards and Technology (http://csrc.nist.gov). Because the NIST
documents are publicly available at no charge and have been available for some time, they have been
broadly reviewed by government and industry professionals, and are among the references cited by the
federal government when it decided not to select the ISO/IEC 17799 standards. The following NIST
documents can assist in the design of a security framework:

• SP 800-12: An Introduction to Computer Security: The NIST Handbook
• SP 800-14: Generally Accepted Security Principles and Practices for Securing Information
Technology Systems
• SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems
• SP 800-26: Security Self-Assessment Guide for Information Technology Systems (removed from
active list but still available in archives)
• SP 800-30: Risk Management Guide for Information Technology Systems

IETF Security Architecture


The Security Area Working Group acts as an advisory board for the protocols and areas developed and
promoted by the Internet Society and the Internet Engineering Task Force (IETF), and while the group
endorses no specific information security architecture, one of its requests for comment (RFC), RFC 2196:
Site Security Handbook, provides a good functional discussion of important security issues. RFC 2196: Site
Security Handbook covers five basic areas of security with detailed discussions on development and
implementation. There are also chapters on such important topics as security policies, security technical
architecture, security services, and security incident handling.

Baselining and Best Business Practices


Baselining and best practices don’t provide a complete methodology for the design and implementation of
all the practices needed by an organization; however, it is possible to piece together the desired outcome of
the security process, and therefore to work backwards toward an effective design. The Federal Agency
Security Practices (FASP) site is a popular place to look up best practices. FASP is designed to provide
best practices for public agencies, but these practices can be adapted easily to private institutions. The
documents found at this site include specific examples of key policies and planning documents,
implementation strategies for key technologies, and position descriptions for key security personnel.

Security Education, Training, and Awareness Program


Once your organization has defined the policies that will guide its security program and selected an overall
security model by creating or adapting a security framework and a corresponding detailed implementation
blueprint, it is time to implement a security education, training, and awareness (SETA) program. The SETA
program is the responsibility of the CISO and is a control measure designed to reduce the incidence of
accidental security breaches by employees. Employee errors are among the top threats to information assets,
so it is well worth expending the organization’s resources to develop programs to combat this threat. SETA
programs are designed to supplement the general education and training programs that many organizations
use to educate staff on information security. For example, if an organization detects that many employees
are opening questionable e-mail attachments, those employees must be retrained. As a matter of good
practice, systems development life cycles must include user training during the implementation phase.

The SETA program consists of three elements: security education, security training, and security awareness.
An organization may not be capable of or willing to undertake all three of these elements, and may
outsource elements to local educational institutions. The purpose of SETA is to enhance security by doing
the following:

• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform their jobs more securely
• Building in-depth knowledge, as needed, to design, implement, or operate security programs for
organizations and systems

Security Education
Everyone in an organization needs to be trained and made aware of information security, but not every
member of the organization needs a formal degree or certificate in information security. When management
agrees that formal education is appropriate, an employee can investigate available courses from local
institutions of higher learning or continuing education. A number of universities have formal coursework
in information security.

Security Training
Security training provides detailed information and hands-on instruction to employees to prepare them to
perform their duties securely. Management of information security can develop customized in-house
training or outsource the training program.

Security Awareness
One of the least frequently implemented, but most beneficial, programs is the security awareness program.
A security awareness program is designed to keep information security at the forefront of users’ minds.
These programs don’t have to be complicated or expensive. Good programs can include newsletters,
security posters, videos, bulletin boards, flyers, and trinkets. Trinkets can include security slogans printed
on mouse pads, coffee cups, T-shirts, pens, or any object frequently used during the workday that reminds
employees of security. In addition, a good security awareness program requires a dedicated individual
willing to invest the time and effort into promoting the program, and a champion willing to provide the
needed financial support.

The security newsletter is the most cost-effective method of disseminating security information and news
to the employee. Newsletters can be distributed via hard copy, e-mail, or intranet. Newsletter topics can
include new threats to the organization’s information assets, the schedule for upcoming security classes,
and the addition of new security personnel. The goal is to keep the idea of information security in users’
minds and to stimulate users to care about security. If a security awareness program is not actively
implemented, employees may begin to neglect security matters and the risk of employee accidents and
failures is likely to increase.

Continuity Strategies

A key role for all managers is contingency planning. Managers in the IT and information security
communities are usually called on to provide strategic planning to assure the continuous availability of
information systems. Unfortunately for managers, however, the probability that some form of attack will
occur—from inside or outside, intentional or accidental, human or nonhuman, annoying or catastrophic—
is very high. Thus, managers from each community of interest must be ready to act when a successful attack
occurs.

There are various types of contingency plans for events of this type:
• Incident response plans
• Disaster recovery plans
• Business continuity plans

A contingency plan is prepared by the organization to anticipate, react to, and recover from events that
threaten the security of information and information assets in the organization and, subsequently, to restore
the organization to normal modes of business operations.

An incident is any clearly identified attack on the organization’s information assets that would threaten the
assets’ confidentiality, integrity, or availability. An incident response (IR) plan addresses the
identification, classification, response, and recovery from an incident.

A disaster recovery (DR) plan addresses the preparation for and recovery from a disaster, whether natural
or man-made.

A business continuity (BC) plan ensures that critical business functions continue if a catastrophic incident
or disaster occurs.

The primary functions of these three types of planning are as follows:

• The IR plan focuses on immediate response, but if the attack escalates or is disastrous (e.g., fire,
flood, earthquake, or total blackout) the process moves on to disaster recovery and the BC plan.

• The DR plan typically focuses on restoring systems at the original site after disasters occur, and as
such is closely associated with the BC plan.

• The BC plan occurs concurrently with the DR plan when the damage is major or ongoing, requiring
more than simple restoration of information and information resources. The BC plan establishes
critical business functions at an alternate site.

Before any planning can begin, an assigned person or a planning team has to get the process started. In the
usual case, a contingency planning management team (CPMT) is assembled for that purpose. A roster for
this team may consist of the following members:

• Champion: As with any strategic function, the contingency planning project must have a high-
level manager to support, promote, and endorse the findings of the project. This could be the CIO,
or ideally the CEO.

• Project manager: A champion provides the strategic vision and the linkage to the power structure
of the organization, but someone has to manage the project. A project manager, possibly a midlevel
manager or even the CISO, must lead the project and make sure a sound project planning process
is used, a complete and useful project plan is developed, and project resources are prudently
managed to reach the goals of the project.

• Team members: The team members should be managers or their representatives from the various
communities of interest: business, information technology, and information security.
Representative business managers, familiar with the operations of their respective functional areas,
should supply details on their activities and provide insight into the criticality of their functions to
the overall sustainability of the business. Information technology managers on the project team
should be familiar with the systems that could be at risk and with the IR, DR, and BC plans that are
needed to provide technical content within the planning process. Information security managers
must oversee the security planning of the project and provide information on the threats,
vulnerabilities, attacks, and recovery requirements needed in the planning process.

Business Impact Analysis


The first phase in the development of the contingency planning process is the business impact analysis
(BIA). A BIA is an investigation and assessment of the impact that various attacks can have on the
organization. BIA takes up where the risk assessment process leaves off. It begins with the prioritized list
of threats and vulnerabilities identified in the risk management process from Chapter 4 and adds information
about the criticality of the systems involved and a detailed assessment of the threats and vulnerabilities to
which they are subject. The BIA is a crucial component of the initial planning stages, as it provides detailed
scenarios of the potential impact each attack could have on the organization. The BIA therefore helps to
determine what the organization must do to respond to the attack, minimize the damage from the attack,
recover from the effects, and return to normal operations. The fundamental distinction between a BIA and
the risk management processes discussed in Chapter 4 is that the risk management approach identifies the
threats, vulnerabilities, and attacks to determine what controls can protect the information, while the BIA
assumes that an attack has succeeded despite these controls, and attempts to answer the question: what do
you do now?

Figure 5.1: Major Steps in Contingency Planning


The contingency planning team conducts the BIA in the following stages, which are shown in Figure 5.1:

1. Threat attack identification and prioritization
2. Business unit analysis
3. Attack success scenario development
4. Potential damage assessment
5. Subordinate plan classification

Incident Response Planning


Incident response planning includes the identification of, classification of, and response to an incident. The
IR plan is made up of activities that are to be performed when an incident has been identified. Before
developing such a plan, you should understand the philosophical approach to incident response planning.

What is an incident? What is incident response? As stated earlier, an incident is an attack against an
information asset that poses a clear threat to the confidentiality, integrity, or availability of information
resources. If an action that threatens information occurs and is completed, the action is classified as an
incident. All of the threats identified in earlier chapters could result in attacks that would be classified as
information security incidents. For purposes of this discussion, however, attacks are classified as incidents
if they have the following characteristics:

• They are directed against information assets.
• They have a realistic chance of success.
• They could threaten the confidentiality, integrity, or availability of information resources.

Incident response (IR) is therefore the set of activities taken to plan for, detect, and correct the impact of
an incident on information assets. Prevention is purposefully omitted, as this activity is more a function of
information security in general than of incident response. In other words, IR is more reactive than proactive,
with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident.

IR consists of the following four phases:

1. Planning
2. Detection
3. Reaction
4. Recovery

Disaster Recovery Planning


An event can be categorized as a disaster when (1) the organization is unable to mitigate the impact of an
incident during the incident, and (2) the level of damage or destruction is so severe that the organization is
unable to recover quickly. The difference between an incident and a disaster may be subtle; the contingency
planning team must make the distinction between disasters and incidents, and it may not be possible to
make this distinction until an attack occurs. Often an event that is initially classified as an incident is later
determined to be a disaster. When this happens, the organization must change how it is responding and take
action to secure its most valuable assets to preserve value for the longer term even at the risk of more
disruption in the short term.

Disaster recovery (DR) planning is the process of preparing an organization to handle and recover from a
disaster, whether natural or man-made. The key emphasis of a DR plan is to reestablish operations at the
primary site, the location at which the organization performs its business. The goal is to make things whole,
or as they were before the disaster.

Business Continuity Planning


Business continuity planning prepares an organization to reestablish critical business operations during a
disaster that affects operations at the primary site. If a disaster has rendered the current location unusable,
there must be a plan to allow the business to continue to function. Not every business needs such a plan or
such facilities. Small companies or fiscally sound organizations may have the latitude to cease operations
until the physical facilities can be restored. Manufacturing and retail organizations may not have this option,
because they depend on physical commerce and may not be able to relocate operations.
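The way the five BIA stages, the incident-versus-disaster test from the Disaster Recovery Planning section, and the IR/DR/BC hand-off described above fit together, as an added worked example that is not part of this chapter or of Whitman's text. The classification rules are the chapter's; the damage score (unit criticality times likelihood times impact), the field names, and the three sample scenarios are constructed assumptions for illustration.

```python
"""Contingency-planning worked example (added; constructed data, not the chapter's own).

BIA stages 1-4 supply the fields of AttackScenario; stage 5 (subordinate plan
classification) is classify(), which applies the chapter's criteria: every
incident is handled by the IR plan; an event is a disaster when the organization
(1) cannot mitigate it while it is happening and (2) cannot recover quickly,
which moves the process on to the DR plan; the BC plan runs concurrently with
DR when the disaster has rendered the primary site unusable.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Plan(Enum):
    IR = "incident response plan"
    DR = "disaster recovery plan"
    BC = "business continuity plan"


@dataclass(frozen=True)
class AttackScenario:
    """One attack success scenario (BIA stage 3) for a given business unit."""
    threat: str                    # from the prioritized threat list (stage 1)
    business_unit: str             # from the business unit analysis (stage 2)
    unit_criticality: int          # 1 (low) .. 5 (critical): how vital the unit is
    likelihood: int                # 1 .. 5: how likely the attack is to succeed
    impact: int                    # 1 .. 5: potential damage assessment (stage 4)
    mitigable_during_event: bool   # can the organization contain it while it runs?
    quick_recovery_possible: bool  # can it recover quickly afterwards?
    primary_site_usable: bool      # is the primary site still usable?


def damage_score(s: AttackScenario) -> int:
    """Assumed scoring rule (not from the chapter): criticality x likelihood x impact."""
    return s.unit_criticality * s.likelihood * s.impact


def is_disaster(s: AttackScenario) -> bool:
    """Chapter's two-part test: both conditions must hold for an event to be a disaster."""
    return (not s.mitigable_during_event) and (not s.quick_recovery_possible)


def classify(s: AttackScenario) -> List[Plan]:
    """Stage 5: the subordinate plans the scenario would activate, in order.

    Every incident starts with the IR plan. If it is a disaster, the process
    moves on to DR; BC is added alongside DR when the primary site is unusable.
    """
    plans = [Plan.IR]
    if is_disaster(s):
        plans.append(Plan.DR)
        if not s.primary_site_usable:
            plans.append(Plan.BC)
    return plans


def prioritize(scenarios: List[AttackScenario]) -> List[AttackScenario]:
    """Order scenarios by damage score, highest first."""
    return sorted(scenarios, key=damage_score, reverse=True)


# Constructed sample scenarios (illustrative only, not from the chapter).
SAMPLE_SCENARIOS = [
    AttackScenario("phishing e-mail with malicious attachment", "Finance",
                   unit_criticality=4, likelihood=4, impact=2,
                   mitigable_during_event=True, quick_recovery_possible=True,
                   primary_site_usable=True),
    AttackScenario("ransomware across file servers", "Order processing",
                   unit_criticality=5, likelihood=3, impact=5,
                   mitigable_during_event=False, quick_recovery_possible=False,
                   primary_site_usable=True),
    AttackScenario("fire in the data centre", "All units",
                   unit_criticality=5, likelihood=2, impact=5,
                   mitigable_during_event=False, quick_recovery_possible=False,
                   primary_site_usable=False),
]


def plan_report(scenarios: List[AttackScenario]) -> List[Tuple[str, int, List[str]]]:
    """Return (threat, damage score, plan names) rows, highest damage first."""
    return [(s.threat, damage_score(s), [p.name for p in classify(s)])
            for s in prioritize(scenarios)]


if __name__ == "__main__":
    for threat, score, plans in plan_report(SAMPLE_SCENARIOS):
        print(f"{score:3d}  {threat:45s} -> {', '.join(plans)}")
```

Running the block lists the ransomware scenario first (score 75, IR then DR), the data-centre fire second (score 50, IR, DR and BC because the primary site is unusable), and the phishing scenario last (score 32, IR only, since it fails the disaster test). Changing either half of the two-part test on a scenario is enough to move it between the IR-only and DR outcomes, which is the distinction the contingency planning team has to make.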

Crisis Management
Disasters are, of course, larger in scale and less manageable than incidents, but the planning processes are
the same and in many cases are conducted simultaneously. What may truly distinguish an incident from a
disaster are the actions of the response teams. An incident response team typically rushes to duty stations
or to the office from home. The first act is to reach for the IR plan. A disaster recovery team may not have
the luxury of flipping through a binder to see what must be done. Disaster recovery personnel must know
their roles without any supporting documentation. This is a function of preparation, training, and rehearsal.
You probably all remember the frequent fire, tornado, or hurricane drills—and even the occasional nuclear
blast drills—from your public school days. Just because you move from school to the business world
doesn’t lessen the threat of a fire or other disaster.

The actions taken during and after a disaster are referred to as crisis management. Crisis management
differs dramatically from incident response, as it focuses first and foremost on the people involved. The
disaster recovery team works closely with the crisis management team.

Assessment

1. How can a security framework assist in the design and implementation of a security infrastructure?
What is information security governance? Who in the organization should plan for it?
2. Where can a security administrator find information on established security frameworks?
3. What is the ISO 27000 series of standards? Which individual standards make up the series?
4. What benefit can a private, for-profit agency derive from best practices designed for federal
agencies?
5. What are the differences between a policy, a standard, and a practice? What are the three types of
security policies? Where would each be used? What type of policy would be needed to guide use
of the Web? E-mail? Office equipment for personal use?
6. What is contingency planning? How is it different from routine management planning?
7. What are the components of contingency planning?
8. When is the IR plan used?
9. When is the DR plan used?
10. When is the BC plan used? How do you determine when to use the IR, DR, and BC plans?

Exercise
Using a graphics program, design several security awareness posters on the following themes: updating
antivirus signatures, protecting sensitive information, watching out for e-mail viruses, prohibiting the
personal use of company equipment, changing and protecting passwords, avoiding social engineering, and
protecting software copyrights. What other themes can you come up with?

References
1. Whitman, Michael. Principles of Information Security, 6th ed., 2018.
2. What is vulnerability? IFRC. (2021). Ifrc.org. https://www.ifrc.org/en/what-we-do/disaster-management/about-disasters/what-is-a-disaster/what-is-vulnerability/
3. Cost Benefit Analysis: An Expert Guide. (2019). Smartsheet. https://www.smartsheet.com/expert-guide-cost-benefit-analysis
4. Darby, Mark. (2019, December 6). ISO 27001 Help from ISMS.online. ISMS.online. https://www.isms.online/iso-27001/information-security-risk-management-explained/