Domain 4 - CISA

The document provides an overview of the Certified Information Systems Auditor (CISA) training, detailing the certification process, knowledge domains, and key topics such as information systems management, service management frameworks, and incident management. It emphasizes the importance of governance, service level agreements, and the integration of security in IT operations. Additionally, it covers automation, DevOps, and incident response planning, highlighting best practices and tools for effective IT management and security.

Certified Information System Auditor Training

BEFORE STARTING

IMPORTANT NOTICE BEFORE START

These slides were prepared in accordance with the CISA Review Manual to act as a study reference while you follow our course.
These slides include extra information beyond what is discussed in the course.
Feel free to search using "CTRL+F" in the slides to navigate to the relevant topic you want to review.
We cannot guarantee 100 percent that the slide order will match what you follow during the course, so if you think this might be distracting for you, please consider other resources.
If you follow these slides along with the videos and take notes, you will be amazing.
For any information or suggestion, please leave a rating and feedback, or reach us for support.

CISA CERTIFICATION
Certified Information System Auditor - CISA
CISA is a certificate issued by ISACA - Information Systems Audit and Control Association®
Information systems auditing, not just IT!
This training is based on the ISACA Review Manual
Pass the exam: 150 questions in 4 hours
Exam cost is 760 US $ for ISACA non-members
Membership is an annual fee you pay
Submit the application after the exam, attest it and pay the processing fee
If you meet the criteria you will be certified

CISA Knowledge domains

Domain 1: IS Auditing Process (21%)
Domain 2: Governance and Management of IT (17%)
Domain 3: IS Acquisition, Development and Implementation (12%)
Domain 4: IS Operations and Business Resilience (23%)
Domain 5: Protection of Information Assets (27%)
Certified Information System Auditor - DOMAIN 4

DOMAIN 4: Information Systems Operations and Business Resilience
About Domain 4
Domain 4 represents 23% of the questions on the CISA exam (approximately 30 questions).
Content
1. Information System operations
2. Information System maintenance
3. Service management
4. Business continuity

Information Systems management

INFORMATION SYSTEM MANAGEMENT
Responsible for ongoing support of an organization's computer and IS environment
Plays a critical role in ensuring that computer operations processing requirements are met, end users are satisfied, and information is processed securely
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives
Management is the responsibility of the executive management under the leadership of the chief executive officer (CEO).
IS management has the overall responsibility for all operations within the IT department

IS MANAGEMENT OBJECTIVES
The key function of IS operations is to ensure:
✓ Computer processing requirements are met
✓ End users are satisfied
✓ Information is processed securely
✓ Outside parties (third parties, cloud computing) meet the company's processing requirements
IS GOVERNANCE
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against the agreed-on direction and objectives.
Overall governance is the responsibility of the board of directors under the leadership of the chairperson.
Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.

Service management frameworks

IT Infrastructure Library (ITIL):
◦ A reference body of knowledge for service delivery good practices
◦ A comprehensive framework detailed over five volumes: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement
◦ The main objective of ITIL is to improve service quality to the business.

ISO 20000-1:2011 Information technology – Service management
◦ Requires service providers to implement the plan-do-check-act (PDCA) methodology
◦ The main objective is to improve service quality; achievement of the standard certifies organizations as having passed auditable practices and processes in ITSM.
Service level agreement

SERVICE LEVEL AGREEMENT
An SLA is a contractual relationship between IT and the end user or customer.
The SLA service levels need to be defined.
Expectations defined in the SLA should be comprehensive.
An SLA defines the nature, expectations, escalations, and other relevant information for the services being offered.
The SLA should be documented in non-technical terms and serve as the basis for measuring and monitoring services.
The SLA should consider accuracy, completeness, timeliness and security.
Service levels need to be measured at defined intervals.
Operational level agreement
An OLA is an agreement between the internal support groups of an institution that supports the SLA
The OLA clearly depicts the performance and relationship of the internal service groups.
The main objective of the OLA is to ensure that all the support groups deliver the intended service level agreement

Service Level Agreement measuring tools
Exception reports
Availability reports
System and application logs
Operator problem reports
Operator work schedules
Asset management

IT Asset Management
Assets could be systems, data or networking components, software licenses or source code
Assets should be monitored and controlled
You cannot protect what you do not know
An asset inventory should be available and should clearly define:
✓ Asset owner (ultimate accountability)
✓ Asset custodian (responsible for operation, security, data entry)
✓ Asset identification and purpose
✓ Location
✓ Security classification from a risk point of view
✓ Asset criticality level from a business point of view
✓ Network information such as IP, rack number and shelf where the device is mounted.
ITAM
Inventory Management: ITAM involves creating an inventory of all IT assets within an organization, including hardware, software, licenses, and related data.
Asset Tracking: ITAM involves tracking the movement and location of IT assets throughout their lifecycle, including when they are acquired, deployed, maintained, and retired.
License Management: ITAM involves managing software licenses to ensure compliance with licensing agreements and avoid potential legal and financial risks.
Maintenance and Support: ITAM involves managing maintenance and support contracts for IT assets to ensure they are up-to-date and functioning correctly.
Security Management: ITAM involves managing the security of IT assets, including protecting them from cyber threats, ensuring compliance with security policies, and monitoring usage patterns to identify potential security risks.

EUC or shadow IT

End User Computing
End user computing or shadow IT is the ability of end users to design and implement their own information systems using computer software products
An example is using Microsoft Access to build their own DB on a device belonging to the company
End user computing should be governed by a documented EUC/IT AUP policy.
EUC leads to the following issues:
◦ Improperly configured in terms of security
◦ Lack of information control and inventory
◦ Not backed up at regular intervals
◦ Not properly monitored to identify threats
◦ Approved software list not consistent with what really exists
◦ No patch management enforced

Shadow IT risks
Security Risks: The use of unapproved technology solutions can increase the risk of security breaches and data loss, as they may not be subject to the same security controls and policies as approved solutions.
Compliance Risks: Shadow IT can also create compliance risks, as the use of unapproved solutions may not comply with regulatory requirements or internal policies.
Integration Challenges: Shadow IT can create challenges for IT departments in integrating and managing disparate systems and applications, leading to inefficiencies and potential data silos.
Cost Implications: Shadow IT can result in redundant technology solutions and unnecessary expenses, as well as increased support and maintenance costs.
Controlling shadow IT
Establishing IT Policies: Organizations can establish clear policies and procedures for the procurement and use of technology solutions, including guidelines for approving and supporting new solutions.
Educating Employees: Organizations can educate employees on the risks and implications of shadow IT, and encourage them to work with IT to identify and address their technology needs.
Monitoring and Auditing: Organizations can monitor and audit their technology environment to identify and address instances of shadow IT.
Providing Approved Alternatives: Organizations can provide approved technology solutions that meet employees' needs, reducing the likelihood of them turning to unapproved solutions.

AUTOMATION AND JOB SCHEDULING
Job Scheduling
In large environments, automation is a necessity, not an option
Job scheduling or scheduled tasks can be used to perform repetitive and routine tasks; the feature is included in operating systems and applications
In Linux, scheduling can be achieved using cron
By scheduling tasks automatically, we reduce the probability of error, which contributes to a more secure environment
Audit trails should be kept for scheduled tasks
Authorization should be considered for scheduled tasks
The processing priority of scheduled tasks needs to be known
Scheduled tasks should be documented and reviewed periodically
A mechanism should be in place to get notified of failed tasks
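The scheduled-task controls listed above (audit trail, authorization, documentation, notification of failures) can be checked mechanically during a review. The following is an added example, not part of the slides: it parses a constructed system crontab (the paths and the MAILTO address are made up) and reports which entries lack those controls.

```python
import re
from dataclasses import dataclass, field

# Constructed sample system crontab (/etc/crontab layout: 5 schedule fields, user, command).
SAMPLE_CRONTAB = """\
# nightly backup, owner: ops, approved under change record CR-0042 (constructed)
MAILTO=ops-alerts@example.test
0 2 * * * root /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * www-data /opt/app/cleanup.sh > /dev/null 2>&1
30 3 * * 0 root /usr/local/bin/rotate-keys.sh
"""

SCHEDULE_FIELDS = 5


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str
    documented: bool = False
    findings: list = field(default_factory=list)


def parse_system_crontab(text):
    """Return (env, jobs). A comment directly above an entry counts as its
    documentation; KEY=VALUE lines are environment settings such as MAILTO."""
    env, jobs, pending_comment = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending_comment = None
            continue
        if line.startswith("#"):
            pending_comment = line.lstrip("# ")
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        if line.startswith("@"):  # @reboot, @daily and similar shorthand schedules
            parts, n_sched = line.split(None, 2), 1
        else:
            parts, n_sched = line.split(None, SCHEDULE_FIELDS + 1), SCHEDULE_FIELDS
        if len(parts) < n_sched + 2:
            continue  # malformed entry; a real review would report it separately
        jobs.append(CronJob(" ".join(parts[:n_sched]), parts[n_sched], parts[n_sched + 1],
                            documented=pending_comment is not None))
        pending_comment = None
    return env, jobs


def review(env, jobs):
    """Attach findings for the controls the slide lists: audit trail,
    failure notification, authorization and documentation."""
    for job in jobs:
        if "/dev/null" in job.command:
            # cron mails a job's output; discarding it removes both the trail and the alert
            job.findings.append("output discarded: no audit trail and failures cannot be noticed")
        elif not re.search(r">>?\s*\S+", job.command) and "MAILTO" not in env:
            job.findings.append("no log file and no MAILTO: failure notification relies on local mail")
        if job.user == "root":
            job.findings.append("runs as root: confirm authorization and least privilege")
        if not job.documented:
            job.findings.append("no descriptive comment: task is undocumented")
    return jobs


if __name__ == "__main__":
    environment, parsed = parse_system_crontab(SAMPLE_CRONTAB)
    for job in review(environment, parsed):
        print(f"{job.schedule:<12} {job.user:<9} {job.command}")
        for finding in job.findings:
            print("   -", finding)
```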

Example of scheduled tasks (screenshot slide)
Robotic process automation - RPA
Robotic Process Automation (RPA) is a technology that allows organizations to automate repetitive and rule-based tasks using software robots or bots.
RPA bots mimic human actions and interact with applications, databases, and other systems to perform tasks such as data entry, data processing, and report generation.
RPA adoption involves bot development, bot deployment, bot management and bot integration.
RPA leads to improved efficiency, scalability, cost savings and improved compliance by avoiding the risk of human error.

RPA workflow example (diagram slide)

DevOps

What is DevOps
DevOps is a cultural shift
The term "DevOps" combines the words "development" and "operations."
It is a set of practices that automate the software delivery process and bring together development, testing, deployment, and operations teams into a single, cohesive workflow.
DevOps aims to break down the traditional silos between these teams and foster a culture of collaboration, communication, and continuous improvement.
Key principles are
◦ Automation
◦ Continuous Integration and Delivery
◦ Collaboration
◦ Infrastructure as code
◦ Monitoring and feedback
DevOps tools

Version control tools: Git, Subversion, CVS
Continuous Integration and Continuous Deployment (CI/CD) tools: Jenkins, CircleCI, Travis CI
Configuration management tools: Ansible, Puppet, Chef, SaltStack
Containerization tools: Docker, Kubernetes, OpenShift
Infrastructure as Code (IaC) tools: Terraform, CloudFormation, Azure Resource Manager
Monitoring and logging tools: Prometheus, Grafana, ELK stack (Elasticsearch, Logstash, Kibana)
Collaboration and communication tools: Jira, Trello, Slack
Testing tools: Selenium, JUnit, NUnit, Robot Framework

DevSecOps

What is DevSecOps
DevSecOps integrates security practices and principles into the DevOps process. The term "DevSecOps" combines the words "development," "security," and "operations."
It aims to ensure that security is built into the software development process from the start, rather than being added as an afterthought.
By integrating security into the DevOps process, organizations can increase the speed and quality of software delivery while also reducing the risk of security vulnerabilities and breaches.
Key principles are
◦ Security as code
◦ Shift left
◦ Continuous security testing
◦ Collaboration and communication
◦ Automation

DevSecOps tools

Static Application Security Testing (SAST) tools: SonarQube, Checkmarx, Fortify Static Code Analyzer
Dynamic Application Security Testing (DAST) tools: OWASP ZAP, Burp Suite, Qualys Web Application Scanning
Container Security tools: Aqua Security, Twistlock, Sysdig Secure, Anchore
Infrastructure Security tools: HashiCorp Vault, CyberArk, AWS Secrets Manager
Vulnerability Scanning tools: Tenable.io, Qualys, Rapid7 InsightVM
Security Information and Event Management (SIEM) tools: Splunk, Elastic Stack, QRadar
Compliance and Governance tools: Chef Compliance, Puppet Remediate
Identity and Access Management (IAM) tools: Okta, Ping Identity, Auth0
INCIDENT MANAGEMENT

An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
Incident management is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.
Incident management is reactive and its objective is to respond to and resolve issues, restoring normal service (as defined by the SLA) as quickly as possible.
Prioritization of incidents should be based on urgency and impact
Incident management focuses on providing continuity of service through the removal or reduction of the adverse effect of disruptions to IT services.
It is part of risk management, and it is a corrective control
Types of incidents
In terms of priority, an incident could be
◦ Negligible — causing no perceptible damage
◦ Minor — producing no negative financial or material impact
◦ Major — causing a negative material impact on business processes; possible effects on other systems, departments or outside stakeholders
◦ Crisis — resulting in serious material impact on the continued functioning of the enterprise and its stakeholders

In terms of the nature of the incident, an incident could be
◦ Cyberattack
◦ Theft of information
◦ Workplace accident
◦ Safety related
◦ Infection

Incident sources
◦ Malicious code attacks
◦ Hoaxes/social engineering
◦ Unauthorized access to IT or information sources
◦ Surveillance and espionage
◦ Unauthorized use of services or physical threats
◦ Unauthorized changes to systems, network devices or information
◦ DoS/DDoS attacks
Team formation
An incident management team and an incident response team should be formed with clear roles and responsibilities
Incident Management Team (IMT), Incident Response Team (IRT)
The IMT plays a more strategic role in developing the IRP and process, while the IRT deals with the actual incident
The IRT can be centralized, distributed, coordinating or outsourced
The IRT could include people with non-technical roles "HR, PR, Legal"
IRT members need to have a baseline of knowledge regarding security principles and key concepts
The IRT benefits from personal and communication skills such as reporting, communication, leadership, problem solving and time management
Training plans should be developed, and knowledge should be shared, as turnover is an enemy of IRT skills.

Incident response plan

The incident response plan should be prepared, signed and approved by the highest level of management
The incident response plan should support and integrate with the business; involvement of management in identifying critical processes and preparing the response procedures for them is a way to prove the alignment.
In the IRP, contact information, the communication plan and escalation guidelines, as well as a clear scope, should be documented and maintained.
Procedures should be made available to all relevant stakeholders
The IRP should be tested regularly to verify the assumptions and timelines
IRP testing starts with checklist review, then structured walkthrough and simulation
Incident management workflow

Preparation: Charter; Policies and procedures; Technology; Training; Awareness
Identification: Monitoring; Automated alerts; User feedback; Triage is very important
Containment: Network isolation; Shutdown; Close premises
Eradication: AV scanning; Remove the root cause; Evidence collection; Copy digital evidence bit by bit; Chain of custody
Recovery: Recover lost data from backup; Business continuity
Assessment: Review the activities performed; RCA; Lessons learned to be utilized to enhance controls or processes

The process of sorting, categorizing, prioritizing and assigning incoming reports/events is known as triage.

Digital Forensic investigation

Evidence should be collected in a way that preserves its integrity and the chain of custody.
Forensic investigation supports problem management; the aim of problem management is to detect the root cause and prevent recurrence
Any analysis of the evidence should be documented, tracked and recorded
When responsibility for protecting evidence passes between people, it should be officially documented to preserve the chain of custody.
Some containment/eradication methods may destroy the evidence "when you shut down a system, RAM content will be flushed out"
Investigators do not analyze the hard drive seized from the crime scene; instead they "CLONE" it bit by bit and do the analysis on the cloned evidence

Write protection tools (image slide)

Incident response training

The human factor is the greatest threat to an organization. Therefore, an ongoing awareness campaign is needed to reduce susceptibility to activities that may increase the risk of a security breach, such as phishing attacks or malicious websites.
Training leads to a better understanding of roles and responsibilities
A skills assessment is useful to determine whether the required expertise is available in the organization for the IRT.
INCIDENT RESPONSE PLAN TESTING
Testing helps identify gaps, validate timelines, evaluate overall performance and confirm the currency of the information and assumptions
Testing should be performed at regular intervals "at least annually"
Having a plan is different from ensuring the plan is working

INCIDENT RESPONSE PLAN TESTING

Checklist review
◦ Recovery checklists are reviewed to ensure they are current.

Structured walkthrough
◦ Team members walk through the plan on paper and review each step.

Simulation test
◦ The IRT role-plays prepared disaster scenarios without activating the recovery site.

Operational tests are similar to simulations, but when the test is unannounced, it is a different story...
◦ Unannounced testing can be disruptive, costly and risky, but it is the best way to reveal how ready the IRP team is; the highest level of management should approve such a testing method
Problem Management
The objective of problem management is to prevent the recurrence of an incident by identifying the root cause of the incident and taking appropriate preventive action.
The elements of problem management are investigation, in-depth analysis, root cause analysis, and addressing the issues identified during the root cause analysis.
To prevent the recurrence of an incident, it is important to conduct a root cause analysis and address the issues.
Problem management is a proactive process

Help desk and IT support

Help desk
The responsibility of the technical support function is to provide specialist knowledge of production systems to identify and assist in system change/development and problem resolution.
The basic function of the help desk is to be the first, single and central point of contact for users and to follow the incident management process
The help desk personnel must ensure that all hardware and software incidents that arise are fully documented and escalated based on the priorities established by management

Ticketing system
An IT ticketing system is a software application used by IT departments to manage and track customer or user-reported issues and requests.
When a user or customer reports an issue or requests assistance, the IT department creates a ticket in the system.
The ticket contains information about the issue, including its severity, priority, and any relevant details. The ticket is then assigned to a technician or support staff member who is responsible for resolving the issue.
The IT ticketing system allows the IT department to track the progress of each ticket from creation to resolution. It can also provide metrics and reports on the number of tickets created, the time taken to resolve each ticket, and other key performance indicators.
A source for manual reporting
Can be integrated with other tools to automatically create tickets
Triage is done by the help desk analyst
WHAT IS SOC?

Security operations centers

A Security Operations Center (SOC) is a centralized facility that houses a team of security professionals who are responsible for monitoring, detecting, analyzing, and responding to security incidents and threats in an organization's IT environment.
The SOC team uses a combination of technology, processes, and procedures to proactively identify and respond to security incidents. They monitor and analyze data from various sources, such as network and system logs, intrusion detection and prevention systems, firewalls, and other security tools, to identify potential security threats.
Once a security incident is detected, the SOC team investigates and analyzes the incident to determine its nature, scope, and impact. They then take appropriate action to contain and mitigate the incident, such as blocking network traffic, isolating affected systems, or applying security patches.
SOC ANALYST
SOC Technology Engineer is a specialized role within a security operations team that focuses on the technology and tools used to monitor and defend against security threats. This can include designing and implementing security information and event management (SIEM) systems, configuring intrusion detection and prevention systems (IDS/IPS), managing firewalls, and developing automated processes for incident response.
SOC L1 (Level 1) analysts are typically entry-level security professionals who are responsible for monitoring and triaging security alerts generated by security tools such as intrusion detection systems, firewalls, and anti-virus software. They investigate and escalate alerts that require further analysis to more experienced analysts or Level 2 analysts.

SOC analyst L2 and L3
SOC L2 (Level 2) analysts are more experienced security professionals who are responsible for investigating and analyzing security incidents that have been escalated by the L1 team. They use their expertise to determine the nature and extent of a security incident, assess its potential impact, and provide recommendations for remediation.
SOC L3 (Level 3) analysts are the most experienced members of the SOC team, responsible for handling the most complex and critical security incidents. They possess in-depth knowledge of advanced threat detection and response techniques and are capable of performing advanced analysis and reverse engineering to identify and mitigate sophisticated attacks.
INCIDENT RESPONSE SECURITY TOOLS

SIEM
SIEM stands for Security Information and Event Management. It is a software solution that provides real-time monitoring, correlation, and analysis of security events and alerts generated from a variety of sources in an organization's IT environment.
SIEM systems collect and analyze log data from various sources, such as firewalls, intrusion detection and prevention systems, endpoint security solutions, and other security tools.
The logs a SIEM receives can amount to terabytes; the SIEM indexes them and evaluates them based on the existing use cases configured by SIEM admins or
The system correlates events from these sources to identify potential security threats and alerts security analysts to investigate and respond to these threats.
SIEM systems use advanced analytics and machine learning algorithms to detect anomalies and identify patterns of behavior that may indicate a security incident.
SIEM COMPONENTS
Data sources
◦ A SIEM system collects data from various sources, including network devices, servers, firewalls,
intrusion detection and prevention systems, and other security tools. The data can include
logs, system events, network traffic, and other security-related data.

Data normalization
◦ To make sense of the different types of data collected from various sources, a SIEM system
normalizes the data by converting it into a standard format. This makes it easier to analyze the
data and detect security threats.

Correlation engine
◦ The correlation engine is a key component of a SIEM system that analyzes the collected data
and detects patterns or anomalies that could indicate a security threat. The engine uses rules
or algorithms to correlate events and generate alerts.
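Data normalization and the correlation engine described above, as an added example that is not from the slides or any SIEM product: two constructed log formats (sshd syslog lines, whose year is an assumption since syslog omits it, and a CSV export of Windows logon events with constructed hosts and addresses) are mapped onto one schema, and a rule then flags repeated failures from one source followed by a success.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample inputs (not real hosts). Linux sshd syslog lines carry no year,
# so the year is an assumption passed to the normaliser.
LINUX_SYSLOG = """\
Mar 12 09:14:02 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
Mar 12 09:14:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Mar 12 09:14:09 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Mar 12 09:14:15 web01 sshd[2204]: Accepted password for admin from 203.0.113.7 port 51240 ssh2
Mar 12 09:20:00 web01 sshd[2210]: Failed password for bob from 198.51.100.4 port 40000 ssh2
"""
# Constructed Windows logon events exported as CSV: time, EventID (4624 success, 4625 failure), account, source IP.
WINDOWS_CSV = """\
2024-03-12T09:30:01Z,4625,alice,192.0.2.9
2024-03-12T09:30:03Z,4625,alice,192.0.2.9
2024-03-12T09:30:04Z,4625,alice,192.0.2.9
2024-03-12T09:30:08Z,4624,alice,192.0.2.9
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_sshd(text, year=2024):
    """Map sshd syslog lines onto the common schema (year is assumed)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # other sshd messages; a real pipeline would keep them under another event type
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                       "outcome": "failure" if m["outcome"] == "Failed" else "success",
                       "source": "sshd"})
    return events


WIN_OUTCOME = {"4624": "success", "4625": "failure"}


def normalize_windows(text, host="dc01"):
    """Map Windows logon events (CSV export) onto the same schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip = [f.strip() for f in line.split(",")]
        if event_id not in WIN_OUTCOME:
            continue
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
                       "user": user, "src_ip": ip, "outcome": WIN_OUTCOME[event_id],
                       "source": "windows-security"})
    return events


def correlate_brute_force(events, threshold=3, window_s=60):
    """Rule: at least `threshold` failures from one source IP inside `window_s`
    seconds, followed by a success from that IP, raises one alert."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            # Drop failures that have fallen out of the sliding window.
            recent_failures = [t for t in recent_failures if (e["ts"] - t).total_seconds() <= window_s]
            if e["outcome"] == "failure":
                recent_failures.append(e["ts"])
            elif len(recent_failures) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "severity": "high",
                               "src_ip": ip, "user": e["user"], "host": e["host"],
                               "failures": len(recent_failures), "at": e["ts"].isoformat()})
                recent_failures = []
    return alerts


def run_pipeline():
    """Normalise both sources into one event list and run the correlation rule over it."""
    events = normalize_sshd(LINUX_SYSLOG) + normalize_windows(WINDOWS_CSV)
    return events, correlate_brute_force(events)


if __name__ == "__main__":
    _, found = run_pipeline()
    for alert in found:
        print(alert)
```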

SIEM COMPONENTS
Alert management:
◦ A SIEM system generates alerts based on the results of the correlation engine. The alerts are prioritized based on severity and sent to the security team for further investigation. The system can also automate responses to certain types of alerts.

Dashboard and reporting:
◦ A SIEM system provides a dashboard that displays real-time information about security threats and events. The dashboard can be customized to show different types of information, such as threat trends, top sources of alerts, and affected systems. The system can also generate reports for compliance and auditing purposes.

Forensics and incident response:
◦ A SIEM system provides tools for investigating security incidents and conducting forensic analysis. The system can store and analyze historical data to help identify the source and extent of a security breach.

NOTABLE SIEM VENDORS (logo slide)
FIM
FIM stands for File Integrity Monitoring. It is a security control that ensures the integrity and security of critical system files and directories by monitoring them for unauthorized changes or modifications.
FIM solutions work by creating a baseline of the critical files and directories on a system and then monitoring them for any changes. The baseline is typically created by taking a snapshot of the files and directories and their associated metadata, such as their size, date, and time stamps.
Any changes to these files or directories are then compared to the baseline to determine whether they are authorized or unauthorized.
FIM solutions can monitor files and directories on a wide range of systems, including servers, workstations, and network devices. They can also be configured to monitor specific file types, such as configuration files, system files, and application files.
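The baseline-and-compare mechanism described above, as an added example rather than code from any FIM product: it snapshots content hashes and metadata under a directory, records a digest of the baseline so that tampering with the baseline file itself is detectable, and classifies each difference. The directory contents are constructed inside a temporary folder.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Content hash plus the metadata the slide mentions (size, timestamp) and the mode bits."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime": int(st.st_mtime), "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root, suffixes=None) -> dict:
    """Snapshot every regular file under root (symlinks skipped). suffixes, e.g. {'.conf'},
    restricts the snapshot to specific file types, as the slide describes."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        if suffixes and p.suffix not in suffixes:
            continue
        baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def baseline_digest(baseline: dict) -> str:
    """Digest of the canonical baseline; keep it off-host so a tampered baseline file is detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def save_baseline(baseline: dict, out_path) -> str:
    Path(out_path).write_text(json.dumps(baseline, sort_keys=True, indent=1))
    return baseline_digest(baseline)


def load_baseline(path, expected_digest: str) -> dict:
    baseline = json.loads(Path(path).read_text())
    if baseline_digest(baseline) != expected_digest:
        raise ValueError("baseline file does not match its recorded digest")
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Classify each path as added, removed, content_changed or metadata_changed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "content_changed"))
        elif old["mode"] != new["mode"] or old["mtime"] != new["mtime"]:
            findings.append((rel, "metadata_changed"))  # e.g. permissions loosened, timestamp altered
    return findings


def demo() -> list:
    """Build a constructed tree, baseline it, apply four kinds of change and report the diff."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        helper = root / "bin" / "helper"
        helper.write_bytes(b"\x7fELF constructed placeholder")
        os.chmod(helper, 0o755)
        digest = save_baseline(build_baseline(root), Path(store) / "baseline.json")
        # Simulated events: config edited, allow-list deleted, new binary dropped, permissions loosened.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "bin" / "dropper").write_bytes(b"constructed")
        os.chmod(helper, 0o777)
        trusted = load_baseline(Path(store) / "baseline.json", digest)
        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    for rel, change in demo():
        print(f"{change:<17} {rel}")
```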

FIM ALERT (screenshot slide)

EDR
EDR stands for Endpoint Detection and Response.
It is a security solution that provides real-time monitoring and response capabilities for
endpoints such as desktops, laptops, servers, and mobile devices.
EDR solutions work by collecting data from endpoint agents and analyzing it for
indicators of compromise (IoCs) and suspicious behavior. The data collected includes
information about processes running on the endpoint, network connections, system
logs, and other endpoint-related data.
They can detect a wide range of threats, including malware, ransomware, phishing
attacks, and zero-day exploits.
EDR solutions provide a range of response capabilities, such as isolating the endpoint
from the network, quarantining files, and terminating malicious processes. They also
provide detailed forensic data to support incident investigation and response.

EDR vendors (logo slide)
NDR
NDR stands for Network Detection and Response.
It is a security solution that provides real-time monitoring and analysis of network
traffic to detect and respond to potential security threats.
NDR solutions analyze network traffic data, including flow data, packet data,
and protocol data, to identify potential threats such as malware infections,
network intrusions, and data exfiltration attempts.
NDR solutions can also provide automated response capabilities, such as
blocking malicious network traffic or isolating infected endpoints. They can also
provide detailed forensic data to support incident investigation and response.

NDR architecture (diagram slide)
XDR
XDR stands for Extended Detection and Response.
XDR provides advanced threat detection and response capabilities across multiple security domains, including endpoints, networks, cloud environments, and applications.
XDR solutions work by collecting and analyzing data across multiple security tools and domains to identify and correlate security events. This includes data from endpoint detection and response (EDR), network detection and response (NDR), and cloud security tools.
They provide a single, integrated view of security events across multiple domains. This allows security analysts to quickly identify and respond to security threats, regardless of where they originate.
XDR can also provide automated response capabilities, such as isolating infected endpoints, blocking malicious network traffic, and quarantining files.

XDR architecture (diagram slide)

SOAR
SOAR stands for Security Orchestration, Automation, and Response.
It is a term used to describe a set of technologies and practices that enable security teams to streamline and automate their incident response processes.
SOAR solutions typically provide the following capabilities:
◦ Orchestration: SOAR platforms enable security teams to coordinate and automate their incident response workflows across different tools and systems.
◦ Automation: SOAR platforms automate repetitive and manual tasks, such as gathering information about an incident, analyzing data, and containing threats.
◦ Response: SOAR platforms enable security teams to respond to incidents faster and more effectively by providing them with real-time insights into threats and automating actions to mitigate them.
How soar actually work?
Integration with security tools:
◦ SOAR integrates with a wide variety of security tools and systems, such as SIEMs, threat
intelligence feeds, endpoint detection and response (EDR) tools, and firewalls. This enables
SOAR to collect and analyze data from across an organization's security infrastructure.

Orchestration of incident response workflows:


◦ SOAR provides pre-built workflows and playbooks that enable security teams to orchestrate
their incident response processes across different tools and systems. Workflows can be
customized to fit an organization's specific needs.

Automation of repetitive tasks:


◦ SOAR automates repetitive and manual tasks, such as data enrichment, triage, and
containment. This frees up security analysts to focus on more high-level tasks.

480

How does SOAR actually work?


Collaboration and communication:
◦ SOAR provides a unified platform for collaboration and communication among security
teams. Analysts can work together on incidents, share information, and communicate in real-
time.

Reporting and analytics:


◦ SOAR provides reporting and analytics capabilities that enable organizations to
track their incident response performance over time.

481
Vulnerability scanners
Vulnerability scanners are tools that are used to identify security vulnerabilities in
software, operating systems, and other IT infrastructure components. These tools are
designed to scan systems and applications for known vulnerabilities, misconfigurations,
and other security issues.
Vulnerability scanners typically work by performing automated scans of the target
system or application, looking for common known vulnerabilities and misconfigurations.
This can include checks for unpatched software, weak passwords, open ports, missing
security updates, and other vulnerabilities that could be exploited by attackers.
Vulnerability scanners can be used by security teams to proactively identify and
remediate vulnerabilities before they can be exploited by attackers.
It is important to note that vulnerability scanners are not foolproof: they can produce
false positives or miss certain vulnerabilities, so they should be used in conjunction
with other security measures such as penetration testing and manual security
assessments.
482

Vulnerability scanners
Vulnerability scanning can be launched against a wide variety of systems, network
devices and endpoints.
The vulnerability assessment tool should always be up to date.
The best approach is the authenticated scan, in which you provide administrative
credentials for the targeted device so that the scanner logs in before scanning;
this gives better results.
Vulnerability scanning tools can also assess system configurations against a
hardening baseline such as the CIS Benchmarks, which helps security administrators
gain assurance that systems are hardened properly.
Examples: Tenable Nessus and Qualys

483
484

485
Threat intelligence
Threat intelligence is information that is used to identify and mitigate security
threats.
Threat intelligence can come from a variety of sources, both internal and
external to an organization, and can include information about known threats,
emerging threats, and potential vulnerabilities.
There are many types of threat intel, including open-source and commercial
solutions; threat intel can use the internal SIEM as a source of information or
come from collaboration with other organizations (special-interest groups).
Threat intelligence focuses on specific indicators of compromise (IOCs) or
tactics, techniques, and procedures (TTPs) used by threat actors.
Based on IOCs, the SOC can identify the type of malware, and based on TTPs the SOC
can identify the threat actor.

486

487
MITRE framework

488

Data backup

489
Backup
Data backup refers to the process of creating a copy of your important data and
storing it in a safe location as a precautionary measure against data loss.
It is a corrective/recovery control.
It protects against data loss due to various causes, such as hardware failure, cyber-
attacks, natural disasters, or human error.
It is important to establish a regular backup schedule based on the frequency of data
changes and the criticality of the data. For instance, a business might need to back up
data daily, while an individual might back up data weekly or monthly.
There are several backup methods, including local backup, remote backup, and
hybrid backup. Local backup involves storing backup data on a local device such as
an external hard drive, while remote backup involves storing data on remote servers
via the internet. Hybrid backup involves using both local and cloud backup methods.
490

Backup testing & media


Regularly testing the backup data is essential to ensure that the backup process is
working correctly, and the backup data is recoverable in case of a data loss event.
Having a recovery plan in place is crucial for efficiently recovering data in case of a
data loss event. The plan should include steps to follow, who to contact, and the tools
needed to recover data.
Regularly review the data backup jobs to make sure they are working.
Assess backup media cost and lifespan, their compatibility with a new backup solution,
and the retention period.
Consider the backup storage location and its security.
The backup schedule should avoid peak hours because of the impact of the backup process.

491
Backup types
Full Backup
◦ Copies all files and folders
◦ More time is needed to take the backup
◦ More resources are needed to store the backup
◦ Can be used for full restoration

Differential Backup
◦ Check when the last full backup was taken
◦ Take all new data since the last full backup (rely on the differential backup flag)
◦ The differential backup flag is a flag set on a folder that was changed since the last backup
◦ Backup software resets the differential backup flag once the backup is completed
◦ Requires the latest full backup to do a full restoration

Incremental Backup
◦ Check when the last backup "of any kind" was taken
◦ Take all new data since the last backup (rely on the incremental backup flag)
◦ After taking the backup, the incremental backup flag will be reset
◦ Fastest, and the smallest data size is required (depends on the delta)

492

Creating backup strategy


Identify critical data
Determine the Recovery Point Objective (RPO)
◦ What is RPO?
◦ RPO stands for Recovery Point Objective. It is a metric used in business continuity planning and disaster recovery to determine the maximum amount of data that an
organization can afford to lose in case of a data loss event.

Determine the backup frequency


Choose backup types
◦ Full at the beginning of each month
◦ Incremental every day or every N hours
◦ Differential every weekend
◦ Delete all incremental backups of last week
◦ Delete old differential
◦ Repeat
◦ Full at the beginning of the next month
◦ The steps are influenced by the local situation

Select the backup location


Test backups
Update backup strategy
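The rotation above, worked through as an added example (not part of the original slides): given a constructed schedule of one full backup, weekly differentials and daily incrementals, the code computes which backup sets a restore to a given date actually depends on, and how much data would be lost measured against an RPO. Dates, labels and the midnight backup time are constructed.

```python
"""Restore-chain and RPO check for the full / differential / incremental
rotation described on the slide. Added example, not from the CISA deck."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str           # "full", "differential" or "incremental"
    taken_at: datetime
    label: str


def restore_chain(backups, target):
    """Backups, in apply order, needed to restore to the state at `target`.

    Rules from the slide: a full backup restores alone; a differential needs
    the latest full taken before it; an incremental needs every backup since
    the latest full or differential that precedes it.
    """
    usable = sorted((b for b in backups if b.taken_at <= target),
                    key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup before target: restore impossible")
    base = fulls[-1]
    after_full = [b for b in usable if b.taken_at > base.taken_at]
    diffs = [b for b in after_full if b.kind == "differential"]
    chain = [base]
    start = base.taken_at
    if diffs:                 # the latest differential replaces the earlier incrementals
        chain.append(diffs[-1])
        start = diffs[-1].taken_at
    chain += [b for b in after_full
              if b.kind == "incremental" and b.taken_at > start]
    return chain


def data_loss_hours(backups, failure_at):
    """Data lost if the system fails at `failure_at`: hours since the newest
    backup of any kind. This is the quantity the RPO has to bound."""
    before = [b.taken_at for b in backups if b.taken_at <= failure_at]
    if not before:
        return None
    return (failure_at - max(before)).total_seconds() / 3600


def meets_rpo(backups, failure_at, rpo_hours):
    loss = data_loss_hours(backups, failure_at)
    return loss is not None and loss <= rpo_hours


def build_schedule(start, days):
    """Constructed sample schedule: full on day 1 (start of month),
    differential every Sunday, incremental every other day, all at midnight."""
    sched = [Backup("full", start, "FULL-01")]
    for d in range(1, days):
        day = start + timedelta(days=d)
        kind = "differential" if day.weekday() == 6 else "incremental"
        tag = "DIFF" if kind == "differential" else "INCR"
        sched.append(Backup(kind, day, f"{tag}-{d + 1:02d}"))
    return sched


# 2 September 2024 is a Monday, so the first differential falls on day 7.
SAMPLE = build_schedule(datetime(2024, 9, 2), 14)


def chain_labels_on(month, day, hour=12, year=2024):
    return [b.label for b in restore_chain(SAMPLE, datetime(year, month, day, hour))]


def can_restore_on(month, day, hour=12, year=2024):
    try:
        restore_chain(SAMPLE, datetime(year, month, day, hour))
        return True
    except ValueError:
        return False


def loss_hours_on(month, day, hour, year=2024):
    return data_loss_hours(SAMPLE, datetime(year, month, day, hour))


def rpo_ok_on(month, day, hour, rpo_hours, year=2024):
    return meets_rpo(SAMPLE, datetime(year, month, day, hour), rpo_hours)


if __name__ == "__main__":
    print("restore to 10 Sep:", chain_labels_on(9, 10))
    print("restore to 5 Sep: ", chain_labels_on(9, 5))
    print("loss at 10 Sep 18:00:", loss_hours_on(9, 10, 18), "hours")
```

Once the Sunday differential exists, the incrementals taken before it drop out of the restore chain, which is what makes the slide's "delete all incremental backups of last week" step safe.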
493
Storage types

494

Storage media
Hard Disk Drive (HDD)
◦ HDDs are the most common type of storage media for desktop and laptop computers. They
typically have read speeds of 100-200 MB/s and write speeds of 50-120 MB/s, although higher-
speed drives are available.

Solid-State Drive (SSD)


◦ SSDs are becoming more popular as prices have come down in recent years. They typically have
read speeds of 500-3500 MB/s and write speeds of 200-3000 MB/s, depending on the type and
quality of the drive.

USB Flash Drive


◦ USB flash drives are commonly used for portable data storage. They typically have read speeds of
10-200 MB/s and write speeds of 5-100 MB/s, depending on the quality and capacity of the drive.

External Hard Drive


◦ External hard drives are commonly used for backup and storage of large amounts of data. They
typically have read speeds of 100-200 MB/s and write speeds of 50-120 MB/s, although higher-
speed drives are available.

495
MEDIA TYPES

496

Storage solutions
Network Attached Storage (NAS)
◦ NAS devices are used for centralized storage and backup in small to medium-sized businesses.
They typically have read speeds of 100-1000 MB/s and write speeds of 50-500 MB/s,
depending on the number and type of drives used.

Storage Area Network (SAN)
◦ A specialized network architecture designed to provide high-speed access to block-level
storage devices, such as disk arrays, tape libraries, and other storage systems.
◦ Endpoints are connected to storage via the Fibre Channel protocol
◦ Storage devices in a SAN can provide storage for thousands of endpoints
◦ Each endpoint accesses its dedicated LUN (Logical Unit Number), a virtual storage
partition that appears at the endpoint as a normal drive partition
◦ SAN storage provides more advanced features than DAS and NAS

497
SAN vs NAS

498

Storage redundancy

499
Redundant array of inexpensive disks
Redundant Array of Inexpensive Disks (RAID) is a technology that allows multiple
hard disk drives to be combined into a single logical unit for data storage and
protection. RAID provides improved performance, fault tolerance, and data
redundancy for mission-critical applications.
A RAID controller is a hardware device that manages the configuration and
operation of a Redundant Array of Independent Disks (RAID) system.
The RAID controller is responsible for managing the disk array, including disk
striping, mirroring, parity calculations, and data recovery in case of a disk failure.

500

RAID types
RAID 0
◦ RAID 0 provides improved performance by striping data across multiple disks.
◦ Allows for faster data access and transfer.
◦ There is no redundancy, which means that if one disk fails, all data is lost.
RAID 1
◦ RAID 1 provides data redundancy by mirroring data across two disks.
◦ If one disk fails, the other disk can still be used to access the data
◦ Reduced storage capacity, as half of the available storage is used for redundancy.
◦ Only 1 disk can fail
RAID 5
◦ RAID 5 uses disk striping with parity to provide both improved performance and data redundancy.
◦ Data is striped across multiple disks, and parity information is stored on each disk.
◦ If one disk fails, the parity information can be used to rebuild the lost data.
◦ RAID 5 requires a minimum of three disks
◦ Only 1 disk can fail
◦ Provides increased storage capacity compared to RAID 1.
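Added example (not from the original slides) showing the RAID 5 mechanism in a few dozen lines of Python: data is striped across the disks with an XOR parity chunk that rotates between them, a single failed disk is rebuilt from the survivors, and a second simultaneous failure is shown to be unrecoverable. The left-symmetric parity rotation and the sample payload are assumptions.

```python
"""RAID 5 in miniature: stripe data with rotating XOR parity, lose a disk,
rebuild it, and show why a second failure is fatal. Added example, not from
the CISA deck; a left-symmetric parity rotation is assumed."""


def xor_bytes(chunks):
    """XOR equal-length byte strings together (the RAID 5 parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, n_disks, chunk=4):
    """Stripe `data` over n_disks (>= 3). Each stripe holds n_disks-1 data
    chunks plus one parity chunk; the parity disk rotates per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires a minimum of three disks")
    per_stripe = (n_disks - 1) * chunk
    data = data + b"\0" * (-len(data) % per_stripe)   # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        pieces = [stripe[k * chunk:(k + 1) * chunk] for k in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks
        parity = xor_bytes(pieces)
        it = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length):
    """Reassemble the original data from a healthy array."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n - 1 - s) % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Rebuild the failed disk (None in `disks`) from the survivors. Any chunk
    is the XOR of the other chunks in its stripe, data or parity alike."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise RuntimeError("more than one disk lost: RAID 5 cannot rebuild")
    rebuilt = [xor_bytes([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    healed = list(disks)
    healed[failed] = rebuilt
    return healed


def demo(payload=b"CISA Domain 4: RAID 5 tolerates exactly one failed disk.", n_disks=4):
    """Constructed scenario: one disk fails and is rebuilt; then two fail at once."""
    disks = raid5_write(payload, n_disks)
    one_lost = list(disks)
    one_lost[2] = None                                 # disk 2 fails
    recovered = raid5_read(raid5_rebuild(one_lost, 2), len(payload))
    two_lost = list(disks)
    two_lost[0] = two_lost[3] = None                   # second disk fails before the rebuild finishes
    try:
        raid5_rebuild(two_lost, 0)
        double_ok = True
    except RuntimeError:
        double_ok = False
    return {
        "single_failure_recovered": recovered == payload,
        "double_failure_recoverable": double_ok,
        "usable_fraction": (n_disks - 1) / n_disks,    # RAID 1 would give 0.5
    }


if __name__ == "__main__":
    print(demo())
```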

501
RAID 0, 1, 5

502

RAID types
RAID 6 (DP)
◦ RAID 6 is similar to RAID 5, but it uses two sets of parity information instead of one.
◦ This provides an additional level of data redundancy, as two disks can fail without losing any
data.
◦ RAID 6 requires a minimum of four disks
◦ Provides increased data protection compared to RAID 5
◦ Can absorb up to 2 drive failures
RAID 10 (1+0)
◦ RAID 10 combines disk striping and mirroring to provide both improved performance and
data redundancy.
◦ Data is striped across multiple disks, and each disk is mirrored to provide redundancy.
◦ RAID 10 requires a minimum of four disks
◦ Provides improved performance compared to RAID 5 and RAID 6.
◦ Can absorb the failure of up to half of the disks in an even-number implementation
(4, 6, 8, 12, 16, 20), as long as no mirror pair loses both of its disks

503
RAID 6, 10

504

Databases overview

505
What is a database?
A central repository for data, accessible by application servers and web servers.
Closely related to the Structured Query Language (SQL), a 4th-generation
programming language that is used to query data from databases.
A DB can be a SQL or a NoSQL (non-relational or "not only SQL") database.
SQL is used for financial applications and business intelligence applications.
NoSQL is used for big data and real-time applications such as chat and IoT applications.
SQL DBs are very common, and they are relational databases.
Relational database model
◦ Data and the relationships between data are organized in tables
◦ Tables consist of rows, and each row contains columns
◦ Rows are also known as tuples and columns are also known as domains or attributes
◦ Each row is unique, the values in a column are of the same type, and the order of rows is not important
506

Other Database structures


Hierarchical database model
◦ Parent-to-child relationship, tree-like structure
◦ 1 to many (1:N) mapping between records
◦ Represented by logical trees

Network database model


◦ Represented by a set
◦ A set is formed by owner + member + name
◦ A member can be an owner in another set
◦ A set can be 1:1 or 1:many
◦ Complex and rarely used; does not support high-level queries

507
Benefits of relational DB
Easier to understand and implement
Easier to convert from other data structure
Support projection and join operations
Easy to create new relations
Access control management is better
Integration with applications
Modification and updates are seamless
Normalization

508

Relational Database
Customer_ID Customer_Account Agent_ID
1224 4556 23
1225 4558 25

Customer_ID Last_Name First_Name Phone Account_Balance
1224 Vira Dyne 678-9987 1223.95
1225 Davies Tricia 556-3342 234.25

Agent_ID Last_Name First_Name Phone
23 Sturm David 334-5678
25 Long Kyle 556-3421

SELECT * FROM Customers;
DELETE FROM Customers;
DROP TABLE Customers;
INSERT INTO Customers (Customer_ID, Last_Name, First_Name, Phone, Account_Balance) VALUES (1226,
'ALEX', 'DAVE', '000-111-222', 1000.00);
UPDATE Customers SET Last_Name = 'EVAN' WHERE Customer_ID = 1226;

509
SQL command types
SQL is a language that is domain specific
There are two types of SQL commands
DDL stands for Data Definition Language. DDL commands are used to define the
structure of the database and the objects in it. Some examples of DDL
commands include CREATE, ALTER, and DROP.
DML stands for Data Manipulation Language. DML commands are used to
manipulate the data stored in the database. Some examples of DML commands
include SELECT, INSERT, UPDATE, and DELETE.

510

Primary and foreign key

511
Primary Key and Foreign Key
Primary key is the unique identifier for each record in the
table.
Primary key is used to join and combine data from two or
more tables.
Foreign key is a key in a table that refers to the primary key
in another table
Foreign key provides the assurance of referential integrity.
Any changes to the primary key must be applied to
associated foreign keys
Referential integrity refers to the integrity and correctness
of data in different tables

512

Data Integrity Testing


Relational integrity tests
Data validation routines performed at the data element and record-based
levels.
Referential integrity tests
Define existence relationships between entities in different tables of a database
that need to be maintained by the DBMS.
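The referential integrity the slides describe, demonstrated with the deck's customer and agent tables in an in-memory SQLite database (added example, not the slides' own code; the Agents table name, the Email alternate key and the sample row for customer 1226 are assumed). It shows what the DBMS rejects when foreign-key enforcement is on, and what silently goes wrong when it is off.

```python
"""Referential integrity between Customers and Agents, enforced by the DBMS.
Added example, not from the CISA deck; uses SQLite in memory."""
import sqlite3

# Column names follow the slide; the Agents table name and Email column are assumed.
SCHEMA = """
CREATE TABLE Agents (
    Agent_ID   INTEGER PRIMARY KEY,
    Last_Name  TEXT NOT NULL,
    First_Name TEXT NOT NULL,
    Phone      TEXT
);
CREATE TABLE Customers (
    Customer_ID     INTEGER PRIMARY KEY,
    Last_Name       TEXT NOT NULL,
    First_Name      TEXT NOT NULL,
    Phone           TEXT,
    Account_Balance NUMERIC NOT NULL CHECK (Account_Balance >= 0),
    Agent_ID        INTEGER NOT NULL REFERENCES Agents(Agent_ID)
                    ON UPDATE CASCADE ON DELETE RESTRICT,
    Email           TEXT UNIQUE          -- alternate key
);
"""


def open_db(enforce_fk=True):
    """Create the two tables and load the rows shown on the slide."""
    con = sqlite3.connect(":memory:")
    # SQLite only checks foreign keys when this pragma is on (it is off by default).
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Agents VALUES (?,?,?,?)",
                    [(23, "Sturm", "David", "334-5678"),
                     (25, "Long", "Kyle", "556-3421")])
    con.executemany("INSERT INTO Customers VALUES (?,?,?,?,?,?,?)",
                    [(1224, "Vira", "Dyne", "678-9987", 1223.95, 23, "dyne@example.com"),
                     (1225, "Davies", "Tricia", "556-3342", 234.25, 25, "tricia@example.com")])
    con.commit()
    return con


def try_exec(con, sql, params=()):
    """Run one statement in its own transaction; return (ok, error_message)."""
    try:
        with con:
            con.execute(sql, params)
        return True, None
    except sqlite3.IntegrityError as e:
        return False, str(e)


def referential_integrity_tests(enforce_fk=True):
    """Exercise the integrity rules the slide lists and report what the DBMS did."""
    con = open_db(enforce_fk)
    results = {}
    # Orphan child row: agent 99 does not exist.
    results["orphan_insert_rejected"] = not try_exec(
        con, "INSERT INTO Customers VALUES (1226,'Alex','Dave','000-111-222',1000.00,99,NULL)")[0]
    # Deleting a parent that still has children.
    results["parent_delete_rejected"] = not try_exec(
        con, "DELETE FROM Agents WHERE Agent_ID = 23")[0]
    # "Any changes to the primary key must be applied to associated foreign keys".
    try_exec(con, "UPDATE Agents SET Agent_ID = 33 WHERE Agent_ID = 23")
    results["customer_1224_agent"] = con.execute(
        "SELECT Agent_ID FROM Customers WHERE Customer_ID = 1224").fetchone()[0]
    # The alternate key stays unique whether or not foreign keys are enforced.
    results["duplicate_email_rejected"] = not try_exec(
        con, "INSERT INTO Customers VALUES (1227,'X','Y',NULL,10,25,'tricia@example.com')")[0]
    con.close()
    return results


if __name__ == "__main__":
    print("enforced:", referential_integrity_tests(True))
    print("not enforced:", referential_integrity_tests(False))
```

With enforcement off the orphan row is accepted, the referenced agent can be deleted, and customer 1224 keeps pointing at an agent that no longer exists, which is exactly the condition a referential integrity test is meant to catch.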

513
Candidate and alternate key
In database management systems, a key is a field or set of fields that uniquely identifies
a record in a table. A table can have multiple keys, and among them, one key is
designated as the primary key. In addition to the primary key, a table can have
alternate keys and candidate keys.
An alternate key is a key that is unique but not designated as the primary key. For
example, in a table of employees, the employee ID field might be the primary key, but
the employee email field might also be unique and could serve as an alternate key.
A candidate key is a key that is unique and could serve as the primary key, but is not
currently designated as such. In other words, a candidate key is an alternate key that
could be promoted to primary key status. For example, in a table of customers, both
the customer ID and the customer email might be unique and could serve as the
primary key, but one is designated as the primary key and the other is a candidate
key.
Only one primary key should exist.
514

DB management system

515
Database management system
A DBMS provides the facility to create and maintain a well-organized database
DBMS Aids in organizing, controlling and using the data needed by application
programs.
DBMS Primary functions include:
◦ Reduced data redundancy
◦ Decreased access time
◦ Basic security over sensitive data
◦ User management and authorization
◦ Data integrity

516

Data Normalization
The process of reducing duplicate data, and thus reducing data redundancy, is
known as normalization.
Redundancy may lead to more processing and query time, so it is undesirable.
Denormalizing data is the opposite of normalization.
If normalization is not configured in the DBMS, a justification needs to exist.
Deduplication
The technique is not only used in DBs, but also in storage platforms (SAN).
Normalization can also refer to standardization.

517
Metadata in databases

518

Metadata & data dictionaries


Metadata is data that describes the structure, organization, and contents of a
database. In other words, metadata provides information about the data stored in a
database, such as data types, field names, relationships between tables, and
constraints.
The Data Dictionary contains an index and descriptions of all the data stored in a
database. The dictionary describes the locations of the data and the access method, providing:
◦ Documentation and ease of use
◦ Standardizing programming
◦ Common validation criteria

519
Database metadata types
◦ Conceptual schema -> high-level structure and relationships of data in
DB
◦ External schema -> describes the views and access paths that are
available to users and applications accessing a database.
◦ Internal schema -> low-level, refers to the information that describes the
physical storage of the data in a database

520

Database security

521
A.C.I.D
ACID is an acronym that stands for
Atomicity, Consistency, Isolation, and
Durability.
It is a set of properties that guarantee
reliable and consistent transaction
processing in database systems.

522

Database Transaction Management
A transaction is a collection of operations that performs a single logical function
in a database application.
Transaction-management component ensures that the database remains in a
consistent (correct) state despite system failures
Concurrency-control manager controls the interaction among the concurrent
transactions, to ensure the consistency of the database

523
Db Security key controls
DB Logs should be forwarded to a remote server with restricted access
Default credentials have to be changed (Username/Password)
Access control and Authorization and Role-Based Access Control (RBAC)
Encryption for data in transit and at rest and for DB backup
Patch Management and implement the latest security updates
Database backup and recovery
Database activity monitoring to monitor the usage pattern and detect abnormal
activities
From the application side, ensure database connection strings are secured and
apply credentials rotation whenever applicable.

524

Database administrator
DBA is responsible for database administration and maintenance
DBA should not be an administrator on the DB server
DBA should not be able to install additional software on the DB server
DBA should not have an end-user role or entry or approver
DBA should not be responsible for DB Security monitoring
DBA should always use a unique account to access the DB, and access it only through
an authorized DBMS
DB Access should be using strong authentication (multifactor authentication)
Most organizations adopt the Privileged access management server which
provides the ability to perform session recording

525
Database resiliency

526

DATABASE RESILIENCY
What is database resiliency?
Electronic vaulting
◦ Transfer data from the primary database to a secondary, offsite location for safekeeping and
disaster recovery purposes.

Remote journaling
◦ Create a journal, or log, of all database transactions at a remote location.
◦ This journal is then used to recover the database in the event of a failure or disaster.

Remote mirroring (Synchronization)


◦ Create a mirrored copy of a database at a remote location.
◦ This mirrored copy is then used to provide redundancy and high availability in the event of a
failure or disaster.

527
Types of data synchronization
Synchronous mirroring
◦ Changes made to the primary database are immediately replicated to the remote copy
before the transaction is committed.
◦ Requires very low latency

Asynchronous mirroring
◦ Changes made to the primary database are replicated to the remote copy with a delay,
after the transaction is committed.
◦ Can be used if the synchronous option is not available and latency is high; replication can
be triggered by the number of transactions committed to ensure efficient bandwidth use.
◦ If we get 1000 transactions in 1 minute, we will transmit

Snapshot mirroring
◦ Periodic sync to a remote location, for example every hour
◦ Could lead to more data loss: if we get 1000 transactions within the hour, they are only
transmitted at the next snapshot, so they are lost if the primary fails before then
528

Clark-Wilson security model

529
Clark-Wilson security model
• The Clark-Wilson model is a security model that is
used to ensure integrity and confidentiality
• Subject + Program/transaction + Object
• Requires an intermediate program or restricted interface
between Subject and Object
• A practical example is a DBMS
• Key principles
• Well-formed transactions
• Separation of duties
• Least privilege
• Auditing
• Integrity verification
530

Clark-Wilson security model


Constrained data item (CDI)
◦ Any data item whose integrity is protected
Unconstrained data item (UDI)
◦ Any data item that is not controlled/protected
Integrity verification procedure (IVP)
◦ A procedure that scans data items and confirms their
integrity
Transformation procedures (TPs)
◦ The only procedures allowed to modify a CDI

531
Clark-Wilson model in practice
A practical example of the Clark-Wilson model in action could be a financial system
that allows authorized users to enter and modify transactions, while at the same time
ensuring that the data is protected from unauthorized modification or access.
The data entry clerk would be responsible for entering transaction data into the
system but would not have the ability to approve or modify transactions.
The transaction approver would be responsible for approving or rejecting
transactions but would not have the ability to enter or modify transaction data.
The system administrator would have the ability to create and delete user accounts
but would not have access to the transaction data itself.
An auditor would be responsible for monitoring and tracking all system activities,
including user access and modifications to transaction data.
In addition to that, all transactions should be well-formed, audited and a mechanism
in place to ensure data integrity.
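The financial system described above, encoded as an added Python example (not from the original slides): clerks, approvers, an administrator and an auditor are bound to the ledger (the CDI) through access triples and transformation procedures, the enterer of a transaction can never approve it, and an IVP catches a change made outside the TPs. Names, roles and amounts are constructed.

```python
"""Clark-Wilson applied to the financial system on the slide: roles, access
triples, transformation procedures (TPs), a constrained data item (CDI) and
an integrity verification procedure (IVP). Added example, not from the CISA
deck; names, roles and amounts are constructed."""
from dataclasses import dataclass, field


class IntegrityViolation(Exception):
    """Raised when a subject tries something the access triples forbid."""


@dataclass
class Ledger:
    """The CDI. Only the TPs below are allowed to change it."""
    pending: dict = field(default_factory=dict)   # txn_id -> (amount, entered_by)
    posted: dict = field(default_factory=dict)    # txn_id -> amount
    balance: float = 0.0
    audit_log: list = field(default_factory=list)


# Access triples (role, TP): who may run which TP against the ledger.
# The admin manages user accounts and has no TP that touches transaction data.
ACCESS_TRIPLES = {
    ("clerk", "enter_transaction"),
    ("approver", "approve_transaction"),
    ("auditor", "read_audit_log"),
}


def authorize(user, tp):
    if not any((role, tp) in ACCESS_TRIPLES for role in user["roles"]):
        raise IntegrityViolation(f"{user['name']} may not run {tp}")


def enter_transaction(ledger, user, txn_id, amount):
    """TP: turn clerk input (a UDI) into a well-formed pending transaction."""
    authorize(user, "enter_transaction")
    well_formed = (isinstance(amount, (int, float)) and amount > 0
                   and txn_id not in ledger.pending and txn_id not in ledger.posted)
    if not well_formed:
        raise IntegrityViolation(f"{txn_id}: malformed or duplicate transaction")
    ledger.pending[txn_id] = (float(amount), user["name"])
    ledger.audit_log.append(("enter", txn_id, user["name"]))


def approve_transaction(ledger, user, txn_id):
    """TP: post a pending transaction. Separation of duties: whoever entered
    it may not approve it, even if they also hold the approver role."""
    authorize(user, "approve_transaction")
    if txn_id not in ledger.pending:
        raise IntegrityViolation(f"{txn_id}: nothing pending")
    amount, entered_by = ledger.pending[txn_id]
    if entered_by == user["name"]:
        raise IntegrityViolation(f"{txn_id}: enterer cannot approve own entry")
    del ledger.pending[txn_id]
    ledger.posted[txn_id] = amount
    ledger.balance += amount
    ledger.audit_log.append(("approve", txn_id, user["name"]))


def ivp(ledger):
    """IVP: the posted transactions must explain the balance exactly."""
    return abs(sum(ledger.posted.values()) - ledger.balance) < 1e-9


def denied(action):
    """True if running `action` raises an IntegrityViolation."""
    try:
        action()
        return False
    except IntegrityViolation:
        return True


def demo():
    ledger = Ledger()
    clerk = {"name": "dana", "roles": {"clerk"}}
    approver = {"name": "sam", "roles": {"approver"}}
    both = {"name": "ola", "roles": {"clerk", "approver"}}
    admin = {"name": "root", "roles": {"admin"}}
    out = {}
    enter_transaction(ledger, clerk, "T1", 250.0)
    approve_transaction(ledger, approver, "T1")
    out["balance_after_T1"] = ledger.balance
    out["clerk_cannot_approve"] = denied(lambda: approve_transaction(ledger, clerk, "T1"))
    out["admin_cannot_enter"] = denied(lambda: enter_transaction(ledger, admin, "T2", 5.0))
    out["negative_amount_rejected"] = denied(lambda: enter_transaction(ledger, clerk, "T2", -5.0))
    enter_transaction(ledger, both, "T3", 100.0)
    out["self_approval_blocked"] = denied(lambda: approve_transaction(ledger, both, "T3"))
    approve_transaction(ledger, approver, "T3")
    out["balance_after_T3"] = ledger.balance
    out["ivp_clean"] = ivp(ledger)
    ledger.balance += 5.0          # a direct write that bypasses every TP
    out["ivp_detects_tamper"] = not ivp(ledger)
    return out


if __name__ == "__main__":
    print(demo())
```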

532

Endpoint security

533
Endpoints
Laptops, desktops, mobile devices
Endpoints are often used by employees to access corporate networks,
communicate with customers and partners, and store sensitive information.
The most vulnerable entry points for cyber attackers to gain unauthorized access
to an organization's network and sensitive data.
Very large in number
Can be remote
Trusted by default … (well in most cases)

534

Why is endpoint security a big concern?
Increased Attack Surface
◦ Makes it easier for cyber attackers to find vulnerabilities and gain access to sensitive
data.
Remote Workforce
◦ With employees accessing the corporate network from outside the office, the risk of
cyber-attacks has increased significantly.
◦ Over VPN connections, malware can reach the corporate network
Advanced Threats
◦ Threat actors use advanced threats that mainly target end-users, such as malicious
Office files delivered through social engineering
Consequences are bad
◦ Data breach, reputation damage, lawsuits

535
Security practices for end-user devices
Patch Management and installation of OS & Application patches regularly
Use approved Operating systems only
Use the approved corporate-owned device to access the corporate network
Install only approved software and restrict the ability of end-users to install software by
themselves
Encryption, especially of the hard drive at the storage level, can protect data if the device
is lost
Require users to use strong passwords and change passwords regularly
Send Endpoint logs to an external location
Centrally manage the endpoint devices (Active directory domain)
Install Endpoint protection platform and device control
Digital watermark through group policy
Restrict Internet Access (Business needs)
536

Security practices for end-users


Establish a clear desk policy
Establish the acceptable use policy
User awareness training
Securely wipe data from hard drives
Use mobile device management (MDM) for mobile devices
Lock the workstations with a padlock
Make sure all of the assets are registered in the inventory system and do regular reviews
for the assets

537
Clear desk policy
A clear desk policy is a set of rules and guidelines that require employees to keep their
workspaces clean, organized, and free of confidential or sensitive information when
they are not present.
The policy aims to reduce the risk of sensitive information being lost, stolen, or accessed
by unauthorized individuals.
A clear desk policy typically includes the following requirements:
✓No confidential information should be left on desks or in open view.
✓All documents and files should be stored securely when not in use.
✓Computer screens should be locked or turned off when employees are away from their desks.
✓All removable media, such as USB drives, CDs, or DVDs, should be stored securely.
✓Desks and workspaces should be cleared at the end of each workday.
✓No food or drinks should be left on desks.

538

Acceptable use policy


An acceptable use policy (AUP) is a set of rules and guidelines that define what
is and is not acceptable behavior for employees when using an organization's
computer systems, networks, and other IT resources.
The purpose of an AUP is to ensure that employees use these resources
responsibly and in a way that protects the organization from security risks and
legal liabilities.
Components of AUP Policy
◦ Scope
◦ Acceptable use and non-acceptable use
◦ Consequences
◦ Acknowledgement

539
Endpoint security software

540

End user security controls


Antivirus or Antimalware – AV Agent (Signature-based)
Endpoint Detection and Response – EDR Agent (Detection / Behavioral / Response)
Host-based Firewall or micro-segmentation software
Data loss prevention software agent – DLP Agent
Application whitelisting
Device Control Software
Patch management and application deployment software agent
Data classification software agent
Digital rights management agent – DRM Agent
Encryption software agent
Network Access Control Agent – NAC Agent

541
Endpoint Protection Platform software
Every additional software agent will impact system performance (footprint
effect).
An endpoint protection platform is a single piece of software that combines many features, such as:
Antivirus
Integration with a sandbox (a closed environment to test suspicious files)
Host-based IPS & Firewall
Device control
Application whitelisting
Web control

542

Endpoint protection design example

543
Endpoint protection console

544

An overview of secure IT network components

545
[Network diagram: secure IT network components. External connections: Business Partners via Extranet, Other Branches via Intranet, Internet, Cloud Email, Cloud-based File Sharing, Secure Access Service Edge, VPN. Edge devices: NIPS, Firewall, Gateway, URL filter. Internal zones separated by least-privilege ACLs/firewall rules: App Zone, DB Zone, Backup Zone (Backup Servers, Backup DB), User zone (desktops/laptops with EPP, HIPS, encryption, device control, NAC, MAC filter or URL filter, VLANs, wireless WPA2/Enterprise), IT Services (EPP central server, security updates, log aggregation, GPO/Active Directory, DNS, DHCP, NTP).]
546

Introduction to IT networks

547
Computer network
A computer network is a group of devices connected to each other through any type
of medium (wired or wireless).
The purpose of a network connection is to share a common resource or to
exchange information (file sharing, business-to-business, email, e-learning).
The first computer network was the ARPAnet; it started operating in October 1969
between two US research institutes, marking the birth of the internet.
ARPAnet transformed to use TCP/IP in 1983.
TCP/IP is the basis of modern networks.
In TCP/IP networks, the IP address is the logical address of a device.

548

Client-Server Architecture

Network components

549
Types of networks
Local Area Network - LAN
Campus Area Network – CAN or Metropolitan Area Network - MAN
Wide Area Network – WAN
Virtual Private Network – VPN
Intranet – Local network of company branches connected through WAN or VPN
Extranet – network with partners and other businesses connected through WAN
or VPN or Internet
Internet – Global network with customers and other entities

550

LAN, CAN, WAN

Network Type: Speed / Range
LAN: Very High / Small
CAN: High / As far as you can reach
WAN: Limited / As far as the service provider can reach

551
Network topologies

552

Network topologies
Bus topology
Ring Topology
Star Topology
Partial Mesh Topology
Full Mesh Topology
Not all these topologies are related to LAN only, but also
WAN connection topologies can adopt this model

553
554

Comparing network topologies

Network Topology: Delay / Reliability / Complexity / Security / Cost
BUS: Very High / Very Low / Very Low / Very Low / Very Low
RING: High / Low / Very Low / Low / Very Low
STAR: Low / High / High / Average / High
MESH: Very Low / Very High / Very High / Very High / Very High

555
OSI Model

556

TCP/IP Model

557
Physical Layer (Layer 1) - 558 -

The physical layer concerns the physical interface between devices
and the rules by which bits are passed between devices.
◦ Mechanical, Electrical, Functional, Procedural
◦ The physical layer has two responsibilities: sending and receiving bits.
Examples of Cabling:
◦ Twisted Pair
◦ Coaxial Cable
◦ Fiber Optical

(Sidebar shown on this and the following slides: OSI Reference Model: Application, Presentation, Session, Transport, Network, Data-Link, Physical)

Network Cabling
Twisted Pair Cabling
◦ Inexpensive and very easy to install
◦ Consists of two copper wires twisted together, which reduces electrical
interference. Can be shielded or unshielded.
◦ Shielded is more expensive but has less crosstalk and is more resistant to EMI.
◦ Can be used for analog or digital transmissions.
◦ Can be used up to 100 Mbps
Six levels:
◦ Category 1: Analog and digital voice
◦ Category 2: ISDN and medium-speed data up to 4 Mbps
◦ Category 3: High-speed data and LAN traffic up to 10 Mbps
◦ Category 4: LAN traffic up to 16 Mbps
◦ Category 5: 100-Mbps UTP LAN technologies
◦ Category 5e: Enhanced performance spec. for CAT5
◦ Category 6: Gigabit Ethernet (1000-Mbps) and 10-Gigabit Ethernet

559
Network Cabling
Coaxial Cable
◦ Provides a good combination of high bandwidth and excellent noise
immunity but is more expensive.
◦ Two transmission methods are Baseband and Broadband.
◦ Baseband carries only a single channel.
◦ Broadband carries multiple channels, i.e. video, voice and data.
Fiber Optics
◦ Fiber optic cable carries signals as light waves, creating higher transmission
speeds and greater distances.
◦ Very difficult to tap and is the most resistant to interference.
◦ Usually reserved for connections between backbone and devices in large
networks.

560

Network Cabling - 561 -

Thicknet Coax
◦ Max distance: 500 meters; bandwidth: 10 Mbps
◦ Advantages: Less susceptible to EMI than other copper media.
◦ Disadvantages: Difficult to work with and expensive.

Thinnet Coax
◦ Max distance: 185 meters; bandwidth: 10 Mbps
◦ Advantages: Less expensive than Thicknet or fiber; easy to install.
◦ Disadvantages: Limited bandwidth, limited application, damage to cable can bring down the network.

Shielded Twisted Pair (STP)
◦ Max distance: 100 meters; bandwidth: 10 Mbps
◦ Advantages: Reduced cross talk. More resistant to EMI than UTP and thinnet.
◦ Disadvantages: More difficult to work with and more expensive than UTP.

CAT 3 UTP
◦ Max distance: 100 meters; bandwidth: 10 Mbps
◦ Advantages: Least expensive of all media.
◦ Disadvantages: Limited bandwidth, used primarily for voice.

CAT 5 UTP
◦ Max distance: 100 meters; bandwidth: 100 Mbps
◦ Advantages: Easy to use and widely available.
◦ Disadvantages: Susceptible to interference, can only cover a limited distance.

Fiber – Multimode
◦ Max distance: 2 kilometers; bandwidth: 100 Mbps – 100 Gbps
◦ Advantages: Support multiple transmissions, covers great distances, difficult to tap.
◦ Disadvantages: Expensive and difficult to terminate.

RF Network – Microwave
Microwaves are electromagnetic waves:
◦ Frequencies: 300MHz – 300GHz
◦ Includes: ultra high frequency (UHF), super high frequency (SHF), and extremely high frequency (EHF).
◦ Wave lengths: 1 mm to 1 meter
Usually used for:
◦ Wide area communications: Satcom, TV broadcasts, etc.
◦ Metropolitan area communications: IEEE 802.16 (WiMAX), cellular communications
◦ Local area communications: IEEE 802.11 a/b/g, etc.
◦ Personal area communications: Bluetooth
Line of sight (LOS) communication technology
◦ Signal relay over long distance: land, sea, space.
◦ Operating constraints: ice, snow, heavy rain, dust storms, solar flares, strong electro-
magnetic interference (EMI), high altitude electro-magnetic pulse (HEMP), etc.

562

RF Network – IEEE 802.11


IEEE 802.11a
◦ Operates in the “open” 5 GHz band
◦ Uses 52-subcarrier orthogonal frequency-division multiplexing (OFDM)
◦ Maximum data rate of 54 Mbps
◦ Usually used as line-of-sight (LOS) RF communication, because of poor multi-path capability (5 GHz band)
IEEE 802.11b/g
◦ Operates in the “open” but heavily used 2.4 GHz band (shared with e.g. cordless phones, Bluetooth, microwave ovens, etc.)
◦ Better multi-path capability (i.e. reflection)
◦ 802.11b: 11 Mbps and 802.11g: 54 Mbps
◦ 802.11b uses direct-sequence spread spectrum (DSSS, a variation of CDMA)
◦ 802.11g uses OFDM, so it is just as fast as 802.11a

Reference: http://en.wikipedia.org/wiki/Wi-Fi


RF Network – Bluetooth
Bluetooth is an RF network communications protocol designed primarily for low power consumption
◦ Operates in the open 2.4GHz band
◦ Uses frequency-hopping spread spectrum (FHSS)
◦ Bluetooth operating range is based on three power classes:

Class | Maximum Power mW (dBm) | Range (approximate)
Class 1 | 100 mW (20 dBm) | ~ 100 meters
Class 2 | 2.5 mW (4 dBm) | ~ 10 meters
Class 3 | 1 mW (0 dBm) | ~ 1 meter

◦ Data rate varies:
◦ Bluetooth 1.2: 1 Mbit/sec.
◦ Bluetooth 2.0 + EDR: 3 Mbit/sec.
◦ Usually used for personal area network (PAN) devices:
◦ Hands-free headsets for cell phones, mice, keyboards, and printers
◦ Game consoles: Nintendo Wii, Sony PlayStation 3

Reference: http://en.wikipedia.org/wiki/Bluetooth

OSI Reference Model – Data-Link Layer
Data-link layer defines the protocol that computers must follow in order to access the network for transmitting and receiving messages.
◦ Protocols that control LAN transmission are:
◦ MAC (Media Access Control)
◦ LLC (Logical Link Control)
Media Access Control (MAC)
Data-Link layer addressing, or a physical hardware address (MAC), is a unique address that is burned into each NIC card by the manufacturer
◦ The hardware address is a 48-bit address expressed as 6 bytes. The first 3 bytes are the vendor code and the second 3 bytes are the serial number assigned by the manufacturer
◦ The MAC sub-layer is responsible for media access. It controls how the workstations communicate over the network.
◦ There are generally three types of media access:
◦ Carrier Sense Multiple Access (CSMA)
◦ Token Passing
◦ Polling

MAC address structure:
24 Bits (3 Bytes) – Vendor Code, example: 00-0F-1F
24 Bits (3 Bytes) – Serial Number, example: C1-21-B8
MAC Address of a NIC: 00-0F-1F-C1-21-B8

Logical Link Control (LLC)
The Logical Link Control (LLC) sub-layer runs between the network layer and the MAC sub-layer
Enables the network layer and physical layer to act independently. The network layer uses IP addresses and the physical layer uses MAC addresses
Media Access Methods
Three types of media access methods are used by packets to access the physical network medium:
Carrier Sense Multiple Access (CSMA)
◦ Carrier Sense: When an internetworking device is connected to a network, it first checks to make sure the network interface has a carrier on which to send its data
◦ Multiple Access: All internetworking devices on the network are free to use the network whenever they like so long as no one else is transmitting
◦ With Collision Avoidance (CSMA/CA)
◦ With Collision Detection (CSMA/CD)
Polling
Token Passing

CSMA/CD
Carrier Sense Multiple Access with Collision Detection (CSMA/CD).
◦ Requires that all devices on the LAN listen before they transmit. This contention method is often known as Ethernet
◦ If two devices transmit at the same time, a collision occurs
◦ After the collision, devices on the LAN will wait a random amount of time before retransmitting data
CSMA/CA
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
◦ CSMA/CA is a network contention protocol that listens to a network in order to avoid collisions
◦ Contributes to network traffic because, before any real data is transmitted, it has to broadcast a signal onto the network in order to listen for collision scenarios and to tell other devices not to broadcast
◦ Example of CSMA/CA is IEEE 802.11b RF Network

WAN Devices
Modem
◦ A device that interprets digital and analog signals, enabling data
to be transmitted over voice-grade telephone lines
Channel Service Unit/Digital Service Unit (CSU/DSU)
◦ A digital-interface device used to connect a router to a digital
circuit like a T1. The CSU/DSU also provides signal timing for these
two devices
Multiplexer (MUX)
◦ MUX allows more than one signal to be sent out simultaneously
over a physical circuit
WAN Switch
◦ An internetworking device used in carrier networks. This device
typically operates at the data-link layer
Access Server
◦ A concentration point for dial-in and dial-out connections.
WAN Devices
Gateway
◦ Allows different types of networks to communicate
◦ Three main types of gateways are: address, protocol, and application
◦ Example: Gateway between RF and IP, Infrared and IP, etc.

Multi-Service Switch
◦ Layer 2/3 devices that provide interoperability between data-link and network layers
◦ Example:
◦ WAN: MPLS (Multi-protocol Label Switching)
◦ LAN: RSM (Route/Switch Module)

Routers
◦ Devices that operate at the network layer of the OSI model
◦ A LAN or WAN device that determines the best path to send network traffic based on costs and other network information
◦ A router also has to share information with other routers (static or dynamic routing)

LAN Devices
Repeaters (Layer 1)
◦ Repeats electrical/radio signals to extend the length of the network

Hubs (Layer 1)
◦ Hubs are a central point of connection for cable segments in a physical star topology

Bridges (Layer 2)
◦ Bridges are intermediate systems, or switches, that forward MAC frames to destinations based on
MAC addresses

Switches (Layer 2 + Layer 3)
◦ Essentially multi-port bridges that function at the data link layer. Each port of the switch makes a decision to forward data packets to the attached network based on MAC addresses that map to IP addresses (i.e. ARP table)
◦ Each port on a switch is a separate collision domain, reducing traffic on the network
Virtual Local Area Network (VLAN)
VLANs
◦ A VLAN allows ports on a switch to be grouped into a single broadcast domain. This allows devices to be logically configured as if they are on the same network without regard to their physical location

Why Use a VLAN?
◦ Performance – In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations
◦ Formation of Virtual Workgroups – contain broadcasts and multicasts within the workgroup
◦ Simplified Administration – 70% of network costs are a result of adds, moves, and changes of users in the network
◦ Reduced Costs and Improved Security – Reduces and limits broadcasts

Virtual Local Area Network (VLAN)
VLAN membership can be classified by port, MAC address, and protocol type
◦ Membership by Port – The main disadvantage of this method is that it does not allow for user mobility. If a user moves to a different location away from the assigned VLAN, the network manager must reconfigure the VLAN
◦ Membership by MAC Address – The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task
◦ Membership by Protocol Type – The network IP subnet address can be used to classify VLAN membership; users can move their workstations without reconfiguring their network addresses. The only problem is that it generally takes longer to forward packets using Layer 3 information than using MAC addresses
◦ VLAN membership can also be based on application or service, or any combination

Reference: IEEE STD 802.1Q, Virtual Bridged Local Area Networks, 2006.
Network Layer
Network layer is responsible for the addressing and delivery of packets
◦ Knows the address of the neighboring nodes in the network
◦ Packages output with the correct network address information
◦ Selects routes
◦ Recognizes and forwards to the transport layer incoming messages for local host domains
◦ Example: Internet Protocol (IP) and Netware

TCP/IP
DoD created TCP/IP to provide robust communication during wartime
The TCP/IP protocol suite is the standard for computer communications in today's networked world

OSI Reference Model vs. TCP/IP Protocol Architecture (figure):
Application, Presentation, Session → Application Layer
Transport → Host-to-Host Transport Layer
Network → Internet Layer
Data-Link, Physical → Network Access Layer

The Internet Layer corresponds to the OSI network layer and contains:
◦ Addressing information
◦ Control information that enables packets to be routed
◦ ICMP – Provides control and messaging capabilities
◦ ARP – Determines the MAC address for a known IP address
◦ Reverse ARP – Determines the IP address from a known MAC address
Structure of an IP Packet

It is all about the “structured” encapsulation of data…

IPv4 header (32-bit words; bit positions 0–31):
Word 1: Version | IHL | Type of Service | Total Length
Word 2: Identification | Flags | Fragmentation Offset
Word 3: Time to Live | Protocol | Header Checksum
Word 4: Source Address
Word 5: Destination Address
Word 6: Options | Padding
Data begins here...

Encapsulation as data is sent down the stack (headers are stripped again on receive):
Application Layer: Data
Transport Layer: Header | Data
Internet Layer: Header | Header | Data
Network Access Layer: Header | Header | Header | Data
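An added example, not from the slides: parsing the IPv4 header laid out above with Python's struct module and verifying the Header Checksum field, which is how a receiving host detects a header corrupted in transit. The builder function, the function names and the sample addresses are constructed for the demonstration.

```python
import struct

# Fixed 20-byte part of the IPv4 header (RFC 791), network byte order:
# Version/IHL, ToS, Total Length, Identification, Flags+Fragment Offset,
# TTL, Protocol, Header Checksum, Source Address, Destination Address
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"


def ip_to_bytes(addr: str) -> bytes:
    """Dotted-quad string -> 4 bytes."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % addr)
    return bytes(octets)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of all 16-bit words. Over a header whose checksum field is zero it yields
    the value to store; over a complete, intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol=17, ttl=64,
                      ident=0x1234, options=b""):
    """Constructed helper: build a valid header so the parser has
    self-consistent input (options padded to a 32-bit boundary, DF set)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack(IPV4_HEADER_FMT, (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      ident, 0x4000, ttl, protocol, 0,
                      ip_to_bytes(src), ip_to_bytes(dst)) + options
    # checksum is computed over the header with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields word by word and report whether the checksum holds."""
    if len(data) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_HEADER_FMT, data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the minimum of 5 words" % ihl)
    hlen = ihl * 4                          # IHL counts 32-bit words
    if len(data) < hlen or total_len < hlen:
        raise ValueError("header length %d inconsistent with packet" % hlen)
    return {
        "version": version, "ihl": ihl, "header_len": hlen, "tos": tos,
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000),    # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),    # More Fragments flag
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        # an intact header sums to 0xFFFF, whose complement is 0
        "checksum_ok": ipv4_checksum(data[:hlen]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": data[20:hlen],
    }
```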

IP Addressing (IPv4)
Internet Protocol Addresses (IPv4)
◦ 32-bit IP addresses are logical addresses and not physical
◦ Includes a network ID and a host ID
◦ Every host must have a unique IP address
◦ IP addresses are assigned by a central authority

Address classes (leading bits of the first octet in parentheses):
Class A (0): 1.0.0.0 – 127.255.255.255
Class B (10): 128.0.0.0 – 191.255.255.255
Class C (110): 192.0.0.0 – 223.255.255.255
Class D (1110): 224.0.0.0 – 239.255.255.255 (Multicast)
Class E (11110): 240.0.0.0 – 254.255.255.255 (Experimental)

IP Addressing (IPv4) – NAT
Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IP address. (RFC 3022)
◦ The increased use of NAT comes from several factors:
◦ Shortage of IP addresses
◦ Security needs
◦ Ease and flexibility of network administration
◦ RFC 1918 reserves the following private IP addresses for NAT:
◦ Class A: 10.0.0.0 – 10.255.255.255
◦ Class B: 172.16.0.0 – 172.31.255.255
◦ Class C: 192.168.0.0 – 192.168.255.255

Reference: RFC 1918, Address Allocation for Private Internets
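An added example, not from the slides: classifying an IPv4 address by the leading bits of its first octet (the class table above) and testing it against the RFC 1918 private ranges, which is the check a NAT gateway or a firewall-rule reviewer applies to decide whether an address is routable on the Internet. The classful default prefix lengths (/8, /16, /24) are standard but not stated on the slide; the function names are constructed.

```python
import ipaddress

# RFC 1918 private ranges, as listed on the slide
RFC1918_PRIVATE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful default prefix lengths (standard, not from the slide)
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def ipv4_class(addr: str) -> str:
    """Classify by the leading bits of the first octet: 0, 10, 110, 1110, 11110."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"          # multicast
    return "E"              # experimental


def describe_ipv4(addr: str) -> dict:
    """Class, RFC 1918 status and (for classes A-C) the classful network/host split."""
    ip = ipaddress.IPv4Address(addr)
    cls = ipv4_class(addr)
    info = {
        "address": addr,
        "class": cls,
        # private addresses must be translated (NAT) before they reach the Internet
        "private": any(ip in net for net in RFC1918_PRIVATE),
        "multicast": cls == "D",
        "experimental": cls == "E",
    }
    if cls in CLASSFUL_PREFIX:
        plen = CLASSFUL_PREFIX[cls]
        net = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
        info["network_id"] = str(net.network_address)
        info["host_id"] = int(ip) & ((1 << (32 - plen)) - 1)
    return info
```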


Internet Protocol Version 6 (IPv6)
Internet Protocol Version 6 (IPv6) is the "next generation" protocol designed by the IETF to
replace the current version Internet Protocol, IP Version 4 (IPv4)
◦ Larger IP Addressing Space. IPv6 is 128-bit, designed primarily to address shortage of IPv4
addresses
◦ Auto configuration. With IPv6, a "stateless host auto configuration" mechanism is mandatory. This is
much simpler than IPv4 DHCP
◦ Security. With IPv6, IPsec support is mandatory
◦ QoS flow label. IPv6 was designed to support traffic engineering such as DiffServ or IntServ (RSVP)
◦ Multicast. Multicast is mandatory in IPv6. IPv4 uses IGMP

Internet Protocol Version 6 (IPv6)

Priority: Enables a source to identify the desired delivery priority of the datagram
Flow Label: Used by a source to label those packets for which it requests special handling by the IPv6 router
Payload Length: Length of payload (in octets)
Next Header: Identifies the type of header immediately following the IPv6 header
Hop Limit: An 8-bit integer decremented by one by each node that forwards the datagram
Source & Destination Addresses: 128-bit IP addresses

IPv6 header (32-bit words; bit positions 0–31):
Word 1: Version | Priority | Flow Label
Word 2: Payload Length | Next Header | Hop Limit
Words 3–6: Source Address (128 bits)
Words 7–10: Destination Address (128 bits)
Internet Protocol Version 6 (IPv6) – Addressing

• RFC 4291 specifies the IPv6 addressing architecture

Address Type | Binary Prefix | IPv6 Notation
Unspecified | 00…0 (128 bits) | ::/128
Loopback | 00…1 (128 bits) | ::1/128
Multicast | 11111111 | FF00::/8
Link-Local Unicast | 1111111010 | FE80::/10
Global Unicast | (everything else) |

◦ The general format for IPv6 global unicast addresses:

+------------------------+-----------+----------------------------+
| n bits | m bits | 128-n-m bits |
+------------------------+-----------+----------------------------+
| global routing prefix | subnet ID | interface ID |
+------------------------+-----------+----------------------------+
where the global routing prefix is a (typically hierarchically-structured) value assigned to a site (a cluster of subnets/links), and the subnet ID is an identifier of a link within the site.
IP Transmission Methods (in IPv4)

Unicast: Packet is sent from a single source to a single destination
Broadcast: The packet is copied and sent to all of the nodes on the network
Multicast: Source packet is copied and then sent to a group of destinations on a network
(Figure: unicast, broadcast through a hub, and multicast delivery diagrams)
IP Transmission Methods (in IPv6)

Unicast: Packet is sent from a single source to a single destination
Multicast: A multicast address identifies a group of IPv6 interfaces. Source packet is copied and then sent to a group of destinations on a network
Anycast: An anycast address is assigned to multiple interfaces. Source packet is delivered to the nearest interface.

Reference: S. Hagen, IPv6 Essentials, 2nd. Edition, 2006.

Internet Control Message Protocol (ICMP)

ICMP (Internet Control Message Protocol)
Used to exchange control messages between gateways and hosts regarding the low-level operations of the Internet
◦ Ping
◦ Traceroute

ICMP is encapsulated within the IP packet

ICMP message (32-bit words; bit positions 0–31):
Word 1: Type | Code | Checksum
Word 2: Unused
Words 3–4: Internet Header + 64 bits of original datagram
Internet Group Management Protocol (IGMP)
IGMP (Internet Group Management Protocol)
Created because IPv4 only supports unicast and broadcast
When a message is sent to a particular multicast group, all computers in that group will get a copy of the message
It is used by hosts to report multicast group membership to neighboring multicast routers

Routing vs. Routed Protocols

Routing Protocols
◦ Interior Routing Protocols
◦ Routing Information Protocol (RIP)
◦ Interior Gateway Routing Protocol (IGRP) (proprietary to Cisco Systems)
◦ Open Shortest Path First (OSPF) Protocol
◦ Integrated IS-IS (ISO 10589 Intermediate system to intermediate system)
◦ Extended Interior Gateway Routing Protocol (EIGRP) (proprietary to Cisco Systems)
◦ Exterior Routing Protocols
◦ Border Gateway Protocol (BGP)

Routed Protocols
◦ Protocols that are encapsulated within the routing protocols and are routed by the routing protocols
◦ Example: HTTP, FTP, Telnet, SNMP, etc.
Static Routing
Routing can be either static or dynamic
Static routing is performed using a preconfigured routing table which remains in effect indefinitely, unless it is changed manually by the user
◦ This is the most basic form of routing, and it usually requires that all machines have statically configured addresses. If there is a change, the user must manually alter the routing tables on one or more machines to reflect the change in network topology or addressing
◦ Static routing does not scale well. The calculation of static routes grows exponentially with the number of static routes in the route table

Dynamic Routing
Dynamic routing uses special routing information protocols to automatically
update the routing table with routes known by peer routers
◦ These protocols are grouped according to whether they are Interior Gateway Protocols (IGPs) or Exterior Gateway Protocols (EGPs)
◦ IGPs are used to distribute routing information inside of an Autonomous System (AS). An AS is a set of routers inside the domain administered by one authority. Examples of interior gateway protocols are OSPF and RIP
◦ EGPs are used for inter-AS routing, so that each AS may be aware of how to reach others throughout the Internet. Examples of exterior gateway protocols are EGP and BGP
TCP vs. UDP

Transmission Control Protocol (TCP)
◦ Provides reliable data transmission
◦ Connection-oriented with flow control
◦ Maintains status and state: stateful
User Datagram Protocol (UDP)
◦ Provides best effort data transmission
◦ Connection-less without flow control
◦ Does not maintain status and state
◦ Does not offer error correction, nor retransmission

Protocol data unit names by layer:
Layer | TCP | UDP
Application Layer | stream | message
Transport Layer | segment | packet
Internet Layer | datagram | datagram
Network Access Layer | frame | frame
Transmission Control Protocol (TCP)

TCP is a connection-oriented transmission that maintains status and state information of each user data stream flowing into and out of the TCP module
◦ Connection-oriented data management
◦ Reliable stream-oriented data transfer
◦ Segments are resent if a segment is unrecognizable or is not received
◦ Connection-oriented protocols are sometimes described as stateful because they can keep track of a conversation

TCP header (32-bit words; bit positions 0–31):
Word 1: Source Port | Destination Port
Word 2: Sequence Number
Word 3: Acknowledgment Number
Word 4: Offset | Reserved | Control Bits | Window
Word 5: Checksum | Urgent Pointer
Word 6: Options | Padding
Data Begins Here...

User Datagram Protocol (UDP)

UDP is a connectionless transmission: it does not require the receiver to acknowledge receipt of a packet; instead the sending device assumes that the packet arrived
◦ Much faster. Less overhead than TCP
◦ Less reliable. UDP does not offer error correction, retransmission or protection from lost, duplicated, or re-ordered packets
◦ Connectionless protocols are usually described as stateless because each end has no protocol-defined way to remember where they are in a "conversation" of message exchanges

UDP header (32-bit words; bit positions 0–31):
Word 1: Source Port | Destination Port
Word 2: Length | Checksum
Data Begins Here...
TCP/UDP Examples

Higher communication protocols that use TCP (Transmission Control Protocol):
◦ FTP (File Transfer Protocol)
◦ Telnet
◦ SMTP (Simple Mail Transfer Protocol)
◦ SSH (Secure Shell)
◦ SSL (Secure Socket Layer)
◦ HTTP (Hyper Text Transfer Protocol)

Higher communication protocols that use UDP (User Datagram Protocol):
◦ RPC (Remote Procedure Call)
◦ XDR (eXternal Data Representation)
◦ NFS (Network File System)
◦ TFTP (Trivial FTP)
◦ SNMP (Simple Network Management Protocol)
◦ DNS (Domain Name System)
Session Layer (Layer 5)
Session Layer provides services to establish a session-connection between two
presentation entities and support orderly data exchange interactions, and to
release the connection in an orderly manner.
Connections: duplex, half-duplex mode
Session-connection synchronization
◦ Network File System (NFS)
◦ Remote Procedure Call (RPC)
◦ Network Basic Input/Output System (NetBIOS) names
◦ Structured Query Language (SQL)


Presentation Layer (Layer 6)


Presentation Layer ensures that the communications passing through are in the appropriate form for the recipient. Programs in the presentation layer address three aspects of presentation:
Syntactical compatibility. Data coding and conversion: data sent from the application layer of one system will be readable by the application layer of another system
Encapsulation of data into message "envelopes" for transmission through the network (i.e. EBCDIC binary → ASCII.)
◦ ASCII (American Standard Code for Information Interchange)
◦ EBCDIC (Extended Binary Coded Decimal Interchange Code)
◦ Tagged Image File Format (TIFF)
◦ Joint Photographic Experts Group (JPEG)
◦ Motion Picture Experts Group (MPEG)
Application Layer (Layer 7)
Application Layer provides services for application programs that ensure that communication is possible.
Makes sure that necessary communication resources exist
Ensures agreement at both ends about error recovery procedures, data integrity, and privacy
Determines protocol and data syntax rules at the application level
◦ File Transfer Protocol (FTP)
◦ Trivial File Transfer Protocol (TFTP)
◦ Simple Mail Transfer Protocol (SMTP)
◦ Simple Network Management Protocol (SNMP)
◦ Telnet
◦ Hypertext Transfer Protocol (HTTP)

Summary

OSI Layer | Protocols
Application | FTP, TFTP, SNMP, SMTP, Telnet, HTTP
Presentation | ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI
Session | TCP: SQL, NetBIOS; UDP: NFS, RPC
Transport | TCP, UDP, SSL, SPX
Network | IP: Address, Routing, Broadcast methods; ICMP; IGMP
Data Link | Data-Link Protocols: LAN, WAN
Physical | Network Cables, RF, Infrared, Optical Fiber, etc.

Business Continuity Planning OVERVIEW

What is a disaster?
Disruption of normal operation and processing
An incident that has become a big problem
Requires recovery efforts to restore the operational status of information resources.
Reasons for disasters:
◦ Natural calamities
◦ Pandemics, epidemics, or other infectious outbreaks
◦ Utility disruptions
◦ Actions by humans, whether intentionally harmful or through error
◦ Hardware or software malfunctions
◦ Incidents causing damage to image, reputation, or brand
Dealing with disasters
◦ BIA (Business Impact Assessment/Analysis)
◦ BCP (Business Continuity Plan)
◦ DRP (Disaster Recovery Plan)

Business impact assessment


A process to determine the impact of losing any organizational resource
Similar to risk assessment in concept: identify, assess and evaluate
The BIA is considered the first step toward developing the BCP
Goals of BIA
◦ Identify critical business functions
◦ Determine the impact of disruptions
◦ Quantify the impact
◦ Establish the Recovery Time Objective (RTO) by determining the downtime acceptable to the business
◦ Identify dependencies
◦ Identify the resource allocation priority
◦ Support decision making
◦ Make the BCP based on informed decisions
DISASTER RECOVERY PLAN


Disaster recovery plan


A Disaster Recovery Plan (DRP) is a documented, systematic approach to recovering and restoring an organization's critical IT infrastructure and operations following a disaster or disruptive event.
The goal of a DRP is to minimize the impact of a disaster on an organization's ability to function by providing a clear roadmap for responding, recovering, and resuming operations.
DRP scope is specific, for example a system DRP or a network DRP
The DRP should outline the procedures to be followed in the immediate aftermath of a disaster. It should identify the roles and responsibilities of the disaster response team, communication protocols, and the steps to be taken to mitigate further damage.
The DRP is a part of the BCP.
The DRP should be approved by top management, communicated, and periodically reviewed.
DRP components
◦ Scope and goal
◦ Disaster response procedures
◦ Backup and recovery procedures
◦ Testing and maintenance procedures
◦ Training and awareness
◦ Communication plan and pre-drafted press release and customer notification messages
◦ Plan activation
◦ Approval

BUSINESS CONTINUITY PLAN
Business Continuity Plan
A Business Continuity Plan (BCP) is a comprehensive document that outlines the procedures and processes that an organization will follow to ensure the continuity of its critical business functions and operations in the event of a disruption.
The goal of a BCP is to minimize the impact of a disruption on an organization's ability to function and to help it recover quickly.
Incorporates the different DRPs together.
A corporate-wide document

Plans incorporated in the BCP:
◦ Continuity of operations plan (COOP)
◦ Disaster recovery plan (DRP)
◦ Business resumption plan (BRP)
◦ Crisis communications plan
◦ Incident response plan
◦ Evacuation plan

DRP & BCP CONSIDERATIONS
The ultimate goal is human safety
Identify and incorporate any legal requirements such as notification of data owners or reporting to authorities (in the case of GDPR, for example, no later than 72 hours)
In a DRP, we may require third-party support; such engagement should be evaluated in terms of compliance with applicable regulations.
Authorization to execute should already be assigned to a senior role.
The plan should be tested periodically.
Information security should not be impacted
Management support and approval
Training
Additional aspects regarding BCP/DRP
Members from across the organization should participate in creating the BCP to ensure all systems, processes and operations are accounted for in the plan.
List of the BCP team members, including multiple contact methods and backup members
Notification systems and call trees for alerting personnel that the BCP is being enacted
Contact numbers for critical members of the supply chain (vendors, customers, possible external emergency providers, third-party partners)
Plans should be tested at predefined intervals as well as when significant changes happen within the business environment.
Executive management should approve the execution
Full copies of the plan should be printed in hard copy, distributed, and kept at an offsite location

RTO & RPO
Recovery point objective
The RPO is the maximum allowable amount of data loss that an organization can
tolerate after a disruptive event.
It represents the point in time to which data must be restored in order to resume
operations.
For example, if an organization has an RPO of one hour, then it means that data
must be restored to the state it was in one hour before the event occurred.
Influences the backup strategy of the organization

Recovery time objective


The RTO is the maximum allowable downtime that an organization can tolerate
after a disruptive event.
It represents the amount of time that it takes to restore operations to an
acceptable level.
For example, if an organization has an RTO of four hours, then it means that
operations must be restored to an acceptable level within four hours of the
event occurring.
It influences the recovery strategy of the organization
AIW, SDO, MTO
Acceptable Interruption Window (AIW)
◦ A measure of the allowable time that an organization can tolerate for a business function to be unavailable after a disruptive event.
◦ RTO should be less than the AIW
◦ No operation at all during this window

Service Delivery Objective (SDO)
◦ Defines the level of services that must be reached during the alternate processing period.
◦ SDO is the target of the RTO

Maximum Tolerable Outage (MTO)
◦ The amount of time the organization can support processing in the alternate mode, after which new problems can arise.

(Figure: RPO/RTO/AIW/MTO timeline example. Backups run at 10:00, 10:15 and 10:30 (RPO = 15 minutes). The disaster strikes at 10:20, so data up to the 10:15 backup can be restored and the data written after it is lost. Service at the SDO level (only 5 users allowed to work) is reached at 10:55, giving RTO = 35 minutes, within the AIW of 60 minutes. Processing then continues in alternate mode until the full restore, which must complete within the MTO of 12 hours.)
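An added example, not from the slides: evaluating an actual recovery against the RPO, RTO, AIW and MTO objectives defined above, using the timeline of the figure (backups at 10:00, 10:15 and 10:30, disaster at 10:20, SDO level reached at 10:55). The full-restore time and the calendar date are constructed values; the function names are assumptions.

```python
from datetime import datetime, timedelta


def evaluate_recovery(backups, disaster, sdo_reached, full_restore,
                      rpo, rto, aiw, mto):
    """Compare what actually happened with the objectives.
    backups:      datetimes at which backups completed
    disaster:     when the disruptive event struck
    sdo_reached:  when service was back at the SDO level (alternate mode starts)
    full_restore: when normal processing resumed (alternate mode ends)
    rpo/rto/aiw/mto: timedelta objectives as defined on the preceding slides"""
    usable = [b for b in backups if b <= disaster]   # later backups never ran
    if not usable:
        raise ValueError("no backup completed before the disaster")
    last_backup = max(usable)
    data_loss = disaster - last_backup    # everything written after it is gone
    downtime = sdo_reached - disaster     # time with no operation at all
    alternate = full_restore - sdo_reached
    return {
        "last_backup": last_backup,
        "data_loss": data_loss,
        "downtime": downtime,
        "alternate_mode": alternate,
        "rpo_met": data_loss <= rpo,
        "rto_met": downtime <= rto,
        "aiw_met": downtime <= aiw,
        "mto_met": alternate <= mto,
        "rto_within_aiw": rto <= aiw,     # slide: RTO should be less than the AIW
    }


def slide_timeline(sdo_reached_at="10:55", full_restore_at="18:00"):
    """The figure's scenario; full_restore_at and the date are constructed."""
    day = datetime(2024, 1, 1)            # only the times of day matter here

    def t(hhmm):
        return day.replace(hour=int(hhmm[:2]), minute=int(hhmm[3:]))

    return evaluate_recovery(
        backups=[t("10:00"), t("10:15"), t("10:30")],
        disaster=t("10:20"),
        sdo_reached=t(sdo_reached_at),
        full_restore=t(full_restore_at),
        rpo=timedelta(minutes=15), rto=timedelta(minutes=35),
        aiw=timedelta(minutes=60), mto=timedelta(hours=12),
    )
```

Calling `slide_timeline("11:30")` shows the same data loss but a missed RTO and AIW, which is the case the BIA's downtime figures are meant to prevent.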
RECOVERY SITES


RECOVERY SITE?
Recovery sites are alternate locations where an organization can resume critical business operations in the event of a disaster or disruptive event.
The recovery site should be far from the business location to ensure it will not be impacted by the same incident.
RTO is the key factor in selecting the type of recovery site
RTO is based on business criticality: organizations compare the recovery cost against the losses they might encounter. To be objective in this assessment, it is important to know that recovery cost includes fixed cost, variable cost and the cost of disruption as well.
There are several types of recovery sites that organizations can use, depending on their needs and budget.
Types of Recovery Capacity
Mirror site
• Contains the same information as the original system; configured for high availability
• Data is synchronized in real time or near-real time
• Very costly to implement and maintain
• Fastest recovery
Hot site
• Equipped with both hardware and software required to be used in the event of a disaster.
• Latest data is not available; it needs to be restored from the backup solution.
Warm site
• Equipped with some hardware and physical utilities.
• In case of disaster, need to acquire additional hardware
• Requires data restoration after that.
Cold site
• Has the necessary electrical and physical components of a computer facility.
• No computing devices.
• Slowest.
• Cheapest.
Mobile site
• Modular datacenter; can be sent to the area of disaster, and data restored to it to resume operation.
Cloud-based site
• Uses cloud-based infrastructure, such as virtual servers and storage
• Can be quickly and easily provisioned

A reciprocal agreement
A reciprocal agreement is an agreement between two or more parties that
involves mutual benefits or obligations.
In the context of disaster recovery, a reciprocal agreement refers to an
agreement between two or more organizations or jurisdictions to provide mutual
assistance in the event of a disaster or emergency.
For example, a reciprocal agreement between two cities may specify that in the
event of a major disaster, one city will provide emergency personnel and
equipment to the other city to help with the response and recovery effort. In turn,
the other city may agree to provide similar assistance to the first city if it
experiences a disaster.
The entities establishing the reciprocal agreement should be working in the same field, and their locations should be far from each other to ensure the agreement will be effective.
BCP TESTING AND EVALUATION

Why is testing important?
Identify gaps
Ensure effectiveness
Build confidence
Meet regulatory requirements
Continuous improvement
Testing DRP
◦ Document review / Checklist review – Key participants review requirements
◦ Structured walk-through – Visit the plan aspects
◦ Simulation test – Role-play
◦ Parallel test – Bring up the alternate site, while the primary is still operational
◦ Cut-over test / Full interruption / Abrupt test – Most effective, but risky

Considerations during testing


Evaluate prior test results and check previous findings to validate that they were fixed
Evaluate the alternative processing contract
Evaluate insurance coverage
Evaluate offsite storage facilities, including security controls
Evaluate the BCP execution team through interviews to assess their knowledge
Continuous optimization (cycle)
◦ Business Impact Assessment
◦ Strategy development
◦ Develop BCP and DRP and COOP and BRP
◦ Training and awareness
◦ Testing
◦ Monitoring and updating (feeds back into the Business Impact Assessment)