Topic 9 - Contingency Planning

This document outlines the importance of contingency planning (CP) for organizations to prepare for unexpected events that disrupt technology and business operations. It details the components of CP, including Business Impact Analysis (BIA), Incident Response Plans (IRP), Disaster Recovery Plans (DRP), and Business Continuity Planning (BCP), emphasizing their roles in maintaining essential functions during crises. The document also highlights the need for clear procedures, resource identification, and recovery priorities to minimize disruption and costs after incidents.


TOPIC 2

Introduction

• This chapter focuses on planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill
• Procedures are required that will permit the organization to continue essential functions if information technology support is interrupted
• Over 40% of businesses that don't have a disaster plan go out of business after a major loss

What Is Contingency Planning?

• The overall planning for unexpected events is called contingency planning (CP)
• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
• The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event

Components of Contingency Planning

• Business impact analysis (BIA)
• Incident response plan (IR plan)
• Disaster recovery plan (DR plan)
• Business continuity plan (BC plan)

Contingency Planning Life Cycle (figure)

Business Impact Analysis (BIA)

Business Impact Analysis (BIA) (1)

• Provides the CP team with information about systems and the threats they face
• First phase in the CP process
• A crucial component of the initial planning stages
• Provides detailed scenarios of the impact each potential attack can have

Business Impact Analysis (BIA) (1)

• BIA provides information about systems and threats and provides detailed scenarios for each potential attack
• BIA is not risk management, which focuses on identifying threats, vulnerabilities, and attacks to determine controls
• BIA assumes controls have been bypassed or are ineffective, and that the attack was successful

Business Impact Analysis (BIA) (1)

The CP team conducts the BIA in the following stages:
• Determine mission/business processes and recovery criticality
• Identify resource requirements
• Identify recovery priorities for system resources

Determine Mission/Business Processes and Recovery Criticality (a)

• Analysis and prioritization of business processes within the organization
• The weighted table analysis can be used to value assets and rate threats
• A BIA questionnaire is used for identifying and collecting information about business functions

Identify Recovery Resource Requirements (b)

• Determine what resources would be required in order to recover those processes and the assets associated with them
• For example, supporting customer data, production data, and other organizational information requires extensive quantities of information processing, storage, and transmission

Identify System Resource Recovery Priorities (c)

• Prioritizing the resources associated with the mission/business processes, which provides a better understanding of what must be recovered first, even within the most critical processes
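
Worked example (added here, not part of the slides): a small Python implementation of the weighted table analysis named in stage (a), carried through to the system resource recovery priorities of stage (c). The criteria, weights, process ratings and the resource-to-process mapping are constructed for illustration; in a real BIA they come from the BIA questionnaire.

```python
"""Weighted table analysis for a BIA, carried through to resource recovery priorities.

Added example, not from the slides. Criteria, weights, ratings and the
resource-to-process mapping below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed criteria and weights; weights must sum to 1.0.
CRITERIA_WEIGHTS = {
    "revenue_impact": 0.4,
    "regulatory_exposure": 0.3,
    "customer_impact": 0.2,
    "dependency_count": 0.1,
}


@dataclass(frozen=True)
class ProcessScore:
    name: str
    scores: dict  # criterion -> rating on a 0..10 scale, taken from the BIA questionnaire


def validate_weights(weights):
    """Reject weight tables that are not a proper weighting (negative or not summing to 1)."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")


def weighted_score(proc, weights):
    """Weighted factor analysis: sum of weight * rating over every criterion."""
    validate_weights(weights)
    missing = set(weights) - set(proc.scores)
    if missing:
        raise ValueError(f"{proc.name}: no rating for {sorted(missing)}")
    if any(not 0 <= proc.scores[c] <= 10 for c in weights):
        raise ValueError(f"{proc.name}: ratings must be within 0..10")
    return sum(weights[c] * proc.scores[c] for c in weights)


def rank_processes(procs, weights):
    """Stage (a): processes ordered by recovery criticality, highest weighted score first."""
    scored = [(p.name, round(weighted_score(p, weights), 2)) for p in procs]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def resource_recovery_order(ranked, resources):
    """Stage (c): a resource inherits the rank of the most critical process it supports;
    ties go to the resource that more processes depend on."""
    process_rank = {name: i for i, (name, _) in enumerate(ranked)}
    for res, procs in resources.items():
        unknown = set(procs) - set(process_rank)
        if unknown:
            raise ValueError(f"{res}: supports unranked processes {sorted(unknown)}")

    def key(item):
        res, procs = item
        return (min(process_rank[p] for p in procs), -len(procs), res)

    return [res for res, _ in sorted(resources.items(), key=key)]


# Constructed sample input.
SAMPLE_PROCESSES = [
    ProcessScore("order-processing", {"revenue_impact": 9, "regulatory_exposure": 4,
                                      "customer_impact": 9, "dependency_count": 7}),
    ProcessScore("payroll", {"revenue_impact": 3, "regulatory_exposure": 9,
                             "customer_impact": 2, "dependency_count": 3}),
    ProcessScore("marketing-analytics", {"revenue_impact": 2, "regulatory_exposure": 1,
                                         "customer_impact": 2, "dependency_count": 1}),
]
SAMPLE_RESOURCES = {  # resource -> processes that depend on it
    "core-db": ["order-processing", "payroll"],
    "web-frontend": ["order-processing"],
    "hr-saas-connector": ["payroll"],
    "bi-warehouse": ["marketing-analytics"],
}

if __name__ == "__main__":
    ranked = rank_processes(SAMPLE_PROCESSES, CRITERIA_WEIGHTS)
    for name, score in ranked:
        print(f"{score:5.2f}  {name}")
    print("recover in order:", resource_recovery_order(ranked, SAMPLE_RESOURCES))
```

The second pass is what makes the exercise useful in a recovery: a shared database that two high-ranked processes depend on comes back before a front end that only one of them needs, even though no questionnaire ever scored the database itself.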

Contingency Planning Life Cycle (figure)

Incident Response Plan (IRP)

Incident Response Planning (2)

• Incident response (IR): an organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident
• Incident response plan (IR plan): the documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident
• Incident response planning (IRP): the actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team

Incident Response Planning (2)

According to NIST SP 800-61, Rev. 2, the IR plan should include:
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the IR team will communicate with the rest of the organization and with other organizations
• Metrics for measuring the incident response capability and its effectiveness
• Roadmap for maturing the incident response capability
• How the program fits into the overall organization

Incident Response Planning (a)

• During this planning process, the IR procedures, commonly referred to as standard operating procedures (SOPs), take shape
• For every incident scenario, the CP team creates three sets of incident-handling procedures: during the incident, after the incident, and before the incident

During the Incident (i)

• Planners develop and document the procedures that must be performed during the incident
• These procedures are grouped and assigned to various roles
• The planning committee drafts a set of function-specific procedures

After the Incident (ii)

• Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceased
• Separate functional areas may develop different procedures

Before the Incident (iii)

• Planners draft a third set of procedures, those tasks that must be performed in advance of the incident
• These procedures include:
  • Details of data backup schedules
  • Disaster recovery preparation
  • Training schedules
  • Testing plans
  • Copies of service agreements
  • Business continuity plans

Incident Response Actions (b)

• Detection: recognition that an incident is under way
• Reaction: responding to the incident in a predetermined fashion to contain and mitigate its potential damage
• Recovery: returning all systems and data to their state before the incident

Incident Detection (i)

• The challenge is determining whether an event is routine system use or an actual incident
• Incident classification is the process of examining a possible incident and determining whether it constitutes an actual incident
• Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates
• Careful training allows everyone to relay vital information to the IR team

Incident Indicators: Possible Indicators

• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes

Incident Indicators: Probable Indicators

• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from IDPS

Incident Indicators: Definite Indicators

• Clearly signal that an incident is in progress or has occurred:
• Use of dormant accounts
• Changes to logs
• Presence of hacker tools
• Notifications by partner or peer
• Notification by hacker
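
Worked example (added here, not from the slides): Python detection logic that walks a batch of constructed log lines and tags each event with the indicator tier it matches (possible, probable, definite), which is the raw material for incident classification. The key=value log format, business hours, dormant-account threshold, account inventory, tool blocklist and program allowlist are all assumptions made for the example.

```python
"""Tag log events with the slides' incident indicator tiers.

Added example, not from the slides. The key=value log format, business hours,
dormant-account threshold, account inventory, tool blocklist and program
allowlist are constructed assumptions.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)             # assumed: 08:00 to 17:59 is normal activity
DORMANT_AFTER = timedelta(days=90)   # assumed: no login for 90 days makes an account dormant
KNOWN_ATTACK_TOOLS = {"mimikatz.exe", "nc.exe"}                         # assumed blocklist
KNOWN_GOOD_PROGRAMS = {"outlook.exe", "chrome.exe", "backup_agent.exe"}  # assumed allowlist

# Constructed inventory: user -> last successful login seen before this log window.
ACCOUNT_INVENTORY = {
    "jsmith": datetime(2024, 3, 11, 17, 30),
    "old_contractor": datetime(2023, 9, 1, 12, 0),
}

# Constructed sample log, one key=value event per line.
SAMPLE_LOG = """\
ts=2024-03-12T03:14:00 event=login user=jsmith result=success src=10.0.0.5
ts=2024-03-12T09:02:00 event=account_created user=svc_backup2 by=admin
ts=2024-03-12T09:10:00 event=login user=old_contractor result=success src=10.0.0.77
ts=2024-03-12T09:12:00 event=audit_log_cleared user=old_contractor
ts=2024-03-12T09:15:00 event=process_start user=old_contractor name=mimikatz.exe
ts=2024-03-12T10:00:00 event=process_start user=jsmith name=unknown_updater.exe
ts=2024-03-12T10:30:00 event=ids_alert signature=portscan
ts=2024-03-12T11:00:00 event=login user=jsmith result=success src=10.0.0.5
"""

TIER_RANK = {"none": 0, "possible": 1, "probable": 2, "definite": 3}


def parse_line(line):
    """Split a key=value line into a dict and parse its timestamp."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        key, value = token.split("=", 1)
        fields[key] = value
    if "ts" not in fields or "event" not in fields:
        raise ValueError(f"missing ts/event in {line!r}")
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def classify_event(ev, inventory):
    """Return (tier, reason) for one event, following the possible/probable/definite lists."""
    kind, ts = ev["event"], ev["ts"]
    if kind == "audit_log_cleared":
        return "definite", "changes to logs"
    if kind == "process_start":
        name = ev.get("name", "").lower()
        if name in KNOWN_ATTACK_TOOLS:
            return "definite", f"presence of hacker tool {name}"
        if name not in KNOWN_GOOD_PROGRAMS:
            return "possible", f"unknown program {name}"
        return "none", ""
    if kind == "login" and ev.get("result") == "success":
        last_seen = inventory.get(ev.get("user"))
        if last_seen is not None and ts - last_seen > DORMANT_AFTER:
            return "definite", f"use of dormant account {ev['user']}"
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            return "probable", f"login at unexpected time {ts:%H:%M}"
        return "none", ""
    if kind == "account_created":
        return "probable", f"new account {ev.get('user')}"
    if kind == "ids_alert":
        return "probable", "notification from IDPS"
    if kind == "system_crash":
        return "possible", "unusual system crash"
    return "none", ""


def triage(log_text, inventory=ACCOUNT_INVENTORY):
    """Return the (tier, reason) findings for every event that matched an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tier, reason = classify_event(parse_line(line), inventory)
        if tier != "none":
            findings.append((tier, reason))
    return findings


def overall_tier(findings):
    """The strongest tier seen is what incident classification acts on."""
    return max((tier for tier, _ in findings), key=TIER_RANK.__getitem__, default="none")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for tier, reason in found:
        print(f"{tier:>8}  {reason}")
    print("overall:", overall_tier(found))
```

Note that the same raw event type lands in different tiers depending on context: a successful login is nothing during business hours, a probable indicator at 03:14, and a definite indicator when the account has been dormant for months. That context (the account inventory, the allowlist) is what the detection rule needs and what the "careful training" of reporters cannot supply on its own.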

Potential Incident Results

• Violation of law
• Violation of policy
• Loss of availability
• Loss of integrity
• Loss of confidentiality

Incident Reaction (ii)

• Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase
• In the incident response phase, several action steps taken by the IR team and others must occur quickly and may occur concurrently
• These steps include notification of key personnel, the assignment of tasks, and documentation of the incident

Notification of Key Personnel

• As soon as an incident is declared, the right people must be immediately notified in the right order
• An alert roster is a document containing contact information on the individuals to be notified in the event of an actual incident, either sequentially or hierarchically
• The alert message is a scripted description of the incident
• Other key personnel must also be notified of the incident, only after the incident has been confirmed but before media or other external sources learn of it
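
Worked example (added here, not from the slides): a Python model of the two alert roster styles named above. It produces the call list each style generates, counts how many call rounds each needs to reach everyone, and shows which contacts a hierarchical roster silently misses when one intermediate caller cannot be reached. Names, roles, the scripted message and the roster shape are constructed.

```python
"""Sequential vs hierarchical alert roster activation.

Added example, not from the slides. Names, roles, the scripted alert message
and the roster shape are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Contact:
    name: str
    role: str
    reports: list = field(default_factory=list)  # who this person calls in a hierarchical roster


# Constructed scripted alert message (the slide's "alert message").
ALERT_MESSAGE = "IR-ALERT: confirmed incident. Join the IR bridge now. No external discussion."

# Constructed roster: the IR lead at the root, then the people each contact notifies.
ROSTER = Contact("Dana", "IR lead", [
    Contact("Lee", "SOC manager", [Contact("Kim", "SOC analyst"), Contact("Raj", "SOC analyst")]),
    Contact("Mo", "Infrastructure lead", [Contact("Ana", "DBA")]),
    Contact("Sam", "Legal and communications"),
])


def everyone_below(root):
    """All contacts under root, in roster order (depth-first)."""
    out, stack = [], list(reversed(root.reports))
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(reversed(c.reports))
    return out


def sequential_calls(root):
    """Sequential roster: the root works through the whole list alone; each tuple is (caller, callee)."""
    return [(root.name, c.name) for c in everyone_below(root)]


def hierarchical_calls(root):
    """Hierarchical roster: each contact calls their own reports, so calls fan out level by level."""
    calls, queue = [], deque([root])
    while queue:
        c = queue.popleft()
        for r in c.reports:
            calls.append((c.name, r.name))
            queue.append(r)
    return calls


def completion_round(root, hierarchical):
    """Round in which the last person is reached, if every caller places one call per round."""
    if not hierarchical:
        return len(everyone_below(root))       # one caller, one call at a time
    worst, queue = 0, deque([(root, 0)])
    while queue:
        c, reached_at = queue.popleft()
        for position, r in enumerate(c.reports, start=1):
            t = reached_at + position            # r can start calling once reached
            worst = max(worst, t)
            queue.append((r, t))
    return worst


def silenced_by(root, unreachable):
    """Hierarchical failure mode: an unreachable contact also cuts off everyone they were to call."""
    missed = set()
    for c in everyone_below(root):
        if c.name in unreachable:
            missed.add(c.name)
            missed.update(x.name for x in everyone_below(c))
    return sorted(missed)


if __name__ == "__main__":
    print("script:", ALERT_MESSAGE)
    print("sequential:", sequential_calls(ROSTER))
    print("hierarchical:", hierarchical_calls(ROSTER))
    print("rounds sequential/hierarchical:",
          completion_round(ROSTER, False), completion_round(ROSTER, True))
    print("if Lee is unreachable, nobody hears from:", silenced_by(ROSTER, {"Lee"}))
```

On this roster the hierarchical fan-out reaches everyone in half the rounds of the sequential one, but every branch now depends on its caller answering; that is the trade-off planners accept, and why a roster should record an alternate for every contact who has people to call.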

Documenting an Incident

• As soon as an incident has been confirmed and the notification process is underway, the team should begin documentation
• It should record the who, what, when, where, why, and how of each action taken while the incident is occurring

Incident Containment Strategies

• The essential task of IR is to stop the incident or contain its impact
• Incident containment strategies focus on two tasks: stopping the incident, and recovering control of the systems
• Containment options include:
  • Disconnect the affected network
  • Disable compromised user accounts
  • Reconfigure firewalls to block the problem traffic
  • Temporarily disable the compromised process or service
  • Take down the conduit application or server
  • Stop all computers and network devices

Incident Escalation

• An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident
• Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster
• The organization must also document when to involve outside response

Incident Recovery (iii)

• Once the incident has been contained and system control regained, incident recovery can begin
• The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems
• The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment
• Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action

Incident Recovery

• Identify and resolve the vulnerabilities that allowed the incident to occur and spread
• Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place, and install, replace, or upgrade them
• Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities
• Restore the data from backups as needed
• Restore the services and processes in use; compromised (and interrupted) services and processes must be examined, cleaned, and then restored
• Continuously monitor the system
• Restore the confidence of the members of the organization's communities of interest

Disaster Recovery Plan (DRP)

Disaster Recovery Plan (2)

• Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
• In general, an incident is a disaster when:
  • The organization is unable to contain or control the impact of an incident
  • The level of damage or destruction from an incident is so severe that the organization is unable to quickly recover
• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located

Disaster Classification (a)

• A DRP can classify disasters in several ways
• The most common method is to separate natural disasters from man-made disasters
• Another way of classifying disasters is by speed of development:
  • Rapid onset disasters
  • Slow onset disasters

Rapid Onset Disasters (i)

• Rapid onset disasters: disasters that strike quickly, occurring suddenly with little warning, taking people's lives and destroying the means of production
• Slow onset disasters: disasters that build up gradually over time and slowly degrade the capacity of the organization to withstand their effects

Planning for Recovery (b)

• Clear delegation of roles and responsibilities
• Execution of the alert roster and notification of key personnel
• Clear establishment of priorities
• Documentation of the disaster
• Action steps to mitigate the impact
• Alternative implementations for the various system components

Responding to the Disaster (c)

• Actual events often outstrip even the best of plans
• To be prepared, the DRP should be flexible
• If physical facilities are intact, begin restoration there
• If the organization's facilities are unusable, take alternative actions
• When disaster threatens the organization at the primary site, the DRP becomes the BCP

Business Continuity Planning (BCP)

Business Continuity Planning (3)

• BCP ensures critical business functions can continue in a disaster
• BCP is most properly managed by the CEO of the organization
• BCP is activated and executed concurrently with the DRP when needed
• While BCP reestablishes critical functions at an alternate site, DRP focuses on reestablishment at the primary site
• BCP relies on identification of critical business functions and the resources to support them

Continuity Strategies (a)

• Three exclusive-use options: hot sites, warm sites, cold sites
• Three shared-use options: timeshare, service bureaus, mutual agreements

Exclusive Use Options (i)

• Hot sites: fully configured computer facility with all services
• Warm sites: like a hot site, but software applications are not kept fully prepared
• Cold sites: only simple services and facilities kept in readiness

Shared Use Options (ii)

• Timeshares: like an exclusive-use site, but leased
• Service bureaus: an agency that provides physical facilities
• Mutual agreements: a contract between two organizations to assist each other

Business Resumption Planning

• Because the DRP and BCP are closely related, most organizations prepare them concurrently, and may combine them into a single document, the business resumption plan (BRP)
• Although a single planning team can develop the BRP, execution requires separate teams