Lecture Security+ Certification: Chapter 12 - Athena Center

Document information: 45 pages, 635.32 KB

Contents

Chapter 12 - Policies and Disaster Recovery. The main contents of this chapter include the following: policies and procedures, privilege management, education and documentation, communication, disaster recovery, and business continuity.

Slide 1

Chapter 12: Policies and Disaster Recovery

Slide 2

Objectives in this chapter

- Policies and Procedures

Slide 3

- Policies, procedures, documentation, and disaster recovery are some of the most important parts of a Security Analyst's job.
- Privilege management allows you to control access through various methods, and is a primary feature of good security.
- Education and documentation are two extremely important topics as part of security.
- Business continuity and disaster recovery are a fundamental part of any security infrastructure.

Slide 4

Policies and Procedures

- Address concerns and identify risks
- Consist of a series of steps that inform someone how to perform a task and/or deal with a problem
- Creating policies and procedures requires answering questions:
  • Who and Where?
  • What?
  • When?
  • Why?
  • How?

Slide 5

Policies and Procedures (cont.)

- Security Policies
  • Restricted Access Policies
  • Workstation Security Policies
  • Physical Security Policies
- Acceptable Use Policies
  • Password changes and restrictions
  • Using passwords as part of a multifaceted security system

Slide 6

Policies and Procedures (cont.)

- SLA (Service Level Agreements)
- Disposal/Destruction
- HR Policy
- Incident Response Policy

Slide 8

Privilege Management

- User/Group/Role Management
- Single Sign-on
- Centralized versus decentralized
- Auditing: the process of monitoring and examining items to determine if problems exist.
  • Privilege
  • Usage
  • Escalation
- MAC/DAC/RBAC

Slide 9

Education and Documentation

Slide 10

Disaster Recovery Overview:

- What is Disaster Recovery (DR)?

Slide 11

- Part of Business Continuity Planning
- Procedure for restoring system(s)
- Security during/after disaster
- Minimize business losses
- Rapidly resume business operations
- Lower stress for IT staff

Slide 12

How important is it?

- Priority differs for each site
- Importance may change
- Cost dependent
- Resource dependent
- Risk Analysis dependent
- Business Impact Analysis dependent

Slide 13

Risk Analysis:

How likely is it that a disaster will occur?

- Physical & electronic security
- High or low profile organization or systems

Slide 14

Risk Analysis (cont.)

  • Country at war
  • Nearby country at war
- Terrorism
  • In or near high profile target
  • National security impact
  • Infrastructure impact

Slide 15

Business Impact Analysis:

What will happen if a disaster does occur?

Slide 16

Business Impact Analysis (cont.)

- Cost projections:
  • Cost per minute, hour or day
  • Cost to client
  • Extra personnel or consultants
  • Spare equipment or hot/cold site costs
  • Public image

Slide 18

Creating DR plan (cont.)

- Defined risks
  • What assets are at risk? How?
  • Restore assets
- Defined business impact
  • What business is disrupted? How?
  • Restore operations
- Post-mortem analysis
- Revise DR plan

Slide 19

Disaster Recovery: Critical Points

- Importance varies – evaluate your site!
- Analyze your own risks
- Remember your clients!
- Balance between needs and resources
- Nobody is prepared for what really happens
- Everyone needs a DR plan in writing!

Slide 20

Budgeting and Resources

- What is the available budget?
- What personnel are assigned?
- What equipment is available?
- What space is available?
- What vendors are in your area?

Slide 21

  • Alternate sites (hot site, warm site, cold site)
- Disaster recovery plan

Slide 22

Backups

Slide 23

Business Continuity

- Disaster recovery plan
- Business recovery plan: how business functions will resume
- Business resumption plan: how critical systems …
- Contingency plan: what actions can be performed

Slide 24

BUSINESS CONTINUANCE AND DISASTER RECOVERY

- Lessons from 11 September
- The Importance of Business Continuance
- IT Aspects of Business Continuance and Disaster Recovery
- Non-IT Issues in Disaster Recovery

Slide 25

Day the World Changed: TUESDAY 11 SEPTEMBER 2001

- Heart of the United States
- Beyond expectation
- Emotional, personal and physical devastation was beyond belief
- Remarkable human / national spirit

Slide 26

Lesson from 11 Sept - 1: A TIME OF CRISIS

- People and information
  • virtually everything else was replaceable or re-creatable
- Email was vital
- Communications were difficult
- Crisis management became critical
  • command post and friends

Slide 27

Lesson from 11 Sept - 2: A TIME OF CRISIS

- Alternate workplaces
- IT issues were significant
  • tapes inaccessible, poor backup, slow recovery
  • DR staff were not dispersed in some cases
  • lack of automation
  • government info linkage?
- Paper records lost

Slide 28

Quick Facts: DISASTERS

- NY economic impact = US$83B
- 57,000 jobs lost by 2003
- 30% of office space lost in NY
- 25%: outage of over 8 hours (since 1997)

Slide 30

Outages: THE ENEMY OF BUSINESS CONTINUANCE

Chart: planned outages 87%, unplanned outages 13%.

Slide 31

Definitions - BC and DR: ACHIEVING 24 x 7 (x 365) AVAILABILITY

Slide 32

Outages are Far Reaching: BROAD RANGE OF EFFECTS

Effect categories: lost revenue, business interruption, competitiveness, litigation.

- E-commerce down
- Applications down
- Lost billing records
- Lost business information
- Used against you
- Customers cannot access data
- Suppliers cannot complete service
- Higher phone volume
- Lost orders
- Customer care calls disconnected

Slide 33

Who Owns BC? BUSINESS OWNERSHIP / IT FACILITATION

By 2002, 30% of Global 2000's IT organisations (where no plan

Slide 34

Facilitation of BC and DR: INTEGRATING DR INTO IT

- Typically BC is integrated into IT planning
- Typically DR is ad-hoc and not integrated
  • DR is often a “company secret”

Slide 36

Loss of Main Data Centre: BRIEF ASSESSMENT – BUSINESS SURVIVAL?

- Where are my staff?
- Could you get your systems back running?
- Do you have an alternate location?
- Does a formal DR plan exist? Tested?
- Would it be quick enough (RTO)?
- How much data would you lose (DRO)?
- Does it fulfil legal / statutory / contractual requirements?
- Does it have a business owner? IT owner?

Slide 37

- Personnel – Roles / Accountability
- Vital Records – electronic and hardcopy

Slide 38

- Second business location

Slide 39

- Sites must not be affected by the same disaster
  • power, networks, weather, utilities
- Easy access to both
  • staff access
  • telco costs
  • synchronous techniques

Slide 40

Nearly All Mission Critical: LOT OF DATA DEPENDENCIES

Slide 41

Personnel and Staff: YOUR MOST VALUABLE ASSET

- Up-to-date personnel contact lists / calling trees
  • multiple forms (home/office/mobile/pager/email)
  • paper and electronic form
  • potential use of outside service
  • ensure HR systems are part of the DR plan
- Keep staff informed
  • contact phone point (ex-PABX), internet presence
- Train personnel to react appropriately
  • pressure for long work hours

Slide 42

Contingency Planning: FOR WHEN THINGS GO WRONG

- Cover outages / failures of external suppliers
  • infrastructure suppliers
  • major service providers
- Check service providers' BC plans
- Healthy relationships with service providers were critical on Sept 11

Slide 43

Crisis Management: ORGANISED EMERGENCY DECISION MAKING

- September 11
  • decision makers for declaring IT disaster pre-determined
- Crisis Mgmt is not just for IT disasters
- Communication is critical (“Command Post”)
  • internal personnel / family / friends
  • public relations (company spokespeople)
  • major clients / shareholders / suppliers
  • maintain a “visible” business
  • alternate physical mail site

Slide 44

Paper and PC Data: AVOIDING LOSS

- Importance of electronic copies of key files
  • copies of contracts
  • copies of critical company documents
- Ensure PC business data is backed up

Slide 45

WOULD YOUR BUSINESS SURVIVE?

Ask Yourself:

Posted: 30/01/2020, 10:54