• Note: these are slides that were part of a CISSP prep course that I partly developed and taught while I was with Ernst and Young.
• While these slides are dated (August 1999), the core information is still relevant.
• Contact me w/ any questions or comments:
• Ben Rothke, CISSP brothke@hotmail.com
CBK REVIEW - August 1999 E 1
Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
  – The steps
  – What is included
  – The stages of an incident
Definitions
A contingency plan is: “A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…” (National Computer Security Center 1988)
• The goal is to assist the organization/business to continue functioning even though normal operations are disrupted
• Includes steps to take
  – Before a disruption
  – During a disruption
  – After a disruption
Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
  – “Proactive” rather than “Reactive”
  – Take the correct actions when needed
  – Allow for experienced personnel to be absent
Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
  – “Proactive” rather than “Reactive”
• Maintain business operations
  – Saves time, mistakes, stress and $$
  – Keep the money coming in
  – Short and long term loss of business
  – Have necessary materials, equipment, information on hand
  – Planning can take up to 3 years
Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
  – “Proactive” rather than “Reactive”
• Maintain business operations
  – Keep the money coming in
  – Short and long term loss of business
• Effect on customers
  – Public image
  – Loss of life
Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
  – “Proactive” rather than “Reactive”
• Maintain business operations
  – Keep the money coming in
  – Short and long term loss of business
• Effect on customers
• Legal requirements
  – ‘77 Foreign Corrupt Practices Act/protection of stockholders
    • Management criminally liable
Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
  – “Proactive” rather than “Reactive”
• Maintain business operations
  – Keep the money coming in
  – Short and long term loss of business
• Effect on customers
• Legal requirements
  – ‘77 Foreign Corrupt Practices Act/protection of stockholders
  – Federal Financial Institutions Examination Council (FFIEC)
  – FCPA SAS30 Audit Standards
  – Defense Investigative Service
  – Legal and Regulatory sanctions, civil suits
Definitions
• Due Care – minimum and customary practice of responsible protection of assets that reflects a community or societal norm
• Due Diligence – prudent management and execution of due care
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
Recent Disasters
• Bombings
  – ‘92 London financial district
  – ‘93 World Trade Center, NY
  – ‘93 London financial district
  – ‘95 Oklahoma City
• Earthquakes
  – ‘89 San Francisco
  – ‘94 Los Angeles
  – ‘95 Kobe, JP
• Fires
  – ‘95 Malden Mills, Lawrence, MA
  – ‘96 Credit Lyonnais, FR
  – ‘97 Iron Mountain Record Center, Brunswick, NJ
Recent Disasters
• Power
  – ‘92 AT&T
  – ‘96 Orrville, OH
  – ‘99 East coast heat/drought brownouts
• Floods
  – ‘97 Midwest floods
• Storms
  – ‘92 Hurricane Andrew
  – ‘93 Northeast Blizzard
  – ‘96 Hurricanes Bertha, Fran
  – ‘98 Florida tornadoes
• Hardware/Software
  – Year 2000
The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
• Failure to keep operating (Fortune 1000 study)
  – Average loss $78K, up to $500K
  – 65% failing over 1 week never reopen
  – Loss of market share common
Threats
• From Data Pro reports
  – Errors & omissions 50%
  – Fire, water, electrical 25%
  – Dishonest employees 10%
  – Disgruntled employees 10%
  – Outsider threats 5%
The Controls
• Least Privilege
  – Information security
• Redundancy
  – Backed up data
  – Alternate equipment
  – Alternate communications
  – Alternate facilities
  – Alternate personnel
  – Alternate procedures
The Steps in a BCP - Initiation
• Project initiation
  – Executive commitment and support: MOST CRITICAL
  – Business case to obtain support
  – Sell the need for DRP (price vs benefit)
  – Build and maintain awareness
  – On-going testing & maintenance
  – Top down approach
  – Project planning, staffing
• Local support/responsibility
The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment)
• Purpose
  – Identify risks
  – Identify business requirements for continuity
  – Quantify impact of potential threats
  – Balance impact and countermeasure cost
  – Establish recovery priorities
Benefits
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
  – Site selection
  – Building design
  – HW configuration
  – SW
  – Internal controls
  – Criteria for contingency plans
  – Security policy
• Protection requirements
• Significant threats
• Responsibilities
The Steps in a BCP - 1
• Risk Assessment
  – Potential failure scenarios
  – Likelihood of failure
  – Cost of failure (loss impact analysis)
    • Dollar losses
    • Additional operational expenses
    • Violation of contracts, regulatory requirements
    • Loss of competitive advantage, public confidence
  – Assumed maximum downtime (recovery time frames)
    • Rate of losses
    • Periodic criticality
    • Time-loss curve charts
The Steps in a BCP - 1
• Risk Assessment/Analysis
  – Potential failure scenarios (risks)
  – Likelihood of failure
  – Cost of failure, quantify impact of threat
  – Assumed maximum downtime
  – Annual Loss Expectancy
  – Worst case assumptions
  – Based on business process model? Or IT model?
  – Identify critical functions and supporting resources
  – Balance impact and countermeasure cost
• Key
  – Potential damage
  – Likelihood
Definitions
• Threat – any event which could have an undesirable impact
• Vulnerability – absence or weakness of a risk-reducing safeguard; potential to allow a threat to occur with greater frequency, greater impact, or both
  – Exposure – a measure of the magnitude of loss or impact on the value of the asset
• Risk – the potential for harm or loss, including the degree of confidence of the estimate
Definitions
• Quantitative Risk Analysis – quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
  – Powerful aid to decision making
  – Difficult to do in time and cost
• Qualitative Risk Analysis – minimally quantified estimates
  – Exposure scale ranking estimates
  – Easier in time and money
  – Less compelling
• Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
Results
• Loss impact analysis
• Recovery time frames
  – Essential business functions
  – Information systems applications
• Recommended recovery priorities & strategies
• Goals
  – Understand economic & operational impact
  – Determine recovery time frame (business/DP/Network)
  – Identify most appropriate strategy
  – Cost/justify recovery planning
  – Include BCP in normal decision making process
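The loss impact analysis on the two Risk Assessment slides (rate of losses, periodic criticality, assumed maximum downtime, time-loss curve charts) and the recovery time frames and recovery priorities listed here can be worked through numerically. The following is an added example written for this page, not material from the original deck: the business functions, the dollars-per-hour loss rates, the maximum acceptable outages and the critical-period multipliers are all constructed, and the piecewise-constant loss rate is an assumed simplification of a real time-loss curve.

```python
"""Loss impact analysis: time-loss curves, maximum acceptable outage and
recovery priorities.  Added example, not from the original CISSP deck; every
business function and dollar figure below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    max_acceptable_outage: float   # hours of downtime the business can tolerate
    # Time-loss curve as (from_hour, dollars_per_hour) segments in ascending order;
    # losses usually accelerate the longer the outage lasts.
    rate_schedule: tuple
    # Periodic criticality: loss multiplier if the outage hits a critical period
    # (month-end close, payroll run, ...).  Assumed modelling choice.
    period_multiplier: float = 1.0


def cumulative_loss(fn: BusinessFunction, hours: float, critical_period: bool = False) -> float:
    """Integrate the piecewise-constant loss rate from hour 0 to `hours`."""
    total = 0.0
    sched = fn.rate_schedule
    for i, (start, rate) in enumerate(sched):
        if hours <= start:
            break
        end = sched[i + 1][0] if i + 1 < len(sched) else float("inf")
        total += (min(hours, end) - start) * rate
    return total * (fn.period_multiplier if critical_period else 1.0)


def time_loss_curve(fn: BusinessFunction, horizon: int, step: int):
    """Points (hour, cumulative loss) for a time-loss curve chart."""
    return [(h, cumulative_loss(fn, h)) for h in range(0, horizon + 1, step)]


def total_loss(functions, hours: float, critical_period: bool = False) -> float:
    """Organization-wide loss for an outage of the given length."""
    return sum(cumulative_loss(f, hours, critical_period) for f in functions)


def first_unacceptable(functions, hours: float):
    """Functions whose maximum acceptable outage is exceeded after `hours`."""
    return [f.name for f in functions if hours > f.max_acceptable_outage]


def recovery_priorities(functions):
    """Recovery order: shortest maximum acceptable outage first, ties broken
    by the steeper initial loss rate."""
    ordered = sorted(functions,
                     key=lambda f: (f.max_acceptable_outage, -f.rate_schedule[0][1]))
    return [f.name for f in ordered]


# Constructed sample data (not from the slides)
PAYROLL = BusinessFunction("Payroll", 72, ((0, 200), (48, 5_000)), period_multiplier=5.0)
ORDER_ENTRY = BusinessFunction("Order entry", 4, ((0, 5_000), (8, 20_000)), period_multiplier=3.0)
EMAIL = BusinessFunction("E-mail", 24, ((0, 1_000),))
FUNCTIONS = (PAYROLL, ORDER_ENTRY, EMAIL)

if __name__ == "__main__":
    for hours in (4, 12, 100):
        print(f"{hours:>3}h outage: total loss ${total_loss(FUNCTIONS, hours):,.0f}; "
              f"beyond acceptable outage: {first_unacceptable(FUNCTIONS, hours)}")
    print("Recovery priorities:", recovery_priorities(FUNCTIONS))
    print("Order entry time-loss curve:", time_loss_curve(ORDER_ENTRY, 12, 4))
```

Running it shows why recovery priority is not the same as loss per hour: order entry is recovered first because its acceptable outage is only four hours, while payroll, cheap per hour at first, becomes the largest loss once a 48-hour threshold (or a critical pay period) is crossed.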
Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers
Threats
• Unauthorized access
• Illogical processing
• Hardware failure
• Translation of user needs (technical requirements)
• Utility failure
• Natural disasters
• Inability to control technology
• Loss of key personnel
• Equipment failure
• Human errors
• Incorrect entry of data
• Neighborhood hazards
• Concentration of data
• Tampering
• Inability to react quickly
• Disgruntled employees
• Inability to substantiate processing
• Emanations
• Safety
• Concentration of responsibilities
• Improper use of technology
• Repetition of errors
• Erroneous/falsified data
• Cascading of errors
• Misuse
Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure
Risk Analysis Steps
• 1 - Identify essential business functions
  – Dollar losses or added expense
  – Contract/legal/regulatory requirements
  – Competitive advantage/market share
  – Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
  – Prioritize business functions
• 3 - Gather impact data/Threat analysis
  – Probability of occurrence, source of help
  – Document business functions
  – Define support requirements
  – Document effects of disruption
  – Determine maximum acceptable outage period
  – Create outage scenarios
Risk Analysis Steps
• 4 - Analyze and summarize
  – Estimate potential losses
    • Destruction/theft of assets
    • Loss of data
    • Theft of information
    • Indirect theft of assets
    • Delayed processing
    • Consider periodicity
  – Combine potential loss & probability
  – Magnitude of risk is the ALE (Annual Loss Expectancy)
  – Guide to security measures and how much to spend
Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
  – Greatest net reduction in losses
  – Annual cost
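Step 4 of the risk analysis (combine potential loss and probability into the ALE) and the "Results" slide (rank remedial measures by greatest net reduction in losses against their annual cost) are a small calculation that is easy to get wrong when done by hand. The block below is an added example written for this page, not code from the original deck. It uses the standard CISSP labels SLE (single loss expectancy) and ARO (annualized rate of occurrence), which the slide does not spell out, for "potential loss" and "probability"; the threats, safeguards and dollar amounts are constructed, and the assumption that a safeguard reduces the occurrence rate and/or the per-occurrence loss by a fixed fraction is a modelling simplification.

```python
"""Quantitative risk analysis arithmetic: ALE and safeguard selection.
Added example, not from the original CISSP deck; threat and safeguard figures
below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # expected dollar loss per occurrence (SLE)
    annual_rate: float   # expected occurrences per year (ARO)

    @property
    def ale(self) -> float:
        # "Combine potential loss & probability": ALE = SLE x ARO
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str                   # name of the Threat it addresses
    annual_cost: float            # annualized cost of the remedial measure
    rate_reduction: float = 0.0   # fraction of occurrences prevented, 0..1 (assumed model)
    loss_reduction: float = 0.0   # fraction of per-occurrence loss avoided, 0..1 (assumed model)


def ale_after(threat: Threat, sg: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    return (threat.single_loss * (1.0 - sg.loss_reduction)
            * threat.annual_rate * (1.0 - sg.rate_reduction))


def net_benefit(threat: Threat, sg: Safeguard) -> float:
    """Net reduction in losses: (ALE before - ALE after) - annual cost of the safeguard."""
    return threat.ale - ale_after(threat, sg) - sg.annual_cost


def rank_safeguards(threats, safeguards):
    """Remedial measures ordered by greatest net reduction in losses."""
    by_name = {t.name: t for t in threats}
    scored = [(sg.name, net_benefit(by_name[sg.threat], sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def justified_safeguards(threats, safeguards):
    """Only measures with a positive net benefit are worth the spend."""
    return [name for name, net in rank_safeguards(threats, safeguards) if net > 0]


# Constructed sample data (not from the slides)
THREATS = (
    Threat("Fire", single_loss=500_000, annual_rate=0.05),          # ALE 25,000
    Threat("Errors & omissions", single_loss=20_000, annual_rate=12),  # ALE 240,000
)
SAFEGUARDS = (
    Safeguard("Sprinklers", "Fire", annual_cost=8_000, loss_reduction=0.8),
    Safeguard("Off-site vault", "Fire", annual_cost=40_000, loss_reduction=0.9),
    Safeguard("Input validation", "Errors & omissions", annual_cost=30_000, rate_reduction=0.5),
)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: ALE ${t.ale:,.0f}")
    for name, net in rank_safeguards(THREATS, SAFEGUARDS):
        print(f"{name}: net benefit ${net:,.0f}")
    print("Justified:", justified_safeguards(THREATS, SAFEGUARDS))
```

The sample reproduces the point of the Data Pro figures earlier in the deck: the unglamorous errors-and-omissions threat carries the largest ALE, so the control against it ranks first, and an expensive control against a dramatic but rare threat (the off-site vault against fire) is rejected because its annual cost exceeds the loss it avoids.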
Information Valuation
• Information has cost/value
  – Acquire/develop/maintain
  – Owner/Custodian/User/Adversary
• Do a cost/value estimate for
  – Cost/benefit analysis
  – Integrate security in systems
  – Avoid penalties
  – Preserve proprietary information
  – Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques
Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract
Scenario
• A specific threat (potential event/act) in which assets are subject to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings
The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
  – Management support
  – Team structure
  – Strategy selection
    • Cost effective
    • Workable
The Steps in a BCP - 3
• Implementation (Plan Development)
  – Specify resources needed for recovery
  – Make necessary advance arrangements
  – Mitigate exposures
The Steps in a BCP - 3
• Risk Prevention/Mitigation
  – Risk management program
  – Security - physical and information (access)
  – Environmental controls
  – Redundancy - Backups/Recoverability
    • Journaling, Mirroring, Shadowing
    • On-line/near-line/off-line
  – Insurance
  – Emergency response plans
  – Procedures
  – Training
The Steps in a BCP - 3
• Decision Making
  – Cost effectiveness
    • Total cost
  – Human intervention requirements
    • Manual functions are weakest
  – Overrides and defaults
    • Shutdown capability
    • Default to no access
  – Design openness
  – Least Privilege
    • Minimum information
    • Visible safeguards
  – Entrapment
    • Selected vulnerabilities made attractive
The Steps in a BCP - 3
• Decision Making
  – Independence of controller and subject
  – Universality
  – Compartmentalization, defense in depth
  – Isolation
  – Completeness
  – Instrumentation
  – Acceptance
  – Sustainability
  – Auditability
  – Accountability
  – Recovery
The Steps in a BCP - 3
• Plan Development
  – Specify resources needed for recovery
  – Team-based
  – Recovery plans
  – Mitigation steps
  – Testing plans
  – Prepared by those who will carry them out
Included in a BCP
• Off-site storage
  – Trip there - secure? Timely?
  – Physical layout of site
  – Fire protection
  – Climate controls
  – Security access controls
  – Backup power
Included in a BCP
• Off-site storage
• Alternate site
  – Hot/Warm/Cold (Shell) sites
  – Reciprocal agreements/Multiple sites/Service bureaus
  – Trip there - secure? Timely?
  – Physical layout of site
  – Fire protection
  – Climate controls
  – Security access controls
  – Backup power
  – Agreements
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
  – Compatibility
  – Capacity
  – Journaling - maintaining audit records
    • Remote journaling - to off-site location
  – Shadowing - remote journaling and delayed mirroring
  – Mirroring - maintaining realtime copy of data
  – Electronic vaulting - bulk transfer of backup files
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
  – Compatibility
  – Accessibility
  – Capacity
  – Alternatives
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
  – Accessibility
  – Capacity
  – Environment
Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed
The Steps in a BCP - Finally
• Plan Testing
  – Proves feasibility of recovery process
  – Verifies compatibility of backup facilities
  – Ensures adequacy of team procedures
    • Identifies deficiencies in procedures
  – Trains team members
  – Provides mechanism for maintaining/updating the plan
  – Upper management comfort
The Steps in a BCP - Finally
• Plan Testing
  – Desk checks/Checklist
  – Structured Walkthroughs
  – Live exercises/Simulations
  – Periodic off-site recovery tests/Parallel
  – Full interruption drills
The Steps in a BCP - Finally
• Test
  – Hardware
  – Software
  – Personnel
  – Communications
  – Procurement
  – Procedures
  – Supplies/forms
  – Documentation
  – Transportation
  – Utilities
  – Alternate site processing
  – Security
The Steps in a BCP - Finally
• Test
  – Purpose (scenario)
  – Objectives/Assumptions
  – Type
  – Timing
  – Schedule
  – Duration
  – Participants
    • Assignments
  – Constraints
  – Steps
The Steps in a BCP - Finally
• Alternate Site Test
  – Activate emergency control center
  – Notify & mobilize personnel
  – Notify vendors
  – Pickup and transport: tapes, supplies, documentation
  – Install (Cold and Warm sites)
  – IPL
  – Verify
  – Run
  – Shut down/Clean up
  – Document/Report
The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
  – Critical to maintain validity and usability of plan
    • Environmental changes
    • HW/SW/FW changes
    • Personnel
  – Needs to be included in organization plans
    • Job description/expectations
    • Personnel evaluations
    • Audit work plans
BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post transition plan development
End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
  – manual procedures
  – recovery of data/transactions
  – procedures for alternate site operation
  – procedures to return to normal
The Real World
• DR plans normally involve
  – Essential DP platforms/systems only
  – A manual on the shelf written 2-3 years ago
  – Little or no user involvement
  – No provision for business processes
  – No active testing
  – Resource lists and contact information that do not match current realities
Stages in an Incident
• Disaster – interruption affecting user operations significantly
Stages in an Incident
• Disaster
• Initial/Emergency response
  – Purpose
    • Ensure safety of people
    • Prevent further damage
  – Activate emergency response team
  – Covers emergency procedures for expected hazards
  – Safety essential
  – Emergency supplies
  – Crisis Management plan - decision making
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
  – Activate assessment team
  – Determine situation
    • What is affected?
  – Decide whether to activate plan
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
  – Initial recovery of key areas at alternate site
  – Detailed procedures
  – Salvage/repair - Clean up
Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
  – Return to operation at normal site
  – “Emergency” is not over until you are back to normal
  – Requires just as much planning - Parallel operations
Special Cases
• Y2K
  – Incidents will happen in a particular time frame
  – Alternate sites won’t help
  – Redundant equipment won’t help
  – Backups won’t help
  – Involves automated equipment and services
Final Thoughts
• Do you really want to activate a DR/BCP plan?
  – Prevention
  – Planning