Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 02 Planning for Organizational Readiness

Objectives

• Discuss why an individual or group needs to be appointed to create a contingency policy and plan

• Describe the elements needed to begin the contingency planning process

• Define business impact analysis and describe each of its components

• List the steps needed to create and maintain a budget used for the contingency planning process


Introduction

• Planning for contingencies
  – Complex and demanding process

• Systematic methodology
  – Organize the planning process
  – Prepare detailed and complete plans
  – Commit to maintaining those plans
  – Rehearse plans with a military rigor

• Completed after normal working hours
  – Maintain the processes

Beginning the Contingency Planning Process

• Contingency planning management team (CPMT)
  – Consists of an individual or team

• CPMT responsibilities
  – Obtain commitment and support
  – Manage and conduct the overall CP process
  – Write the master CP document
  – Conduct the business impact analysis (BIA)
    • Assist in identifying and prioritizing threats and attacks
    • Assist in identifying and prioritizing business functions

Beginning the Contingency Planning Process (cont’d.)

• CPMT responsibilities (cont’d.)
  – Organize and staff the leadership of the subordinate teams
    • Incident response
    • Disaster recovery
    • Business continuity
    • Crisis management
  – Provide guidance to and integrate the work of the subordinate teams

Beginning the Contingency Planning Process (cont’d.)

• CPMT positions
  – Champion
  – Project manager
  – Team members
  – Representatives from other business units
    • Business managers
    • Information technology managers
    • Information security managers
  – Representatives from subordinate teams

Beginning the Contingency Planning Process (cont’d.)


Commitment and Support of Senior Management

• Clear and formal senior executive management commitment required
  – Prevents CP process failure
  – Managers and employees provide time and resources
  – Support gained from communities of interest
    • Each should complement the others

• Information security communities of interest
  – Information security managers and professionals
  – Information technology managers and professionals
  – General management managers and professionals

Information Security Management and Professionals

• Protect information systems and stored information from attacks

• Tightly focused on protecting system integrity and confidentiality
  – Sometimes lose sight of availability

Information Technology Management and Professionals

• Design, build, or operate information systems

• IT managers and skilled professionals
  – Systems design, programming, networks
  – Related disciplines categorized as information technology (IT)

• Same objectives as information security community
  – Focus
    • System creation and operation costs
    • System users’ ease of use
    • System creation timeliness; transaction response time

Organizational Management and Professionals

• Includes executive management, production management, human resources, accounting, legal, and others

• IT community category reference
  – Users of information technology systems

• Information security community category reference
  – Security subjects

• All IT systems and information security objectives
  – Implement broader organizational community objectives and safeguard effective use and operation

Elements Required to Begin Contingency Planning

• Four required CP process elements
  – Planning methodology
  – Policy environment (enables planning process)
  – Understanding causes and effects of core precursor activities (business impact analysis)
  – Access to financial and other resources
    • Articulated and outlined by the planning budget

• Development of CP policies and plans
  – Occurs once CPMT organized and staffed
  – Expands the four elements

Elements Required to Begin Contingency Planning (cont’d.)

• Complete CP development methodology adaption
  – NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems (2010)
  – Special Publication 800-61, Rev. 2, Computer Security Incident Handling Guide (2012)

• Complete process
  – Form the CPMT
  – Develop contingency planning policy statement
  – Conduct the business impact analysis (BIA)

Elements Required to Begin Contingency Planning (cont’d.)

– Form subordinate planning teams
– Develop subordinate planning policies
– Integrate the BIA
– Identify preventive controls
– Organize response teams
– Create contingency strategies
– Develop subordinate plans
– Ensure plan testing, training, and exercises
– Ensure plan maintenance

Contingency Planning Policy

• Required for effective contingency planning

• Purpose of policy
  – Define the CP operations scope
  – Establish managerial intent with regard to timetables for incident response
  – Recovery from disasters
  – Reestablishment of operations for continuity
  – Establish responsibility for the development and operations of the CPMT in general
  – Provide specifics on CP-related team constituencies

Contingency Planning Policy (cont’d.)

• CP policy sections
  – Introductory statement
  – Scope and purpose statement
  – Call for periodic risk assessment and BIA
  – Specification of major CP components to be designed
  – Call for, and guidance in, selection of recovery options and BC strategies
  – Requirement to test the plans on a regular basis
  – Identification of key regulations and standards impacting CP planning

Contingency Planning Policy (cont’d.)

– Identification of key individuals responsible for CP operations
– Challenge to individual members
  • Asking for their support
  • Reinforcing their importance in the overall CP process
– Additional administrative information

• Each CP meeting should be documented

Business Impact Analysis

• Business impact analysis (BIA)
  – Investigation and assessment of the impact that various events or incidents can have on the organization
  – Provides detailed identification and prioritization of critical business functions
  – Different from the risk management process
  – Begins with prioritized list of threats and vulnerabilities
  – Question
    • If an attack succeeds, what do you do next?

Business Impact Analysis (cont’d.)

• Five “keys to BIA success”
  – Set the project scope carefully
  – Initiate data-gathering process
    • Find information senior managers need
  – Seek out objective rather than subjective data
  – Determine higher management needs prior to data collection
  – Gain validation of the results:
    • Derived from risk assessment and BIA
    • From owners of the business processes being examined

Business Impact Analysis (cont’d.)

• CPMT conducts the BIA in three stages


Determine Mission/Business Processes and Recovery Criticality

• First major BIA task
  – Analyze and prioritize business processes
    • Based on relationships to mission
  – Evaluate independently to compare with organization as a whole

• Business process = “mission/business process”
  – Task performed in support of the overall mission

• Collect critical information before prioritizing
  – Avoid “turf war”

• Useful tool: BIA questionnaire

Determine Mission/Business Processes and Recovery Criticality (cont’d.)

• Weighted analysis table resolves most critical issues

• Weighted analysis process
  – Identify organization categories
  – Assign weights to each category
    • Assigned weights add to a value of one (100 percent)
  – Identify various business functions
    • Importance value assessed on a scale of one to 10
  – Weights are multiplied by the scores in each category
  – Weighted scores are summed to obtain that business function’s overall value to the organization

Determine Mission/Business Processes and Recovery Criticality (cont’d.)


Determine Mission/Business Processes and Recovery Criticality (cont’d.)

• NIST Business Process and Recovery Criticality
  – NIST Special Publication 800-34 Rev. 1

• Large quantities of information needed

• BIA data collection process needed

Determine Mission/Business Processes and Recovery Criticality (cont’d.)


Key Downtime Metrics

• Maximum tolerable downtime (MTD)
  – Total amount of time the system owner/authorizing official is willing to accept for a process outage
  – Includes all impact considerations

• Recovery time objective (RTO)
  – Time period within which systems, applications, or functions must be recovered after an outage

• Recovery point objective (RPO)
  – Point in time to which lost systems and data can be recovered after outage; determined by business unit

Key Downtime Metrics (cont’d.)

• NIST Special Publication 800-34 Rev. 1
  – Contains additional definitions for MTD, RTO, RPO

• Reducing RTO requires mechanisms to shorten start-up time or provisions
  – To make data available online at a failover site

• Reducing RPO requires mechanisms to increase data replication synchronicity between production systems and backup implementations

• Critical need: avoid exceeding MTD
  – RTO must be shorter than MTD
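The weighted analysis process and the downtime metrics above, combined into one BIA worksheet check. This is an added example, not taken from the textbook or the slides: the category names, weights, scores and hour values are constructed, and the comparison of backup interval against RPO is an added assumption about how an RPO is met.

```python
import math
from dataclasses import dataclass

# Constructed organization categories and weights (assumptions, not from the slides).
WEIGHTS = {"revenue": 0.4, "customer_service": 0.3,
           "regulatory": 0.2, "internal_ops": 0.1}


@dataclass
class BusinessFunction:
    name: str
    scores: dict                  # category -> importance on a scale of 1 to 10
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # recovery time objective
    rpo_hours: float              # recovery point objective
    backup_interval_hours: float  # time between backup or replication runs


def weights_valid(weights):
    """Assigned weights must be positive and add to one (100 percent)."""
    return (all(w > 0 for w in weights.values())
            and math.isclose(sum(weights.values()), 1.0))


def weighted_score(fn, weights):
    """Multiply each category score by its weight and sum the products."""
    if not weights_valid(weights):
        raise ValueError("category weights must add to 1.0")
    if set(fn.scores) != set(weights):
        raise ValueError(f"{fn.name}: scores must cover every category")
    for cat, score in fn.scores.items():
        if not 1 <= score <= 10:
            raise ValueError(f"{fn.name}: {cat} score {score} outside 1-10")
    return round(sum(weights[c] * fn.scores[c] for c in weights), 2)


def rank(functions, weights):
    """Return (name, score) pairs, most critical business function first."""
    scored = [(f.name, weighted_score(f, weights)) for f in functions]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def downtime_findings(fn):
    """Flag targets that cannot hold: RTO must be shorter than MTD, and the
    worst-case data loss (one backup interval) must fit inside the RPO."""
    findings = []
    if fn.rto_hours >= fn.mtd_hours:
        findings.append(
            f"RTO {fn.rto_hours}h is not shorter than MTD {fn.mtd_hours}h")
    if fn.backup_interval_hours > fn.rpo_hours:
        findings.append(
            f"backup interval {fn.backup_interval_hours}h exceeds RPO {fn.rpo_hours}h")
    return findings


# Constructed worksheet rows: name, scores, MTD, RTO, RPO, backup interval (hours).
FUNCTIONS = [
    BusinessFunction("Payroll", {"revenue": 2, "customer_service": 3,
                                 "regulatory": 9, "internal_ops": 8}, 72, 96, 24, 24),
    BusinessFunction("Customer order entry", {"revenue": 10, "customer_service": 9,
                                              "regulatory": 4, "internal_ops": 3}, 8, 4, 1, 0.25),
    BusinessFunction("Customer support desk", {"revenue": 6, "customer_service": 10,
                                               "regulatory": 3, "internal_ops": 4}, 24, 12, 4, 24),
]

if __name__ == "__main__":
    for name, score in rank(FUNCTIONS, WEIGHTS):
        print(f"{score:4.1f}  {name}")
    for fn in FUNCTIONS:
        for finding in downtime_findings(fn):
            print(f"{fn.name}: {finding}")
```

The ranking feeds recovery prioritization, while the findings list shows which stated objectives contradict each other before they are written into a plan.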

Cost Balance Point

• Different for every organization and system

• Based on financial constraint, operating requirement

Prioritize Information Assets

• Helpful to understand information assets used by prioritized processes

• High-value information assets
  – May influence a particular business process valuation

• Task normally performed as part of the risk-assessment function of risk management
  – Perform task now if organization has not performed this task

Identify Resource Requirements

• Need to determine resources needed to recover prioritized processes and associated assets

• Resource intensive processes: IT functions

• Resources require extensive sets of information processing, storage, and transmission
  – Supporting customer data, production data, and other organizational information

• Business production-oriented processes
  – Require complex or expensive components to operate

Identify System Resource Recovery Priorities

• Last stage of the BIA

• Prioritize resources associated with the mission/business processes
  – Brings better understanding of what must be recovered first

• Create additional weighted tables of the resources
  – Develop a custom-designed “to-do” list

• Use a simple valuation scale
  – Primary/Secondary/Tertiary
  – Critical/Very important/Important/Routine

BIA Data Collection

• Not a discrete step

• Methods
  – Online questionnaires
  – Facilitated data-gathering sessions
  – Process flows and interdependency studies
  – Risk assessment research
  – IT application or system logs
  – Financial reports and departmental budgets
  – BCP/DRP audit documentation
  – Production schedule

Online Questionnaires

• Online or printed questionnaire
  – Identify and classify
    • Business functions and impact they have on other organization areas

• Enables a structured collection method
  – Collect information directly from those most knowledgeable

• Examples
  – Web site for the Texas State Office of Risk Management BIA questionnaire areas
  – See Table 2-3 and Table 2-4

Online Questionnaires (cont’d.)


Online Questionnaires (cont’d.)


Facilitated Data-Gathering Sessions

• Focus group (facilitated data-gathering session)
  – Collecting information directly from the end users and business managers
  – Individuals brought together
    • Brainstorm answers to BIA process questions
    • To yield quantity or quality of information desired
  – Ensure a relaxed, productive session
    • Provide clear session structure
  – Encourage dialog
  – Restrict managers’ ability to take control

Process Flows and Interdependency Studies

• Systems diagramming
  – Documents ways systems operate
  – Charts process flows and interdependency studies
  – Used for both manual and automated systems

• Common diagramming techniques
  – Use case diagrams and supporting use cases
  – Specifically designed to help understand interactions between entities and business functions

Process Flows and Interdependency Studies (cont’d.)


Process Flows and Interdependency Studies (cont’d.)

• Unified Modeling Language (UML) models
  – Class diagrams, sequence diagrams, collaboration diagrams

• Traditional systems analysis and design approaches
  – Workflow, functional decomposition, and dataflow diagrams
  – Quite complex
    • Only use if organization has them in place

Risk Assessment Research

• Risk assessment and risk management effort
  – Provides a wealth of information for BIA effort
    • Some modification may be necessary

• Risk management process
  – Primary starting point for the BIA

• Alternative efforts required if risk assessment not performed

• Teams may collect information from outside sources on risk assessment

IT Application or System Logs

• IT staff
  – Valuable in determining categorical data
    • Frequency of occurrence
    • Probability of success
  – Provide information from various logs

• Logs collect and provide reports
  – Failed login attempts, probes, scans, denial-of-service attacks, malware detected
  – Provides more accurate attack environment description

Financial Reports and Departmental Budgets

• Documents from normal operations
  – Provide insight into business operations

• Costs and revenues provided by each functional area
  – Useful in prioritizing business areas and functions
  – Provides insight into the area’s profitability and revenue contribution

• Most common method of calculating business impact
  – Review financial reports and budgets
    • Lost sales, idle personnel costs, and other opportunity costs easily obtained

Audit Documentation

• Paid external consultant audits
  – Used by larger organizations and publicly traded firms
  – Audit function compliance
    • Federal and state regulations
    • National or international standards
    • Part of proactive ongoing improvement program

• Audit reports
  – Provide additional information for the BIA process

Production Schedules

• Information valuable in the completion of the BIA
  – Production schedules, marketing forecasts, productivity reports, other business documents

• Include information collected from multiple sources
  – Rather than redundantly re-collecting it from the same sources

• If information not collected directly by the BIA team
  – Make sure it is current and accurate

• Undated information often worse than no information

Budgeting for Contingency Operations

• Incident response
  – May not require dedicated budgeting

• Disaster recovery and business continuity
  – Require ongoing expenditures, investment, and service contracts to support their implementation

• Many organizations are “self-insured”
  – Put money into an account
    • Draw upon it should replacements be required
  – Some organizations forgo “self-insured” investments
    • Due to tight budgets and drops in revenues

Incident Response Budgeting

• IR capabilities
  – Part of a normal IT budget
    • Data protection and response, backup and recovery methods
    • Uninterruptible power supplies (UPSs)
    • Antivirus/antispyware/antimalware software
    • Redundant arrays of independent disks (RAID)
    • Network-attached storage (NAS) or storage area networks (SANs)
  – Additional expenses
    • Protection of user data outside common storage areas

Incident Response Budgeting (cont’d.)

• Required budgeting
  – Maintenance of redundant equipment
  – Use the “rule of three”
    • Keep an online production system
    • Keep an online or very nearly online backup system
    • Keep an offline testing and development system

• Online “hot” servers have redundancy incorporated

• Backup or “warm” server
  – Provides redundant functions standing by in a near-online state

Disaster Recovery Budgeting

• Number one DR budgetary expense
  – Insurance policies
    • Provide for the capabilities to rebuild and reestablish operations at the primary site
  – Data loss policies
    • Many organizations cannot afford them
  – Losses from a distributed denial-of-service attack (DDoS) not so familiar
  – Insurance difficult to estimate exactly

• Many expenses not covered by insurance
  – Loss of water, electricity, data, and the like

Business Continuity Budgeting

• Requires the largest budget expenditure

• Staggering cost to maintain high level of redundancy
  – Example: service level agreements (SLAs) for hot sites

• Set aside “war chest” of funds for items needed during continuity operations
  – Safety deposit boxes at a local bank
    • Store corporate credit cards, purchase orders, cash

• Consider nonsalaried employee overtime

Crisis Management Budgeting

• Fundamentals of crisis management
  – Focused on physical and psychological losses associated with catastrophic disasters

• Primary budget item
  – Employee salaries if unable to come to work
    • Establish a minimum budget for paid leave

• Other items
  – Funeral and burial expenses; employee counseling services

Summary

• Approach CP using a systematic methodology
  – CPMT responsible for contingency policy and plans
    • Obtains commitment and support, manages the overall process, writes documents, conducts the BIA, organizes and staffs leadership, provides guidance
    • Roster includes champion, project manager, others

• Effective CP begins with effective policy
  – Policy provides guidance from executives
  – Policy contains statements, calls for action, guidelines and additional administrative information

Summary (cont’d.)

• BIA: investigation and assessment of event impact
  – Detailed identification and prioritization of critical business functions
  – Key element: placing priorities and values on mission/business process

• Insurance: number-one budgetary expense for DR
  – Larger deductibles provide lower monthly premiums
    • Set aside funds to cover deductibles
  – Business continuity: largest budget expenditure
    • Consider employee overtime, employee loss expenses
