Principles of Information Security
Chapter 5 – Planning for Security
Based on the fourth edition of:
M. E. Whitman and H. J. Mattord, Principles of Information Security
School of Business, Department of Information Technology
Introduction Policy, Standards IS Blueprint Security Awareness Continuity Strategies
Begin with the end in mind.
Stephen Covey
Author of Seven Habits of Highly Effective People
Chapter 5 – Planning for Security Principles of Information Security 2
Learning Objectives
Define management’s role in the development, maintenance,
and enforcement of information security policy, standards,
practices, procedures, and guidelines.
Describe what an information security blueprint is.
Discuss how an organization institutionalizes its policies,
standards, and practices using education, training, and
awareness programs.
Explain what contingency planning is and how incident
response planning, disaster recovery planning, and business
continuity plans are related to contingency planning.
Outline
1 Introduction
2 Information Security Policy, Standards, and Practices
3 The Information Security Blueprint
4 Security Education, Training, and Awareness Program
5 Continuity Strategies
Introduction
Creation of information security program begins with:
creation or review of an organization’s information security
policies, standards, and practices
selection or creation of information security architecture and a
detailed information security blueprint
Without policy, blueprints, and planning, an organization is
unable to meet information security needs of various
communities of interest
Organizations undertake at least the following plans:
Strategic planning
Contingency planning
Information Security Planning and Governance
Planning levels
Planning and the CISO
Information Security Governance
Set of responsibilities and practices exercised by the board and
executive management
Goal to provide strategic direction, ensuring that objectives are
achieved
Ascertaining that risks are managed appropriately and verifying
that the enterprise’s resources are used responsibly
Information Security Planning and Governance
Information Security Governance outcomes
Strategic alignment
Risk management
Resource management
Performance measures
Value delivery
Governance framework
Information Security Policy, Standards, and Practices
Policy: course of action used by organization to convey
instructions from management to those who perform duties
Policies are organizational laws
Standards: more detailed statements of what must be done to
comply with policy
Practices, procedures, and guidelines effectively explain how
to comply with policy
For a policy to be effective, it must be properly disseminated,
read, understood, and agreed to by all members of
organization and uniformly enforced
Information Security Policy, Standards, and Practices
Figure 5-1 Policies, Standards, and Practices
Enterprise Information Security Policy (EISP)
EISP sets strategic direction, scope, and tone for all security
efforts within the organization
EISP is an Executive-level document, usually drafted by or
with Chief Information Officer (CIO) of the organization
EISP typically addresses compliance in two areas:
1 Ensure meeting requirements to establish program and
responsibilities assigned therein to various organizational
components
2 Use of specified penalties and disciplinary action
Issue-Specific Security Policy (ISSP)
An organization must instruct employees on the proper use of
technologies and processes to support routine operations
In general, the ISSP:
Addresses specific areas of technology
Requires frequent updates
Contains a statement on the organization’s position on a
specific issue
Three approaches when creating ISSPs:
1 Create a number of independent ISSP documents
2 Create a single comprehensive ISSP document
3 Create a modular ISSP document
Information Security Policy, Standards, and Practices
Systems-Specific Policy (SysSP)
SysSPs frequently function as standards and procedures used
when configuring or maintaining systems
Systems-specific policies fall into two groups:
1 Managerial guidance
2 Technical specifications SysSPs
Access control lists (ACLs) can restrict access for a particular
user, computer, time, or duration, even down to a particular file
Configuration rule policies
Combination SysSPs
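The access control list described above, as an added worked example that is not from the textbook or these slides: a small default-deny ACL evaluator in Python that restricts access by user, source computer, time window and file path, the way a technical-specification SysSP would spell it out. The users, hosts, paths and time windows are constructed sample data.

```python
"""Default-deny ACL evaluator in the style of a technical-specification
SysSP.  Added example, not from the textbook; all users, hosts, paths and
time windows are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    user: Optional[str]        # None means any user
    host: Optional[str]        # None means any source computer
    start: time                # window start (inclusive)
    end: time                  # window end (exclusive); start > end wraps past midnight
    path_prefix: str           # a file, or a directory whose contents the rule covers
    actions: frozenset         # permitted actions, e.g. {"read", "write"}

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # e.g. 22:00-06:00

    def covers_path(self, path: str) -> bool:
        prefix = self.path_prefix.rstrip("/")
        return path == prefix or path.startswith(prefix + "/")

    def matches(self, user: str, host: str, when: datetime, path: str, action: str) -> bool:
        return ((self.user is None or self.user == user)
                and (self.host is None or self.host == host)
                and self.in_window(when)
                and self.covers_path(path)
                and action in self.actions)


@dataclass
class AccessControlList:
    rules: List[AclRule] = field(default_factory=list)

    def decide(self, user, host, when, path, action) -> bool:
        """Default deny: True only if some rule explicitly permits the request."""
        return any(r.matches(user, host, when, path, action) for r in self.rules)


# Constructed sample policy: payroll staff may read and write payroll data from
# the payroll workstation in business hours; the backup account may read the
# whole /data tree overnight, from the backup host only.
PAYROLL_ACL = AccessControlList([
    AclRule("alice", "ws-payroll-01", time(8, 0), time(18, 0),
            "/data/payroll", frozenset({"read", "write"})),
    AclRule("svc-backup", "bkp-01", time(22, 0), time(6, 0),
            "/data", frozenset({"read"})),
])


def check(user, host, when, path, action) -> bool:
    return PAYROLL_ACL.decide(user, host, when, path, action)


def demo_decisions() -> dict:
    """Evaluate a fixed set of constructed requests against PAYROLL_ACL."""
    day = datetime(2024, 3, 4, 10, 30)
    night = datetime(2024, 3, 4, 23, 15)
    payroll_file = "/data/payroll/2024.csv"
    return {
        "alice_day_write": check("alice", "ws-payroll-01", day, payroll_file, "write"),
        "alice_night_read": check("alice", "ws-payroll-01", night, payroll_file, "read"),
        "alice_wrong_host": check("alice", "laptop-7", day, payroll_file, "read"),
        "backup_night_read": check("svc-backup", "bkp-01", night, payroll_file, "read"),
        "backup_night_write": check("svc-backup", "bkp-01", night, payroll_file, "write"),
        "backup_day_read": check("svc-backup", "bkp-01", day, payroll_file, "read"),
        "backup_outside_tree": check("svc-backup", "bkp-01", night, "/database/secrets", "read"),
    }


if __name__ == "__main__":
    for name, allowed in demo_decisions().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY'}")
```

Every attribute the slide lists (user, computer, time, duration, file) is a separate match condition, and a request is granted only when one rule satisfies all of them; the directory prefix check insists on a trailing slash so that a rule for /data cannot be stretched to cover /database.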
Quick Quiz
1 ________ direct how issues should be addressed and
technologies used.
Answer: Policies
2 ________ are detailed statements of what must be done to
comply with policy.
Answer: Standards
3 True or False: An enterprise information security policy (EISP)
is also known as a general security policy, IT security policy,
and information security policy.
Answer: True
4 A(n) ________ addresses specific areas of technology, requires
frequent updates, and contains a statement on the
organization’s position on a specific issue.
Answer: issue-specific security policy (ISSP)
The Information Security Blueprint
The security blueprint is the basis for design, selection, and
implementation of all security policies, education and training
programs, and technological controls
It is detailed version of security framework (outline of overall
information security strategy for organization)
It specifies the tasks to be accomplished and the order in
which they are to be realized
It also serves as scalable, upgradeable, and comprehensive
plan for information security needs for coming years
The ISO 27000 Series
One of the most widely referenced and often discussed
security models is the Information Technology – Code of
Practice for Information Security Management, which was
originally published as the British Standard BS 7799.
In 2000, this Code of Practice was adopted as an international
standard by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission
(IEC) as ISO/IEC 17799
The document was revised in 2005 (becoming ISO
17799:2005) and then renamed to ISO 27002 in 2007
NIST Security Models
Another possible approach described in documents available
from Computer Security Resource Center of NIST
NIST documents are publicly available at no charge and have
been available for some time
They have been broadly reviewed by government and industry
professionals, and they are among the references cited by the
federal government when it decided not to select the ISO/IEC
17799 standards.
Baselining and Best Business Practices
Baselining and best practices are solid methods for collecting
security practices, but provide less detail than a complete
methodology
Possible to gain information by baselining and using best
practices and thus work backwards to an effective design
The Federal Agency Security Practices (FASP) site
(fasp.nist.gov) is designed to provide best practices for public
agencies and is adapted easily to private institutions
Design of Security Architecture
The Spheres of Security illustrate how information is under
attack from a variety of sources
Levels of controls
Management controls cover security processes designed by
strategic planners and performed by security administration
Operational controls deal with operational functionality of
security in organization
Technical controls address tactical and technical
implementations related to designing and implementing
security in organization
Design of Security Architecture
Figure 5-8 Spheres of Security
Design of Security Architecture
Defense in depth
Implementation of security in layers
Requires that organization establish sufficient security controls
and safeguards so that an intruder faces multiple layers of
controls
Security perimeter
Point at which an organization’s security protection ends and
outside world begins
Offers no protection against internal attacks from employee
threats or on-site physical threats
Design of Security Architecture
Security Perimeter (cont.)
Firewall: device that uses a rule set to selectively discriminate
against information flowing into or out of the organization
Demilitarized zones (DMZs): no-man’s land between the inside
and outside networks, where some organizations place Web servers
Proxy servers: perform actions on behalf of another system
Intrusion detection systems (IDSs): to detect unauthorized
activity within the inner network, or on individual machines,
an organization may wish to implement an IDS
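The perimeter components above (firewall rule set, DMZ, inside network), as an added worked example that is not from the textbook or these slides: a Python model of a stateless packet filter with three zones. Rules are matched first-match-wins with an implicit final deny, and traffic between two hosts in the same zone is reported as never inspected, which is the caveat from the previous slide that the perimeter offers no protection against an attacker already inside. The address ranges, host roles and ports are constructed; proxy servers and an IDS are not modelled.

```python
"""Stateless packet filter modelling the perimeter of Figure 5-11: outside
(Internet), a DMZ with the public Web server, and the inside network.
Added example, not from the textbook; addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
WEB_SERVER = "192.0.2.10"     # public Web server in the DMZ
DB_SERVER = "10.0.5.20"       # database on the inside network


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None means any host in dst_zone
    proto: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and (self.dst_host is None or self.dst_host == dst)
                and self.proto == proto
                and (self.dst_port is None or self.dst_port == dport))


# Configuration-rule policy: first match wins, anything unmatched is dropped.
RULESET = [
    Rule("outside", "dmz", WEB_SERVER, "tcp", 443, "allow"),   # public HTTPS
    Rule("outside", "dmz", WEB_SERVER, "tcp", 80, "allow"),    # public HTTP
    Rule("dmz", "inside", DB_SERVER, "tcp", 5432, "allow"),    # Web tier to database only
    Rule("inside", "outside", None, "tcp", None, "allow"),     # outbound from inside
    Rule("outside", "inside", None, "tcp", None, "deny"),      # explicit, so it can be logged
]


def filter_packet(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow', 'deny', or 'not-inspected' when both ends sit in the
    same zone and the packet never crosses the perimeter."""
    if zone_of(src) == zone_of(dst):
        return "not-inspected"
    for rule in RULESET:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"   # default deny


if __name__ == "__main__":
    print(filter_packet("203.0.113.7", WEB_SERVER, "tcp", 443))   # allow
    print(filter_packet("203.0.113.7", DB_SERVER, "tcp", 5432))   # deny
    print(filter_packet(WEB_SERVER, DB_SERVER, "tcp", 5432))      # allow
    print(filter_packet(WEB_SERVER, "10.0.5.21", "tcp", 22))      # deny: DMZ host pivoting
    print(filter_packet("10.0.9.9", DB_SERVER, "tcp", 5432))      # not-inspected
```

The last call is the point of the model: a compromised inside workstation reaching the database never touches the perimeter, which is why the slides pair the perimeter with host-based controls and an IDS on the inner network.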
Design of Security Architecture
Figure 5-9 Defense in Depth
Figure 5-10 Security Perimeters
Figure 5-11 Firewalls, Proxy Servers, and DMZs
Quick Quiz
1 Implementing security in a layered approach is referred to as ________.
Answer: defense in depth
2 A(n) ________ defines the edge between the outer limit of an
organization’s security and the beginning of the outside world.
Answer: security perimeter
3 A(n) ________ is a device that uses a rule set to selectively
discriminate against information flowing into/out of the
organization.
Answer: firewall
4 In an effort to detect unauthorized activity within the inner
network or on individual machines, an organization may want
to implement ________.
Answer: intrusion detection systems
Security Education, Training, and Awareness Program
As soon as the general security policy has been defined and an
overall security model created or adapted, it is time to implement
a security education, training, and awareness (SETA) program
SETA is the responsibility of the CISO and is a control
measure designed to reduce accidental security breaches
The SETA program consists of three elements:
1 Security Education
2 Security Training
3 Security Awareness
Security Education
Everyone in an organization needs to be trained and aware of
information security; not every member needs formal degree
or certificate in information security
When formal education for individuals in security is needed,
an employee can identify curriculum available from local
institutions of higher learning or continuing education
A number of universities have formal coursework in
information security
Security Training
Security training involves providing members of organization
with detailed information and hands-on instruction designed
to prepare them to perform their duties securely
Management of information security can develop customized
in-house training or outsource the training program
Alternatives to formal training include conferences and
programs offered through professional organizations
Security Awareness
One of least frequently implemented but most beneficial
programs is the security awareness program
Designed to keep information security at the forefront of
users’ minds
Need not be complicated or expensive; can include newsletters,
videos, coffee cups, T-shirts, pens, etc.
If the program is not actively implemented, employees begin to
tune out and risk of employee accidents and failures increases
Continuity Strategies
Managers in the IT and information security communities are
called on to provide strategic planning to assure the
continuous availability of information systems.
Plans for events of this type include:
Incident response plan (IRP) focuses on immediate response; if
attack escalates or is disastrous, the process changes to disaster
recovery and business continuity planning
Disaster recovery plan (DRP) typically focuses on restoring
systems at the primary site after disasters occur; as such, it is
closely associated with the BCP
Business continuity plan (BCP) occurs concurrently with DRP
when damage is major or long term, requiring more than
simple restoration of information and information resources.
Continuity Strategies (cont.)
Figure 5-14 Components of Contingency Planning
Continuity Strategies (cont.)
Before planning can actually begin, a team has to plan the
effort and prepare resulting documents
Champion: high-level manager to support, promote, and
endorse findings of project
Project manager: leads project and makes sure sound project
planning process is used, a complete and useful project plan is
developed, and project resources are prudently managed
Team members: should be managers, or their
representatives, from various communities of interest: e.g.,
business, IT, and information security
Continuity Strategies (cont.)
Figure 5-15 Contingency Planning Timeline
Figure 5-16 Major Steps in Contingency Planning
Quick Quiz
1 ________ is planning for the identification, classification,
response, and recovery from an incident.
Answer: Incident response planning (IRP)
2 A(n) ________ is any clearly identified attack on the
organization’s information assets that would threaten the
assets’ confidentiality, integrity, or availability.
Answer: incident
3 ________ deals with the preparation for and recovery from a
disaster, whether natural or man-made.
Answer: Disaster recovery planning (DRP)
4 ________ consists of the actions taken to plan for, detect, and
correct the impact of an incident on information assets.
Answer: Incident response (IR)
Business Impact Analysis (BIA)
A BIA is an investigation and assessment of the impact that
various attacks can have on the organization
It assumes that security controls have been bypassed, have
failed, or have proven ineffective, and attack has succeeded
Stages of BIA
Threat attack identification and prioritization
Business unit analysis
Attack success scenario development
Potential damage assessment
Subordinate plan classification
Incident Response Planning
Incident response planning covers identification of,
classification of, and response to an incident.
Attacks classified as incidents if:
They are directed against information assets
They have a realistic chance of success
They could threaten confidentiality, integrity, or availability of
information resources.
Incident response (IR) consists of four phases:
1 Planning
2 Detection
3 Reaction
4 Recovery
Incident Response Planning (cont.)
Incident Planning
Planning for incident is the first step in overall process of
incident response planning
Predefined responses enable organization to react quickly and
effectively to detected incident if:
Organization has IR team
Organization can detect incident
IR team consists of individuals needed to handle systems as
incident takes place.
Planners should develop guidelines for reacting to and
recovering from incident.
Incident Response Planning (cont.)
Incident Detection
Most common occurrence is complaint about technology
support, often delivered to help desk
The mechanisms that could potentially detect an incident
include host-based and network-based intrusion detection
systems, virus detection software, systems administrators, and
even end users
Careful training needed to quickly identify and classify an
incident.
Once attack is properly identified, organization can respond.
Incident Response Planning (cont.)
Incident Reaction
Incident reaction consists of actions outlined in the IR plan
that guide the organization in attempting to stop the incident,
mitigate the impact of the incident, and provide information
for recovery from the incident
Before incident can be contained, areas affected must be
determined
Organization can stop incident and attempt to recover control
through a number of strategies
Incident Response Planning (cont.)
Incident Recovery
Once incident has been contained and control of systems
regained, the next stage is recovery.
First task is to identify human resources needed and launch
them into action
Full extent of the damage must be assessed
Organization repairs vulnerabilities, addresses any
shortcomings in safeguards, and restores data and services of
the systems
Incident Response Planning (cont.)
Incident Recovery (cont.)
Incident damage assessment determines the scope of the
breach of the confidentiality, integrity, and availability of
information and information assets during or just after an
incident
Related to the task of incident damage is the field of computer
forensics. Computer forensics is the process of collecting,
analyzing, and preserving computer-related evidence.
Evidence is a physical object or documented information that
proves an action occurred or identifies the intent of a
perpetrator. Computer evidence must be carefully collected,
documented, and maintained to be acceptable in formal or
informal proceedings.
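Collecting and preserving computer evidence so that it remains acceptable later, as an added worked example that is not from the textbook or these slides: Python code that hashes the evidence at acquisition (SHA-256), appends a chain-of-custody entry at every hand-off, and re-verifies the hash before analysis, so that any alteration is detected and the record shows who last held an intact copy. The evidence bytes, item identifier and examiner names are constructed sample data.

```python
"""Evidence integrity and chain of custody.  Added example, not from the
textbook; the evidence bytes, item id and examiner names are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime
    holder: str
    action: str        # "acquired", "transferred", "verified"
    digest: str        # hash of the evidence as observed at that moment


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    chain: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id: str, description: str, data: bytes, examiner: str, when: datetime):
        """Hash the evidence at the moment of collection and open the chain."""
        digest = sha256_hex(data)
        item = cls(item_id, description, digest)
        item.chain.append(CustodyEntry(when, examiner, "acquired", digest))
        return item

    def transfer(self, to_holder: str, data: bytes, when: datetime) -> None:
        """Hand-off: the receiver re-hashes what they were given before accepting custody."""
        self.chain.append(CustodyEntry(when, to_holder, "transferred", sha256_hex(data)))

    def verify(self, data: bytes, examiner: str, when: datetime) -> bool:
        """Re-hash the current copy and compare with the acquisition hash."""
        digest = sha256_hex(data)
        self.chain.append(CustodyEntry(when, examiner, "verified", digest))
        return digest == self.acquisition_hash

    def last_intact(self) -> Optional[CustodyEntry]:
        """Latest custody entry at which the evidence still matched acquisition."""
        good = [e for e in self.chain if e.digest == self.acquisition_hash]
        return good[-1] if good else None


# Constructed sample: one line copied from a Web server access log during an incident.
ORIGINAL = b'203.0.113.7 - - [04/Mar/2024:02:14:09] "POST /login HTTP/1.1" 200\n'
TAMPERED = ORIGINAL.replace(b"203.0.113.7", b"203.0.113.8")   # a single byte changed


def run_scenario(tamper: bool):
    """Acquire, hand off, then verify either the intact or the altered copy."""
    item = EvidenceItem.acquire("EV-001", "access.log from web-01", ORIGINAL,
                                "examiner-a", datetime(2024, 3, 4, 3, 0))
    item.transfer("examiner-b", ORIGINAL, datetime(2024, 3, 4, 9, 0))
    current = TAMPERED if tamper else ORIGINAL
    ok = item.verify(current, "examiner-b", datetime(2024, 3, 5, 10, 0))
    return ok, item


if __name__ == "__main__":
    ok, item = run_scenario(tamper=False)
    print("intact copy verifies:", ok)
    ok, item = run_scenario(tamper=True)
    last = item.last_intact()
    print("altered copy verifies:", ok, "| last intact:", last.action, "by", last.holder)
```

Because each hand-off records a fresh hash, a failed verification does not merely say the evidence is unusable; it narrows the alteration to the interval after the last matching entry, which is what an opposing party will ask about.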
Incident Response Planning (cont.)
Disaster Recovery Planning (DRP)
An event can be categorized as a disaster when the following
happens:
the organization is unable to mitigate the impact of an
incident during the incident
the level of damage is so severe that the organization is unable
to recover quickly
The contingency planning team must decide which actions
constitute disasters and which constitute incidents.
DRP strives to reestablish operations at the primary site.
Business Continuity Planning (BCP)
BCP outlines reestablishment of critical business operations
during a disaster that impacts operations
If disaster has rendered the business unusable for continued
operations, there must be a plan to allow business to continue
functioning
Development of BCP is somewhat simpler than IRP or DRP;
consists primarily of selecting a continuity strategy and
integrating off-site data storage and recovery functions into
this strategy
Business Continuity Planning (cont.)
Continuity Strategies
There are a number of strategies from which an organization can
choose when planning for business continuity:
In general there are three exclusive options:
1 Hot site – a fully configured computer facility, with all services,
communications links, including heating and air conditioning
2 Warm site – provides many of the same services of the hot
site, but does not include the actual applications the company
needs
3 Cold site – provides only rudimentary services and facilities.
No computer hardware or peripherals are provided. All
communications services must be installed after the site is
occupied.
Business Continuity Planning (cont.)
Continuity Strategies (cont.)
Also, there are three shared options:
1 Time-shares – a hot, warm, or cold site that is leased in
conjunction with a business partner or sister organization.
2 Service Bureaus – an agency that provides a service for a
fee.
3 Mutual Agreement – a contract between two or more
organizations that specifies how each will assist the other in
the event of a disaster.
Quick Quiz
1 A(n) ________ provides many of the same services and options
as a hot site. However, it typically does not include the
applications the company needs, or the applications may not
yet be properly installed and configured.
Answer: warm site
2 A(n) ________ is a fully configured computer facility with all
services, communications links, and physical plant operations,
including heating and air conditioning.
Answer: hot site
3 A(n) ________ is the next step down from the warm site and
provides only rudimentary services and facilities. No computer
hardware or peripherals are provided.
Answer: cold site
Crisis Management
Actions taken during and after a disaster that focus on people
involved and address viability of business are referred to as
crisis management.
Crisis management team is responsible for managing event
from an enterprise perspective and covers:
Supporting personnel and families during crisis.
Determining impact on normal business operations.
Keeping the public informed.
Communicating with major customers, suppliers, partners,
regulatory agencies, industry organizations, the media, and
other interested parties.
Model for a Consolidated Contingency Plan
Single document set approach supports concise planning and
encourages smaller organizations to develop, test, and use IR
and DR plans
Model is based on analyses of disaster recovery and incident
response plans of dozens of organizations
Six steps in contingency planning process
1 Identifying mission- or business-critical functions
2 Identifying resources that support critical functions
3 Anticipating potential contingencies or disasters
4 Selecting contingency planning strategies
5 Implementing contingency strategies
6 Testing and revising strategy
Law Enforcement Involvement
When incident at hand constitutes a violation of law,
organization may determine involving law enforcement is
necessary
Several questions need to be answered:
When should organization get law enforcement involved?
What level of law enforcement agency should be involved
(local, state, federal)?
What happens when law enforcement agency is involved?
Some questions are best answered by the legal department
Benefits and Drawbacks of Law Enforcement Involvement
Involving law enforcement agencies has advantages:
Agencies may be better equipped at processing evidence.
An organization acting on its own may be less effective in convicting suspects.
Law enforcement agencies are prepared to handle any
necessary warrants and subpoenas.
Law enforcement is skilled at obtaining witness statements
and other information collection.
Benefits and Drawbacks of Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:
Once a law enforcement agency takes over case, organization
loses complete control over chain of events.
Organization may not hear about case for weeks or months.
Equipment vital to the organization’s business may be tagged
as evidence.
If organization detects a criminal act, it is legally obligated to
involve appropriate law enforcement officials.
Quick Quiz
1 ________ is the process of collecting, analyzing, and preserving
computer-related evidence.
Answer: Computer forensics
2 The actions taken during and after a disaster are referred to
as ________.
Answer: crisis management
Additional Resources
1 COBIT Framework for IT Governance and Control
http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
2 ITIL
http://www.itil-officialsite.com/home/home.asp
3 Security Governance
http://www.securitygovernance.net/
4 Strategic Planning (in nonprofit and for-profit organizations)
http://managementhelp.org/plan_dec/str_plan/str_plan.htm