© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information Systems Security
Lesson 8
Risk, Response, and Recovery
Learning Objective(s)
Describe the principles of risk management, common response techniques, and issues related to recovery of IT systems.
Key Concepts
Quantitative and qualitative risk assessment approaches
Business impact analysis (BIA)
Business continuity plan (BCP)
Incident handling
Disaster recovery plan (DRP)
Risk Management and Information Security
Seek a balance between the utility and cost of various risk management options
• Don’t spend more to protect an asset than it is worth
• A countermeasure without a corresponding risk is a solution seeking a problem, and its cost is difficult to justify
Risk Terminology
• Threat: Something (generally bad) that might happen
• Vulnerability: Any exposure that could allow a threat to be realized
• Risk: The likelihood that a particular threat will be realized against a specific vulnerability
• Impact: The amount of harm a threat exploiting a vulnerability can cause
Risk Terminology (cont.)
• Event: A measurable occurrence that has an impact on the business
• Incident: Any event that violates or threatens to violate your security policy
• Control: Includes both safeguards and countermeasures
• Safeguard: Addresses gaps or weaknesses in controls that could lead to a realized threat
• Countermeasure: Counters or addresses a specific threat
Elements of Risk
Assets
Vulnerabilities
Threats
Purpose of Risk Management
Identify risks
• Before they lead to an incident
• In time to enable you to plan and begin risk-handling activities (controls and countermeasures)
• On a continuous basis across the life of the product, system, or project
The Risk Management Process
Identify Risks
Develop scenarios for each threat to assess the threats
Popular risk identification methods include:
• Brainstorming
• Surveys
• Interviews
• Working groups
• Checklists
• Historical information
Risk Register
A description of the risk
Expected impact if the event occurs
The probability of the event occurring
Steps to mitigate the risk
Steps to take should the event occur
Rank of the risk
Emerging Threats
New technology
Changes in culture of organization/environment
Unauthorized use of technology
Changes in regulations and laws
Changes in business practices
Static Environments
Supervisory Control and Data Acquisition (SCADA)
Embedded systems
Mobile devices (Android, iOS, Windows)
Mainframes
Gaming consoles
Vehicle systems
Assess Risks
Quantitative—Attempts to describe risk in financial terms and put a dollar value on each risk
Qualitative—Ranks risks based on their probability of occurrence and impact on business operations
Calculating Quantified Risk
Calculate the asset value (AV)
Calculate the exposure factor (EF)
Calculate the single loss expectancy (SLE)
Determine how often a loss is likely to occur every year (ARO)
Determine the annualized loss expectancy (ALE)
Determining Quantified Risk
Calculation                          Formula
Single loss expectancy (SLE)         SLE = AV × EF
Annualized rate of occurrence (ARO)  ARO = number of incidents per year
Annualized loss expectancy (ALE)     ALE = SLE × ARO
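The following is an added worked example, not part of the textbook slides, that carries the SLE and ALE formulas above through a constructed scenario and then applies the earlier rule "don't spend more to protect an asset than it is worth". The cost/benefit formula (ALE before the control minus ALE after it, minus the control's annual cost) is the usual way that rule is applied and is an assumption here, as are the asset value, exposure factors, incident rate and control cost.

```python
"""Quantitative risk: SLE = AV x EF and ALE = SLE x ARO, plus a cost/benefit
check for a countermeasure.

Added example; not from the textbook. All dollar figures, exposure factors
and incident rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset to the business, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # EF is a proportion; an EF above 1 or a negative ARO is a data entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: AV x EF (loss from one incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


def countermeasure_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.

    Assumption: this is the standard cost/benefit reading of the slide's rule
    "don't spend more to protect an asset than it is worth". A positive result
    means the control removes more expected loss than it costs; a negative
    result means the organization would spend more than the risk is worth.
    """
    return (before.ale() - after.ale()) - annual_cost


# Constructed scenario: a file server valued at $200,000. A ransomware
# incident is estimated to destroy 60% of that value and to occur about
# once every two years (ARO = 0.5).
RANSOMWARE_UNMITIGATED = Risk("ransomware on file server", 200_000, 0.60, 0.5)

# Constructed "after" figures: with tested offline backups the loss per
# incident falls to 10% of the asset (restore time, lost work); the backups
# do not change how often the incident happens, so ARO stays at 0.5.
RANSOMWARE_WITH_BACKUPS = Risk("ransomware on file server", 200_000, 0.10, 0.5)

if __name__ == "__main__":
    for r in (RANSOMWARE_UNMITIGATED, RANSOMWARE_WITH_BACKUPS):
        print(f"{r.name}: SLE=${r.sle():,.0f}  ALE=${r.ale():,.0f}")
    for cost in (15_000, 60_000):
        value = countermeasure_value(RANSOMWARE_UNMITIGATED, RANSOMWARE_WITH_BACKUPS, cost)
        print(f"backup control at ${cost:,}/yr: net value ${value:,.0f}")
```

With these constructed numbers the unmitigated ALE is $60,000 a year and the mitigated ALE is $10,000, so a backup program costing $15,000 a year has a net value of $35,000, while the same control at $60,000 a year costs more than the risk it removes.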
Qualitative Risk Analysis
Probability or likelihood
Impact
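As an added example (not from the textbook), the code below puts the two qualitative axes named on this slide, likelihood and impact, together with the Risk Register fields listed earlier (description, expected impact, probability, mitigation steps, response steps, rank). The five-point ordinal scales, the score thresholds for the "high/medium/low" bands, the acceptable-score cut-off and the sample risks are all constructed assumptions; the slides name the axes and the register fields but give no scale.

```python
"""Qualitative risk analysis: score each risk as likelihood x impact, rank the
risk register, and list the risks above the acceptable level.

Added example; not the textbook's. Scales, thresholds and sample risks are
constructed assumptions.
"""
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; the slide only names the two axes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RegisterEntry:
    """One row of a risk register, with the fields the slides list."""
    description: str   # a description of the risk
    likelihood: str    # the probability of the event occurring (LIKELIHOOD key)
    impact: str        # expected impact if the event occurs (IMPACT key)
    mitigation: str    # steps to mitigate the risk
    response: str      # steps to take should the event occur
    rank: int = 0      # rank of the risk, assigned by build_register()

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown scale value in entry: {self.description!r}")

    def score(self) -> int:
        """Qualitative score: likelihood x impact on the ordinal scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Heat-map band for the score (assumed thresholds: 15+ high, 8+ medium)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def build_register(entries: list[RegisterEntry]) -> list[RegisterEntry]:
    """Return the entries ordered by score, highest first, with rank 1..n filled in.
    Ties are broken alphabetically by description so the order is deterministic."""
    ordered = sorted(entries, key=lambda e: (-e.score(), e.description))
    for position, entry in enumerate(ordered, start=1):
        entry.rank = position
    return ordered


def needs_treatment(entries: list[RegisterEntry], max_acceptable: int) -> list[RegisterEntry]:
    """Risks whose score exceeds the organization's acceptable level (assumed
    to be expressed as a maximum score) and therefore need a planned response."""
    return [e for e in build_register(entries) if e.score() > max_acceptable]


# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    RegisterEntry("Phishing leads to credential theft", "likely", "major",
                  "Phishing-resistant MFA; user awareness training",
                  "Reset credentials; review sign-in logs; notify affected users"),
    RegisterEntry("Internet-facing VPN appliance left unpatched", "possible", "severe",
                  "Monthly patch window; vulnerability scanning",
                  "Isolate appliance; apply vendor fix; check for unauthorized sessions"),
    RegisterEntry("Laptop lost in transit (disk encrypted)", "likely", "minor",
                  "Full-disk encryption; asset tracking",
                  "Remote wipe; revoke device certificates"),
    RegisterEntry("Flood at the data center", "rare", "severe",
                  "Site selection; off-site backups",
                  "Declare disaster; fail over to the alternate site per the DRP"),
]

if __name__ == "__main__":
    for e in build_register(SAMPLE_RISKS):
        print(f"{e.rank}. [{e.rating():6}] score={e.score():2}  {e.description}")
    print("above acceptable level (8):",
          [e.description for e in needs_treatment(SAMPLE_RISKS, 8)])
```

Ranking on the product of two ordinal scales is deliberately coarse: it is meant to order risks for attention and to show which fall outside the acceptable range, not to price them the way the quantitative ALE calculation does.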
Plan a Risk Response
Negative risks
• Reduce (reduction/mitigation)
• Transfer (transference/assignment)
• Accept (acceptance)
• Avoid (avoidance)
Positive risks
• Exploit (exploitation)
• Share (sharing)
• Enhance (enhancement)
• Accept (acceptance)
Acceptable Range of Risk
Total Risk and Residual Risk
Implement the Risk Response Plan
Administrative controls
• Manage the activity phase of security—the things people do
Activity phase controls
• Either administrative or technical
• Correspond to the life cycle of a security program
- Detective controls
- Preventive controls
- Corrective controls
- Deterrent controls
- Compensating controls
Protecting Physical Security
HVAC
Fire suppression
EMI shielding
Lighting
Signs
Video surveillance
Access lists
Safety plan
Selecting Countermeasures
Fix known exploitable software flaws
Develop and enforce operational procedures and access controls (data and system)
Provide encryption capability
Improve physical security
Disconnect unreliable networks
Monitor and Control Risk Response
What problem is this countermeasure designed to solve?
Does this countermeasure solve this problem?
• Countermeasures might pose new risk to the organization
• Perform certification and accreditation of countermeasure programs
• Follow best practices and exercise due diligence
Business Continuity Management (BCM)
Business continuity plan (BCP)
• Contains the actions needed to keep critical business processes running after a disruption
Disaster recovery plan (DRP)
• Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations
Disruptions include extreme weather, criminal activity, civil unrest/terrorist acts, operational failures, and application failures
Terminology
Business impact analysis (BIA)
Critical business function (CBF)
Maximum tolerable downtime (MTD)
Recovery time objective (RTO)
Recovery point objective (RPO)
Emergency operations center (EOC)
Assessing Maximum Tolerable Downtime (MTD)
Business Impact Analysis
A security pro should ask two questions:
• What can affect the business?
• How will it affect the business?
Conduct a BIA for these reasons:
• Set the value of each business unit or resource as it relates to how the entire organization operates
• Identify critical needs to develop a business recovery plan
• Set the order or priority for restoring the organization’s functions after a disruption
Critical Dependencies
Information processing
Personnel
Communications
Equipment
Facilities
Other organizational functions
Vendors
Suppliers
Assessing the Impact of Downtime
Property
Data
Systems
People
Review and Test the Plan
Important to review and update the BCP regularly
Tests for a BCP and DRP
• Checklist
• Structured walk-through
• Simulation
• Parallel
• Full interruption
Backing Up Data and Applications
Plans must include dealing with:
• Backup storage media
• Location
• Access
Backups provide extra copies of needed resources, such as:
• Data
• Documentation
• Equipment
Types of Backups
Full
Differential
Incremental
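As an added example (not from the textbook), the simulator below shows what the three backup types on this slide capture day by day and which backups a restore has to apply. It models the "archive bit" approach used by common backup software: a full backup copies everything and clears the change flags, a differential copies everything changed since the last full and leaves the flags set, and an incremental copies everything changed since the last backup of either kind and clears the flags. The file names and the change schedule are constructed, and the simplification that restores never delete files is an assumption noted in the code.

```python
"""Full, differential and incremental backups: what each captures and which
backups a restore needs.

Added example; not from the textbook. File names and the change schedule
are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    kind: str            # "full", "differential" or "incremental"
    day: int
    files: dict          # filename -> content captured by this backup


class BackupSimulator:
    """Models the per-file change flag ("archive bit") backup software uses."""

    def __init__(self) -> None:
        self.disk: dict[str, str] = {}     # the live file system
        self.changed: set[str] = set()     # files changed since the last full/incremental
        self.history: list[BackupSet] = []

    def write(self, name: str, content: str) -> None:
        self.disk[name] = content
        self.changed.add(name)             # any write sets the change flag

    def backup(self, kind: str, day: int) -> BackupSet:
        if kind == "full":
            captured = dict(self.disk)     # everything; then reset change tracking
            self.changed.clear()
        elif kind == "differential":
            # Everything changed since the last full; flags are NOT cleared, so
            # each differential grows until the next full.
            captured = {n: self.disk[n] for n in sorted(self.changed)}
        elif kind == "incremental":
            # Everything changed since the last backup of any kind; flags cleared.
            captured = {n: self.disk[n] for n in sorted(self.changed)}
            self.changed.clear()
        else:
            raise ValueError(f"unknown backup type: {kind}")
        result = BackupSet(kind, day, captured)
        self.history.append(result)
        return result

    def restore_chain(self) -> list[BackupSet]:
        """The backups to apply, in order, to rebuild the disk from the last full."""
        fulls = [i for i, b in enumerate(self.history) if b.kind == "full"]
        if not fulls:
            raise ValueError("no full backup to restore from")
        last_full = fulls[-1]
        later = self.history[last_full + 1:]
        diffs = [b for b in later if b.kind == "differential"]
        incs = [b for b in later if b.kind == "incremental"]
        if diffs and incs:
            # An incremental clears the flags, so a later differential no longer
            # holds every change since the full: the chain cannot be trusted.
            raise ValueError("differential and incremental backups mixed after a full")
        if diffs:
            return [self.history[last_full], diffs[-1]]   # full + latest differential
        return [self.history[last_full]] + incs           # full + every incremental, oldest first

    def restore(self) -> dict[str, str]:
        """Rebuild the file system. Assumption: files deleted after the full
        backup are not removed again (this simple model never records deletions)."""
        rebuilt: dict[str, str] = {}
        for b in self.restore_chain():
            rebuilt.update(b.files)        # later backups overwrite older versions
        return rebuilt


def simulate(scheme: str) -> tuple[list[int], int, bool]:
    """Run a constructed 4-day schedule: full on day 0, then `scheme` daily.
    Returns (files captured each day, restore chain length, restore == live disk)."""
    sim = BackupSimulator()
    for name in ("a.txt", "b.txt", "c.txt"):
        sim.write(name, f"{name} v0")
    sizes = [len(sim.backup("full", 0).files)]
    edits = {1: "a.txt", 2: "b.txt", 3: "a.txt"}    # constructed change schedule
    for day, name in edits.items():
        sim.write(name, f"{name} v{day}")
        sizes.append(len(sim.backup(scheme, day).files))
    return sizes, len(sim.restore_chain()), sim.restore() == sim.disk


def mixed_scheme_is_rejected() -> bool:
    """True if a differential taken after an incremental is refused at restore time."""
    sim = BackupSimulator()
    sim.write("a.txt", "v0")
    sim.backup("full", 0)
    sim.write("a.txt", "v1")
    sim.backup("incremental", 1)
    sim.write("b.txt", "v2")
    sim.backup("differential", 2)
    try:
        sim.restore_chain()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        print(scheme, simulate(scheme))
```

With this schedule the differential plan captures 3, 1, 2, 2 files and restores from two backup sets, while the incremental plan captures 3, 1, 1, 1 files but needs all four sets in order; that is the usual trade-off between backup volume and restore complexity, and the last function shows why a plan should not mix the two types between full backups.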
Incident Handling
Preparation
Identification
Notification
Response
Recovery and follow-up
Documentation and reporting
Recovery from a Disaster
A disaster recovery plan (DRP):
• Establishes an emergency operations center (EOC) as an alternate location from which the BCP/DRP will be coordinated and implemented
• Names an EOC manager
• Determines when that manager should declare an incident a disaster
Activating the Disaster Recovery Plan
Restore business operations
Return operations to their original state before the disaster
Operating in a Reduced/Modified Environment
Suspend normal processes
Identify minimum recovery resources as part of the recovery needs
Combine services that were on different hardware platforms onto common servers
Continue to make backups of data and systems
Primary Steps to Disaster Recovery
Ensure the safety of individuals
Contain the damage
Assess damage and begin recovery operations according to the DRP and BCP
Restoring Damaged Systems
Know where to get configuration charts, inventory lists, and backup applications and data
Have access control lists to make sure that the system allows only legitimate users on it
Update the operating systems and applications with the most current patches
Make sure the operating systems and applications are current and secure
Activate the access control rules, directories, and remote access systems to permit users to get on the new systems
Recovery Alternatives
A dedicated site operated by the business, such as a secondary processing center
A commercially leased facility, such as a hot site or mobile facility
An agreement with an internal or external facility
Comparing Common Recovery Site Options
Feature                         Hot Site           Warm Site       Cold Site       Multiple Sites
Cost                            High               Medium          Low             No direct costs
Computer equipped               Yes                Yes             No              Yes
Connectivity equipped           Yes                Yes             No              Yes
Data equipped                   Yes                No              No              Yes
Staffed                         Yes                No              No              Yes
Typical lead time to readiness  Minutes to hours   Hours to days   Days to weeks   Moments to minutes
Summary
Quantitative and qualitative risk assessment approaches
Business impact analysis (BIA)
Business continuity plan (BCP)
Incident handling
Disaster recovery plan (DRP)