Data Security Chapter Four Summary


INTRODUCTION

An organization’s information security effort succeeds only when it operates in conjunction
with the organization’s information security policy. An information security program begins
with policy, standards, and practices, which are the foundation for the information security
architecture and blueprint. The creation and maintenance of these elements require coordinated
planning. The role of planning in modern organizations is hard to overemphasize. All but
the smallest organizations engage in some planning: strategic planning to manage the allocation
of resources and contingency planning to prepare for the uncertainties of the business
environment.
Information Security Planning and Governance
Strategic planning guides an organization's long-term direction and focuses resources on
specific goals. It develops a general strategy and extends it to the major divisions, translating
the overall objectives into specific objectives for each level. The executive team defines
individual responsibilities.

Planning Levels
Strategic planning transforms broad plans into specific, measurable, achievable, and time-
bound objectives for an organization's major divisions or operations. Tactical planning focuses
on short-term undertakings, breaking each goal into incremental objectives with delivery dates
within a year. It includes budgeting, resource allocation, and personnel. Tactical plans include
project plans, budgets, reviews, and reports. CISOs and security managers use tactical plans to
organize, prioritize, and acquire resources for major projects, supporting the overall strategic
plan.
Operational planning organizes daily tasks and communication for departments, reflecting the
organizational structure. Frequent feedback and communication between teams and
management levels improve the manageability and success of the planning process.

Planning and the CISO
The CISO and information security management team prioritize creating a strategic plan to
achieve an organization's information security objectives. This plan evolves as the organization
implements the objectives of the information security charter, expressed in the enterprise
information security policy (EISP). A systematic approach is required to translate this strategy
into a program that informs and leads all members of the organization. The plan is translated
into specific strategies for intermediate layers of management, tactical planning for supervisory
managers, and operational plans for non-management members. This multi-layered approach
focuses on general strategy and overall strategic planning, with the Information Security group
supporting the strategic plans of all business units. This may conflict with the IT department's
role in delivering information and resources, while information security focuses on protecting
all information assets.
Governance is the strategic controlling function of an organization's senior management,
ensuring informed decisions in the best interest of the organization. It includes guiding
documents, appointed leaders, and planning and operating procedures. Information security
governance applies these principles and management structures to safeguard information. To
secure information assets, management must integrate information security practices into the
organization's fabric, expanding corporate governance policies and controls to encompass the
objectives of the information security process. Information security governance encompasses
all an organization's information assets, including knowledge managed by IT assets.
Information Security Governance Outcomes
Effective communication among stakeholders is crucial for governance structures, particularly
in information security governance. It involves developing constructive relationships, a
common language, and commitment to organizational objectives. Goals include strategic
alignment, risk management, resource management, performance measurement, and value
delivery.
Policies should guide information security planning, design, and deployment, directing how
issues and technologies are handled. They should not specify how equipment or software is to
be operated; that detail belongs in user manuals and systems documentation. Policies must not
contradict the law, must be able to stand up in court if challenged, and must be properly
administered through dissemination and documented acceptance. Good security programs begin
and end with policy, since policy is the management tool that obliges personnel to preserve the
security of information assets. Security policies are the least expensive control to execute,
costing little beyond the management team's time and effort, but they are the most difficult to
implement properly.
Policy as the Foundation for Planning
Policies and standards are essential components of an organization's culture and procedures.
Policies dictate acceptable behavior and penalties for non-compliance, while standards provide
detailed instructions for compliance. These policies can be informal or formal, and can be
published, scrutinized, or ratified by a group. Practices, procedures, and guidelines help explain
how to comply with policy. Security policy, a set of rules protecting an organization's assets,
can be categorized into three types: enterprise information security policies, issue-specific
security policies, and systems-specific security policies.
Enterprise Information Security Policy
An enterprise information security policy (EISP) is an executive-level document that guides the
development, implementation, and management of a security program. It sets requirements,
defines the purpose, scope, constraints, and applicability of the security program, assigns
responsibilities for security areas, and addresses legal compliance. EISPs typically address
general compliance and the use of specified penalties and disciplinary action. Most EISP
documents should include an overview of the corporate philosophy on security, information on
the organization's structure, shared responsibilities for security among all members, and unique
responsibilities for each role within the organization.
Issue-Specific Security Policy
An organization must instruct employees on proper use of various technologies and processes
to support routine operations. An issue-specific security policy (ISSP) addresses specific areas
of technology, requires frequent updates, and outlines the organization's position on a specific
issue. ISSPs may cover email, internet usage, computer configurations, hacking, personal
equipment, telecommunications, photocopying, portable storage devices, and cloud-based
storage services. Information Security Policies Made Easy by Charles Cresson Wood provides
examples and recommendations for creating ISSPs. Three common approaches are
independent ISSP documents, a single comprehensive document covering all issues, and a
modular document that unifies policy creation and administration while maintaining specific
issue requirements.
The independent ISSP document often lacks comprehensive coverage of necessary issues,
leading to poor policy distribution and enforcement. A single comprehensive ISSP is centrally
managed and controlled, but may overgeneralize issues and skip vulnerabilities. The modular
ISSP, tailored to individual technology issues, provides a balance between issue orientation and
policy management. It consists of individual modules created and updated by responsible
parties, reporting to a central policy administration group. Organizations should start with this
structure and add specific details to dictate security procedures not covered by general
guidelines.
Statement of Policy: The policy should state its purpose, scope, and accountability, and
address fair and responsible use of the Internet and of the other technologies and issues it
covers.
Authorized Access and Usage of Equipment: The policy statement outlines the use of
technology and its purpose, emphasizing the organization's exclusive property rights and
addressing legal issues like personal information protection.
Prohibited Use of Equipment: Organizations cannot penalize employees for misuse unless the
prohibited uses are clearly spelled out, such as personal use, disruptive use or misuse, criminal
use, offensive or harassing materials, and infringement of copyrighted, licensed, or other
intellectual property.
Systems Management: ISSP policy statement emphasizes users' relationship with systems
management, regulating email usage, material storage, employee monitoring, and document
scrutiny, assigning responsibilities to administrators or users.
Violations of Policy: Policy violations should carry appropriate penalties, including specific
penalties for each category and instructions for reporting. Ensuring anonymous submissions
can encourage reporting, as powerful employees may retaliate against those who report
violations.
Policy Review and Modification: Up-to-date policies require procedures and periodic review
to ensure organization's needs and technologies remain relevant and prevent users from
circumventing them.
Limitations of Liability: This section protects management from liability when employees
violate company policy or the law using company technologies. The policy should state that
the company will not protect such employees and is not liable for their actions, provided the
violation was not known to or sanctioned by management.
Systems-Specific Security Policy (SysSP)
Systems-specific security policies (SysSPs) are written documents that serve as standards or
procedures for configuring or maintaining systems. They can be divided into managerial
guidance and technical specifications, or combined into a single policy document.
Managerial Guidance SysSPs
A managerial guidance SysSP document is created by management to guide technology
implementation and employee behavior for information security. It includes guidelines for
firewalls and other systems that impact confidentiality, integrity, or availability. Systems-
specific policies can be developed simultaneously with ISSPs or prepared in advance. Some
organizations prefer to develop ISSPs and SysSPs in tandem, ensuring operational procedures
and user guidelines are created simultaneously.
Technical Specifications SysSPs
Technical specifications are written by systems administrators, working with managers, to
translate management's intent for a technical control into an enforceable configuration. Each
type of equipment needs its own specifications; for example, a managerial requirement that
users change their passwords periodically can be enforced through access control lists and
configuration rules.
Access Control Lists
An access control list (ACL) specifies, for an organizational asset, which users may access it
and how they may use it, while a capabilities table is organized around users and lists the
assets each user may access and use. Taken together, these specifications form an access
control matrix that administrators use to control system access.
ACLs restrict access to specific users, computers, and files, providing powerful control to
administrators by regulating who, what, when, and where authorized users can access the
system.
ACL access is determined by a person's identity or group membership. It restricts authorized
users' access by type, name, or location. Organizations can implement time-of-day and day-of-
week restrictions, block remote usage, and restrict access by MAC address or IP address. These
ACL options govern resource usage.
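As an added illustration (constructed for this summary, not part of the textbook or the chapter), the Python below models a small access control matrix and shows that the same matrix can be read as an ACL (one object, who may do what) or as a capabilities table (one user, which objects and how). The access check is default deny and enforces the kinds of restriction listed above: time of day, day of week, and source network. All users, groups, objects, networks and permissions are made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed example data: a small access control matrix. Each cell is keyed by
# (subject, object) and holds a permission set plus optional restrictions of the
# kinds the text lists: time of day, day of week, and source network address.

@dataclass
class Cell:
    perms: set
    hours: tuple = (0, 24)            # allowed local hours, [start, end)
    days: set = field(default_factory=lambda: {0, 1, 2, 3, 4, 5, 6})  # Monday = 0
    networks: tuple = ("0.0.0.0/0",)  # allowed source networks (CIDR)

MATRIX = {
    ("group:finance", "payroll.db"): Cell({"read", "write"}, hours=(8, 18),
                                          days={0, 1, 2, 3, 4}, networks=("10.0.5.0/24",)),
    ("user:alice",    "payroll.db"): Cell({"read"}),
    ("group:it",      "fw01"):       Cell({"read", "configure"}, networks=("10.0.1.0/24",)),
}

GROUPS = {"alice": {"finance"}, "bob": {"it"}, "carol": set()}  # constructed membership

def subjects_for(user):
    """A user is matched by their own identity and by every group they belong to."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, set())}

def acl(obj):
    """ACL view of the matrix: for one object, who holds which permissions."""
    return {s: c.perms for (s, o), c in MATRIX.items() if o == obj}

def capabilities(user):
    """Capabilities-table view: for one user, which objects they may use and how."""
    caps = {}
    for (s, o), c in MATRIX.items():
        if s in subjects_for(user):
            caps.setdefault(o, set()).update(c.perms)
    return caps

def check(user, obj, perm, when_iso, src_ip):
    """Default deny: grant only if some applicable cell holds `perm` and all of
    that cell's restrictions hold for this time and source address."""
    when = datetime.fromisoformat(when_iso)
    src = ip_address(src_ip)
    for (s, o), c in MATRIX.items():
        if s not in subjects_for(user) or o != obj or perm not in c.perms:
            continue
        if (c.hours[0] <= when.hour < c.hours[1]
                and when.weekday() in c.days
                and any(src in ip_network(n) for n in c.networks)):
            return True
    return False

if __name__ == "__main__":
    print(acl("payroll.db"))
    print(capabilities("alice"))
    # Tuesday 10:00 from the finance subnet: allowed through the group cell
    print(check("alice", "payroll.db", "write", "2024-06-04T10:00", "10.0.5.7"))
    # Saturday: the group cell's day restriction fails and alice's own cell is read-only
    print(check("alice", "payroll.db", "write", "2024-06-08T10:00", "10.0.5.7"))
```

Note that alice's own read-only cell carries no restrictions, so a weekend read from an outside address still succeeds; when reviewing a matrix, every cell that grants a permission has to be examined, not only the most restrictive one.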
Configuration Rule Policies
Configuration rules are the instructions a security system follows in deciding how to handle
the data it receives. Rule-based policies are more specific than ACLs and generally do not deal
with users directly. Firewalls, IDPSs, and proxy servers are all driven by configuration scripts
of this kind.
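As an added example (constructed here, not from the chapter or any vendor's product), the Python below evaluates a small first-match rule set of the kind a firewall or proxy server is configured with. The rules key on protocol, addresses and port rather than on a user identity, unmatched traffic falls through to a default deny, and a helper audits the rule order for rules that an earlier rule completely hides. The rule ids, addresses and ports are made up.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set in the style of a firewall or proxy configuration. Rules
# key on packet attributes (protocol, addresses, port), not on users, and are
# evaluated top to bottom: the first matching rule decides, and anything that
# matches nothing falls through to the default. Ids and addresses are made up.
RULES = [
    {"id": 10, "action": "deny",  "proto": "tcp", "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",    "dport": 23},   # no telnet anywhere
    {"id": 20, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",   "dst": "10.0.2.10/32", "dport": 443},  # public web server
    {"id": 30, "action": "allow", "proto": "tcp", "src": "10.0.1.0/24", "dst": "10.0.2.0/24",  "dport": 22},   # admin net to servers
    {"id": 40, "action": "allow", "proto": "udp", "src": "10.0.0.0/8",  "dst": "10.0.2.53/32", "dport": 53},   # internal DNS
]
DEFAULT = {"id": 0, "action": "deny"}  # default deny

def matches(rule, pkt):
    """Does this packet satisfy every field of the rule? None or 'any' is a wildcard."""
    return (rule["proto"] in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and rule["dport"] in (None, pkt["dport"]))

def evaluate(pkt, rules=RULES):
    """First-match evaluation; returns (action, id of the deciding rule)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["id"]
    return DEFAULT["action"], DEFAULT["id"]

def is_shadowed(later, earlier):
    """True if every packet `later` could match is already caught by `earlier`,
    so `later` can never fire. Useful for auditing rule order before deployment."""
    return (earlier["proto"] in ("any", later["proto"])
            and ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
            and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))
            and earlier["dport"] in (None, later["dport"]))

def shadowed_rules(rules):
    """Ids of rules that some earlier rule fully hides."""
    return [r["id"] for i, r in enumerate(rules)
            if any(is_shadowed(r, e) for e in rules[:i])]

if __name__ == "__main__":
    print(evaluate({"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.2.10", "dport": 443}))
    print(evaluate({"proto": "tcp", "src": "10.0.5.5", "dst": "10.0.2.10", "dport": 22}))
    # A broad "allow everything internal" rule placed first hides rule 30 entirely
    broad = {"id": 5, "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.0.0.0/8", "dport": None}
    print(shadowed_rules([broad] + RULES))
```

The shadowing check only reports rules that are hidden completely; the broad rule in the `__main__` block also lets internal telnet through that rule 10 was meant to block, which no static audit of this kind catches, so rule changes still need to be tested against representative traffic.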
Combination SysSPs
Organizations often create a single document combining managerial and technical guidance,
known as SysSP, for a practical and clear understanding of technical control systems. This
hybrid approach is ideal for organizations with multiple systems and smaller organizations
seeking a compact document.
Policy Management
Policies are vital living documents that require proper distribution, understanding, and
management. Good management practices ensure a resilient organization. Corporate mergers
and divestitures can stress policies, leading to system vulnerabilities. To maintain viability,
security policies should have a responsible manager, review schedule, recommendations, and
policy issuance and revision dates.
Responsible Manager
Policy managers, also known as policy administrators, are essential in information systems and
security projects. They don't need extensive technical knowledge, but should seek input from
experts and business-focused managers when revising security policies. They should notify
affected members and ensure the policy is placed in the hands of those accountable for its
implementation. The policy administrator should be clearly identified in the document as the
primary point of contact for additional information or suggested revisions.
Schedule of Reviews
Policies must be regularly reviewed and modified to maintain effectiveness in a changing
environment. Organizations must actively meet market requirements, demonstrating due
diligence, and maintain a well-organized schedule of reviews. Annually reviewing policies
ensures effective control.
Review Procedures and Practices
Policy managers should create a mechanism for employees to make revisions, either through
email, mail, or an anonymous drop box. This encourages honest opinions and allows for
management-approved improvements. While most policies are drafted by a single employee,
it's essential to collect and review employee input.
Policy and Revision Date
Policy dating is crucial to avoid confusion and potential legal issues, especially in high-
turnover environments. Policies should include the date of origin, the dates of revisions, and a
sunset clause. Establishing a policy end date keeps temporary policies from becoming
permanent and lets the organization gain experience before adopting permanent ones.
Automated Policy Management
A new category of software has emerged for managing information security policies, designed
to automate repetitive steps such as writing policies, tracking their approval, publishing them,
and tracking which employees have read them. Vigilent Policy Center (VPC) automates this
process, ensuring that policies are communicated to and understood by employees. VPC helps
educate employees about current policies, update existing documents, and distribute policies
globally. It also supports instant news updates and alerts, making it a comprehensive security
management solution for businesses that are expanding and adopting new policies.
The Information Security Blueprint
Once an organization's information security policies and standards have been developed, the
security community begins developing the blueprint for the security program. Risk assessments are
conducted to assess the organization's information assets and prioritize threats. The security
team then develops a design blueprint to implement the security program, which includes
policy implementation, ongoing policy management, risk management programs, education
and training programs, technological controls, and program maintenance. The security
blueprint builds on the organization's information security policies and is a detailed
implementation of an information security framework. To choose a methodology, the security
team should adapt a recognized or widely accepted information security model backed by an
established organization or agency. However, each organization's unique environment may
require modifications or adaptations from various frameworks.
The ISO 27000 Series
The Information Technology—Code of Practice for Information Security Management,
originally published as British Standard BS7799, was adopted as ISO/IEC 17799 in 2000. It
has been revised multiple times, and is now known as ISO 27002:2013. Its purpose is to
provide guidelines and voluntary directions for information security management, offering a
general description of important areas for initiating, implementing, or maintaining security in
organizations. ISO 27001 is the companion standard that organizations adopt when seeking
certification of their information security programs. It addresses 35 control objectives and over 110 individual
controls. ISO 27001 is a formal, comprehensive approach to implementing security controls,
but faced resistance from countries like the US, Germany, and Japan due to its lack of
justification, measurement precision, and incompleteness.

NIST Security Models
The NIST Computer Security Resource Center offers numerous documents for designing a
security framework. These publicly available documents have been reviewed by government
and industry professionals, and were cited by the U.S. government when it chose not to use
ISO/IEC 17799 standards. These documents can help in designing a security framework,
including SP 800-12, SP 800-14, SP 800-18, SP 800-30, SP 800-37, SP 800-39, Managing
Information Security Risk, SP 800-50, SP 800-55, and SP 800-100. These documents are
essential for managing security and ensuring the security of information systems.
NIST SP 800-12
SP 800-12, the NIST Handbook, is useful for information security management but offers little
guidance on designing and implementing new systems.
NIST SP 800-14
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology
Systems, offers best practices and security principles for security teams to develop a security
blueprint. It focuses on supporting the organization's mission, ensuring security is an integral
part of sound management, being cost-effective, and having systems owners with security
responsibilities outside their organizations. Security responsibilities and accountability should
be made explicit, with policy documents clearly identifying users, administrators, and
managers. This framework should be combined with other NIST publications to provide a
comprehensive security framework. Chapter 3 emphasizes the importance of understanding the
law and policy in security policies. A comprehensive approach is crucial, with stakeholders
including information technology management, security management, and users. Regular
reassessments and ongoing maintenance are essential for effective security. Societal factors,
such as legal demands and business practices, also influence security controls and safeguards.
NIST SP 800-18 Rev. 1
SP 800-18 Rev. 1 provides a comprehensive security blueprint, assessing, designing, and
implementing controls for various applications, but must be customized for specific needs.
NIST and the Risk Management Framework
The NIST Risk Management Framework (RMF) focuses on building information security
capabilities in federal information systems, maintaining awareness of security status, and
providing senior leaders with essential information for risk-based decisions. It integrates
security into enterprise architecture, emphasizes selection, implementation, assessment, and
monitoring, links information system and organization processes, and establishes responsibility
and accountability for security controls.
The NIST Cybersecurity Framework
In 2014, NIST published a new Cybersecurity Framework to address cybersecurity risk in
critical infrastructure services. The framework is vendor-neutral and focuses on managing
cybersecurity risk for processes, information, and systems. It consists of three components: the
Framework core, which outlines information security activities; the Framework tiers, which let
organizations compare their security programs' maturity and implement corresponding
measures and functions; and the Framework profile, described below. The framework aims to
help organizations communicate about cybersecurity risk and improve their overall
cybersecurity posture.
Organizations fall into three tiers: Risk Informed, Repeatable, and Adaptive. Risk Informed
organizations have not fully implemented risk management practices, while Repeatable
organizations have established and documented policies. Adaptive organizations have well-
established security programs and can quickly adapt to new environments. The Framework
profile helps organizations identify their security program tiers and use recommendations to
improve them.
The NIST Framework offers a seven-step approach for organizations to implement or improve
their risk management and information security programs. This process involves prioritizing
and focusing on business objectives, orienting the cybersecurity program, creating a current
profile, conducting a risk assessment, creating a target profile, determining, analyzing, and
prioritizing gaps, and implementing an action plan. The iterative process gradually moves
organizations closer to a Tier 4 security level, resulting in better risk management and
information protection. NIST also provides a "Roadmap for Improving Critical Infrastructure
Cybersecurity," providing guidance for the Framework's future development and refinement.
Other Sources of Security Frameworks
Public and private organizations promote best security practices through institutions like
CERT/CC, professional societies, seminars, and web portals. Information security
professionals can also consult information security consultants and organizations for specific
assistance.
Design of Security Architecture
This section covers the key components of security architecture, industry best practices, and
the evaluation of security frameworks.
Spheres of Security
The spheres of security are the foundation of the security framework, illustrating how
information is attacked from various sources. The sphere of use focuses on how people access
information, while the sphere of protection outlines layers of protection between people and
information. Controls are implemented between systems, networks, and internal networks,
reinforcing the concept of defense in depth. Information security is designed in three layers:
policies, people (education, training, awareness programs), and technology (PPT). Effective
training, implementation, and maintenance of these layers are crucial for effective information
security.
Levels of Controls
Information security safeguards have three levels of control: managerial, operational, and
technical. Managerial controls guide security planning, risk management, legal compliance,
and maintenance. Operational controls protect personnel, physical systems, and data integrity.
Technical controls implement security tactically and technically.
Defense in Depth
Security architectures involve layered implementation of controls and safeguards, organized
into policy, training, education, and technology. Policy prepares organizations for attacks,
while training and education deter them. Technology works in layers, and redundancy is
implemented in firewalls, proxy servers, and access controls.
Security Perimeter
A security perimeter is a boundary that protects internal systems from external threats, but it
doesn't protect against employee or physical threats. The emergence of cloud-based computing
and mobile devices has made the definition and defense of the perimeter more difficult.
Security perimeters can be implemented as multiple technologies, with key components like
firewalls, DMZs, proxy servers, and IDPSs. The responsibility for protecting an organization's
data using every available resource is still alive and well, regardless of whether the perimeter is
dead or not.
Security Education, Training, and Awareness Program
Implementing a security education, training, and awareness (SETA) program is crucial for
organizations to reduce accidental security breaches by employees. The CISO is responsible
for this control measure, which consists of three elements: security education, training, and
awareness. SETA aims to enhance security by improving awareness, developing skills, and
building in-depth knowledge for designing, implementing, or operating security programs.
Security Education
Organizations should train employees in information security, but not all require formal
education. Local institutions offer continuing education courses, and resources like the
National Centers of Academic Excellence program provide information.
Security Training
Security training equips employees with detailed information and hands-on instruction for
secure duties. In-house or outsourced training options include industry conferences and
professional agencies like SANS, ISC2, and ISSA.
Security Awareness
A security awareness program is crucial for keeping information security at the forefront of
users' minds. It can be implemented through various methods, such as newsletters, posters,
videos, bulletin boards, flyers, and trinkets. A dedicated person to champion the program is
essential to promoting it, and the security newsletter is the most cost-effective method.
Continuity Strategies
Contingency planning is crucial for the IT and information security communities to ensure
continuous system availability. Managers must be prepared to respond to adverse events with
incident response, disaster recovery, and business continuity plans. However, many
organizations lack adequate planning for these critical functions.
Contingency planning involves three main elements: incident response planning (IR), disaster
recovery planning (DRP), and business continuity planning (BCP). These plans help
organizations prepare for adverse events, such as disasters, and involve immediate response,
restoration of systems, and establishment of critical business functions at alternate sites. While
some experts argue they are indistinguishable, each has a distinct role and planning
requirement.
A contingency planning management team (CPMT) is assembled to initiate planning,
consisting of a champion, project manager, and team members. The CPMT is responsible for
obtaining commitment, writing a contingency plan, conducting business impact analysis, and
organizing subordinate teams. The process includes developing a policy statement, conducting
a business impact analysis, identifying preventive controls, creating contingency strategies,
developing a contingency plan, ensuring plan testing, training, and exercises, and ensuring plan
maintenance. The plan should be a living document updated regularly to reflect system
enhancements and organizational changes. The seven-step methodology for contingency
planning (CP) development is adapted from NIST's SP 800-34 and SP 800-61. It begins with
creating the CP policy document and its contingency planning policy statement, conducting a
business impact analysis (BIA), and forming subordinate planning teams for the IR, DR, and
BC plans. Those teams then develop their subordinate planning policies, integrate the BIA into
them, identify preventive controls, organize response teams, create contingency strategies, and
develop the subordinate plans for incident response, recovery, and operations at alternate sites.
Finally, personnel are trained and tested on the subordinate plans, and the plans are maintained
over time.
The CP Policy
The CP policy should include an introductory statement from senior management emphasizing
the importance of contingency planning for the organization's strategic long-term operations. It
should outline the scope and purpose of CP operations, call for periodic risk assessment and
impact analysis, specify major components, guide recovery options and strategies, and require
regular testing. It should also identify the key regulations and standards that apply and the
key people responsible for CP operations.
Business Impact Analysis
The business impact analysis (BIA) is a crucial step in contingency planning, following the
development of CP policy. It helps identify critical business functions and information systems
for an organization's success. Unlike risk management, BIA assumes that controls have been
bypassed, failed, or proved ineffective, and that the adverse event has come to pass. Those
conducting the BIA should define its scope, plan it, keep it balanced, know the objective, and
follow up to ensure that process owners and decision-makers support the process. The CPMT
conducts the BIA in three stages: determining mission/business processes and their recovery
criticality, identifying resource requirements, and identifying recovery priorities for system
resources.
Determine Mission/Business Processes and Recovery Criticality
The BIA task involves analyzing and prioritizing business processes based on their relationship
to the organization's mission. Each business unit must be evaluated to determine its
importance, avoiding "turf wars" and selecting functions that must be sustained for continued
operations. Recovery criticality is determined by key recovery measures, such as Maximum
tolerable downtime (MTD), Recovery time objective (RTO), Recovery point objective (RPO),
and Work recovery time (WRT). Planners must determine the optimal point for recovering the
information system to meet BIA-mandated recovery needs while balancing system
inoperability and resource costs.
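As an added worked example (constructed for this summary, not taken from the textbook), the Python below applies the four recovery measures just named to a handful of made-up business processes. The feasibility rule it uses, that RTO plus WRT must fit within MTD and that the backup interval must not exceed RPO, is the usual reading of these terms in NIST SP 800-34, which the summary cites; the single-recovery-team sequential model, the process names and all the figures are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed example: four business processes with the BIA recovery measures
# named in the text (MTD, RTO, RPO, WRT), all in hours, plus the backup
# interval actually in place for each process's data.
@dataclass
class Process:
    name: str
    mtd: float              # maximum tolerable downtime
    rto: float              # recovery time objective for the supporting systems
    wrt: float              # work recovery time once the systems are back
    rpo: float              # recovery point objective (acceptable data-loss window)
    backup_interval: float  # how often the data is really backed up

PROCESSES = [
    Process("payroll",     mtd=72, rto=24, wrt=8,  rpo=24,  backup_interval=24),
    Process("order_entry", mtd=8,  rto=4,  wrt=2,  rpo=1,   backup_interval=24),
    Process("email",       mtd=24, rto=12, wrt=4,  rpo=4,   backup_interval=4),
    Process("reporting",   mtd=48, rto=40, wrt=16, rpo=168, backup_interval=24),
]

def recovery_gaps(p):
    """Problems with one process's planned recovery, taken in isolation.
    Assumed rule: RTO + WRT must fit within MTD, and the backup interval must
    not exceed RPO (otherwise more data can be lost than the business tolerates)."""
    gaps = []
    if p.rto + p.wrt > p.mtd:
        gaps.append("RTO + WRT exceeds MTD")
    if p.backup_interval > p.rpo:
        gaps.append("backup interval exceeds RPO")
    return gaps

def recovery_priority(processes):
    """Processes with the shortest tolerable outage are recovered first."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd)]

def sequential_schedule(processes):
    """Simplified model (an assumption of this example): a single recovery team
    restores systems one process at a time in priority order, so RTOs accumulate.
    Returns {name: (hours until the process is back in business, meets MTD?)}."""
    clock = 0.0
    outcome = {}
    for p in sorted(processes, key=lambda p: p.mtd):
        clock += p.rto            # systems for this process come back at `clock`
        back = clock + p.wrt      # business function usable after the WRT
        outcome[p.name] = (back, back <= p.mtd)
    return outcome

if __name__ == "__main__":
    for p in PROCESSES:
        print(p.name, recovery_gaps(p))
    print(recovery_priority(PROCESSES))
    print(sequential_schedule(PROCESSES))
```

Taken on its own, the payroll process meets its MTD comfortably; in the sequential schedule it misses, because the three processes ahead of it consume the recovery team's time first. That is the kind of finding the BIA's recovery-priority stage exists to surface before an outage does.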
Identify Resource Requirements
Once the mission and business processes are prioritized, the team determines the resources each
requires for recovery, including IT functions and the complex and expensive components that
support them.
Identify Recovery Priorities for System Resources
The CPMT completes the BIA by assessing the priorities and values of the mission/business
processes and identifying and prioritizing the information assets that support them, so that the
most valuable assets receive the most protection.
Incident Response Planning
Incident response planning involves identifying and classifying incidents and planning the
response to them. It focuses on detecting incidents and correcting their impact on information
assets; prevention is outside its scope. IR is therefore more reactive than proactive, with CSIRTs
preparing for real-world incidents. The plan consists of four phases: planning, detection,
reaction, and recovery.
Incident Response Policy
An IR policy is crucial for the IR team, requiring key components such as a statement of
management commitment, purpose, scope, definition of InfoSec incidents, organizational
structure, roles, responsibilities, authority, prioritization, performance measures, and reporting
and contact forms. It should have top management support and be clearly understood by
affected parties, particularly communities of interest. Ensuring authorized actions and
protecting the organization from misunderstandings and potential liability is essential.
Incident Planning
Identifying BIA scenarios helps the IR planning team develop predefined responses for CSIRT
and information security staff to respond quickly and effectively to incidents.
Incident Response Plan
Like a military unit, an incident response team follows a predefined plan that directs its actions
and organizes the work of effective recovery.
Format and Content: The IR plan should be organized with tabbed sections for easy access to
information. Planners should develop detailed procedures for responding to incidents,
including actions during and afterward, and prepare staff for potential incidents.
Storage: The IR plan is sensitive and must be protected to prevent attackers from learning
from the company's response. Ensuring the information is readily available to those responding
is crucial. Organizations can store the plan in arm's reach, using physical binders or encrypted
files on online resources.
Testing: An untested IR plan is ineffective; it must be practiced or tested. Four common testing
strategies are checklists, structured walk-throughs, simulations, and full-interruption tests. With
a checklist, copies of the plan are distributed to the individuals involved for review; in a
structured walk-through, participants practice the actions they would take during an actual
incident. In a simulation, each individual works independently rather than in conference,
simulating the tasks required to recover from a simulated incident and taking responsibility for
identifying faults in their own portion. Full-interruption tests involve real-world disruption,
while walk-throughs are more practical. Organizations should conduct periodic walk-throughs
or talk-throughs of their incident response plan to ensure an effective response. Richard
Marcinko's advice emphasizes the importance of training, simplicity, and accountability.
Incident Detection
Unusual occurrences are usually first noticed by end users and reported to the help desk,
systems administrators, security administrators, or their managers, often as complaints.
Incident detection therefore relies on both people and automated systems: intrusion detection
and prevention systems (IDPS), virus detection software, and the end users themselves. Training
users, help desk staff, and security personnel to recognize and classify attacks is crucial,
because the organization can execute the procedures in the IR plan only once an event has been
identified as an incident.
Incident Indicators: An event that might be an incident (an incident candidate) is recognized
from its indicators, which the chapter groups by how strongly they point to an actual incident.
Possible indicators include the presence of unfamiliar files, unknown programs or processes,
unusual consumption of computing resources, and unusual system crashes; for example, a disk
being accessed heavily while the operator is not using the system may mean an incident is in
progress. Organizations add their own indicators based on their context and experience.

Probable indicators point more strongly to an incident: activity at unexpected times or
unexpected levels of network traffic, the presence of new accounts, reported attacks, and
notifications from an IDPS. Administrators must still judge each event and decide whether it is
significant or a routine operation.

Definite indicators mean an incident has occurred: use of dormant accounts, changes to logs, the
presence of hacker tools, and notification from a partner, a peer, or the attacker. Hacker tools
deserve a note: administrators may legitimately install them on office computers to scan the
internal network and build attack profiles, so most organizations have a policy prohibiting
their installation without the CISO's permission, and any such tool found without that
authorization is treated as a threat. Finally, certain outcomes are incidents by definition:
loss of availability, loss of integrity, loss of confidentiality, violation of policy, and
violation of law. Beyond the technical damage, these can harm the organization's reputation and
lead to disciplinary or legal action.
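The three indicator classes above map naturally onto detection logic. The following is an added example, not code from the textbook: it scores constructed log lines as possible, probable, or definite indicators using the chapter's categories. The log format, the LAST_SEEN lookup (what an identity system would report as each account's last legitimate login), the 90-day dormancy threshold, the business-hours window, and the tool lists are all assumptions of the example.

```python
"""Classify incident indicators from constructed log lines.

Added example, not from the textbook. Log format (constructed):
    <ISO timestamp> <event> <subject> <host>
where <subject> is the account for login/account events, the program name
for process events, or '-' when not applicable.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log; not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:03 LOGIN_OK alice workstation-12
2024-03-04T09:15:40 LOGIN_OK bob workstation-07
2024-03-04T09:20:00 PROCESS_START backup-agent fileserver-01
2024-03-04T02:47:10 LOGIN_OK svc_legacy fileserver-01
2024-03-04T02:48:22 USER_CREATED backup2 fileserver-01
2024-03-04T02:49:05 LOG_TRUNCATED - fileserver-01
2024-03-04T02:50:30 PROCESS_START nmap fileserver-01
2024-03-04T03:01:00 PROCESS_START xz7tmp fileserver-01
2024-03-04T03:05:44 SYSTEM_CRASH - fileserver-01
2024-03-04T10:03:11 IDPS_ALERT - portscan-from-fileserver-01
2024-03-04T23:30:00 LOGIN_OK bob vpn-gw
"""

# Assumed context pulled from the identity system: last known legitimate login.
LAST_SEEN = {
    "alice": datetime(2024, 3, 3),
    "bob": datetime(2024, 3, 3),
    "svc_legacy": datetime(2023, 9, 1),   # untouched for months: dormant
}
DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold
BUSINESS_HOURS = range(7, 20)             # assumed normal hours, 07:00-19:59
KNOWN_PROCESSES = {"sshd", "httpd", "backup-agent"}   # assumed known-good programs
HACKER_TOOLS = {"nmap", "mimikatz", "hydra"}
AUTHORIZED_TOOLS = set()                  # tools the CISO has approved; none here
LEVEL_RANK = {"possible": 1, "probable": 2, "definite": 3}


def parse(line):
    ts, event, subject, host = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), event, subject, host


def classify(line, last_seen=LAST_SEEN):
    """Return (level, reason) for one line, or None if it looks routine.
    Definite indicators take precedence over probable, probable over possible."""
    ts, event, subject, host = parse(line)
    if event == "LOG_TRUNCATED":
        return "definite", f"changes to logs on {host}"
    if event == "PROCESS_START":
        if subject in HACKER_TOOLS and subject not in AUTHORIZED_TOOLS:
            return "definite", f"unauthorized hacker tool {subject} on {host}"
        if subject in KNOWN_PROCESSES:
            return None
        return "possible", f"unfamiliar process {subject} on {host}"
    if event == "LOGIN_OK":
        seen = last_seen.get(subject)
        if seen is not None and ts - seen > DORMANT_AFTER:
            return "definite", f"use of dormant account {subject}"
        if ts.hour not in BUSINESS_HOURS:
            return "probable", f"login by {subject} at unexpected time {ts:%H:%M}"
        return None
    if event == "USER_CREATED":
        return "probable", f"new account {subject} on {host}"
    if event == "IDPS_ALERT":
        return "probable", f"IDPS notification: {host}"
    if event == "SYSTEM_CRASH":
        return "possible", f"unusual system crash on {host}"
    return None


def triage(log_text):
    """Classify every line and summarize: counts per level plus the highest level
    seen, which is what the on-call person uses to decide whether to invoke the IR plan."""
    findings = [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]
    levels = [level for level, _ in findings]
    return {
        "counts": dict(Counter(levels)),
        "highest": max(levels, key=LEVEL_RANK.get, default=None),
        "findings": findings,
    }


if __name__ == "__main__":
    for level, reason in triage(SAMPLE_LOG)["findings"]:
        print(f"{level:8s} {reason}")
```

Run on the sample, the dormant-account login, the truncated log, and the unauthorized nmap are reported as definite indicators; the off-hours login, the new account, and the IDPS alert as probable; the unknown process and the crash as possible. A real deployment would replace the constructed lookups with the identity system and a maintained list of authorized tools, which is exactly the policy the chapter describes.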

Incident Reaction
Incident reaction consists of the actions in the IR plan that stop the incident, mitigate its
impact, and begin recovery as quickly as possible.
Notification of Key Personnel: Once an incident is detected, whether by the help desk, a user,
or a systems administrator, the right people must be notified in the right order. Organizations
maintain an alert roster, a list of everyone to be notified together with their contact
information, which can be sequential (one person calls everyone on the list) or hierarchical
(the first person calls a few others, each of whom calls their own sub-list). The roster and the
alert message must be kept current and tested for accuracy. Other personnel, including
management, may not be part of the scripted notification but should still be informed early
enough to avoid undue alarm. If the incident spreads beyond the organization's own resources, or
appears to be part of a large-scale assault, the IR planning team must decide in advance who
else to notify and provide guidance on those additional notification steps.
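The difference between the two roster shapes, and the maintenance the chapter insists on, can be made concrete. This is an added example, not from the textbook: a constructed roster (names and phone numbers are made up) modeled as a tree, with functions that derive the sequential form, estimate time to reach everyone under a simple assumed model (each caller works down their list in order, two minutes per call, and a person starts calling their own list as soon as they are reached), and run the accuracy checks a roster test should perform.

```python
"""Alert roster model: sequential vs hierarchical notification.

Added example, not from the textbook. The roster and phone numbers are constructed.
Roster format: name -> (contact, [people this person calls, in order]).
The first entry is the person who starts the notification (the root).
"""
from collections import deque

HIERARCHICAL = {
    "ir_manager": ("+1-555-0100", ["ciso", "ops_lead", "comms_lead"]),
    "ciso":       ("+1-555-0101", ["cio", "legal"]),
    "ops_lead":   ("+1-555-0102", ["sysadmin_1", "sysadmin_2", "netadmin"]),
    "comms_lead": ("+1-555-0103", ["pr_officer"]),
    "cio":        ("+1-555-0104", []),
    "legal":      ("+1-555-0105", []),
    "sysadmin_1": ("+1-555-0106", []),
    "sysadmin_2": ("+1-555-0107", []),
    "netadmin":   ("+1-555-0108", []),
    "pr_officer": ("+1-555-0109", []),
}


def notification_order(roster):
    """Order in which people are reached (breadth-first from the root)."""
    root = next(iter(roster))
    order, queue, seen = [], deque([root]), {root}
    while queue:
        person = queue.popleft()
        order.append(person)
        for callee in roster.get(person, (None, []))[1]:
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return order


def sequential_roster(roster):
    """Same people, but the root calls everyone in turn: the sequential form."""
    root = next(iter(roster))
    everyone = notification_order(roster)[1:]
    flat = {root: (roster[root][0], everyone)}
    flat.update({name: (roster[name][0], []) for name in everyone})
    return flat


def time_to_notify(roster, call_minutes=2):
    """Minutes until the last person is reached. Model (an assumption of this example):
    each caller works down their list in order, every call takes call_minutes, and a
    person starts calling their own list as soon as they have been reached."""
    root = next(iter(roster))
    reached = {root: 0}
    queue = deque([root])
    while queue:
        person = queue.popleft()
        for i, callee in enumerate(roster.get(person, (None, []))[1], start=1):
            if callee not in reached:
                reached[callee] = reached[person] + i * call_minutes
                queue.append(callee)
    return max(reached.values()), reached


def validate(roster):
    """The maintenance checks the chapter asks for: every entry has contact
    information, every callee is actually on the roster, and nobody is unreachable."""
    problems = []
    for name, (contact, callees) in roster.items():
        if not contact:
            problems.append(f"{name}: missing contact information")
        problems += [f"{name} calls {c}, who is not on the roster"
                     for c in callees if c not in roster]
    reached = set(notification_order(roster))
    problems += [f"{name}: never reached from the root" for name in roster if name not in reached]
    return problems


if __name__ == "__main__":
    print("hierarchical:", time_to_notify(HIERARCHICAL)[0], "minutes")
    print("sequential:  ", time_to_notify(sequential_roster(HIERARCHICAL))[0], "minutes")
    print("problems:", validate(HIERARCHICAL) or "none")
```

With ten people the hierarchical roster reaches everyone in 10 minutes under this model while the sequential form takes 18, which is the usual argument for hierarchical rosters; the cost is that more people must know their part, so validate() (or a periodic live test) matters more, not less.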
Documenting an Incident: Documenting an incident or disaster as it unfolds lets the
organization learn from the event, records who did what and when, and produces a case study for
future training. Contemporaneous documentation also shows that the response followed the plan
and demonstrates due care, which matters if the incident later leads to legal proceedings.
Incident Containment Strategies: The first priority of incident reaction is to stop the
incident or limit its scope and impact. The right containment strategy depends on the incident
and the damage it is causing, so the organization must first determine which information and
systems are affected. Network-level approaches include severing communication circuits,
increasing monitoring, and dynamically applying filtering rules to limit network access. Ad hoc
controls can be applied as well, for example to block an attack that exploits a vulnerability in
a network service such as SNMP. Other controls include disabling compromised accounts,
reconfiguring firewalls, temporarily disabling specific services or processes, or taking down
e-mail-supporting applications. In every case containment means isolating the affected channels,
processes, or computers, stopping the losses, and regaining control of the affected systems; the
incident response manager decides how long an interruption is acceptable.
Incident Recovery: Incident recovery involves identifying necessary resources, assessing
damage, computer forensics, repairing vulnerabilities, addressing safeguard shortcomings, and
restoring systems data and services after containment.
Prioritization of Efforts: The aftermath of an incident can be chaotic; recovery operations
should follow the priorities laid out in the IR plan rather than whatever seems most urgent at
the moment.
Damage Assessment: Assessing the damage can take minutes or weeks depending on its extent. It
draws on system and IDPS logs, configuration records, and examination of the affected systems
and data to determine the type, scope, and extent of the damage. Computer forensics is the
process of collecting, documenting, and preserving computer evidence for use in formal or
informal proceedings; those who examine damaged systems need special training so that the
evidence they handle survives potential criminal or civil actions.
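Documentation and evidence handling (the two passages above) share one practical requirement: the record must be shown later not to have been altered. As an added example that is not part of the textbook, the block below keeps an append-only, hash-chained log of the actions taken during an incident and stores SHA-256 fingerprints of collected evidence rather than the evidence itself. The incident identifier, actors, actions, and the evidence bytes are constructed for the example.

```python
"""Tamper-evident incident documentation.

Added example, not from the textbook. An append-only, hash-chained log of the
actions taken during an incident, with SHA-256 fingerprints of collected evidence,
so that the record itself can later be shown not to have been altered.
Incident identifier and entries below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # 'previous hash' for the first entry


def fingerprint(data):
    """SHA-256 hex digest of an evidence artifact (a copied log, a disk image segment)."""
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    """Hash of an entry in canonical JSON, so identical content always hashes the same."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, evidence=b"", when=None):
        """Append one documented action. Only the evidence fingerprint is stored."""
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": fingerprint(evidence) if evidence else None,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_digest(entry)   # covers every field above, including prev
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry.
        An edited entry fails its own hash; an edited-and-rehashed entry breaks the
        'prev' link of the entry after it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def build_sample_log():
    """Constructed incident record for a fileserver compromise."""
    log = IncidentLog("INC-EXAMPLE-01")
    log.record("oncall", "Disabled switch port for fileserver-01 to contain the incident",
               when="2024-03-04T03:10:00+00:00")
    log.record("forensics", "Copied /var/log from fileserver-01 to evidence store",
               evidence=b"constructed stand-in for the copied log bytes",
               when="2024-03-04T03:40:00+00:00")
    log.record("ir_manager", "Disabled dormant account svc_legacy",
               when="2024-03-04T03:45:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    for e in log.entries:
        print(e["seq"], e["time"], e["actor"], e["action"])
```

In practice the log would be written to append-only storage (or periodically signed and copied off the affected network) so that the chain, not just the host it sits on, is what an outside party trusts; the fingerprints let the original artifacts be handed to law enforcement while the organization keeps a verifiable record of what it collected.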
Recovery: Once the damage is understood, recovery proceeds through a fixed sequence: identify
the vulnerabilities that allowed the incident and address them; address the shortcomings in the
safeguards that failed to stop or limit it; evaluate monitoring capabilities and improve
detection; restore data from backups (which presumes the backup strategy was already in place);
restore services and processes; and then continuously monitor the systems, because attackers
often boast about a success in chat rooms and peers try to repeat it. Throughout, the response
team should work to restore the confidence of the organization's communities of interest; for a
minor incident, a memorandum stating that the incident occurred and caused minimal damage may be
enough. Finally, conduct an after-action review (AAR) in which everyone involved walks through
the event, so that the IR plan can be updated and the incident can serve as a training case for
future staff.
Backup Media: The chapter's Technical Details feature surveys backup media and backup
management strategies, including DAT, QIC, and DLT tape, CD-ROM and DVD, and specialized drives.
Online and Cloud Backup: Organizations are adopting cloud-based architectures for better
performance and resilience and to shift operational risk to key suppliers. Moving backup and
recovery to a service provider shifts the work but not the accountability, so the provider's
operational capability and security must be addressed in contracts and audit requirements. The
three cloud service offerings are Software as a Service (SaaS), Platform as a Service (PaaS),
and Infrastructure as a Service (IaaS). By ownership, a cloud can be public, community, or
private, with public clouds the most common. Because the organization no longer controls the
infrastructure, security must be obtained through warranties and rigorous service agreements.
Automated Response: New technologies in incident response extend traditional systems,
enabling autonomous responses based on preconfigured options. However, legal issues like
tracking suspects and counterattack liabilities remain unresolved, requiring better tools for
security professionals.

Disaster Recovery Planning

An incident is classified as a disaster when it is too severe for the organization to mitigate
and recover from quickly. Disaster recovery planning prepares the organization for natural or
man-made disasters, focusing on reestablishing operations at the primary site.
The Disaster Recovery Plan: The disaster recovery (DR) plan is a structured document that
provides detailed guidance in the event of a disaster. It is organized by type of disaster and
specifies the recovery procedures, roles, and responsibilities for each. It must be tested using
the same mechanisms as the IR plan and reviewed periodically. The DR group consists of a
planning team and a response team, and the response team's first priority is always the
preservation of human life. Roles and responsibilities are clearly defined: some members
coordinate with local authorities, others evacuate personnel, initiate the alert roster,
document the disaster, or work to mitigate its impact on the organization's operations.
Recovery Operations: Disaster responses vary widely; organizations must examine
contingency planning scenarios, restore systems, and transition to business continuity planning
if necessary.
Business Continuity Planning
Business continuity planning ensures that critical operations can be reestablished or relocated
when a disaster makes the primary site unusable; the options available differ greatly between a
small company and a large corporation.
Developing Continuity Programs: Business continuity (BC) planning is somewhat simpler than IR
or DR planning because it consists mainly of selecting a continuity strategy and integrating
off-site data storage and recovery functions into it. The BC team identifies the critical
business functions and the resources they need, evaluates the alternative strategies, selects
one, and then periodically reviews the choice to determine whether a superior alternative has
become available.
Site and Data Contingency Strategies
Organizations select a continuity strategy based on cost, the sites available, and whether
functions can be shared with others.
Hot Sites: A hot site is a fully configured computer facility with all services, communications
links, and physical plant operations in place. It is the most complete contingency option and
can be operational within minutes; although expensive, it offers 24/7 recovery capability.
Warm Sites: A warm site offers many of the same services as a hot site but lacks installed
applications, so it takes hours or days to bring to full functionality.
Cold Sites: A cold site provides only basic services and space, with no computer hardware;
equipment must be installed after occupancy. Its advantage is low cost; its disadvantage is the
long delay before operations can resume.
Time-shares: A time-share lets an organization maintain a hot, warm, or cold site by sharing
its cost with one or more partners. Its disadvantages are the possibility that several partners
need the facility at the same time, the need to stock it with equipment and data, the
negotiations required, and the additional agreements that may be needed.
Service Bureaus: A service bureau provides physical facilities and off-site data storage under
contract, guaranteeing space in a disaster without the organization having to maintain dedicated
facilities. Such contracts must be renegotiated periodically and can be expensive.
Mutual Agreements: Under a mutual agreement, two organizations each agree to provide facilities,
resources, and services to the other until it recovers. Because hosting another organization's
operations is a heavy burden, these agreements are best viewed as a short-term form of
assistance.
Other Options: Specialized alternatives include mobile sites, externally stored resources,
prefabricated buildings, and Disaster Recovery as a Service (DRaaS). DRaaS in particular lets an
organization reach its data and systems remotely, reducing the need for an expensive temporary
physical office.
Off-site Disaster Data Storage: To bring a continuity site up quickly, the organization needs
current data there, which it can supply by electronic vaulting, remote journaling, or database
shadowing. Electronic vaulting is the bulk transfer of data to an off-site facility, typically in
batches. Remote journaling transfers individual transactions, not the whole data set, to the
off-site location as they occur, so recovery replays the journal against the last full copy.
Database shadowing combines the two: duplicate transaction data and a duplicate copy of the
database are written to a redundant server at the remote site, so the shadow database is ready
to use immediately.
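What separates the three strategies is how much committed work is lost and how much must be replayed when the primary disappears. The block below is an added example, not from the textbook: a tiny in-memory key-value store stands in for the production database, a constructed stream of ten transactions is applied, the primary is then "lost", and each strategy reports its recovery point and the replay work needed. The vaulting interval of four transactions and the transaction values are assumptions of the example.

```python
"""Recovery-point comparison of the chapter's three off-site data strategies.

Added example, not from the textbook. A tiny key-value 'database' stands in for
the production system; the transaction stream and the vaulting interval are
constructed. Transaction = (sequence number, key, value).
"""
import copy

TRANSACTIONS = [(i, f"acct{i % 4}", i * 100) for i in range(1, 11)]   # constructed


class Primary:
    """Production database: applies transactions and keeps the local journal."""
    def __init__(self):
        self.db, self.journal = {}, []

    def apply(self, txn):
        seq, key, value = txn
        self.db[key] = value
        self.journal.append(txn)


class Vault:
    """Electronic vaulting: bulk transfer of the whole database off-site every
    `every_n` transactions. Anything committed since the last transfer is lost."""
    def __init__(self, every_n):
        self.every_n, self.snapshot, self.seq = every_n, {}, 0

    def on_commit(self, primary):
        if len(primary.journal) % self.every_n == 0:
            self.snapshot = copy.deepcopy(primary.db)
            self.seq = primary.journal[-1][0]

    def recover(self):
        return dict(self.snapshot), self.seq, 0            # db, last seq, replay steps


class RemoteJournal:
    """Remote journaling: each transaction is shipped as it commits. The remote site
    holds a base copy plus the journal, so recovery must replay the journal."""
    def __init__(self, base=None, base_seq=0):
        self.base, self.base_seq, self.entries = dict(base or {}), base_seq, []

    def on_commit(self, primary):
        self.entries.append(primary.journal[-1])

    def recover(self):
        db, replayed = dict(self.base), 0
        for seq, key, value in self.entries:
            if seq > self.base_seq:
                db[key] = value
                replayed += 1
        last = self.entries[-1][0] if self.entries else self.base_seq
        return db, last, replayed


class Shadow:
    """Database shadowing: duplicate transaction data applied to a duplicate database
    on a redundant remote server at commit time, so the shadow is ready immediately."""
    def __init__(self):
        self.db, self.seq = {}, 0

    def on_commit(self, primary):
        seq, key, value = primary.journal[-1]
        self.db[key] = value
        self.seq = seq

    def recover(self):
        return dict(self.db), self.seq, 0


def run(transactions=TRANSACTIONS, vault_every=4, crash_after=10):
    """Apply `crash_after` (>= 1) transactions, then 'lose' the primary and report, per
    strategy, how many committed transactions are gone (recovery point), how many
    journal entries had to be replayed (recovery time), and whether the result
    matches the primary as it was at the moment of the crash."""
    primary = Primary()
    strategies = {"vaulting": Vault(vault_every),
                  "remote_journaling": RemoteJournal(),
                  "shadowing": Shadow()}
    for txn in transactions[:crash_after]:
        primary.apply(txn)
        for s in strategies.values():
            s.on_commit(primary)
    last_committed = primary.journal[-1][0]
    report = {}
    for name, s in strategies.items():
        db, seq, replayed = s.recover()
        report[name] = {"lost_transactions": last_committed - seq,
                        "replayed": replayed,
                        "matches_primary": db == primary.db}
    return report


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:18s} lost={r['lost_transactions']} replayed={r['replayed']} "
              f"consistent={r['matches_primary']}")
```

With a crash after ten transactions and a vault every four, vaulting has lost the two transactions since the last transfer and its copy no longer matches the primary; remote journaling loses nothing but must replay all ten entries before the site is usable; shadowing loses nothing and needs no replay, which is the trade the chapter describes: vaulting is cheapest, shadowing is the most expensive and the fastest to bring up.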
Crisis Management
Disasters are larger and less manageable than incidents, but the planning processes for both
are similar. The DR team differs from the IR team in its roles and in the knowledge its members
need. Crisis management, a separate field, focuses on the people involved: supporting personnel,
determining the event's impact on business operations, keeping the public informed, and
communicating with stakeholders. The disaster recovery team works closely with the crisis
management team so that the recovery succeeds, and the crisis management response team draws on
all functional areas to ensure communication and cooperation. Its key tasks include verifying
the personnel head count, checking alert rosters, and checking emergency information cards.
Balancing employee needs against business needs is the crux of supporting people during a
disaster.
The Consolidated Contingency Plan
An organization can create a single document combining contingency policy and plan,
incorporating IR, DR, and BC plans. This document should be easily accessible online, stored
in encrypted files, and accessible to employees.
Law Enforcement Involvement
Some incidents are also violations of law, so the organization must decide when to involve law
enforcement, at what level (local, state, or federal), and what the consequences of involvement
will be.
Benefits and Drawbacks of Law Enforcement Involvement
Law enforcement agencies are usually better equipped than the organization to process evidence
and can obtain warrants and subpoenas the organization cannot, but involving them can sometimes
do more harm than good. Before a suspected crime ever occurs, security administrators should
talk with the local and state officials responsible for enforcing information security laws to
learn when their agencies need to become involved and which kinds of crimes they address. Once
law enforcement is engaged, the organization no longer controls the chain of events, the
collection of evidence, or the prosecution of suspects; equipment may be tagged as evidence and
removed or held, leaving the organization without it for the duration.
