MC4205 CYBER SECURITY

UNIT II SECURITY CONTROLS

People Management -Human Resource Security-Security Awareness and

Education-Information Management- Information Classification and
handlingPrivacy-Documents and Record Management-Physical Asset Management-
Office Equipment-Industrial Control Systems-Mobile Device Security- System
Development-Incorporating Security into SDLC - Disaster management and
Incident response planning.

People Management

• The Information Security Forum’s (ISF’s) Standard of Good Practice for Information
Security (SGP) uses the term people management to refer to all aspects of security
related to the behavior of employees and others who have access to the
organization’s information and systems.
• As many security experts have pointed out, superb technical solutions for ensuring
security are bound to fail if employees do not understand their security
responsibilities and are trained and motivated to fulfill those responsibilities.

Human Resource Security

➢ Human Resource Management (HRM) is an operation in companies designed to

maximize employee performance in order to meet the employer's strategic goals
and objectives. More precisely, HRM focuses on management of people within
companies, emphasizing on policies and systems.
➢ Sound security practice dictates that information security requirements be
embedded into each stage of the employment life cycle, specifying securityrelated
actions required during the induction of each individual, the employee’s ongoing
management, and termination of his or her employment.

– Hiring new employees

– Training employees
– Monitoring employee behavior
– Handling employee departure/termination
Especially important is the management of personnel with privileged user access to
information and IT assets.
 MC4205 CYBER SECURITY

General guidelines for checking applicants include the following:

1)SecurityintheHiringProcess
✓ ISO 27002, Code of Practice for Information Security Controls, lists the
followingsecurityobjective of the hiring process: to ensure that employees
and contractors
understand their responsibilities and are suitable for the
roles for which theyconsidered.
are
o Background Checksand Screening
o Employment Agreements
o JobDescriptions

Security
-Related Tasks by Job Description
2) During Employment ✓ ISO 27002 lists the following security objective with respect
to current employees: to ensure that employees and contractors are aware of and fulfill
their information security responsibilities.
o Least privilege o Separation of
duties o Limited reliance on key employees o
Dual operator policy
3) Termination of Employment
✓ ISO 27002 lists the following security objective with respect to termination of
employment: to protect the organization’s interests as part of the process of
changing or terminating employment.
 MC4205 CYBER SECURITY

o Removing the person’s name from all lists of authorized access to

applications and systems
o For IT personnel, ensuring that no rogue admin accounts were created o
Explicitly informing guards that the ex-employee is not allowed into the
building without special authorization by named employees
o Removing all personal access codes o Recovering all assets, including
employee ID, disks, documents, and equipment
o Notifying, by memo or email, appropriate departments so that they are
aware of the change in employment status

Security Awareness and Education

▪ A critical element of an information security program is the security awareness and

training program.
▪ It is the means for disseminating security information to all employees, including
IT staff, IT security staff, and management, as well as IT users and other employees.
▪ A workforce that has a high level of security awareness and appropriate security
training for each individual’s role is as important as, if not more important than,
any other security countermeasure or control.
✓ Two key National Institute of Standards and Technology (NIST) publications,
SP 800-16.
MC4205 CYBER SECURITY

1. Security Awareness
✓ All employees have security responsibilities; all employees must have
suitable awareness training. Awareness seeks to focus an individual’s
attention on an issue or a set of issues

o security culture
o negligent behavior
✓ A Role-Based Model for Federal Information Technology/Cyber security
Training. SP 800-50, Building an Information Technology Security Awareness
and Training Program.
o security awareness
o accidental behavior o malicious behavior o
change management
• Change management is designed to minimize resistance to organizational
change through involvement of key players and stakeholders.
• Plan, assess, and design
• Execute and manage
• Evaluate and adjust
MC4205 CYBER SECURITY

Awareness Program Communication Materials

✓ An awareness training program are the communication materials and methods

used to convey security awareness. o Use in-house materials o Use externally
obtained materials
✓ In-house materials that are effectively used include the following:
o Brochures, leaflets, and fact sheets
o Security handbook:
o Regular email or newsletter:
o Distance learning:
Workshop and training sessions:
o Formal classes
o Video:
o Website
✓ Emphasizing the difference between
critical information and sensitive
information, which must be treated
differently.
▪ Critical information -Information that needs to be available and
have integrity
▪ Sensitive information -Information that can be disclosed only to
authorized individual

Awareness Program Evaluation

o Number of security incidents due to human behavior o

Audit findings o Results of staff surveys o Tests of
whether staff follow correct procedures o Number of
staff completing training
2. Cyber security Essentials Program
✓ Its principal function is to target users of IT systems and applications, including
company-supplied mobile devices and bring your own device (BYOD) policies,
and develop sound security practices for these employees.
✓ Secondarily, it provides the foundation for subsequent specialized or rolebased
training by providing a universal baseline of key security terms and concepts.
 MC4205 CYBER SECURITY

Bring your own device (BYOD)

✓ An IT strategy in which employees, business partners, and others use their

personally selected and purchased client devices to execute enterprise
applications and access data and the corporate network. ✓ Key topics that should
be covered include:
o Technical underpinnings of cybersecurity and its
taxonomy, terminology, and challenges
o Common information and computer system security vulnerabilities o
Common cyberattack mechanisms, their consequences,
and motivations for use
o Different types of cryptographic algorithms o Firewalls and other means
of intrusion prevention o Fundamental security design principles and
their role in limiting points of vulnerability
3. Role-Based Training
✓ Role-based training is targeted at individuals who have functional rather than user
roles with respect to IT systems and applications.
– Manage
– Design
– Implement
– Evaluate
4. Education and Certification
✓ An education and certification program is targeted at those who have
specific security responsibilities, as opposed to IT workers who have some
other.
▪ Global Information Assurance Certification (GIAC) Security
Essentials (GSEC)
▪ Systems Security Certified Practitioner (SSCP):
▪ Information Systems Audit and Control Association (ISACA)
Certified Information Security Manager (CISM)
▪ SANS computer security training and certification
MC4205 CYBER SECURITY

Security Awareness Processes

 MC4205 CYBER SECURITY

INFORMATION MANAGEMENT

The area of information management, according to the Information Security Forum’s

(ISF’s) Standard of Good Practice for Information Security (SGP), encompasses four
topics,
✓ Information classification and handling: Deals with methods of classifying and
protecting an organization’s
✓ information assets Privacy : Is concerned with threat, controls, and policies
related to the privacy of personally identifiable information .
✓ Document and records management: Is concerned with the protection and
handling of the documents and records maintained by an organization Sensitive
✓ physical information: Covers specific issues related to the security of information
assets in physical form.
 MC4205 CYBER SECURITY

INFORMATION CLASSIFICATION AND HANDLING

✓ A necessary preliminary step to the development of security controls and
policies for protecting information is that all the information assets of the
organization must be classified according to their importance and
according to the impact of security breaches involving the information.
▪ Classification of information
▪ Labeling of information:
▪ Handling of assets:
1. Information Classification
✓ It is useful to view information classification and handling in the
overall context of risk management.
Categorize
Select
Implement
Assess
Authorize
Monitor

• That are essential to information classification:

– Information type
– Security objective
– Impact
– Security classification
MC4205 CYBER SECURITY

2. Information Labeling
✓ A label needs to be associated with each instance of an information type
so that its classification is clearly and unambiguously known.
✓ Methods are needed to ensure that a label is not separated from the
information and that the content of the label is secure from unauthorized
modification.

Radio-frequency identification (RFID)

✓ A data collection technology that uses electronic tags attached to items to

allow the items to be identified and tracked with a remote system. The
tag consists of an RFID chip attached to an antenna.
3. Information Handling
✓ Information handling refers to processing, storing, communicating, or
otherwise handling information consistent with its classification.ISO
27002 lists the following relevant considerations:
✓ Access restrictions supporting the protection requirements for each level
of classification o Maintenance of a formal record of the authorized
recipients of assets
o Protection of temporary or permanent copies of information to a
level consistent with the protection of the original information
o Storage of IT assets in accordance with
manufacturers’ specifications
✓ An organization can also take advantage of broader
information management tools, such as a document management
system (DMS) or a records management system (RMS)

Data Loss Prevention (DLP)

✓ The automated tools should facilitate integration with other security tools,
such as encryption and digital signature modules and data loss prevention
(DLP) packages.
✓ A set of technologies and inspection techniques used to classify information
content contained within an object—such as a file, an email, a packet, an
application, or a data store—while at rest (in storage), in use (during an
operation), or in transit (across a network).
 MC4205 CYBER SECURITY

PRIVACY
✓ The term privacy usually refers to making ostensibly private information about an
individual unavailable to parties who should not have that

information.
✓ Privacy interests attach to the gathering, control, protection, and use of
information about individual.
✓ Examples
o Personal identification number (PIN), such as Social Security number
(SSN), passport number, driver’s license number,
identification number, patient identification number, or financial
account or credit card number
o Telephone numbers, including mobile, business, and personal numbers

Relationship between Information Security and Privacy

1. Privacy Threats
✓ To understand the requirements for privacy, the threats must
first be Identified taxpayer
 MC4205 CYBER SECURITY

✓ Information collection is not necessarily harmful but can in some cases

constitute a privacy threat.
– Surveillance
– Interrogation
– Information processing refers to the use, storage, and manipulation
of data that have been collected.
▪ Aggregation
▪ Identification
▪ Insecurity
▪ Secondary use
✓ The area of information dissemination encompasses the revelation of
personalinformation or the threat of such revelation.
– Disclosure
– Breach of confidentiality
– Exposure
– Blackmail
– Appropriation
✓ The fourth area of privacy threats is referred to as invasions, and it involves
impingements directly on the individual
– Intrusion
– Decisional interference
Privacy Principles and Policies
✓ A number of international organizations and national governments have introduced
standards, laws, and regulations intended to protect individual privacy.
 MC4205 CYBER SECURITY

ISO 29100

✓ ISO 29100, Privacy Framework, lists the following 11 privacy principles that form
the bases of this international standard

European Union’s GDPR

✓ One of the most comprehensive initiatives is European Union’s (EU’s) General

Data Protection Regulation (GDPR), approved by the European Parliament in
2016,

U.S. Privacy Laws and Regulations

✓ There is no single law or regulation covering privacy in the United States.

Rather, a collection of federal privacy laws cover various aspects of privacy;

U.S. Privacy Laws and Regulations

✓ There is no single law or regulation covering privacy in the United States.

Rather, a collection of federal privacy laws cover various aspects of privacy;

2. Privacy Controls
✓ To counter privacy threats and comply with government laws and regulations,
organizations need a set privacy controls that encompass their privacy
requirements and that respond to legal requirements – Authority and
purpose:
– Accountability, audit, and risk management
– Data quality and integrity
– Data minimization and retention: – Individual participation and redress –
Security:
– Transparency
– Use limitation

DOCUMENT AND RECORDS MANAGEMENT

✓ A specific class of information consists of documents and records.

✓ Document: A set of information pertaining to a topic, structured for human
comprehension, represented by a variety of symbols, and stored and handled
as a unit. A document may be modified.
MC4205 CYBER SECURITY

✓ Record: A subclass of documents that clearly delineates terms and conditions,

statements, or claims or that provides an official record. Generally a record,
once created, is not modified.
• Document management system: Software that manages documents for
electronic publishing. It generally supports a large variety of document formats
and provides extensive access control and searching capabilities across
networks.
• Records management system: Software that provides tools for and aids in
records management.
1. Document Management
✓ Document management is a key business function because of the importance
of documents to the operation of an organization.
– To record or to document contracts and agreements
– To record policies, standards, and procedures
– To represent a view of reality at a point in time
– To create an image or impression
– To generate revenue as a product

Document Management Life Cycle

2. Records Management
✓ Records management is a vital business function that requires stronger
security measures than those for document management.
 MC4205 CYBER SECURITY

✓ The Information Security Guide developed by the Higher Education

Information Security Council (HEISC).
o Establish a strategic planning group that includes
managers/executives to support the program.
o Identify a records manager to oversee all aspects of the program,
including ongoing management and use of internal personnel or
outside consultants.
o Complete a records inventory.
o Develop a records management manual with defined policies and
procedures.
o Make records management a high priority.
✓ A key aspect of records management is the retention and disposition
policy.
o Active
o Semi-active
o Inactive
o
Physical Asset Management
top
The Information Security Forum’s (ISF’s) Standard of Good Practice for Information
Security (SGP) uses the term physical asset to refer to all information and communications
technology (ICT) hardware, including systems and network equipment; office equipment
(such as, network printers and multifunction devices); mobile devices; and specialist
equipment (for example, industrial control systems).

OFFICE EQUIPMENT

✓ Office equipment includes printers, photocopiers, facsimile machines, scanners,

and multifunction devices (MFDs).
MC4205 CYBER SECURITY

✓ Office equipment often contains the same components as a server (e.g.,

operating system, hard disk drives, and network interface cards) and runs
services such as web, mail, and ftp.
✓ A multifunction device (MFD) is generally defined as a network -attached
document production device that combines two or more of these functions:
copy, print, scan, and fax.

1. Threats and Vulnerabilities

There are numerous potential threats to office equipment

1. Network Services
– Management protocols:
– Services protocols:
2. Information Disclosure
– Print, fax, and copy/scan logs
– Address books
– Mailboxes
3.Denial-of-Service
Attacks
– Physical Security
– Operating System Security
2. Security Controls
✓ A useful checklist of security measures an organization can take to protect
MFDs isprovided in the SANS.
o Network protocols and services
o Management
o Security updates
o Physical security
o The choice of measures should depend on the organization’s risk assessment
relative to a particular office device asset.
▪ Physical device management ▪ Remote device management:
▪ Job access and processing
▪ Application development platforms
▪ User management:
▪ Logging and monitoring
▪ Miscellaneous
3. Equipment Disposal
✓ The SGP recommends that sensitive information stored on office equipment be
securely destroyed.
MC4205 CYBER SECURITY

o Clear
o Purge
✓ Self-Encrypting Drive (SED)
o A hard drive with a circuit built into the disk drive controller chip
that encrypts all data to the magnetic media and decrypts all the
data from the media automatically.

INDUSTRIAL CONTROL SYSTEMS

✓ An industrial control system (ICS) is used to control industrial processes such
as manufacturing, product handling, production, and distribution.
✓ Industrial control systems include supervisory control and data acquisition
(SCADA ) systems used to control geographically dispersed assets, as well as
distributed control systems (DCSs) and smaller control systems, using
programmable logic controllers to control localized processes.
✓ Three increasingly secure actions for sanitization are defined:
MC4205 CYBER SECURITY

✓ Sensor: A sensor measures some parameter of a physical, chemical, or biological

entity and delivers an electronic signal proportional to the observed
characteristic, either in the form of an analog voltage level or a digital signal. In
both cases, the sensor out put is typically input to a microcontroller or other
management element.
✓ Actuator: An actuator receives an electronic signal from a controller and
responds by interacting with its environment to produce an effect on some
parameter of a physical, chemical, or biological entity.
✓ Controller: The controller interprets the signals and generates corresponding
manipulated variables, based on a control algorithm and target set points, which
it transmits to the actuators. The controller may have very limited intel ligence
and may rely on the human –machine interface for direction. But typically, a
controller adjusts the directives given to actuators automatically, based on sensor
input.
✓ Human–machine interface : Operators and engineers use human interfaces to
monitor and configure set points, control algorithms, and adjust and establish
parameters in the controller.
 MC4205 CYBER SECURITY

✓ The human interface also displays process status information and historical
information. Remote diagnostics and maintenance: Diagnostics and
maintenance utilities are used to prevent, identify, and recover from abnormal
operation or failures.

Differences Between IT Systems and Industrial Control Systems

IT Systems ICSs
Response must be consistent Response is time-critical.

Responses such as rebooting are Responses such as rebooting may not be acceptable
acceptable because of process availability
requirements
Manage data. Control physical world
Systems are specified with enough Systems are designed to support the resources to
support the addition of intended industrial process and may not third- party applications
such as security have enough memory and computing
solutions resources to support the addition of
security capabilities.
Standard communications protocols are Many proprietary and standard used.
communication protocols are used
Component lifetime is on the order of 3 Component lifetime is on the order of 10 to 5 years
to 15 years.

ICS Security
✓ The Department of Homeland Security’s (DHS’s) Recommended Practice:
Improving Industrial Control System Cyber security with Defense-in-
Depth Strategies.
✓
IT Systems ICSs
Easily deployed and updated Ability to protect legacy systems with aftermarket
solutions
Multiple vendors Usually the same vendor over time
Modern methods Modern methods possibly inappropriate
Regular and scheduled Strategic scheduling
MC4205 CYBER SECURITY

Integral part of the development Historically not an integral part of the

process development process

Typical Security Threats to ICSs

✓ Blocked or delayed flow of information through ICS networks, which could

disrupt ICS operation.
✓ Unauthorized changes to instructions, commands, or alarm thresholds, which
could damage, disable, or shut down equipment ✓ Inaccurate information sent
to system operators.
✓ ICS software or configuration settings modified, or ICS software infected with
malware, which could have various negative effects.

Key Security Measures

• The DHS has offered these recommendations for protecting ICSs. –

Implement application white listing:
– Ensure configuration management and patch management
– Reduce attack surface areas

Attack surface

• The reachable and exploitable vulnerabilities in a system.

• Build a defendable environment
• Manage authentication
• multifactor authentication (MFA)

Resources for ICS Security

– Recommended Practice: Improving Industrial Control System Cyber

security with Defense-in-Depth Strategies
– Cyber Security Assessments of Industrial Control Systems
– SP 800-82, Guide to Industrial Control Systems Security
– Catalog of Control Systems Security: Recommendations for
Standards Developers
 MC4205 CYBER SECURITY

MOBILE DEVICE SECURITY

✓ A mobile device as a “portable computing and communications device with
information storage capability”. o Growing use of new devices o Cloud-based
applications
o External business requirements

Growing use of new devices: Organizations are experiencing significant growth in

employee use of mobile devices. In many cases, employees are allowed to use a
combination of endpoint devices as part of their day-to-day activities.

Cloud-based applications: Applications no longer run solely on physical servers in

corporate data centers. Today applications can run anywhere—on traditional physical
servers, on mobile virtual servers, or in the cloud. In addition, end users can now take
advantage of a wide variety of cloudbased applications and IT services for personal and
professional use.

External business requirements: An enterprise must also provide guests, third-party

contractors, and business partners network access using various devices from a multitude
of locations

Mobile Device Technology

Providing enterprise security for mobile devices is extraordinarily complex, both because
of the technology of these devices and the ecosystem in which they operate.
Hardware:
The base layer of the technology stack is the device hardware. This includes an application
processor, with the ARM family of processors being the most common. There is also a
separate processor that runs the cellular network processor, typically referred to as the
baseband processor.

Firmware: The firmware necessary to boot the mobile operating system (that is, boot
loader) may verify additional device initialization code, device drivers used for
peripherals, and portions of the mobile operating system— all before a user can use the
device. I
 MC4205 CYBER SECURITY

Mobile operating system : The most common operating systems for mobile
devices are Android and iOS. An operating system includes a sandbox facility for
isolating third -party applications in some manner to prevent unexpected or
unwanted interaction between the system, its ap plications, and applications’
respective data (including user data).
Application: The application layer includes third -party applications, various
apps and services provided by the mobile device vendor, and facilities for
defining permissions

1. Mobile Ecosystem
✓ The execution of mobile applications on a mobile device may involve
communication across a number of networks and interaction with a number
of systems owned and operated by a variety of parties.
✓ This ecosystem makes the achievement of effective security challenging.
o Cellular and Wi-Fi infrastructure:
o Public application stores o Private
application stores o Device and OS vendor
infrastructure:
MC4205 CYBER SECURITY

o Enterprise mobility management systems

o Enterprise mobile services o app store
✓ Cellular and Wi-Fi infrastructure: Modern mobile devices are typically equipped
with the capability to use cellular and Wi-Fi networks to access the Internet and to
place telephone calls. Cellular network cores also rely on authentication servers to
use and store customer authentication information.
✓ Public application stores (public app store): Public app stores include native
app stores, which are digital distribution services operated and developed by
mobile operating system vendors. For Android, the official app store is Google Play,
and for iOS, it is simply called the App Store.
✓ Device and OS vendor infrastructure: Mobile device and operating system
vendors host servers to provide updates and patches to operating systems and
apps. Other cloud-based services may be offered, such as storing user data and
wiping missing devices.
✓ Enterprise mobility management systems: Enterprise mobility management
(EMM) is a general term that refers to everything involved in managing mobile
devices and related components (such as wireless networks). EMM is much
broader than just information security; it includes mobile application
management, inventory management, and cost management.
✓ Enterprise mobile services: These back-end services are accessible from
authorized users’ mobile devices, including email, file sharing, and other
applications
MC4205 CYBER SECURITY

Mobile Eco system

 MC4205

2. Vulnerabilities
✓ Mobile devices need additional specialized protection measures beyond those
implemented for other client devices, such as desktop and laptop devices that
are used only within the organization’s facilities and on the organization’s
networks.
– Lack of Physical Security Controls
– Use of Untrusted Mobile Devices
– Use of Untrusted Networks
– Use of Applications Created by Unknown Parties
– Use of Untrusted Content
– Use of Location Services
3. Mobile Device Security Strategy
✓ The recent DHS report Study on Mobile Device Security groups security threats
and defenses into five primary components of the mobile ecosystem and their
associated attack surface: the mobile device technology stack, mobile
applications, mobile network protocols and services, physical access to the
device, and enterprise mobile infrastructure.
– Rooting
– Side loading

Common Mobile Device Threats

– Mobile device technology stack

– Mobile applications
– Mobile networks
– Device physical systems
– Mobile enterprise
4. Resources for Mobile Device Security
✓ A number of documents for U.S. agencies are valuable resources for any
organization.
– Study on Mobile Device Security
– Assessing Threats to Mobile Devices & Infrastructure
– Guidelines for Managing and Securing Mobile Devices in the Enterprise –
Test the Security of Mobile Applications:
– Guidelines on Hardware-Rooted Security in Mobile Devices – Mobile
Device Security: Cloud and Hybrid Builds
 MC4205

System Development
The system development life cycle (SDLC) is the overall process of developing,
implementing, and retiring information systems. Various SDLC models have
been developed to guide the processes involved, and some methods work
better than others for specific types of projects.

INCORPORATING SECURITY INTO THE SDLC

✓ Enterprise security considerations dictate that security-focused activities and
deliverables be a part of every phase of the SDLC in order to ensure that the
developed system is able to withstand malicious attacks.
✓ Whatever SDLC methodology is used, an enterprise should make sure both that
the SDLC methodology lends itself to a comprehensive security component and
that security policies and procedures are well defined for each phase.
✓ The following elements in defining the security considerations applied during
each phase:
o Major security activities o
Expected outputs o
Synchronization o Control
gates
1. Initiation Phase
✓ The relationships among five key security-related activities that comprise the
initiation phase. During this initial phase, the security focus is on identifying
and assessing risks.
 MC4205

• Initiating Project Security Planning

– system owner
– Categorizing Information Systems and Assessing Impact
▪ Ensuring Secure System Development
▪ Secure concept of operations:
▪ Standards and processes
▪ Security training for development team
▪ Quality management:
▪ source code repository
▪ Control Gates
▪ Determine acquisition strategy
▪ System concept review
▪ Performance specification review
▪ Financial review
▪ Risk management review

2. Development/Acquisition Phase
✓ The relationships among six key security-related activities that comprise the
development/acquisition phase.
 MC4205

✓ A key security activity in this phase is conducting a risk assessment and using the
results to supplement the baseline security controls.

✓ Assessing Risks and Selecting Controls

✓ Developing, Testing, and Documenting Security Controls and Features
o functional testing
o penetration testing
o user testing
✓ Control Gates
o Architecture/design review:
o Performance review
o Functional test review:
o Risk management review

3. Implementation/Assessment Phase
✓ The relationship among four key security-related activities that comprise the
implementation/assessment phase.
 MC4205

✓ Creating a Detailed Plan for C&A

o Certification and Accreditation (C&A)
✓ Integrating Security with Environments or Systems
✓ Assessing System Security
✓ Authorizing Information System
✓ Control Gates
o System test readiness review
o Deployment readiness review o Certification and
accreditation (C&A) review o Authorization decision
o Final project status and financial review
 MC4205

4. Operations and Maintenance Phase

✓ The relationship among three key security-related activities that comprise

the operations and maintenance phase.

✓ Reviewing Operational Readiness

✓ Ensuring Configuration Management and Control
✓ change control
✓ change control board (CCB)
✓ Conducting Monitoring Continuously
✓ Control Gates
o Operational readiness review:
o Change control board
o Authorization decision

5. Disposal Phase
✓ The disposal phase is the process of preserving (if applicable) and discarding
system information, hardware, and software. During this phase, information,
hardware, and software are moved to another system, archived, discarded, or
destroyed.
✓ The disposal phase involves the following control gates:
 MC4205

• System closure review

• Change control board
• Security review of closure
•

✓ The following key activities:

o Create a disposal/transition plan o
Ensure information protection o
Dispose of hardware and software o
Close system

DISASTER MANAGEMENT

• Disaster recovery is generally a planning process and it produces a document

which ensures businesses to solve critical events that affect their activities.
• Such events can be a natural disaster (earthquakes, flood, etc.), cyber–attack
or hardware failure like servers or routers. Cyber attack in disaster
management
 MC4205

• Cyber attacks aim to disable, disrupt, destroy or control computer systems or

to alter, block, delete, manipulate or steal the data held within these systems.
• A cyber attack can be launched from anywhere by any individual or group
using one or more various attack strategies.

Steps to creating a disaster recovery plan

• Identify representatives from each area of the business

• Document your risks
• Specify which data, technologies, and tools are most critical
• Maintain an inventory of physical assets
• Determine where and how critical business information will be backed up
• Protection for every computer
• Taps the benefits of cloud backup
• Runs automatically
• Prioritizes easy recovery

Cyber security Disaster Recovery Plan

• Requirements to Have a Disaster Recovery Plan

• Disaster recovery starts with an inventory of all assets like computers, network
equipment, server

Example
 MC4205

security incidents.
• Incident response planning contains specific directions for specific attack
scenarios, avoiding further damages, reducing recovery time and mitigating
cyber security risk.
• Incident response procedures focus on planning for security breaches and how
organizations will recover from them.
 MC4205

Responsible for Incident Response Planning

• Organizations should form a computer security incident response team

security incidents.
• Incident response manager
• Security analysts
• Threat researchers

Different Types of Security Incidents

• Types of malware
• Man-in-the-middle attacks
• Social engineering
• Data breaches
• Data leaks
• Email spoofing
• Domain hijacking
• Denial of service (DoS)

Tools are Available for Incident Response

• There are tools and industry standards that can be helpful to incident
response teams.
• Tools can be split into three categories:
• Prevention
• Detection
• Response
(CSIRT) who is responsible for analyzing, categorizing and responding to

What is the Industry Standard for Incident Response?

• There are two frameworks that have become industry standard, the NIST
Incident Response Process and the SANS Incident Response Process.
• The NIST Incident Response Process is four steps:
• Preparation
• Detection and analysis
• Containment, eradication and recovery
• Post-incident activity
• The SANS Incident Response Process is six:
 MC4205

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned