Security + Certification - Chapter 12: Policies and Disaster Recovery - Athena

Chapter 12 Policies and Disaster Recovery Objective in this chapter  Policies and Procedures  Privilege Management  Education and Documentation  Communication  Disaster Recovery  Business Continuity ATHENA Introduction  Policies, procedures, documentation, and disaster recovery are some of the most important parts of a Security Analyst’s job.  Privilege management allows you to control access through various methods, and is a primary feature of good security  Education and documentation are two extremely important topics as part of security  Business continuity and disaster recovery is a fundamental part of any security infrastructure ATHENA Policies and Procedures  Address concerns and identify risks  Consist of a series of steps that inform someone how to perform a task and/or deal with a problem  Creating policies and procedures requires answering questions: • Who and Where? • What? • When? • Why? • How? ATHENA Policies and Procedures (cont.)  Security Policies • Restricted Access Policies • Workstation Security Policies • Physical Security Policies  Acceptable use policies  Due Care  Privacy  Separation of Duties  Need to know  Password Management • Strong passwords • Password changes and Restrictions • Using passwords as part of a multifaceted Security System • Administrator Accounts ATHENA Policies and Procedures (cont.)  SLA (Service Level Agreements)  Disposal/ Destruction  HR Policy  Incident Response Policy ATHENA Communication • Internal or Internet mail • Phone systems • Papers • Private/ public web sites • Public foldes • Instant Messaging and live chat • ATHENA Privilege Management  User/ Group/ Role Management  Single Sign-on  Centralized versus decentralized  Auditing: process of monitoring and examining items to determine if problems exist. • Privilege • Usage • Escalation  MAC/DAC/ RBAC ATHENA Education and Documentation  User Awareness  Education  Online Resources  Documentation • Standards and guidelines • System Architecture • Change Documentation • Logs and Inventories • Classification • Notification • Retention/ Storage • Destruction ATHENA Disaster Recovery Overview: What is Disaster Recovery (DR)?  Importance of DR  Risk Analysis  Business Impact Analysis  Creating a DR plan  Scenario Examples ATHENA Definition Part of Business Continuity Planning Procedure for restoring system(s) Security during/after disaster Minimize business losses Rapidly resume business operations Lower stress for IT staff ATHENA How important is it?  Priority different for each site  Importance may change  Cost dependant  Resource dependant  Risk Analysis dependant  Business Impact Analysis dependant ATHENA Risk Analysis: How likely will a disaster occur?  Physical & Electronic security  High or low profile organization or systems  Natural disasters: • Flood plain • Tornado alley • Fault line • Volcano nearby ATHENA Risk Analysis (cont.) War • Country at War • Nearby country at war  Terrorism • In or near high profile target • National security impact • Infrastructure impact ATHENA Business Impact Analysis: What will happen if a disaster does occur?  Loss of equipment  Loss of data  Loss of personnel  Loss of clients  Disruption of operations  Revenue Impact ATHENA Business Impact Analysis (cont.)  Cost projections: • Cost per minute, hour or day • Cost to client • Extra personnel or consultants • Spare equipment or hot/cold site costs ATHENA •Public Image Creating a DR plan  Budgeting and resources available • Capital budget • Personnel • Equipment • Vendors • Consultants Management Buy-in ATHENA Creating DR plan (cont.)  Defined risks • What assets are at risk? How? • Restore assets  Defined Business Impact • What business is disrupted? How? • Restore operations  Post-Mortem Analysis  Revise DR plan ATHENA Disaster Recovery: Critical Points  Importance varies – evaluate your site!  Analyze your own risks  Remember your clients!  Balance between needs and resources  Nobody is prepared for what really happens  Everyone needs a DR plan in writing! ATHENA Budgeting and Resources  What is available budget?  What personnel are assigned?  How many hours are committed?  What equipment is available?  What space is available?  What vendors are in your area? ATHENA Disaster Recovery  Backups • Backup classify – Full Backup – Incremental Backup – Differential backup • Rotation Schemes • Offsite storage  Secure recovery • Alternate Sites (Hot site, Warm site, Cold site)  Disaster recovery plan ATHENA Backups ATHENA Business Continuity  Disaster recovery plan  Business Recovery plan: how business func will resume  Business Resumption plan: how critical sys  Contingency plan: what actions can be performed  Utilities • UPS • Power generations  High availability/ Fault tolerance • Raid 0 • Raid 0 +1 • Raid 1, 2, 3, 4, 5, 10, 53 ATHENA BUSINESS CONTINUANCE AND DISASTER RECOVERY Lessons from 11 September The Importance of Business Continuance IT Aspects of Business Continuance and Disaster Recovery Non-IT Issues in Disaster Recovery ATHENA Day the World Changed TUESDAY 11 SEPTEMBER 2001  Heart of the United States  Beyond Expectation  Emotional, personal and physical devastation was beyond belief  Remarkable human / national spirit ATHENA  People and Information • virtually everything else was replaceable or re- creatable  Email was vital  Communications were difficult  Crisis Management became critical • command post and friends  Communicate well-being of company  Finances are strained Lesson from 11 Sept - 1 A TIME OF CRISIS ATHENA  Alternate workplaces  IT issues were significant • tapes inaccessible, poor backup, slow recovery • DR staff were not dispersed in some cases • lack of automation • government info linkage ?  Paper records lost  Supply chain severely impacted Lesson from 11 Sept - 2 A TIME OF CRISIS ATHENA  NY Economic impact = US$83B  57,000 job loss by 2003  30 % of Office Space lost in NY  25 %: outage of over 8 hours (since 1997) • several high profile  Quick Facts DISASTERS ATHENA  People  Information Technology  Facilities  Connectivity  Supply Chain Maintaining the Business THE FIVE CRITICAL POINTS ATHENA Outages THE ENEMY OF BUSINESS CONTINUANCE Unplanned Outages 13% ATHENA Planned Outages Find/SVP, 2001 87% Definitions - BC and DR ACHIEVING 24 x 7 (X 365) AVAILABILITY  Business Continuance (BC)  Disaster Recovery (DR) ATHENA Meta Group, 2002 Insurance ?? 30 % Never Re-Open 29 % Out within Two years Insurance ?? 6% Survive Massive Data Loss University of Texas, 2001 Outages are Far Reaching BROAD RANGE OF EFFECTS Lost revenue Business interruption  E-commerce down  Applications down  Lost billings records  Lost business information  Used against you  Lost business  Lost market share  Higher expenses  Opportunity Costs  End-users cannot do their jobs  IT operations disrupted  Customers cannot access data  Suppliers cannot complete service  Higher phone volume  Lost orders  Customer care calls disconnected ATHENA Competitiveness Litigation Company reputation  Customer perception  Investor uncertainty  Lender uncertainty  Hiring slowdown  Employee turnover  Impact to brand and image  Investor filings  Supplier misunderstandings  Customer contracts unmet  Service levels unmet Who Owns BC ? BUSINESS OWNERSHIP / IT FACILITATION ATHENA By 2002, 30% of Global 2000’s IT organisations (where no plan exists) will initiate BC projects in unison with business units By 2005, BC will account for 5+ % of IT budgets Meta Group, 2001  Typically BC is integrated into IT planning  Typically DR is ad-hoc and not integrated • DR is often a “company secret” Facilitation of BC and DR INTEGRATING DR INTO IT ATHENA  Power failure • Remember local utility crises  Telecommunications failure  Natural Disaster  Terrorist / political threat  Cyber-attack • virus, firewall breaches, disgruntled employees Disasters THEY DO HAPPEN ATHENA  Where are my staff ?  Could you get your systems back running ?  Do you have an alternate location ?  Does a formal DR plan exist ? Tested ?  Would it be quick enough (RTO) ?  How much data would you lose (DRO) ?  Does it fulfil legal / statutory / contractual reqts ?  Does it have a business owner ? IT owner ?  Could your staff work from an alternate location ?  How about a similar loss for a partner / supplier? Loss of Main Data Centre BRIEF ASSESSMENT – BUSINESS SURVIVAL ? ATHENA  Personnel – Roles / Accountability  Vital Records – electronic and hardcopy  Alternate Facilities • Commercial / vendor / partner / internal  Redundant Infrastructure • computing systems, utilities, networks, PABX  Documentation • schedules, methods, contacts, etc  Testing • regular, effective testing  Make plan concise, efficient and actionable DR Plan - Key Elements REQUIRES MULTIPLE RESOURCES T $ ATHENA PR Business Objectives  Second business location  External DR supplier  External service provider  Sharing sites  Productive Protection • turning DR into an active asset • common government DR sites ? DR Location SHARING THE COSTS  Hot Site  Warm Site  Cold Site ATHENA  Sites must not be affected by the same disaster • power, networks, weather, utilities  Easy access to both • staff access • telco costs • synchronous techniques  Cost  Available locations How Far Away A CLASSIC TRADE-OFF ATHENA Nearly All Mission Critical LOT OF DATA DEPENDENCIES Product or Service Related Data  80% Essential  15% Support  5% Deferrable Reality is: ATHENA Business Support DataDeferrable Data And data dependencies are increasing Essential data includes: Major business appls AND email, web systems, HR Systems, billing, intranet, future plans, electronic records  Up to date personnel contact lists / calling trees • multiple forms (home/office/mobile/pager/email) • paper and electronic form • potential use of outside service • ensure HR systems are part of the DR plan  Keep staff informed • contact phone point (ex-PABX), internet presence  Train personnel to react appropriately • pressure for long work hours • access to food, rest, ease of access (taxi / parking)  Availability of Contract staff Personnel and Staff YOUR MOST VALUABLE ASSET ATHENA  Cover outages / failures of external suppliers • infrastructure suppliers • major service providers  Check service providers BC plans  Healthy relationships with service providers was critical on Sept 11 Contingency Planning FOR WHEN THINGS GO WRONG ATHENA  September 11 • decision makers for declaring IT disaster pre- determined  Crisis Mgmt is not just for IT disasters  Communication is critical (“Command Post”) • internal personnel / family / friends • public relations (company spokespeople) • major clients / shareholders / suppliers • maintain a “visible” business • alternate physical mail site • transportation • evacuation Crisis Management ORGANISED EMERGENCY DECISION MAKING ATHENA  Importance of electronic copies of key files • copies of contracts • copies of critical company documents  Ensure PC business data is backed up Paper and PC Data AVOIDING LOSS ATHENA Summary WOULD YOUR BUSINESS SURVIVE ? ATHENA Ask Yourself: What Do I Do Now ?