Policies, procedures, documentation, and disaster
recovery are some of the most important parts of a
Security Analyst’s job.
Privilege management allows you to control access
through various methods, and is a primary feature of
good security
Education and documentation are two extremely
important topics as part of security
Business continuity and disaster recovery is a
fundamental part of any security infrastructure
45 trang |
Chia sẻ: candy98 | Lượt xem: 527 | Lượt tải: 0
Bạn đang xem trước 20 trang tài liệu Security + Certification - Chapter 12: Policies and Disaster Recovery - Athena, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Chapter 12
Policies and
Disaster Recovery
Objective in this chapter
Policies and Procedures
Privilege Management
Education and Documentation
Communication
Disaster Recovery
Business Continuity
ATHENA
Introduction
Policies, procedures, documentation, and disaster
recovery are some of the most important parts of a
Security Analyst’s job.
Privilege management allows you to control access
through various methods, and is a primary feature of
good security
Education and documentation are two extremely
important topics as part of security
Business continuity and disaster recovery is a
fundamental part of any security infrastructure
ATHENA
Policies and Procedures
Address concerns and identify risks
Consist of a series of steps that inform someone how to
perform a task and/or deal with a problem
Creating policies and procedures requires answering
questions:
• Who and Where?
• What?
• When?
• Why?
• How?
ATHENA
Policies and Procedures (cont.)
Security Policies
• Restricted Access Policies
• Workstation Security Policies
• Physical Security Policies
Acceptable use policies
Due Care
Privacy
Separation of Duties
Need to know
Password Management
• Strong passwords
• Password changes and Restrictions
• Using passwords as part of a multifaceted Security System
• Administrator Accounts
ATHENA
Policies and Procedures (cont.)
SLA (Service Level Agreements)
Disposal/ Destruction
HR Policy
Incident Response Policy
ATHENA
Communication
• Internal or Internet mail
• Phone systems
• Papers
• Private/ public web sites
• Public foldes
• Instant Messaging and live chat
•
ATHENA
Privilege Management
User/ Group/ Role Management
Single Sign-on
Centralized versus decentralized
Auditing: process of monitoring and examining items to
determine if problems exist.
• Privilege
• Usage
• Escalation
MAC/DAC/ RBAC
ATHENA
Education and Documentation
User Awareness
Education
Online Resources
Documentation
• Standards and guidelines
• System Architecture
• Change Documentation
• Logs and Inventories
• Classification
• Notification
• Retention/ Storage
• Destruction
ATHENA
Disaster Recovery Overview:
What is Disaster Recovery (DR)?
Importance of DR
Risk Analysis
Business Impact Analysis
Creating a DR plan
Scenario Examples
ATHENA
Definition
Part of Business Continuity Planning
Procedure for restoring system(s)
Security during/after disaster
Minimize business losses
Rapidly resume business operations
Lower stress for IT staff
ATHENA
How important is it?
Priority different for each site
Importance may change
Cost dependant
Resource dependant
Risk Analysis dependant
Business Impact Analysis dependant
ATHENA
Risk Analysis:
How likely will a disaster occur?
Physical & Electronic security
High or low profile organization or systems
Natural disasters:
• Flood plain
• Tornado alley
• Fault line
• Volcano nearby
ATHENA
Risk Analysis (cont.)
War
• Country at War
• Nearby country at war
Terrorism
• In or near high profile target
• National security impact
• Infrastructure impact
ATHENA
Business Impact Analysis:
What will happen if a disaster does occur?
Loss of equipment
Loss of data
Loss of personnel
Loss of clients
Disruption of operations
Revenue Impact
ATHENA
Business Impact Analysis (cont.)
Cost projections:
• Cost per minute, hour or day
• Cost to client
• Extra personnel or consultants
• Spare equipment or hot/cold site costs
ATHENA
•Public Image
Creating a DR plan
Budgeting and resources available
• Capital budget
• Personnel
• Equipment
• Vendors
• Consultants
Management Buy-in
ATHENA
Creating DR plan (cont.)
Defined risks
• What assets are at risk? How?
• Restore assets
Defined Business Impact
• What business is disrupted? How?
• Restore operations
Post-Mortem Analysis
Revise DR plan
ATHENA
Disaster Recovery:
Critical Points
Importance varies – evaluate your site!
Analyze your own risks
Remember your clients!
Balance between needs and resources
Nobody is prepared for what really happens
Everyone needs a DR plan in writing!
ATHENA
Budgeting and Resources
What is available budget?
What personnel are assigned?
How many hours are committed?
What equipment is available?
What space is available?
What vendors are in your area?
ATHENA
Disaster Recovery
Backups
• Backup classify
– Full Backup
– Incremental Backup
– Differential backup
• Rotation Schemes
• Offsite storage
Secure recovery
• Alternate Sites (Hot site, Warm site, Cold site)
Disaster recovery plan
ATHENA
Backups
ATHENA
Business Continuity
Disaster recovery plan
Business Recovery plan: how business func will resume
Business Resumption plan: how critical sys
Contingency plan: what actions can be performed
Utilities
• UPS
• Power generations
High availability/ Fault tolerance
• Raid 0
• Raid 0 +1
• Raid 1, 2, 3, 4, 5, 10, 53
ATHENA
BUSINESS CONTINUANCE AND DISASTER RECOVERY
Lessons from 11 September
The Importance of Business Continuance
IT Aspects of Business Continuance and
Disaster Recovery
Non-IT Issues in Disaster Recovery
ATHENA
Day the World Changed
TUESDAY 11 SEPTEMBER 2001
Heart of the United States
Beyond Expectation
Emotional, personal and
physical devastation was
beyond belief
Remarkable human / national
spirit
ATHENA
People and Information
• virtually everything else was replaceable or re-
creatable
Email was vital
Communications were difficult
Crisis Management became critical
• command post and friends
Communicate well-being of company
Finances are strained
Lesson from 11 Sept - 1
A TIME OF CRISIS
ATHENA
Alternate workplaces
IT issues were significant
• tapes inaccessible, poor backup, slow recovery
• DR staff were not dispersed in some cases
• lack of automation
• government info linkage ?
Paper records lost
Supply chain severely impacted
Lesson from 11 Sept - 2
A TIME OF CRISIS
ATHENA
NY Economic impact = US$83B
57,000 job loss by 2003
30 % of Office Space lost in NY
25 %: outage of over 8 hours (since 1997)
• several high profile
Quick Facts
DISASTERS
ATHENA
People
Information Technology
Facilities
Connectivity
Supply Chain
Maintaining the Business
THE FIVE CRITICAL POINTS
ATHENA
Outages
THE ENEMY OF BUSINESS CONTINUANCE
Unplanned
Outages
13%
ATHENA
Planned
Outages
Find/SVP, 2001
87%
Definitions - BC and DR
ACHIEVING 24 x 7 (X 365) AVAILABILITY
Business Continuance (BC)
Disaster Recovery (DR)
ATHENA
Meta Group, 2002
Insurance ??
30 % Never Re-Open
29 % Out within Two years
Insurance ??
6% Survive Massive Data Loss
University of Texas, 2001
Outages are Far Reaching
BROAD RANGE OF EFFECTS
Lost revenue
Business
interruption
E-commerce down
Applications down
Lost billings records
Lost business information
Used against you
Lost business
Lost market share
Higher expenses
Opportunity Costs
End-users cannot do their jobs
IT operations disrupted
Customers cannot access data
Suppliers cannot complete
service
Higher phone volume
Lost orders
Customer care calls
disconnected
ATHENA
Competitiveness
Litigation
Company
reputation
Customer perception
Investor uncertainty
Lender uncertainty
Hiring slowdown
Employee turnover
Impact to brand and image
Investor filings
Supplier misunderstandings
Customer contracts unmet
Service levels unmet
Who Owns BC ?
BUSINESS OWNERSHIP / IT FACILITATION
ATHENA
By 2002, 30% of Global 2000’s IT organisations (where no plan
exists) will initiate BC projects in unison with business units
By 2005, BC will account for 5+ % of IT budgets
Meta Group, 2001
Typically BC is integrated into IT planning
Typically DR is ad-hoc and not integrated
• DR is often a “company secret”
Facilitation of BC and DR
INTEGRATING DR INTO IT
ATHENA
Power failure
• Remember local utility crises
Telecommunications failure
Natural Disaster
Terrorist / political threat
Cyber-attack
• virus, firewall breaches, disgruntled employees
Disasters
THEY DO HAPPEN
ATHENA
Where are my staff ?
Could you get your systems back running ?
Do you have an alternate location ?
Does a formal DR plan exist ? Tested ?
Would it be quick enough (RTO) ?
How much data would you lose (DRO) ?
Does it fulfil legal / statutory / contractual reqts ?
Does it have a business owner ? IT owner ?
Could your staff work from an alternate location ?
How about a similar loss for a partner / supplier?
Loss of Main Data Centre
BRIEF ASSESSMENT – BUSINESS SURVIVAL ?
ATHENA
Personnel – Roles / Accountability
Vital Records – electronic and hardcopy
Alternate Facilities
• Commercial / vendor / partner / internal
Redundant Infrastructure
• computing systems, utilities, networks, PABX
Documentation
• schedules, methods, contacts, etc
Testing
• regular, effective testing
Make plan concise, efficient and actionable
DR Plan - Key Elements
REQUIRES MULTIPLE RESOURCES
T $
ATHENA
PR
Business Objectives
Second business location
External DR supplier
External service provider
Sharing sites
Productive Protection
• turning DR into an active
asset
• common government DR
sites ?
DR Location
SHARING THE COSTS
Hot Site
Warm Site
Cold Site
ATHENA
Sites must not be affected by the same disaster
• power, networks, weather, utilities
Easy access to both
• staff access
• telco costs
• synchronous techniques
Cost
Available locations
How Far Away
A CLASSIC TRADE-OFF
ATHENA
Nearly All Mission Critical
LOT OF DATA DEPENDENCIES
Product or Service
Related Data
80% Essential
15% Support
5% Deferrable
Reality is:
ATHENA
Business Support
DataDeferrable Data
And data dependencies
are increasing
Essential data includes:
Major business appls AND
email, web systems, HR
Systems, billing, intranet,
future plans, electronic
records
Up to date personnel contact lists / calling trees
• multiple forms (home/office/mobile/pager/email)
• paper and electronic form
• potential use of outside service
• ensure HR systems are part of the DR plan
Keep staff informed
• contact phone point (ex-PABX), internet presence
Train personnel to react appropriately
• pressure for long work hours
• access to food, rest, ease of access (taxi / parking)
Availability of Contract staff
Personnel and Staff
YOUR MOST VALUABLE ASSET
ATHENA
Cover outages / failures of external suppliers
• infrastructure suppliers
• major service providers
Check service providers BC plans
Healthy relationships with service
providers was critical on Sept 11
Contingency Planning
FOR WHEN THINGS GO WRONG
ATHENA
September 11
• decision makers for declaring IT disaster pre-
determined
Crisis Mgmt is not just for IT disasters
Communication is critical (“Command Post”)
• internal personnel / family / friends
• public relations (company spokespeople)
• major clients / shareholders / suppliers
• maintain a “visible” business
• alternate physical mail site
• transportation
• evacuation
Crisis Management
ORGANISED EMERGENCY DECISION MAKING
ATHENA
Importance of electronic copies of key files
• copies of contracts
• copies of critical company documents
Ensure PC business data is backed up
Paper and PC Data
AVOIDING LOSS
ATHENA
Summary
WOULD YOUR BUSINESS SURVIVE ?
ATHENA
Ask Yourself:
What Do I Do Now ?