IT 2042 Information Security 4-1

Transcription

1 IT 2042 Infrmatin Security 4-1 UNIT IV LOGICAL DESIGN Blueprint fr Security, Infrmatin Security plicy, Standards and Practices, ISO 17799/BS 7799, NIST Mdels, VISA Internatinal Security Mdel, Design f Security Architecture, Planning fr Cntinuity. Planning fr Security - Creatin f infrmatin security prgram begins with creatin and/r review f rganizatin s infrmatin security plicies, standards, and practices Then, selectin r creatin f infrmatin security architecture and the develpment and use f a detailed infrmatin security blueprint creates plan fr future success Security educatin and training t successfully implement plicies and ensure secure envirnment Why Plicy? A quality infrmatin security prgram begins and ends with plicy Plicies are least expensive means f cntrl and ften the mst difficult t implement Sme basic rules must be fllwed when shaping a plicy: Never cnflict with law Stand up in curt Prperly supprted and administered Cntribute t the success f the rganizatin Invlve end users f infrmatin systems Definitins Plicy: curse f actin used by an rganizatin t cnvey instructins frm management t thse wh perfrm duties Organizatinal rules fr acceptable/unacceptable behavir Penalties fr vilatins Appeals prcess Standards: mre detailed statements f what must be dne t cmply with plicy Practices, prcedures and guidelines effectively explain hw t cmply with plicy Fr a plicy t be effective it must be Prperly disseminated Read Understd Agreed t by all members f rganizatin

2 IT 2042 Infrmatin Security 4-2 Types f Plicies Enterprise infrmatin Security prgram Plicy(EISP) Issue-specific infrmatin Security Plicy ( ISSP) Systems-specific infrmatin Security Plicy (SysSP) Enterprise Infrmatin Security Plicy (EISP) Als Knwn as a general Security plicy, IT security plicy, r infrmatin security plicy. Sets strategic directin, scpe, and tne fr all security effrts within the rganizatin Assigns respnsibilities t varius areas f infrmatin security Guides develpment, implementatin, and management f infrmatin security prgram Issue-Specific Security Plicy (ISSP) The ISSP: Addresses specific areas f technlgy Requires frequent updates Cntains statement n psitin n specific issue Appraches t creating and managing ISSPs: Create number f independent ISSP dcuments

3 IT 2042 Infrmatin Security 4-3 Create a single cmprehensive ISSP dcument Create a mdular ISSP dcument ISSP tpics culd include: , use f Web, cnfiguratins f cmputers t defend against wrms and viruses, prhibitins against hacking r testing rganisatin security cntrls, hme use f cmpany-wned cmputer equipment, use f persnal equipment n cmpany netwrks, use f telecmmunicatins technlgies(fax and phne), use f phtcpiers Cmpnents f the ISSP Statement f Plicy Scpe and Applicability Definitin f Technlgy Addressed Respnsibilities Authrized Access and Usage f Equipment User Access Fair and Respnsible Use Prtectin f Privacy Prhibited Usage f Equipment Disruptive Use r Misuse Criminal Use Offensive r Harassing Materials Cpyrighted, Licensed r ther Intellectual Prperty Other Restrictins Systems Management Management f Stred Materials Emplyer Mnitring Virus Prtectin Physical Security Encryptin Vilatins f Plicy Prcedures fr Reprting Vilatins Penalties fr Vilatins Plicy Review and Mdificatin Scheduled Review f Plicy and Prcedures fr Mdificatin Limitatins f Liability Statements f Liability r Disclaimers Systems-Specific Plicy (SysSP) SysSPs are frequently cdified as standards and prcedures t be used when cnfiguring r maintaining systems Systems-specific plicies fall int tw grups: Access cntrl lists (ACLs) cnsist f the access cntrl lists, matrices, and capability tables gverning the rights and privileges f a particular user t a particular system Cnfiguratin rules cmprise the specific cnfiguratin cdes entered int security systems t guide the executin f the system

4 IT 2042 Infrmatin Security 4-4 ACL Plicies Bth Micrsft Windws NT/2000 and Nvell Netware 5.x/6.x families f systems translate ACLs int sets f cnfiguratins that administratrs use t cntrl access t their respective systems ACLs allw a cnfiguratin t restrict access frm anyne and anywhere ACLs regulate: Wh can use the system What authrized users can access When authrized users can access the system Where authrized users can access the system frm Hw authrized users can access the system The Infrmatin Security Blueprint It is the basis fr the design, selectin, and implementatin f all security plicies, educatin and training prgrams, and technlgical cntrls. Mre detailed versin f security framewrk, which is an utline f verall infrmatin security strategy fr rganizatin and a rad map fr planned changes t the infrmatin security envirnment f the rganizatin. Shuld specify tasks t be accmplished and the rder in which they are t be realized. Shuld als serve as a scalable, upgradeable, and cmprehensive plan fr the infrmatin security needs fr cming years. Security Mdels ISO 17799/BS 7799 One f the mst widely referenced and ften discussed security mdels is the Infrmatin Technlgy Cde f Practice fr Infrmatin Security Management, which was riginally published as British Standard BS 7799 In 2000, this Cde f Practice was adpted as an internatinal standard framewrk fr infrmatin security by the Internatinal Organizatin fr Standardizatin (ISO) and the Internatinal Electrtechnical Cmmissin (IEC) as ISO/IEC Drawbacks f ISO 17799/BS 7799 Several cuntries have nt adpted claiming there are fundamental prblems: The glbal infrmatin security cmmunity has nt defined any justificatin fr a cde f practice as identified in the ISO/IEC lacks the necessary measurement precisin f a technical standard There is n reasn t believe that is mre useful than any ther apprach currently available

5 IT 2042 Infrmatin Security is nt as cmplete as ther framewrks available is perceived t have been hurriedly prepared given the tremendus impact its adptin culd have n industry infrmatin security cntrls Objectives f ISO Organizatinal Security Plicy is needed t prvide management directin and supprt. Ten Sectins f ISO/IEC a. Organizatinal Security Plicy b. Organizatinal Security Infrastructure c. Asset Classificatin and Cntrl d. Persnnel Security e. Physical and Envirnmental Security f. Cmmunicatins and Operatins Management g. System Access Cntrl h. System Develpment and Maintenance i. Business Cntinuity Planning j. Cmpliance Alternate Security Mdels available ther than ISO 17799/BS 7799 NIST Security Mdels This refers t The Natinal Security Telecmmunicatins and Infrmatin systems Security Cmmittee dcument. This dcument presents a cmprehensive mdel fr infrmatin security. The mdel cnsists f three dimensins. Anther pssible apprach available is described in the many dcuments available frm the Cmputer Security Resurce Center f the Natinal Institute fr Standards and Technlgy (csrc.nist.gv). The fllwing NIST dcuments can assist in the design f a security framewrk: NIST SP : An Intrductin t Cmputer Security: The NIST Handbk NIST SP : Generally Accepted Security Principles and Practices fr Securing IT Systems NIST SP : The Guide fr Develping Security Plans fr IT Systems NIST SP : Security Self-Assessment Guide fr IT systems. NIST SP : Risk Management fr IT systems. NIST Special Publicatin SP SP is an excellent reference and guide fr the security manager r administratr in the rutine management f infrmatin security.

6 IT 2042 Infrmatin Security 4-6 It prvides little guidance, hwever, n design and implementatin f new security systems, and therefre shuld be used nly as a valuable precursr t understanding an infrmatin security blueprint. NIST Special Publicatin SP Generally accepted Principles and practices fr Security Infrmatin Technlgy Systems. Prvides best practices and security principles that can direct the security team in the develpment f Security Blue Print. The scpe f NIST SP is brad. It is imprtant t cnsider each f the security principles it presents, and therefre the fllwing sectins examine sme f the mre significant pints in mre detail: Security Supprts the Missin f the Organizatin Security is an Integral Element f Sund Management Security Shuld Be Cst-Effective Systems Owners Have Security Respnsibilities Outside Their Own Organizatins Security Respnsibilities and Accuntability Shuld Be Made Explicit Security Requires a Cmprehensive and Integrated Apprach Security Shuld Be Peridically Reassessed Security is Cnstrained by Scietal Factrs 33 Principles enumerated NIST SP The Guide fr Develping Security plans fr Infrmatin Technlgy Systems can be used as the fundatin fr a cmprehensive security blueprint and framewrk. It prvides detailed methds fr assessing, and implementing cntrls and plans fr applicatins f varying size. It can serve as a useful guide t the activities and as an aid in the planning prcess. It als includes templates fr majr applicatin security plans. The table f cntents fr Publicatin is presented in the fllwing. System Analysis - System Bundaries - Multiple similar systems - System Categries Plan Develpment- All Systems - Plan cntrl - System identificatin - System Operatinal status - System Intercnnectin/ Infrmatin Sharing - Sensitivity f infrmatin handled - Laws, regulatins and plicies affecting the system Management Cntrls Risk Assessment and Management

7 IT 2042 Infrmatin Security 4-7 Review f Security Cntrls Rules f behavir Planning fr security in the life cycle Authrizatin f Prcessing (Certificatin and Accreditatin) System Security Plan Operatinal Cntrls 1. Persnnel Security 2. Physical Security 3. Prductin, Input/Output Cntrls 4. Cntingency Planning 5. Hardware and Systems Sftware 6. Data Integrity 7. Dcumentatin 8. Security Awareness, Training, and Educatin 9. Incident Respnse Capability Technical Cntrls Identificatin and Authenticatin Lgical Access Cntrls Audit Trails NIST SP : Security Self-Assessment Guide fr IT systems NIST SP Table f cntents Management Cntrls 1. Risk Management 2. Review f Security Cntrls 3. Life Cycle Maintenance 4. Authrizatin f Prcessing (Certificatin and Accreditatin) 5. System Security Plan Operatinal Cntrls 6. Persnnel Security 7. Physical Security 8. Prductin, Input/Output Cntrls 9. Cntingency Planning 10. Hardware and Systems Sftware 11. Data Integrity 12. Dcumentatin 13. Security Awareness, Training, and Educatin 14. Incident Respnse Capability Technical Cntrls 15. Identificatin and Authenticatin 16. Lgical Access Cntrls 17. Audit Trails Management cntrls address the design and implementatin f the security planning prcess and security prgram management. They als address risk management and security cntrl reviews. They further describe the necessity and scpe f legal cmpliance and the maintenance f the entire security life cycle.

8 IT 2042 Infrmatin Security 4-8 Operatinal cntrls deal with the peratinal functinality f security in the rganizatin. They include management functins and lwer level planning, such as disaster recvery and incident respnse planning. They als address persnnel security, physical security, and the prtectin f prductin inputs and utputs. They guide the develpment f educatin, training and awareness prgrams fr users, administratrs, and management. Finally, they address hardware and sftware systems maintenance and the integrity f data. Technical cntrls address the tactical and technical issues related t designing and implementing security in the rganizatin, as well as issues related t examining and selecting the technlgies apprpriate t prtecting infrmatin. They address the specifics f technlgy selectin and the acquisitin f certain technical cmpnents. They als include lgical access cntrls, such as identificatin, authenticatin, authrizatin, and accuntability. They cver cryptgraphy t prtect infrmatin in strage and transit. Finally, they include the classificatin f assets and users, t facilitate the authrizatin levels needed. Using the three sets f cntrls, the rganizatin shuld be able t specify cntrls t cver the entire spectrum f safeguards, frm strategic t tactical, and frm managerial t technical. VISA Internatinal Security Mdel It prmtes strng security measures in its business assciates and has established guidelines fr the security f its infrmatin systems. It has develped tw imprtant dcuments 1. Security Assessment Prcess 2. Agreed Upn Prcedures. Bth dcuments prvide specific instructins n the use f the VISA Cardhlder Infrmatin Security Prgram. The Security Assessment Prcess dcument is a series f recmmendatins fr the detailed examinatin f an rganizatin s systems with the eventual gal f integratin int the VISA systems. The Agreed upn Prcedures dcument utlines the plicies and technlgies required fr security systems that carry the sensitive card hlder infrmatin t and frm VISA systems. Using the tw dcuments, a security team can develp a sund strategy fr the design f gd security architecture. The nly dwnside t this apprach is the specific fcus n systems that can r d integrate with VISA s systems with the explicit purpse f carrying the afrementined cardhlder infrmatin. Baselining & Best Business Practices Baselining and best practices are slid methds fr cllecting security practices, but prvide less detail than a cmplete methdlgy Pssible t gain infrmatin by baselining and using best practices and thus wrk backwards t an effective design

9 IT 2042 Infrmatin Security 4-9 The Federal Agency Security Practices (FASP) site (fasp.nist.gv) designed t prvide best practices fr public agencies and adapted easily t private institutins. The dcuments fund in this site include specific examples f key plicies and planning dcuments, implementatin strategies fr key technlgies, and psitin descriptins fr key security persnnel. Of particular value is the sectin n prgram management, which includes the fllwing: - A summary guide: public law, executive rders, and plicy dcuments - Psitin descriptin fr cmputer system security fficer. - Psitin descriptin fr infrmatin security fficer - Psitin descriptin fr cmputer specialist. - Sample f an infrmatin technlgy(it) security staffing plan fr a large service applicatin(lsa) - Sample f an infrmatin technlgy(it) security prgram plicy - Security handbk and standard perating prcedures. - Telecmmuting and mbile cmputer security plicy. Hybrid Framewrk fr a Blueprint f an Infrmatin Security System -The framewrk f security includes philsphical cmpnents f the Human Firewall Prject, which maintain that peple, nt technlgy, are the primary defenders f infrmatin assets in an infrmatin security prgram, and are uniquely respnsible fr their prtectin. - The spheres f security are the fundatin f the security framewrk. - The sphere f use, at the left in fig, explains the ways in which peple access infrmatin; fr example, peple read hard cpies f dcuments and can als access infrmatin thrugh systems. - The sphere f prtectin at the right illustrates that between each layer f the sphere f use there must exist a layer f prtectin t prevent access t the inner layer frm the uter layer. - Each shaded band is a layer f prtectin and cntrl. Sphere f Prtectin The sphere f prtectin verlays each f the levels f the sphere f use with a layer f security, prtecting that layer frm direct r indirect use thrugh the next layer The peple must becme a layer f security, a human firewall that prtects the infrmatin frm unauthrized access and use Infrmatin security is therefre designed and implemented in three layers plicies peple (educatin, training, and awareness prgrams) technlgy

10 IT 2042 Infrmatin Security 4-10 As illustrated in the sphere f prtectin, a variety f cntrls can be used t prtect the infrmatin. The items f cntrl shwn in the figure are nt intended t be cmprehensive but rather illustrate individual safeguards that can prtect the varius systems that are lcated clser t the center f the sphere. Hwever, because peple can directly access each ring as well as the infrmatin at the cre f the mdel, the side f the sphere f prtectin that attempt t cntrl access by relying n peple requires a different apprach t security than the side that uses technlgy. Design f Security Architecture Defense in Depth - One f the basic fundatins f security architectures is the implementatin f security in layers. This layered apprach is called defense in depth. - Defense in depth requires that the rganizatin establish sufficient security cntrls and safeguards, s that an intruder faces multiple layers f cntrls. -These layers f cntrl can be rganized int plicy, training and educatin and technlgy as per the NSTISSC mdel. - While plicy itself may nt prevent attacks, they cupled with ther layers and deter attacks.

11 IT 2042 Infrmatin Security Training and Educatin are similar. - Technlgy is als implemented in layers, with detectin equipment, all perating behind access cntrl mechanisms. - Implementing multiple types f technlgy and thereby preventing the failure f ne system frm cmprmising the security f the infrmatin is referred t as redundancy. - Redundancy can be implemented at a number f pints thrughut the security architecture, such as firewalls, prxy servers, and access cntrls. - The figure shws the use f firewalls and intrusin detectin systems(ids) that use bth packet-level rules and data cntent analysis. Security Perimeter A Security Perimeter is the first level f security that prtects all internal systems frm utside threats. Unfrtunately, the perimeter des nt prtect against internal attacks frm emplyee threats, r n-site physical threats. Security perimeters can effectively be implemented as multiple technlgies that segregate the prtected infrmatin frm thse wh wuld attack it. Within security perimeters the rganizatin can establish security dmains, r areas f trust within which users can freely cmmunicate. The presence and nature f the security perimeter is an essential element f the verall security framewrk, and the details f implementing the perimeter make up a great deal f the particulars f the cmpleted security blueprint.

12 IT 2042 Infrmatin Security 4-12 The key cmpnents used fr planning the perimeter are presented in the fllwing sectins n firewalls, DMZs, prxy servers, and intrusin detectin systems. Key Technlgy Cmpnents Other key technlgy cmpnents A firewall is a device that selectively discriminates against infrmatin flwing int r ut f the rganizatin. Firewalls are usually placed n the security perimeter, just behind r as part f a gateway ruter. Firewalls can be packet filtering, stateful packet filtering, prxy, r applicatin level. A Firewall can be a single device r a firewall subnet, which cnsists f multiple firewalls creating a buffer between the utside and inside netwrks. The DMZ (demilitarized zne) is a n-man s land, between the inside and utside netwrks, where sme rganizatins place Web servers These servers prvide access t rganizatinal web pages, withut allwing Web requests t enter the interir netwrks. Prxy server- An alternative apprach t the strategies f using a firewall subnet r a DMZ is t use a prxy server, r prxy firewall. When an utside client requests a particular Web page, the prxy server receives the request as if it were the subject f the request, then asks fr the same infrmatin frm the true Web server(acting as a prxy fr the requestr), and then respnds t the request as a prxy fr the true Web server.

13 IT 2042 Infrmatin Security 4-13 Fr mre frequently accessed Web pages, prxy servers can cache r temprarily stre the page, and thus are smetimes called cache servers. Intrusin Detectin Systems (IDSs). In an effrt t detect unauthrized activity within the inner netwrk, r n individual machines, an rganizatin may wish t implement Intrusin Detectin Systems r IDS. IDs cme in tw versins. Hst-based & Netwrk-based IDSs. Hst-based IDSs are usually installed n the machines they prtect t mnitr the status f varius files stred n thse machines. Netwrk-based IDSs lk at patterns f netwrk traffic and attempt t detect unusual activity based n previus baselines. This culd include packets cming int the rganizatin s netwrks with addresses frm machines already within the rganizatin (IP spfing). It culd als include high vlumes f traffic ging t utside addresses (as in cases f data theft) r cming int the netwrk (as in a denial f service attack). Bth hst-and netwrk based IDSs require a database f previus activity.

14 IT 2042 Infrmatin Security 4-14 Security Educatin, Training, and Awareness Prgram As sn as general security plicy exists, plicies t implement security educatin, training and awareness (SETA) prgram shuld fllw. SETA is a cntrl measure designed t reduce accidental security breaches by emplyees. Security educatin and training builds n the general knwledge the emplyees must pssess t d their jbs, familiarizing them with the way t d their jbs securely The SETA prgram cnsists f three elements: security educatin; security training; and security awareness The purpse f SETA is t enhance security by: - Imprving awareness f the need t prtect system resurces. - Develping skills and knwledge s cmputer users can perfrm their jbs mre securely. - Building in-depth knwledge, as needed, t design, implement, r perate security prgrams fr rganizatins and systems. Security Educatin Everyne in an rganizatin needs t be trained and aware f infrmatin security, but nt every member f the rganizatin needs a frmal degree r certificate in infrmatin security. A number f universities have frmal cursewrk in infrmatin security. Fr thse interested in researching frmal infrmatin security prgrams, there are resurces available, such as the NSA-identified Centers f Excellence in Infrmatin Assurance Educatin.

15 IT 2042 Infrmatin Security 4-15 Security Training It invlves prviding members f the rganizatin with detailed infrmatin and hands-n instructin t prepare them t perfrm their duties securely. Management f infrmatin security can develp custmized in-huse training r utsurce the training prgram. Security Awareness One f the least frequently implemented, but mst beneficial prgrams is the security awareness prgram Designed t keep infrmatin security at the frefrnt f users minds Need nt be cmplicated r expensive If the prgram is nt actively implemented, emplyees may begin t tune ut and risk f emplyee accidents and failures increases Cntingency Planning (CP) Cntingency Planning (CP) cmprises a set f plans designed t ensure the effective reactin and recvery frm an attack and the subsequent restratin t nrmal mdes f business peratins. Organizatins need t develp disaster recvery plans, incident respnse plans, and business cntinuity plans as subsets f an verall CP. An incident respnse plan (IRP) deals with the identificatin, classificatin, respnse, and recvery frm an incident, but if the attack is disastrus(e.g., fire, fld, earthquake) the prcess mves n t disaster recvery and BCP A disaster recvery plan (DRP) deals with the preparatin fr and recvery frm a disaster, whether natural r man-made and it is clsely assciated with BCP. A Business cntinuity plan (BCP) ensures that critical business functins cntinue, if a catastrphic incident r disaster ccurs. BCP ccurs cncurrently with DRP when the damage is majr r lng term, requiring mre than simple restratin f infrmatin and infrmatin resurces. Cmpnents f Cntingency Planning Cntingency Planning Incident Respnse Plan Disaster recvery Business cntinuity

16 IT 2042 Infrmatin Security 4-16 There are six steps t cntingency planning. They are 1. Identifying the missin-r business-critical functins, 2. Identifying the resurces that supprt the critical functins, 3. Anticipating ptential cntingencies r disasters, 4. Selecting cntingency planning strategies, 5. Implementing the cntingencies strategies, 6. and Testing and revising the strategy. Incident respnse plan (IRP) It is the set f activities taken t plan fr, detect, and crrect the impact f an incident n infrmatin assets. IRP cnsists f the fllwing 4 phases: 1. Incident Planning 2. Incident Detectin 3. Incident Reactin 4. Incident Recvery Incident Planning -Planning fr an incident is the first step in the verall prcess f incident respnse planning. - The planners shuld develp a set f dcuments that guide the actins f each invlved individual wh reacts t and recvers frm the incident. - These plans must be prperly rganized and stred t be available when and where needed, and in a useful frmat. Incident Detectin -Incident Detectin relies n either a human r autmated system, which is ften the help desk staff, t identify an unusual ccurrence and t classify it prperly as an incident. - The mechanisms that culd ptentially detect an incident include intrusin detectin systems (bth hst-based and netwrk based), virus detectin sftware, systems administratrs, and even end users. - Once an attack is prperly identified, the rganizatin can effectively execute the crrespnding prcedures frm the IR plan. Thus, incident classificatin is the prcess f examining a ptential incident, r incident candidate, and determining whether r nt the candidate cnstitutes an actual incident. - Incident Indicatrs- There is a number f ccurrences that culd signal the presence f an incident candidate. - Dnald Pipkin, an IT security expert, identifies three categries f incident indicatrs: Pssible, Prbable, and Definite Indicatrs. -Pssible Indicatrs- There are 4 types f pssible indicatrs f events,they are, 1. Presence f unfamiliar files. 2. Presence r executin f unknwn prgrams r prcesses. 3. Unusual cnsumptin f cmputing resurces 4. Unusual system crashes

17 IT 2042 Infrmatin Security Prbable Indicatrs- The fur types f prbable indicatrs f incidents are 1. Activities at unexpected times. 2. Presence f new accunts 3. Reprted attacks 4. Ntificatin frm IDS Definite Indicatrs- The five types f definite indicatrs f incidents are 1. Use f Drmant accunts 2. Changes t lgs 3. Presence f hacker tls 4. Ntificatins by partner r peer 5. Ntificatin by hacker Incident Reactin It cnsists f actins utlined in the IRP that guide the rganizatin in attempting t stp the incident, mitigate the impact f the incident, and prvide infrmatin fr recvery frm the incident. These actins take place as sn as the incident itself is ver. In reacting t the incident there are a number f actins that must ccur quickly, including ntificatin f key persnnel and dcumentatin f the incident. These must have been priritized and dcumented in the IRP fr quick use in the heat f the mment. Incident Recvery The recvery prcess invlves much mre than the simple restratin f stlen, damaged, r destryed data files. It invlves the fllwing steps. 1. Identify the Vulnerabilities 2. Address the safeguards. 3. Evaluate mnitring capabilities 4. Restre the data frm backups. 5. Restre the services and prcesses in use. 6. Cntinuusly mnitr the system 7. Restre the cnfidence f the members f the rganizatin s cmmunities f interest. Disaster Recvery Plan (DRP) DRP prvides detailed guidance in the event f a disaster and als prvides details n the rles and respnsibilities f the varius individuals invlved in the disaster recvery effrt, and identifies the persnnel and agencies that must be ntified. At a minimum, the DRP must be reviewed during a walk-thrugh r talkthrugh n a peridic basis. Many f the same precepts f incident respnse apply t disaster recvery: 1. There must be a clear establishment f pririties 2. There must be a clear delegatin f rles and respnsibilities 3. Smene must initiate the alert rster and ntify key persnnel. 4. Smene must be tasked with the dcumentatin f the disaster. 5. If and nly if it is pssible, attempts must be made t mitigate the impact f the disaster n the peratins f the rganizatin.

18 IT 2042 Infrmatin Security 4-18 Business Cntinuity Plan (BCP) It prepares an rganizatin t reestablish critical business peratins during a disaster that affects peratins at the primary site. If a disaster has rendered the current lcatin unusable fr cntinued peratins, there must be a plan t allw the business t cntinue t functin. Develping Cntinuity Prgrams Once the incident respnse plans and disaster recvery plans are in place, the rganizatin needs t cnsider finding temprary facilities t supprt the cntinued viability f the business in the event f a disaster. The develpment f the BCP is simpler than that f the IRP and DRP,in that it cnsists f selecting a cntinuity strategy and integrating the ff-site data strage and recvery functins int this strategy. Cntinuity Strategies There are a number f strategies frm which an rganizatin can chse when planning fr business cntinuity. The determining factr in selectin between these ptins is usually cst. In general there are three exclusive ptins: Ht sites, Warm Sites, and Cld sites; and three shared functins: Time-share, Service bureaus, and Mutual Agreements. Ht sites: A ht site is a fully cnfigured facility, with all services, cmmunicatins links, and physical plant peratins including heating and air cnditining. It is the pinnacle f cntingency planning, a duplicate facility that needs nly the latest data backups and the persnnel t functin as a fully peratinal twin f the riginal. Disadvantages include the need t prvide maintenance fr all the systems and equipment in the ht site, as well as physical and infrmatin security. Warm sites: A warm site includes cmputing equipment and peripherals with servers but nt client wrk statins. It has many f the advantages f a ht site, but at a lwer cst. Cld Sites: A cld site prvides nly rudimentary services and facilities, N cmputer hardware r peripherals are prvided. Basically a cld site is an empty rm with heating, air cnditining, and electricity. The main advantage f cld site is in the area f cst. Time-shares: It allws the rganizatin t maintain a disaster recvery and business cntinuity ptin, but at a reduced verall cst. The advantages are identical t the type f site selected(ht, warm, r cld). The disadvantages are the pssibility that mre than ne rganizatin invlved in the time share may need the facility simultaneusly and the need t stck the facility with the equipment and data frm all rganizatins invlved, the negtiatins fr arranging the timeshare, and assciated arrangements, shuld ne r mre parties decide t cancel the agreement r t sublease its ptins.

19 IT 2042 Infrmatin Security 4-19 Service bureaus: A service bureau is an agency that prvides a service fr a fee. In the case f disaster recvery and cntinuity planning, the service is the agreement t prvide physical facilities in the event f a disaster. These types f agencies als prvide ff-site data strage fr a fee. The disadvantage is that it is a service, and must be renegtiated peridically. Als, using a service bureau can be quite expensive. Mutual Agreements: A mutual agreement is a cntract between tw r mre rganizatins that specifies hw each will assist the ther in the event f a disaster. Review Questins 1. What is a plicy? 2. Explain hw infrmatin security plicy is implemented as prcedure? 3. What are the three types f security plicies? Explain. 4. What are ACL Plicies? 5. What is Infrmatin Security Blueprint? 6. Define ISO 17799/BS 7799 Standards and their drawbacks 7. What are the bjectives f ISO 17799? 8. What is the alternate Security Mdels available ther than ISO 17799/BS 7799? 9. Cmpare the Issues-Specific Security Plicy(ISSP) and System Specific Plicies (SysSP). 10. What is meant by Internatinal Security Mdel? 11. State the prs f VISA internatinal security mdel. 12. Describe NIST security mdels. 13. Explain NIST SP Explain NIST SP What is Sphere f prtectin? 16. What is Defense in Depth? 17. What is Security perimeter? 18. What are the key technlgical cmpnents used fr security implementatin? 19. Hw can a security framewrk assist in the design and implementatin f a security infrastructure? 20. Briefly describe management, peratinal, and technical cntrls, and explain when each wuld be applied as part f a security framewrk? 21. What is cntingency planning? What are the cmpnents f cntingency planning? 22. When is IRP used? 23. When is DRP used? 24. When is BCP used? Hw d yu determine when t use IRP, DRP, r BCP plans? 25. What are Pipkin s three categries f incident indicatrs? 26. List and describe the six cntinuity strategies. 27. Explain clearly abut spheres f security fr a blue print f an Infrmatin Security System. 28. List the styles f architecture security mdels. Discuss them in detail.