Chapter 12 - Policies and disaster recovery. The main contents of this chapter include all of the following: Policies and procedures, privilege management, education and documentation, communication, disaster recovery, business continuity.
Chapter 12 Policies and Disaster Recovery
ATHENA

Objective in this chapter
• Policies and Procedures
• Privilege Management
• Education and Documentation
• Communication
• Disaster Recovery
• Business Continuity

Introduction
• Policies, procedures, documentation, and disaster recovery are some of the most important parts of a Security Analyst’s job
• Privilege management allows you to control access through various methods, and is a primary feature of good security
• Education and documentation are two extremely important topics as part of security
• Business continuity and disaster recovery is a fundamental part of any security infrastructure

Policies and Procedures
• Address concerns and identify risks
• Consist of a series of steps that inform someone how to perform a task and/or deal with a problem
• Creating policies and procedures requires answering questions:
  • Who and Where?
  • What?
  • When?
  • Why?
  • How?

Policies and Procedures (cont.)
• Security Policies
  • Restricted Access Policies
  • Workstation Security Policies
  • Physical Security Policies
• Acceptable use policies
• Due Care
• Privacy
• Separation of Duties
• Need to know
• Password Management
  • Strong passwords
  • Password changes and Restrictions
  • Using passwords as part of a multifaceted Security System
  • Administrator Accounts

Policies and Procedures (cont.)
• SLA (Service Level Agreements)
• Disposal/Destruction
• HR Policy
• Incident Response Policy

Communication
• Internal or Internet mail
• Phone systems
• Papers
• Private/public web sites
• Public folders
• Instant Messaging and live chat
• …

Privilege Management
• User/Group/Role Management
• Single Sign-on
• Centralized versus decentralized
• Auditing: process of monitoring and examining items to determine if problems exist
  • Privilege
  • Usage
  • Escalation
• MAC/DAC/RBAC

Education and Documentation
• User Awareness
• Education
• Online Resources
• Documentation
  • Standards and guidelines
  • System Architecture
  • Change Documentation
  • Logs and Inventories
  • Classification
  • Notification
  • Retention/Storage
  • Destruction

Disaster Recovery
Overview:
• What is Disaster Recovery (DR)?
• Importance of DR
• Risk Analysis
• Business Impact Analysis
• Creating a DR plan
• Scenario Examples

Definitions - BC and DR
ACHIEVING 24 x (X 365) AVAILABILITY
• Business Continuance (BC): Insurance ??
• Disaster Recovery (DR): Insurance ??
• 30 % Never Re-Open
• 29 % Out within Two years
  Meta Group, 2002
• 6% Survive Massive Data Loss
  University of Texas, 2001

Outages are Far Reaching
BROAD RANGE OF EFFECTS
• E-commerce down
• Applications down
• Lost revenue
• Used against you
• Suppliers cannot complete
• Business interruption
• Lost business
• Lost market share
• Higher expenses
• Opportunity Costs
• IT operations disrupted
• Customers cannot access data
• Lost billing records
• Lost business information
• End-users cannot do their jobs
• service
• Higher phone volume
• Lost orders
• Customer care calls disconnected
• Competitiveness
• Investor filings
• Customer perception
• Litigation
• Supplier misunderstandings
• Investor uncertainty
• Customer contracts unmet
• Lender uncertainty
• Service levels unmet
• Hiring slowdown
• Employee turnover
• Impact to brand and image
• Company reputation

Who Owns BC?
BUSINESS OWNERSHIP / IT FACILITATION
• By 2002, 30% of Global 2000’s IT organisations (where no plan exists) will initiate BC projects in unison with business units
• By 2005, BC will account for 5+ % of IT budgets
  Meta Group, 2001

Facilitation of BC and DR
INTEGRATING DR INTO IT
• Typically BC is integrated into IT planning
• Typically DR is ad-hoc and not integrated
  • DR is often a “company secret”

Disasters
THEY DO HAPPEN
• Power failure
  • Remember local utility crises
• Telecommunications failure
• Natural Disaster
• Terrorist / political threat
• Cyber-attack
  • virus, firewall breaches, disgruntled employees

Loss of Main Data Centre
BRIEF ASSESSMENT – BUSINESS SURVIVAL?
• Where are my staff?
• Could you get your systems back running?
• Do you have an alternate location?
• Does a formal DR plan exist? Tested?
• Would it be quick enough (RTO)?
• How much data would you lose (DRO)?
• Does it fulfil legal / statutory / contractual requirements?
• Does it have a business owner? IT owner?
• Could your staff work from an alternate location?
• How about a similar loss for a partner / supplier?

DR Plan - Key Elements
REQUIRES MULTIPLE RESOURCES
• Personnel – Roles / Accountability
• Vital Records – electronic and hardcopy
• Alternate Facilities
  • Commercial / vendor / partner / internal
• Redundant Infrastructure
  • computing systems, utilities, networks, PABX
• Documentation
  • schedules, methods, contacts, etc.
• Testing
  • regular, effective testing
• Business Objectives
• Make plan concise, efficient and actionable

DR Location
SHARING THE COSTS
• Second business location
• External DR supplier
• External service provider
• Sharing sites
  • common government DR sites?
• Productive Protection
  • turning DR into an active asset
• Hot Site, Warm Site, Cold Site

How Far Away
A CLASSIC TRADE-OFF
• Sites must not be affected by the same disaster
  • power, networks, weather, utilities
• Easy access to both
  • staff access
  • telco costs
  • synchronous techniques
• Cost
• Available locations

Nearly All Mission Critical
LOT OF DATA DEPENDENCIES
Reality is:
• Product or Service Related Data: 80% Essential
• Business Support Data: 15% Support
• Deferrable Data: 5% Deferrable
And data dependencies are increasing …
Essential data includes: major business applications AND email, web systems, HR systems, billing, intranet, future plans, electronic records…

Personnel and Staff
YOUR MOST VALUABLE ASSET
• Up to date personnel contact lists / calling trees
  • multiple forms (home/office/mobile/pager/email)
  • paper and electronic form
  • potential use of outside service
  • ensure HR systems are part of the DR plan
• Keep staff informed
  • contact phone point (ex-PABX), internet presence
• Train personnel to react appropriately
  • pressure for long work hours
  • access to food, rest, ease of access (taxi / parking)
• Availability of Contract staff

Contingency Planning
FOR WHEN THINGS GO WRONG
• Cover outages / failures of external suppliers
  • infrastructure suppliers
  • major service providers
• Check service providers’ BC plans
• Healthy relationships with service providers were critical on Sept 11

Crisis Management
ORGANISED EMERGENCY DECISION MAKING
• September 11
  • decision makers for declaring IT disaster predetermined
• Crisis Mgmt is not just for IT disasters
• Communication is critical (“Command Post”)
  • internal personnel / family / friends
  • public relations (company spokespeople)
  • major clients / shareholders / suppliers
  • maintain a “visible” business
  • alternate physical mail site
  • transportation
  • evacuation

Paper and PC Data
AVOIDING LOSS
• Importance of electronic copies of key files
  • copies of contracts
  • copies of critical company documents
• Ensure PC business data is backed up

Summary
WOULD YOUR BUSINESS SURVIVE?
Ask Yourself: What Do I Do Now?

... costs
• Public Image

Creating a DR plan
• Budgeting and resources available
  • Capital budget
  • Personnel
  • Equipment
  • Vendors
  • Consultants
• Management Buy-in

Creating DR plan...

What business is disrupted? How?
• Restore operations
• Post-Mortem Analysis
• Revise DR plan

Disaster Recovery: Critical Points
• Importance varies – evaluate your site!
• Analyze