Best Damn IT Security Management Book Period (eBook)
960 pages
Elsevier Science (publisher)
978-0-08-055733-5 (ISBN)
The security field evolves rapidly, becoming broader and more complex each year. The common thread tying the field together is the discipline of management. The Best Damn Security Manager's Handbook Period has comprehensive coverage of all management issues facing IT and security professionals and is an ideal resource for those dealing with a changing daily workload.

Coverage includes Business Continuity, Disaster Recovery, Risk Assessment, Protection Assets, Project Management, Security Operations, Security Management, and Security Design & Integration.

Compiled from the best of the Syngress and Butterworth Heinemann libraries and authored by business continuity expert Susan Snedaker, this volume is an indispensable addition to a serious security professional's toolkit.

* An all-encompassing book, covering general security management issues and providing specific guidelines and checklists.
* Anyone studying for a security-specific certification or ASIS certification will find this a valuable resource.
* The only book to cover all major IT and security management issues in one place: disaster recovery, project management, operations management, and risk assessment.
Front Cover 1
The Best Damn IT Security Management Book Period 2
Copyright Page 4
About the Authors 6
Contents 14
Part 1: From Vulnerability to Patch 45
Chapter 1: Windows of Vulnerability 47
Introduction 48
What Are Vulnerabilities? 48
Understanding the Risks Posed by Vulnerabilities 53
Summary 57
Chapter 3: Vulnerability Assessment Tools 81
Introduction 82
Features of a Good Vulnerability Assessment Tool 82
Using a Vulnerability Assessment Tool 84
Step 1: Identify the Hosts on Your Network 86
Step 2: Classify the Hosts into Asset Groups 89
Step 3: Create an Audit Policy 90
Step 4: Launch the Scan 92
Step 5: Analyze the Reports 94
Step 6: Remediate Where Necessary 95
Summary 96
Chapter 4: Vulnerability Assessment: Step One 97
Introduction 98
Know Your Network 98
Classifying Your Assets 104
I Thought This Was a Vulnerability Assessment Chapter 107
Summary 110
Chapter 5: Vulnerability Assessment: Step Two 111
Introduction 112
An Effective Scanning Program 112
Scanning Your Network 113
When to Scan 119
Summary 123
Chapter 6: Going Further 125
Introduction 126
Types of Penetration Tests 126
Scenario: An Internal Network Attack 128
Client Network 128
Step 1: Information Gathering 130
Operating System Detection 131
Discovering Open Ports and Enumerating 132
Step 2: Determine Vulnerabilities 135
Setting Up the VA 136
Interpreting the VA Results 138
Penetration Testing 143
Step 3: Attack and Penetrate 144
Uploading Our Data 144
Attack and Penetrate 147
Searching the Web Server for Information 152
Discovering Web Services 153
Vulnerability Assessment versus a Penetration Test 158
Tips for Deciding between Conducting a VA or a Penetration Test 158
Internal versus External 159
Summary 162
Chapter 7: Vulnerability Management 163
Introduction 164
The Vulnerability Management Plan 164
The Six Stages of Vulnerability Management 165
Stage One: Identify 166
Stage Two: Assess 167
Stage Three: Remediate 168
Stage Four: Report 168
Stage Five: Improve 169
Stage Six: Monitor 170
Governance (What the Auditors Want to Know) 171
Measuring the Performance of a Vulnerability Management Program 172
Common Problems with Vulnerability Management 176
Summary 178
Chapter 8: Vulnerability Management Tools 179
Introduction 180
The Perfect Tool in a Perfect World 180
Evaluating Vulnerability Management Tools 181
Commercial Vulnerability Management Tools 183
eEye Digital Security 183
Symantec (BindView) 183
Attachmate (NetIQ) 184
StillSecure 184
McAfee 184
Open Source and Free Vulnerability Management Tools 185
Asset Management, Workflow, and Knowledgebase 185
Host Discovery 185
Vulnerability Scanning and Configuration Scanning 185
Configuration and Patch Scanning 186
Vulnerability Notification 186
Security Information Management 186
Managed Vulnerability Services 187
Summary 189
Chapter 9: Vulnerability and Configuration Management 191
Introduction 192
Patch Management 192
System Inventories 195
System Classification 196
System Baselines 197
Creating a Baseline 198
Baseline Example 199
The Common Vulnerability Scoring System 200
Building a Patch Test Lab 201
Establish a Patch Test Lab with "Sacrificial Systems" 201
Virtualization 201
Environmental Simulation 203
Patch Distribution and Deployment 205
Logging and Reporting 206
Configuration Management 206
Change Control 206
Summary 210
Chapter 10: Regulatory Compliance 211
Introduction 212
Regulating Assessments and Pen Tests 212
The Payment Card Industry (PCI) Standard 212
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) 214
The Sarbanes-Oxley Act of 2002 (SOX) 216
Compliance Recap 217
Drafting an Information Security Program 219
Summary 224
Chapter 11: Tying It All Together 225
Introduction 226
A Vulnerability Management Methodology 226
Step One: Know Your Assets 226
What You Need to Do 226
Why You Need to Do It 227
How to Do It 227
What Tools Exist to Help You Do It 229
Step Two: Categorize Your Assets 230
What You Need to Do 230
Why You Need to Do It 231
How to Do It 231
What Tools Exist to Help You Do It 232
Step Three: Create a Baseline Scan of Assets 232
What You Need to Do 232
Why You Need to Do It 233
How to Do It 233
What Tools Exist to Help You Do It 234
Step Four: Perform a Penetration Test on Certain Assets 234
What You Need to Do 234
Why You Need to Do It 235
How to Do It 235
What Tools Exist to Help You Do It 236
Step Five: Remediate Vulnerabilities and Risk 236
What You Need to Do 236
Why You Need to Do It 237
How to Do It 237
What Tools Exist to Help You Do It 238
Step Six: Create a Vulnerability Assessment Schedule 238
What You Need to Do 238
Why You Need to Do It 238
How to Do It 238
Step Seven: Create a Patch and Change Management Process 241
What You Need to Do 241
Why You Need to Do It 241
How to Do It 241
What Tools Exist to Help You Do It 242
Step Eight: Monitor for New Risks to Assets 242
What You Need to Do 242
Why You Need to Do It 242
How to Do It 242
What Tools Exist to Help You Do It 243
Part 2: Network Security Evaluation 245
Chapter 12: Introducing the INFOSEC Evaluation Methodology 247
Introduction 248
What Is the IEM? 248
Tying the Methodologies Together 249
What the IEM Is Not 253
The IEM Is Not an Audit or Inspection 255
The IEM Is Not a Risk Assessment 256
Standards and Regulations 256
Lack of Expertise 257
Certification Does Not Give You Expertise 258
Summary 259
Chapter 13: Before the Evaluation Starts 261
Introduction 262
The Evaluation Request 262
Why Are Evaluations Requested? 262
Compliance With Laws and Regulations 262
The Sarbanes-Oxley Act 262
Federal Information Security Management Act 262
Health Insurance Portability and Accountability Act of 1996 263
The Gramm-Leach-Bliley Act 263
The Family Educational Rights and Privacy Act 263
The DoD Information Technology Security Certification and Accreditation Process 263
The National Information Assurance Certification and Accreditation Process 263
Defense Information Assurance Certification and Accreditation Process 264
ISO 17799 264
The North American Electric Reliability Council 264
Response to Suspicious Activities 265
Recent Successful Penetration 265
Suspected Possible Penetration 265
Unsuccessful Penetration Attempt 265
"I Don't Know If Our Organization Has Been Penetrated" 266
Third-Party Independent Reviews of Security Posture 266
Customer-Required Reviews 266
Insurance-Required Reviews 266
SLA-Required Reviews 267
It's The Right Thing To Do 267
How Are Evaluations Requested? 267
Validating the Evaluation Request 268
Sources of Information for Validation 269
Validating with the Customer 269
The Engagement Scoping Questionnaire 269
Customer Discussions and Information Confirmation 270
Publicly Available Information 270
Understanding the Level of Effort 270
The Formal Engagement Agreement 271
Nondisclosure Agreements 271
Engagement Agreement Composition 271
Minimum Engagement Agreement Contents 272
Understanding the Pricing Options 273
Government Contracting 274
Commercial Contracting 274
Fixed Price vs. Hourly Rate 274
Additional Engagement Agreement Contents 275
Dealing with Contract Pitfalls 277
"Scope Creep" and Timelines 277
Uneducated Salespeople 278
Evaluations 101 278
Bad Assumptions 279
Assumption Topic Areas 279
Poorly Written Contracts 279
Poor Scope Definition 279
Underbid or Overbid: The Art of Poor Cost Estimating 280
Customer and Evaluation Team Approval 281
The Customer Approval Process 281
The Evaluation Team Approval Process 281
Summary 282
Chapter 14: Setting Expectations 283
Introduction 284
Objectives of the Pre-Evaluation Phase 284
Understanding Concerns and Constraints 286
What Are the Requirements? 286
Other Significant Regulations 287
Budgetary Concerns 288
Cyber-Insurance 289
System Accreditation 290
FISMA 290
DoD Information Technology Security Certification and Accreditation Process 291
National Information Assurance Certification and Accreditation Process 291
Defense Information Assurance Certification and Accreditation Process 291
Response to Suspected Threats or Intrusions 291
Obtaining Management Buy-In 293
Obtaining Technical Staff Buy-In 295
Establishing Points of Contact 296
Summary 298
Chapter 15: Scoping the Evaluation 301
Introduction 302
Focusing the Evaluation 302
The Power of Expectations 302
What Does the Customer Expect for Delivery? 303
Adjusting Customer Expectations 303
When Scoping Fails 304
"Scope Creep" and Time Lines 304
Restricting Scope Slippage in the Contract 304
Contracting Differences 305
Uneducated Salespeople 305
Evaluations 101 305
Bad Assumptions 306
Assumption Topic Areas 306
Poorly Written Contracts 307
Poor Scope Definition 307
Underbid or Overbid: The Art of Poor Cost Estimating 307
Identifying the Rules of Engagement 308
Customer Concerns 308
Stating the Evaluation Purpose 308
Customer Constraints 308
Impact Resistance and Acceptable Levels of Invasiveness 309
Identifying Scanning Times 309
Off-Limit Nodes 309
Evaluation Tool Limitations 310
Notification Procedures 310
Evaluation Addressing 310
Reporting Level of Detail 311
Clear and Concise Writing 311
Establishing the Evaluation Boundaries 311
Physical Boundaries 312
Logical Boundaries 312
Critical Path and Critical Components 313
Finding the Sources of Scoping Information 314
Customer 314
The Scoping Questionnaire 314
Information Gained from the Questionnaire 315
Value of the Questionnaire 317
Example Responses on a Scoping Questionnaire 317
Evaluation Requestor 320
Customer Senior Leadership 320
Administrative Customer Contact 320
Technical Customer Contacts 321
Evaluation Team 321
Evaluation Team Lead 321
Evaluation Team Members 321
Validating Scoping Information 321
Staffing Your Project 321
Job Requirements 322
Networking and Operating Systems 322
Hardware Knowledge 322
Picking the Right People 323
Matching Consultants to Customers 323
Personality Issues 323
Summary 324
Chapter 16: Legal Principles for Information Security Evaluations 327
Introduction 328
Uncle Sam Wants You: How Your Company's Information Security Can Affect U.S. National Security 328
Legal Standards Relevant to Information Security 333
Selected Federal Laws 333
Gramm-Leach-Bliley Act 333
Health Insurance Portability and Accountability Act 334
Sarbanes-Oxley 336
Federal Information Security and Management Act 336
FERPA and the TEACH Act 336
Electronic Communications Privacy Act and Computer Fraud and Abuse Act 337
State Laws 337
Unauthorized Access 337
Deceptive Trade Practices 338
Enforcement Actions 338
Three Fatal Fallacies 339
The "Single Law" Fallacy 339
The Private Entity Fallacy 339
The "Pen Test Only" Fallacy 340
Do It Right or Bet the Company: Tools to Mitigate Legal Liability 341
We Did Our Best, What Is the Problem?
The Basis for Liability 342
Negligence and the "Standard of Care" 342
What Can Be Done? 343
Understand your Legal Environment 343
Comprehensive and Ongoing Security Assessments, Evaluations, and Implementation 343
Use Contracts to Define Rights and Protect Information 343
Use Qualified Third-party Professionals 344
Making Sure Your Standards-of-care Assessments Keep Up with Evolving Law 345
Plan for the Worst 345
Insurance 346
What to Cover in IEM Contracts 346
What, Who, When, Where, How, and How Much 347
What 347
Description of the Security Evaluation and Business Model 347
Definitions Used in the Contract 348
Description of the Project 348
Assumptions, Representations, and Warranties 348
Boundaries and Limitations 349
Identification of Deliverables 350
Who 350
Statement of Parties to the Contractual Agreement 350
Authority of Signatories to the Contractual Agreement 350
Roles and Responsibilities of Each Party to the Contractual Agreement 351
Non-disclosure and Secrecy Agreements 351
Assessment Personnel 352
Crisis Management and Public Communications 352
Indemnification, Hold Harmless, and Duty to Defend 352
Ownership and Control of Information 352
Intellectual Property Concerns 353
Licenses 353
When 353
Actions or Events that Affect Schedule 353
Where 354
How 354
How Much 355
Fees and Cost 355
Billing Methodology 355
Payment Expectations and Schedule 355
Rights and Procedures to Collect Payment 355
Insurance for Potential Damage During Evaluation 356
Murphy's Law (When Something Goes Wrong) 356
Governing Law 356
Acts of God, Terror Attacks, and Other Unforeseeable Events 356
When Agreement is Breached and Remedies 356
Liquidated Damages 356
Limitation on Liability 357
Survival of Obligations 357
Waiver and Severability 357
Amendments to the Contract 357
Where the Rubber Meets the Road: The LOA as Liability Protection 358
Beyond You and Your Customer 359
Software License Agreements 359
Your Customer's Customer 359
The First Thing We Do...? Why You Want Your Lawyers Involved From Start to Finish 360
Attorney-client Privilege 361
Advice of Counsel Defense 362
Establishment and Enforcement of Rigorous Assessment, Interview, and Report-writing Standards 363
Creating a Good Record for Future Litigation 363
Maximizing Ability to Defend Litigation 364
Dealing with Regulators, Law Enforcement, Intelligence, and Homeland Security Officials 364
The Ethics of Information Security Evaluation 366
Chapter 17: Building the Technical Evaluation Plan 367
Introduction 368
Purpose of the Technical Evaluation Plan 368
The IEM TEP as an Agreement 369
The TEP as Road Map 370
Building the Technical Evaluation Plan 371
Source of the Technical Evaluation Plan Information 371
TEP Section I: Points of Contact 372
Evaluation Team Contacts 372
Customer Contacts 372
TEP Section II: Methodology Overview 373
Purpose of the IEM 373
Description of the IEM 373
Evaluation Tools to Be Used 373
TEP Section III: Criticality Information 374
Organizational Criticality Matrices 374
System Criticality Information 375
TEP Section IV: Detailed Network Information 376
TEP Section V: Customer Concerns 377
TEP Section VI: Customer Constraints 378
TEP Section VII: Rules of Engagement 378
Evaluation Team Requirements 378
External Requirements 378
Internal Requirements 379
Customer Requirements 379
TEP Section VIII: Coordination Agreements 379
Level of Detail of Recommendations 379
List of Agreed-On Deliverables 380
The Coordination Agreements Section: A Catchall 380
TEP Section IX: Letter of Authorization 380
TEP Section X: Timeline of Events 380
Customizing and Modifying the Technical Evaluation Plan 381
Modifying the Ten NSA-Defined Areas 381
Level of Detail 382
Format 382
Getting the Signatures 382
Customer Approval 382
Evaluation Team Approval 383
Summary 384
Chapter 18: Starting Your Onsite Efforts 385
Introduction 386
Preparing for the Onsite Evaluation Phase 386
Scheduling 387
Day One Accomplishments 387
Day Two Accomplishments 387
Day Three Accomplishments 388
Day Four Accomplishments 388
Day Five Accomplishments 388
Flexibility and Adaptation 389
Administrative Planning 389
Technical Planning 389
IAM vs. IEM 390
Vulnerability Definitions 391
Onsite Evaluation Phase Objectives 391
Verification of "Known" and "Rogue" Components 392
Discovery of Technical Vulnerabilities 392
Validation = Value Add? 393
IEM Baseline Activities 394
Port Scanning 395
SNMP Scanning 395
Enumeration and Banner Grabbing 396
Wireless Enumeration 396
Vulnerability Scanning 397
Host Evaluation 398
Network Device Analysis 398
Password Compliance Testing 398
Application-Specific Scanning 399
Network Sniffing 399
Other Activities 399
The Role of CVE and CAN 400
The In-Brief 401
Presenting the TEP 401
Cultural Sensitivity 404
Summary 406
Chapter 19: Network Discovery Activities 407
Introduction 408
Goals and Objectives 408
Results as Findings and Evaluation Task Attributes 409
System Mapping 410
Tool Basics 411
Expected Usage and Requirements 411
Port Scanning 412
Nmap 413
NMAP Options 414
TCP SYN 414
UDP Scanning 415
Ping Scanning 416
Basic Nmap Options 417
SuperScan 418
ScanLine 422
SolarWinds 423
Port Scan System Mapping 424
SNMP Scanning 424
SolarWinds 425
SNMPSweep 426
MIB Walk 426
MIB Browser 428
SNScan 429
WS_Ping Pro-Pak 430
SNMP Scan System Mapping 431
Enumeration and Banner Grabbing 432
Nmap 433
THC-Amap 435
NBTScan 436
SuperScan 437
WS_Ping Pro-Pak 440
UNIX Enumeration 441
Telnet 442
DNS Queries 443
Enumeration and Banner-Grabbing System Mapping 444
Wireless Enumeration 445
Wireless Enumeration Obstacles 446
Kismet 447
NetStumbler 448
Wireless Encryption Evaluation 450
Wireless Enumeration System Mapping 450
Summary 452
Chapter 20: Collecting the Majority of Vulnerabilities 453
Introduction 454
Vulnerability and Attack Trends 455
Vulnerability Scanning's Role in the IEM 458
Conducting Vulnerability Scans 460
Breaking Out the Scanning Tools 461
Vulnerability Scanners: Commercial and Freeware 462
Conducting Host Evaluations 472
Host Evaluation Example Tools and Scripts 473
Benchmark Scripts and Custom Scripts 474
Host Evaluations: What to Look For 477
Auditing 477
File/Directory Permissions 478
OS and Application Services 480
User Rights Assignments 481
Patch Management 481
Mapping the Findings to the IEM Process 482
Vulnerability Scans and Host Evaluations: Correlating the Data 482
Summarize and Validate Findings 485
Summary 486
Chapter 21: Fine-Tuning the Evaluation 487
Introduction 488
Network Device Analysis 488
Approaches Used in Network Device Analysis 488
Evaluating the Perimeter Design and Defenses 489
Evaluating Network Device Configurations 490
Password-Compliance Testing 492
Password-Compliance Testing Methods 492
Methods of Obtaining the Password File 493
Password-Compliance Testing Tools 495
Application-Specific Scanning 497
The DMZ 498
Types of Applications to Be Scanned 498
Network Protocol Analysis 501
Why Perform Network Protocol Analysis? 501
Introducing Network Protocol Analyzers 501
Summary 505
Chapter 22: The Onsite Closing Meeting 507
Introduction 508
Organizing the Meeting 508
Time and Location 508
Evaluation Team and Customer Involvement 509
The Customer 509
The Evaluation Team 510
Presentation Needs 510
The Agenda 511
TEP Overview 511
The Evaluation Process 512
How Was Information Collected? 512
The Tools 512
Customer Documentation 512
Customer Concerns 513
What Is Driving the Evaluation? 513
Customer Constraints 513
Protecting Testing Data 514
Setting Timelines 514
Important Events During Testing 514
Final Report Delivery 515
Overview of Critical Findings 515
How Does the Vulnerability Impact the System? 516
What Is the Likelihood That a Threat Will Exploit the Vulnerability? 516
Mapping to Business Mission and Objectives 516
Positive vs. Negative Findings 516
Points of Immediate Resolution 517
Short Term vs. Long Term 517
What Do You Do With the Information That You Have Collected? 517
Summary 518
Chapter 23: Post-Evaluation Analysis 519
Introduction 520
Getting Organized 520
Analysis Needs 520
Reporting Needs 522
Categorization, Consolidation, Correlation, and Consultation 523
False Positives and False Negatives 523
Evaluation Perspectives 524
External Exposures 524
Internal Exposures 525
System Boundaries 525
Conducting Additional Research 525
Resources 526
Consulting Subject Matter Experts 527
Other Team Members 527
External Resources 528
Analyzing Customer Documentation 528
INFOSEC Policies and Procedures 528
Previous Evaluations/VA/Penetration-Testing Results 529
Developing Practical Recommendations 530
Level of Detail 530
Finding 531
Description 531
References 531
Criticality Rating 531
Business Impact 532
Threat Likelihood 532
Recommendations 533
Tying in Regulations, Legislation, Organizational Policies, and Industry Best Practices 534
Summary 535
Chapter 24: Creating Measurements and Trending Results 537
Introduction 538
The Purpose and Goal of the Matrixes 538
Information Types 539
Common Vulnerabilities and Exposures 542
NIST ICAT 543
Developing System Vulnerability Criticality Matrixes 544
Developing Overall Vulnerability Criticality Matrixes 552
Using the OVCM and SVCM 553
Summary 555
Chapter 25: Trending Metrics 557
Introduction 558
Metrics and Their Usefulness 558
Return on Investment 558
How Do We Compare? 559
The INFOSEC Posture Profile 559
Defense in Depth 560
Adversaries or Threats 560
Protect 560
Detect 561
Respond 561
Sustain 561
People 561
Technology 561
Defense in Multiple Places 562
Layered Defenses 562
Specify the Security Robustness 562
Robust Key Management 562
Event Correlation 562
Operations 563
Developing the INFOSEC Posture Profile 563
The INFOSEC Posture Rating 569
Value-Added Trending 570
Summary 572
Chapter 26: Final Reporting 575
Introduction 576
Pulling All the Information Together 576
The Team Meeting 577
Research 577
The SVCM and OVCM 578
Review 578
Making Recommendations 578
Findings 579
Recommendations 582
Creating the Final Report 583
Organizing the Data 583
Discussion of Findings 583
Final Report Delivery Date 583
The Cover Letter 583
The Executive Summary 583
The INFOSEC Profile 584
The Introduction 584
INFOSEC Analysis 585
Technical Areas 586
High-Criticality Findings 586
Medium-Criticality Findings 587
Low-Criticality Findings 588
The Conclusion 589
Posture Description 589
Posture Profile 589
Security Practices 590
Presenting the Final Report 591
Summary 592
Chapter 27: Summing Up the INFOSEC Evaluation Methodology 593
Introduction 594
The Pre-Evaluation Phase 595
The Onsite Evaluation 596
The Post-Evaluation Phase 597
Examples of INFOSEC Tools by Baseline Activity 597
Port Scanning 598
SNMP Scanning 599
Enumeration and Banner Grabbing 601
Wireless Enumeration 603
Vulnerability Scanning 605
Host Evaluation 607
Network Device Analysis 609
Password-Compliance Testing 609
Application-Specific Scanning 611
Network Protocol Analysis 614
Technical Evaluation Plan Outline and Sample 616
Sample Technical Evaluation Plan 618
Evaluation Points of Contact 618
Methodology Overview 619
Organizational and System Criticality Information 619
The OUCH Mission 619
OUCH Impact Definitions 620
OUCH Organizational Criticality 620
System Information Criticality 621
Detailed Network Information 621
Customer Concerns 622
Customer Constraints 622
Rules of Engagement 623
Internal and External Customer Requirements 623
Coordination Agreements 623
Level of Detail of Recommendations 624
Deliverables 624
Other Agreements 624
Letter of Authorization 624
Timeline of Evaluation Events 624
Part 3: Business Continuity & Disaster Recovery
Chapter 28: Business Continuity and Disaster Recovery Overview 627
Introduction 628
Business Continuity and Disaster Recovery Defined 629
Components of Business 630
People in BC/DR Planning 631
Process in BC/DR Planning 632
Technology in BC/DR Planning 634
The Cost of Planning versus the Cost of Failure 635
People 638
Process 639
Technology 640
Types of Disasters 641
Natural Hazards 641
Cold Weather Related Hazards 642
Warm Weather Related Hazards 642
Geological Hazards 643
Human-Caused Hazards 643
Accidents and Technological Hazards 644
Electronic Data Threats 646
Personal Privacy 646
Privacy Standards and Legislation 647
Gramm-Leach-Bliley Act (GLBA) 647
Health Insurance Portability and Accountability Act (HIPAA) 648
Social Engineering 649
Fraud and Theft 649
General Business Fraud 649
Managing Access 652
Business Continuity and Disaster Recovery Planning Basics 652
Project Initiation 654
Risk Assessment 655
Business Impact Analysis 655
Mitigation Strategy Development 655
Plan Development 655
Training, Testing, Auditing 656
Plan Maintenance 656
Summary 657
Chapter 29: Project Initiation 659
Introduction 660
Elements of Project Success 661
Executive Support 661
User Involvement 664
Experienced Project Manager 665
Clearly Defined Project Objectives 665
Clearly Defined Project Requirements 666
Clearly Defined Scope 667
Shorter Schedule, Multiple Milestones 667
Clearly Defined Project Management Process 668
Project Plan Components 669
Project Definition 671
Problem and Mission Statement 671
Potential Solutions 671
Requirements and Constraints 672
Success Criteria 673
Project Proposal 673
Estimates 674
Project Sponsor 674
Forming the Project Team 675
Organizational 676
Technical 677
Logistical 677
Political 678
Project Organization 678
Project Objectives 678
Business Continuity Plan 679
Continuity of Operations Plan 679
Disaster Recovery Plan 679
Crisis Communication Plan 679
Cyber Incident Response Plan (CIRP) 680
Occupant Emergency Plan 680
Project Stakeholders 681
Project Requirements 682
Project Parameters 683
Project Infrastructure 686
Project Processes 687
Team Meetings 688
Reporting 688
Escalation 688
Project Progress 689
Change Control 689
Quality Control 690
Project Communication Plan 690
Project Planning 692
Work Breakdown Structure 692
Critical Path 692
Project Implementation 693
Managing Progress 694
Managing Change 694
Project Tracking 695
Project Close Out 695
Key Contributors and Responsibilities 696
Information Technology 697
Experience Working on a Cross-Departmental Team 697
Ability to Communicate Effectively 697
Ability to Work Well with a Wide Variety of People 698
Experience with Critical Business and Technology Systems 698
IT Project Management Leadership 699
Human Resources 699
Facilities/Security 699
Finance/Legal 700
Warehouse/Inventory/Manufacturing/Research 701
Purchasing/Logistics 702
Marketing and Sales 702
Public Relations 703
Project Definition 705
Business Requirements 706
Functional Requirements 708
Technical Requirements 709
Business Continuity and Disaster Recovery Project Plan 710
Project Definition, Risk Assessment 711
Business Impact Analysis 711
Risk Mitigation Strategies 711
Plan Development 711
Emergency Preparation 711
Training, Testing, Auditing 712
Plan Maintenance 712
Summary 714
Chapter 30: Risk Assessment 715
Introduction 716
Risk Management Basics 717
Risk Management Process 719
Threat Assessment 720
Vulnerability Assessment 721
Impact Assessment 721
Risk Mitigation Strategy Development 722
People, Process, Technology, and Infrastructure in Risk Management 722
People 722
Process 723
Technology 723
Infrastructure 724
IT-Specific Risk Management 724
IT Risk Management Objectives 724
The System Development Lifecycle Model 725
Risk Assessment Components 728
Information Gathering Methods 729
Natural and Environmental Threats 730
Fire 731
Floods 732
Severe Winter Storms 733
Electrical Storms 735
Drought 737
Earthquake 738
Tornados 740
Hurricanes/Typhoons/Cyclones 740
Tsunamis 741
Volcanoes 742
Avian Flu/Pandemics 742
Human Threats 745
Fire 745
Theft, Sabotage, Vandalism 745
Labor Disputes 746
Workplace Violence 746
Terrorism 747
Chemical or Biological Hazards 748
War 749
Cyber Threats 749
Cyber Crime 751
Loss of Records or Data: Theft, Sabotage, Vandalism 753
IT System Failure: Theft, Sabotage, Vandalism 754
Infrastructure Threats 754
Building Specific Failures 754
Public Transportation Disruption 755
Loss of Utilities 755
Disruption to Oil or Petroleum Supplies 755
Food or Water Contamination 756
Regulatory or Legal Changes 756
Looking Back 757
Threat Checklist 757
Threat Assessment Methodology 761
Quantitative Threat Assessment 761
Qualitative Threat Assessment 765
Vulnerability Assessment 769
People, Process, Technology, and Infrastructure 770
People 770
Process 771
Technology 771
Infrastructure 771
Vulnerability Assessment 772
Summary 775
Chapter 31: Business Impact Analysis 777
Introduction 778
Business Impact Analysis Overview 778
Upstream and Downstream Losses 780
Understanding the Human Impact 781
Key Positions 781
Human Needs 782
Understanding Impact Criticality 783
Criticality Categories 783
Mission-Critical 783
Vital 784
Important 784
Minor 784
Recovery Time Requirements 785
Identifying Business Functions 790
Facilities and Security 791
Finance 792
Human Resources 792
IT 793
Legal/Compliance 793
Manufacturing (Assembly) 793
Marketing and Sales 794
Operations 794
Research and Development 794
Warehouse (Inventory, Order Fulfillment, Shipping, Receiving) 795
Other Areas 795
Gathering Data for the Business Impact Analysis 796
Data Collection Methodologies 797
Questionnaires 797
Interviews 798
Workshops 799
Determining the Impact 800
Business Impact Analysis Data Points 801
Understanding IT Impact 806
Example of Business Impact Analysis For Small Business 807
Preparing the Business Impact Analysis Report 814
Summary 815
Chapter 32: Mitigation Strategy Development 817
Introduction 818
Types of Risk Mitigation Strategies 819
Risk Acceptance 819
Risk Avoidance 820
Risk Limitation 820
Risk Transference 821
The Risk Mitigation Process 822
Recovery Requirements 822
Recovery Options 822
As Needed 824
Prearranged 824
Preestablished 824
Recovery Time of Options 825
Cost versus Capability of Recovery Options 825
Recovery Service Level Agreements 827
Review Existing Controls 827
Developing Your Risk Mitigation Strategy 828
Sample 1: Section from Mitigation Strategy for Critical Data 829
Sample 2: Section from Mitigation Strategy for Critical Data 830
People, Buildings, and Infrastructure 832
IT Risk Mitigation 833
Critical Data and Records 833
Critical Systems and Infrastructure 833
Reviewing Critical System Priorities 834
Backup and Recovery Considerations 834
Alternate Business Processes 834
IT Recovery Systems 835
Alternate Sites 836
Fully Mirrored Site 836
Hot Site 836
Warm Site 836
Mobile Site 837
Cold Site 837
Reciprocal Site 837
Disk Systems 837
RAID 837
Remote Journaling 837
Replication 838
Electronic Vaulting 838
Standby Operating Systems 838
Network-Attached Storage (NAS) 838
Storage Area Network (SAN) 838
Desktop Solutions 838
Software and Licensing 840
Web Sites 840
Summary 841
Chapter 33: Business Continuity/Disaster Recovery Plan Development 843
Introduction 844
Phases of the Business Continuity and Disaster Recovery 845
Activation Phase 845
Major Disaster or Disruption 846
Intermediate Disaster or Disruption 846
Minor Disaster or Disruption 846
Activating BC/DR Teams 847
Developing Triggers 847
Transition Trigger: Activation to Recovery 849
Recovery Phase 849
Transition Trigger: Recovery to Continuity 849
Business Continuity Phase 850
Maintenance/Review Phase 851
Defining BC/DR Teams and Key Personnel 851
Crisis Management Team 852
Management 852
Damage Assessment Team 852
Operations Assessment Team 852
IT Team 853
Administrative Support Team 853
Transportation and Relocation Team 853
Media Relations Team 854
Human Resources Team 854
Legal Affairs Team 854
Physical/Personnel Security Team 854
Procurement Team (Equipment and Supplies) 855
General Team Guidelines 855
BC/DR Contact Information 857
Defining Tasks, Assigning Resources 859
Alternate Site 859
Selection Criteria 860
Contractual Terms 860
Comparison Process 860
Acquisition and Testing 860
Contracts for BC/DR Services 861
Develop Clear Functional and Technical Requirements 861
Determine Required Service Levels 861
Compare Vendor Proposal/Response to Requirements 862
Identify Requirements Not Met by Vendor Proposal 862
Identify Vendor Options Not Specified in Requirements 862
Communications Plans 864
Internal 864
Employee 864
Customers and Vendors 865
Shareholders 865
The Community and the Public 865
Event Logs, Change Control, and Appendices 866
Event Logs 866
Change Control 867
Distribution 868
Appendices 869
Additional Resources 870
What's Next 870
Summary 871
Chapter 34: Emergency Response and Recovery 873
Introduction 874
Emergency Management Overview 874
Emergency Response Plans 875
Emergency Response Teams 877
Crisis Management Team 878
Emergency Response and Disaster Recovery 878
Alternate Facilities Review and Management 879
Communications 879
Human Resources 879
Legal 880
Insurance 880
Finance 880
Disaster Recovery 881
Activation Checklists 881
Recovery Checklists 881
IT Recovery Tasks 881
Computer Incident Response 882
CIRT Responsibilities 883
Monitor 883
Alert and Mobilize 884
Assess and Stabilize 884
Resolve 884
Review 884
Business Continuity 885
Summary 887
Chapter 35: Training, Testing, and Auditing 889
Introduction 890
Training for Disaster Recovery and Business Continuity 890
Emergency Response 891
Disaster Recovery and Business Continuity Training Overview 891
Training Scope, Objectives, Timelines, and Requirements 892
Performing Training Needs Assessment 893
Developing Training 893
Scheduling and Delivering Training 895
Monitoring and Measuring Training 895
Training and Testing for Your Business Continuity and Disaster Recovery Plan 896
Paper Walk-through 898
Develop Realistic Scenarios 898
Develop Evaluation Criteria 899
Provide Copies of the Plan 899
Divide Participants by Team 900
Use Checklists 900
Take Notes 900
Identify Training Needs 900
Develop Summary and Lessons Learned 900
Functional Exercises 901
Field Exercises 902
Full Interruption Test 902
Training Plan Implementers 902
Testing the BC/DR Plan 903
Understanding of Processes 903
Validation of Task Integration 904
Confirm Steps 904
Confirm Resources 904
Familiarize with Information Flow 905
Identify Gaps or Weaknesses 905
Determines Cost and Feasibility 905
Test Evaluation Criteria 908
Recommendations 908
Performing IT Systems and Security Audits 908
IT Systems and Security Audits 908
Summary 911
Chapter 36: BC/DR Plan Maintenance 913
Introduction 914
BC/DR Plan Change Management 914
Training, Testing, and Auditing 915
Changes in Information Technologies 915
Changes in Operations 916
Corporate Changes 917
Legal, Regulatory, or Compliance Changes 917
Strategies for Managing Change 917
Monitor Change 918
People 919
Process 919
Technology 919
Evaluate and Incorporate Change 919
BC/DR Plan Audit 921
Plan Maintenance Activities 921
Project Close Out 922
Summary 924
Chapter 37: BC/DR Checklists 927
Risk Assessment 928
Threat and Vulnerability Assessment 928
Business Impact Analysis 928
Mitigation Strategies 929
Crisis Communications Checklist 929
Communication Checklist 929
Message Content 930
Business Continuity and Disaster Recovery Response Checklist 931
Emergency and Recovery Response Checklist 931
Activation Checklists 931
Initial Response 932
Damage and Situation Assessment 932
Disaster Declaration and Notification 932
Emergency Response Checklists 933
Emergency Checklist One-General Emergency Response 933
Emergency Checklist Two-Evacuation or Shelter-in-Place Response 933
Emergency Checklist Three-Specific Emergency Responses 934
Emergency Checklist Four-Emergency Response Contact List, Maps, Floor Plans 934
Emergency Checklist Five-Emergency Supplies and Equipment 935
Recovery Checklists 935
Recovery Checklist One-General 935
Recovery Checklist Two-Inspection, Assessment, and Salvage 936
Business Continuity Checklist 937
Resuming Work 937
Human Resources 938
Insurance and Legal 939
Manufacturing, Warehouse, Production, and Operations 939
Resuming Normal Operations 940
Existing Facility 940
New Facility 941
Transition to Normalized Activities 941
IT Recovery Checklists 942
IT Recovery Checklist One-Infrastructure 942
Recovery Checklist Two-Applications 943
Recovery Checklist Three-Office Area and End-User Recovery 943
Recovery Checklist Four-Business Process Recovery 944
Recovery Checklist Five-Manufacturing, Production, and Operations Recovery 945
Training, Testing, and Auditing Checklists 946
Training and Testing 946
IT Auditing 946
BC/DR Plan Maintenance Checklist 947
Change Management 947
Index 949
Publication date (per publisher) | 18.4.2011 |
---|---|
Language | English |
Subject area | Computer Science ► Networks ► Security / Firewall |
 | Computer Science ► Theory / Study ► Cryptology |
 | Economics ► Business Administration / Management ► Corporate Management |
ISBN-10 | 0-08-055733-3 / 0080557333 |
ISBN-13 | 978-0-08-055733-5 / 9780080557335 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time; you can then read it only on devices that are also registered to your Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).