Disaster Recovery Information Security Policies Discussion Help


Description

Using a Web browser, search for any information security policies used at any academic institution. Compare them to the ones discussed in this chapter. Are there sections missing? If so, which ones?

Requirements:

  • Type your responses with proper headings in a Word document.
  • Detailed and significant scholarly answers will be graded with full point value. Incomplete, inaccurate, or inadequate answers will receive less than full credit depending on the answers provided.

Unformatted Attachment Preview

About the Presentations
• The presentations cover the objectives found in the opening of each chapter.
• All chapter objectives are listed in the beginning of each presentation.
• You may customize the presentations to fit your class needs.
• Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.

Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 01: An Overview of Information Security and Risk Management

Slide 3: Objectives
• Define and explain information security
• Identify and explain the basic concepts of risk management
• List and discuss the components of contingency planning
• Describe the role of information security policy in the development of contingency plans

Slide 4: Introduction
• Contingency planning
  – Being ready for incidents and disasters
• Example: 1/10 of one percent of online users
  – Allows for two and a half million potential attackers
• Example: World Trade Center (WTC) organizations
  – Had contingency plans due to the February 1993 attack
• Example: 2008 Gartner report
  – 2/3 of organizations had invoked their plans in the prior two years
• Information security includes contingency planning
  – Ensures confidentiality, integrity, and availability of data

Slide 5: Information Security
• Committee on National Security Systems (CNSS) information security definition
  – Protection of information and its critical elements
    • Includes the systems and hardware that store and transmit information
  – Part of the CNSS model (evolved from the C.I.A. triangle)
    • Conceptual framework for understanding security
• Information security (InfoSec)
  – Protection of the confidentiality, integrity, and availability of information
    • In storage, during processing, and during transmission

Slide 6: Key Information Security Concepts
• Threat: object, person, or other entity posing a potential risk of loss to an asset
• Asset: organizational resource being protected
  – Logical or physical
• Attack: attempt to cause damage to or compromise information or its supporting systems
  – Arises from a threat; intentional or unintentional
• Threat agent: a specific instance of a threat
  – Specific and identifiable; exploits asset vulnerabilities

Slide 7: Key Information Security Concepts (cont'd.)
• Vulnerability
  – Flaw or weakness in system security procedures, design, implementation, or internal controls
    • Results in a security breach or security policy violation
  – Well-known or latent
  – Exercised accidentally or intentionally
• Exploit: the technique a threat agent uses against a vulnerability
  – Can exploit a system or information through illegal use
  – Can create an exploit to target a specific vulnerability
• Control/safeguard/countermeasure: mechanism that prevents an attack

Slide 8: Key Information Security Concepts (cont'd.)
[figure slide; no text content]

Slide 9: Key Information Security Concepts (cont'd.)
• Trespass
  – Broad category of electronic and human activities
    • Can breach information confidentiality
    • Leads to unauthorized real or virtual actions
    • Results in unauthorized access to premises or systems
• Software attacks
  – Malicious code, malicious software, malware
  – Designed to damage, destroy, or deny service to the target systems
  – Example: hackers

Slide 10: Key Information Security Concepts (cont'd.)
• Software attacks (cont'd.)
  – Common malicious code instances
    • Viruses and worms, Trojan horses, logic bombs, bots, rootkits, back doors, denial-of-service (DoS) attacks, distributed DoS (DDoS) attacks
  – Malicious code threats: sources of confusion
    • Method of propagation, payload, vector of infection
  – Viruses
    • Segments of code that perform malicious actions
    • Macro virus: embedded in automatically executing macro code
    • Boot virus: infects key operating system files

Slide 11: Key Information Security Concepts (cont'd.)
  – Worms
    • Replicate themselves constantly
    • No other program needed
    • Can replicate until available resources are filled
  – Back doors and trap doors
    • Installed by a virus or worm payload
    • Provide at-will, specially privileged access to the system
  – Polymorphism
    • Threat changes its apparent shape over time
    • Eludes antivirus software detection

Slide 12: Key Information Security Concepts (cont'd.)
  – Propagation vectors
    • The manner by which malicious code spreads can vary
    • May use social engineering: a Trojan horse looks desirable, but is not
    • May leverage an open network connection, file shares, or a software vulnerability
  – Malware hoaxes
    • Well-meaning people send random e-mails warning of fictitious dangerous malware
    • Wastes a lot of time and energy

Slide 13: Key Information Security Concepts (cont'd.)
• Human error or failure
  – Includes acts performed by an authorized user
    • No malicious intent or purpose
  – Human error
    • Small mistakes produce extensive damage with catastrophic results
  – Human failure
    • Intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information

Slide 14: Key Information Security Concepts (cont'd.)
• Theft
  – Illegal taking of another's property
    • Property: physical, electronic, intellectual
    • Includes acts of espionage and breach of confidentiality
  – Methods
    • Competitive intelligence or industrial espionage
  – Theft or loss of mobile devices
    • Phones, tablets, and computers
    • The stored information is more important than the devices

Slide 15: Key Information Security Concepts (cont'd.)
• Compromises to intellectual property
  – FOLDOC intellectual property (IP) definition
    • "The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person's intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source."
  – Includes
    • Trade secrets, copyrights, trademarks, patents
    • Exfiltration, or unauthorized removal of information
    • Software piracy

Slide 16: Key Information Security Concepts (cont'd.)
• Sabotage or vandalism
  – Destroys an asset or damages an organization's image
    • Assault on an organization's Web site
    • Cyberterrorism (more sinister hacking)
• Technical software failures or errors
  – Software with unknown hidden faults
    • Code sold before security-related bugs are detected
    • Trap doors
  – Helpful Web sites
    • Bugtraq and the National Vulnerability Database

Slide 17: Key Information Security Concepts (cont'd.)
• Technical hardware failures or errors
  – Equipment distributed with a known or unknown flaw
  – System performs outside expected parameters
  – Errors can be terminal or intermittent
• Forces of nature
  – Known as force majeure, or acts of God
  – Pose some of the most dangerous threats imaginable
    • Occur with very little warning

Slide 18: Key Information Security Concepts (cont'd.)
• Deviations in quality of service by service providers
  – Product or service not delivered as expected
    • Support systems interrupted by storms, employee illnesses, unforeseen events
• Technological obsolescence
  – Antiquated or outdated infrastructure
    • Leads to unreliable and untrustworthy systems
    • Risks loss of data integrity from attacks

Slide 19: Key Information Security Concepts (cont'd.)
• Information extortion
  – Attacker or trusted insider steals information from a computer system
    • Demands compensation for its return or for an agreement not to disclose the information
  – Common in credit card number theft
• Other threats
  – See Table 1-2

Slide 20: [figure slide; no text content]

Slide 21: Overview of Risk Management
• Risk management process
  – Identifying and controlling information asset risks
  – Security managers play the largest roles
  – Includes contingency planning
• Risk identification process
  – Examining, documenting, and assessing the security posture of an organization's IT and the risks it faces
• Risk control process
  – Applying controls to reduce the risks

Slide 22: Overview of Risk Management (cont'd.)
[figure slide; no text content]

Slide 23: Overview of Risk Management (cont'd.)
• Risk management redefined
  – Process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." (Chinese General Sun Tzu; source: Oxford University Press)

Slide 24: Overview of Risk Management (cont'd.)
• Know yourself
  – Identify, examine, and understand the information and systems currently in place
  – Asset: information and the systems that use, store, and transmit information
  – Questions to ask when protecting assets
    • What are they?
    • How do they add value to the organization?
    • To which vulnerabilities are they susceptible?
  – Have periodic review, revision, and maintenance of control mechanisms

Slide 25: Overview of Risk Management (cont'd.)
• Know the enemy
  – Identify, examine, and understand threats
  – Determine the threat aspects affecting the organization and the security of its assets
    • List threats prioritized by importance
  – Conduct periodic management reviews
    • Verify the completeness and accuracy of the asset inventory
    • Review and verify identified threats and vulnerabilities
    • Review current controls and mitigation strategies
    • Review cost effectiveness and deployment issues
    • Verify the ongoing effectiveness of every control

Slide 26: Risk Identification
• Identify, classify, and prioritize information assets
• Threat identification process begins afterwards
  – Each asset is examined to identify vulnerabilities
  – Controls identified
  – Controls assessed
    • Regarding their capability to limit possible losses should an attack occur

Slide 27: [figure slide; no text content]

Slide 28: Asset Identification and Value Assessment
• Iterative process of identifying assets and assessing their value
• Information asset classification
  – Classify with respect to security needs
  – Components must be specific enough to allow the creation of various priority levels
  – Components ranked according to criteria established by the categorization
  – Use comprehensive and mutually exclusive categories
  – Establish clear and comprehensive category sets

Slide 29: Asset Identification and Value Assessment (cont'd.)
• Information asset valuation
  – Is this asset the most critical to the organization's success?
  – Does it generate the most revenue?
  – Does it generate the most profit?
  – Would it be the most expensive to replace?
  – Will it be the most expensive to protect?
  – If revealed, would it cause the most embarrassment or the greatest damage?
  – Does the law or other regulation require us to protect this asset?

Slide 30: Asset Identification and Value Assessment (cont'd.)
• The answers determine the weighting criteria
  – Used for asset valuation and impact evaluation
• Must decide which criteria are best suited to establish the information asset value
• Perform weighted factor analysis
  – Calculates the relative importance of each asset
  – Assign a score from 0.1 to 1.0 for each critical factor
  – Assign each critical factor a weight from 1 to 100 (in the textbook's worksheet the weights across all factors total 100)
• Identify, document, and add company-specific criteria

Slide 31: Asset Identification and Value Assessment (cont'd.)
[figure slide; no text content]

Slide 32: Data Classification and Management
• Data classification schemes
  – Procedures requiring organizational data to be classified into mutually exclusive categories
  – Based on the need to protect the confidentiality of each data category
• Military specialized classification ratings
  – "Public" to "For Official Use Only" to "Confidential" to "Secret" to "Top Secret"

Slide 33: Data Classification and Management (cont'd.)
• Alternative information classification scheme
  – Public: for general public dissemination
  – For official use: not particularly sensitive, but not for public release
  – Sensitive: important to the business; could cause embarrassment or loss of market share if revealed
  – Classified: requires the utmost security; disclosure could severely impact the organization
• Personnel information security clearances
  – On a need-to-know basis

Slide 34: Threat Identification
• Conduct a threat assessment
  – Which threats present a danger to the organization's assets in the given environment?
  – Which threats represent the most danger to the organization's information?
  – Which threats would cost the most to recover from if there was an attack?
  – Which threats require the greatest expenditure to prevent?

Slide 35: Vulnerability Identification
• Review each asset and each threat it faces
  – Create a list of vulnerabilities
    • Examine how each threat could be perpetrated
    • List the organization's assets and their vulnerabilities
• Notes
  – A threat may yield multiple vulnerabilities
  – People with diverse backgrounds should participate

Slide 36: Risk Assessment
• Process of assigning a risk rating or score to each information asset
• Goal
  – Determine the relative risk of each vulnerability using various factors
• Likelihood
  – Probability that a specific vulnerability will be successfully attacked
  – Many asset/vulnerability combinations have external references for likelihood values

Slide 37: Valuation of Information Assets
• Assign weighted scores for the value to the organization of each information asset
• Re-ask the questions described in the "Threat Identification" section
  – Which of these questions is most important to the protection of the organization's information?
• Examine how current controls can reduce the risk faced by specific vulnerabilities
• Impossible to know everything about each vulnerability

Slide 38: Risk Determination
• Risk = (likelihood of the vulnerability being exploited × asset value) − percentage of that risk mitigated by current controls + percentage of uncertainty in the assumptions and data
  – Both percentages are taken of the likelihood × value product
• Qualitative risk management
  – General categories and rankings used to evaluate risk
  – Factor Analysis of Information Risk (FAIR) strategy
    • Promoted by CXOWARE
• Residual risk
  – Risk remaining after a control is applied

Slide 39: Identify Possible Controls
• Controls, safeguards, and countermeasures
  – Represent security mechanisms, policies, and procedures that reduce risk
• Three types of security policies
  – Enterprise information security policy
  – Issue-specific policies
  – Systems-specific policies
• Programs
  – Activities performed within the organization to improve security

Slide 40: Risk Control Strategies
• Defense approach (preferred approach)
  – Attempts to prevent vulnerability exploitation
• Risk defense methods
  – Defense through application of policy
  – Defense through training and education programs
  – Defense through technology application
    • Usually requires technical solutions
• Eliminate asset exposure
  – Attempt to reduce risk to an acceptable level

Slide 41: Risk Control Strategies (cont'd.)
• Implement security controls and safeguards
  – Deflect attacks to minimize the probability of a successful attack
• Transference
  – Attempts to shift risk to other assets, processes, or organizations
    • Rethink how services are offered
    • Revise deployment models
    • Outsource to other organizations
    • Purchase insurance
    • Implement service contracts with providers

Slide 42: Risk Control Strategies (cont'd.)
• Mitigation
  – Attempts to reduce the impact caused by vulnerability exploitation
    • Through planning and preparation
  – Includes contingency planning
    • Business impact analysis
    • Incident response plan
    • Disaster recovery plan
    • Business continuity plan
  – Requires quick attack detection and response
  – Relies on the existence and quality of the other plans

Slide 43: Risk Control Strategies (cont'd.)
• Acceptance
  – Do nothing to protect an information asset
    • Accept the outcome of its potential exploitation
  – Only valid when the organization has:
    • Determined the level of risk
    • Assessed the probability of attack
    • Estimated the potential damage that could occur
    • Performed a thorough cost-benefit analysis
    • Evaluated controls
    • Decided the asset did not justify the cost of protection

Slide 44: Risk Control Strategies (cont'd.)
• Termination
  – Difference from acceptance
    • Removes the asset from the environment representing the risk
  – Two main reasons
    • Cost of protecting an asset outweighs its value
    • Too difficult or expensive to protect the asset compared to the value or advantage it offers
  – Termination must be a conscious business decision
    • Not simple asset abandonment

Slide 45: Contingency Planning and Its Components
• Contingency plan
  – Used to anticipate, react to, and recover from threatening events
  – Restores the organization to normal modes of business operations
• Four subordinate functions
  – Business impact analysis (BIA)
  – Incident response planning (IRP)
  – Disaster recovery planning (DRP)
  – Business continuity planning (BCP)

Slide 46: Business Impact Analysis
• Business impact analysis (BIA)
  – Investigation and assessment of the impact of attacks
  – Adds detail to the prioritized threat and vulnerability list created in the risk management process
  – Provides detailed scenarios of the potential impact of each type of attack

Slide 47: Incident Response Plan
• Incident
  – Any clearly identified attack on assets
• Incident response plan (IRP)
  – Deals with the identification, classification, response, and recovery from an incident
  – Assesses the likelihood of imminent damage
  – Informs key decision makers
  – Enables the organization to take coordinated action

Slide 48: Disaster Recovery Plan
• Preparation for and recovery from a natural or man-made disaster
• Includes:
  – Preparations for the recovery process
  – Strategies to limit losses during the disaster
  – Detailed steps to follow after the immediate danger has passed
• Focus
  – Preparation before the incident
  – Actions taken after the incident

Slide 49: BCP and BRP
• Business continuity plan (BCP)
  – Expresses how to ensure critical business functions continue at an alternate location
    • After a catastrophic incident or disaster
  – Used when the DRP cannot restore primary-site operations
  – The most strategic and long-term plan
• Business resumption plan (BRP)
  – Emerging new concept in contingency planning
  – Merges the DRP and BCP into a single process

Slide 50: Contingency Planning Timeline
• Steps in contingency planning
  – IR plan focuses on immediate response
    • May move to the DRP and BCP if the incident is disastrous
  – DR plan focuses on restoring systems at the original site
  – BC plan runs concurrently with the DRP
    • When major or long-term damage occurs
  – IRP, DRP, and BCP distinction
    • When each comes into play during the incident

Slides 51 and 52: [figure slides; no text content]

Slide 53: Contingency Planning Timeline (cont'd.)
• Seven steps in NIST SP 800-34, Revision 1
  [figure slide; as published in NIST SP 800-34 Rev. 1 the seven steps are: develop the contingency planning policy statement; conduct the business impact analysis; identify preventive controls; create contingency strategies; develop the information system contingency plan; ensure plan testing, training, and exercises; ensure plan maintenance]

Slide 54: Role of Information Security Policy in Developing Contingency Plans
• Policy needs to enforce information protection requirements
  – Before, during, and after an incident
• Quality security programs
  – Begin and end with policy
• Information security
  – A management problem
• Difficulties in shaping policy
  – Must never conflict with laws; must stand up in court if challenged; must be properly administered

Slide 55: Key Policy Definitions
• Policy
  – Plan or course of action
    • Conveys instructions from senior management to those who make decisions, take action, and perform duties
  – Organizational law
    • Dictates acceptable and unacceptable behavior
    • Defines penalties for violations
• Standard
  – Detailed statement of what must be done to comply with policy
    • De facto standard (informal standard)
    • De jure standard (formal standard)

Slide 56: [figure slide; no text content]

Slide 57: Key Policy Definitions (cont'd.)
• Mission
  – Written statement of an organization's purpose
• Vision
  – Written statement about the organization's goals
• Strategic planning
  – Process of moving the organization toward its vision
• Information security policy
  – Provides rules for protecting information assets
    • Enterprise information security policy, issue-specific security policy, systems-specific security policy

Slide 58: Enterprise Information Security Policy
• Enterprise information security policy (EISP)
  – Based on and directly supports the mission, vision, and direction of the organization
  – Executive-level
  – Sets strategic direction, scope, and tone for all security efforts
    • Contains requirements to be met
    • Defines purpose, scope, constraints, and applicability
    • Assigns responsibilities
  – Addresses legal compliance

Slide 59: Issue-Specific Security Policy
• Issue-specific security policy (ISSP)
  – Addresses specific areas of technology
• Three common approaches to creating ISSPs
  – Independent ISSP documents, each tailored to a specific issue
  – A single comprehensive ISSP document covering all issues
  – A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements

Slide 60: [figure slide; no text content]

Slide 61: Issue-Specific Security Policy (cont'd.)
• Statement of policy
  – Defines scope, responsibility for implementation, and the technologies and issues being addressed
• Authorized access and usage of equipment
  – Addresses who can use the technology and what it can be used for
  – Defines "fair and responsible use"
  – Addresses key legal issues
• Prohibited usage of equipment
  – Outlines what the technology cannot be used for

Slide 62: Issue-Specific Security Policy (cont'd.)
• Systems management
  – Focuses on the users' relationship to systems management
• Violations of policy
  – Specifies penalties and how to report violations
• Policy review and modification
  – Procedures and a timetable for periodic review, so users do not circumvent the policy as it grows obsolete
• Limitations of liability
  – States that the company will not protect a user who violates the policy and is not liable for that user's actions

Slide 63: Systems-Specific Policy
• Systems-specific security policies (SysSPs)
  – Standards and procedures used when configuring or maintaining systems
  – Access control lists (ACLs)
    • Govern the rights and privileges of particular users to particular systems
  – Configuration rules
    • Specific configuration codes entered into security systems

Slide 64: Systems-Specific Policy (cont'd.)
• ACL policies
  – Translated into configuration sets
    • Control access to systems
  – Regulate the who, what, when, and where of access
  – ACL rules
    • Known as capability tables, user profiles, or user policies
    • Specify what a user can and cannot do with resources
• Rule policies
  – More specific than ACLs
  – May or may not deal with users directly

Slide 65: Policy Management
• Policies
  – Constantly changing and growing
  – Must be properly disseminated
  – Security policies must have the following:
    • An individual responsible for creation, revision, distribution, and storage
    • A schedule of reviews
    • A mechanism for recommending revisions
    • A policy/revision date, and possibly a "sunset" expiration date
    • Policy management software (optional)

Slide 66: Summary
• Information security protects information and its critical elements
• C.I.A. triangle: basis for the CNSS model
• Threat: entity posing the potential for loss to an asset
• Asset: has value to the organization
• Vulnerability: weakness in protection mechanisms
• Risk management process: identifying vulnerabilities and taking steps to protect assets

Slide 67: Summary (cont'd.)
• Risk identification: process of identifying risks
• Risk control: applying controls to reduce risk
• Risk control strategies: defense, transference, mitigation, acceptance, termination
• Business impact analysis: assesses the impact of each attack type
• Incident response plan: actions taken when an incident is in progress
• Disaster recovery plan: preparation for and recovery from a disaster

Slide 68: Summary (cont'd.)
• Business continuity plan: ensures critical business functions continue after a disaster
• Policies: organizational laws dictating behavior
• Enterprise information security policy: sets strategic scope, direction, and tone
• Issue-specific security policy: addresses specific areas of technology
• Systems-specific security policy: used when configuring or maintaining systems
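The deck describes two calculations without showing them worked through: the weighted factor analysis used to value information assets (slide 30: a 0.1 to 1.0 score per critical factor, a 1 to 100 weight per factor) and the risk-rating formula of slide 38. The Python below is an added example, not code from the textbook or the slide deck, that implements both and ranks every asset/vulnerability pair. It assumes the factor weights total 100 (the textbook's worksheet convention) and reads the subtracted "percent controlled" and the added "uncertainty" as percentages of the likelihood × value product, which is how the textbook authors apply the formula in their own numbers. The criteria, weights, assets and vulnerabilities are constructed for illustration and do not come from the chapter.

```python
"""Worked example for the chapter's risk-identification arithmetic:
weighted factor analysis to value information assets (slide 30) and the
risk-rating formula applied to each asset/vulnerability pair (slide 38).

Added example, not code from the textbook or the slide deck.  The criteria,
weights, assets and vulnerabilities below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def validate_weights(weights: dict[str, int]) -> None:
    """Each critical factor gets a weight from 1 to 100; the textbook's
    worksheet distributes exactly 100 points across the factors (assumed)."""
    for name, w in weights.items():
        if not 1 <= w <= 100:
            raise ValueError(f"weight for {name!r} must be between 1 and 100")
    if sum(weights.values()) != 100:
        raise ValueError("weights must total 100")


def asset_value(scores: dict[str, float], weights: dict[str, int]) -> float:
    """Weighted score for one asset on a 0-100 scale: each factor is scored
    0.1-1.0, multiplied by the factor's weight, and the products are summed."""
    validate_weights(weights)
    if set(scores) != set(weights):
        raise ValueError("the asset must be scored on every factor")
    for name, s in scores.items():
        if not 0.1 <= s <= 1.0:
            raise ValueError(f"score for {name!r} must be between 0.1 and 1.0")
    return round(sum(weights[f] * scores[f] for f in weights), 4)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float   # 0.1-1.0: probability the vulnerability is successfully attacked
    controlled: float   # 0.0-1.0: fraction of the risk that current controls already mitigate
    uncertainty: float  # 0.0-1.0: how unsure we are about the likelihood/control estimates


def risk_rating(value: float, vuln: Vulnerability) -> float:
    """Risk = (likelihood x value) - percent currently controlled + uncertainty,
    with both percentages taken of the likelihood x value product (the reading
    the textbook authors use in their worked numbers)."""
    for field_name in ("likelihood", "controlled", "uncertainty"):
        x = getattr(vuln, field_name)
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{field_name} for {vuln.name!r} must be between 0 and 1")
    base = vuln.likelihood * value
    return round(base - base * vuln.controlled + base * vuln.uncertainty, 4)


def rank_risks(values: dict[str, float],
               vulns: dict[str, list[Vulnerability]]) -> list[tuple[str, str, float]]:
    """(asset, vulnerability, rating) triples, highest rating first: the order
    in which the risk-control step should spend its effort."""
    ratings = [(asset, v.name, risk_rating(values[asset], v))
               for asset in values for v in vulns.get(asset, [])]
    return sorted(ratings, key=lambda t: t[2], reverse=True)


# Constructed sample data for a hypothetical organization (not from the chapter).
WEIGHTS = {"impact to revenue": 30, "impact to profitability": 40, "impact to public image": 30}
SCORES = {
    "customer database": {"impact to revenue": 0.8, "impact to profitability": 0.9, "impact to public image": 0.5},
    "public web site": {"impact to revenue": 0.3, "impact to profitability": 0.2, "impact to public image": 1.0},
}
VULNS = {
    "customer database": [
        Vulnerability("unpatched DBMS", likelihood=0.5, controlled=0.5, uncertainty=0.2),
        Vulnerability("weak admin password", likelihood=0.1, controlled=0.0, uncertainty=0.2),
    ],
    "public web site": [
        Vulnerability("no DDoS protection", likelihood=1.0, controlled=0.0, uncertainty=0.1),
    ],
}


def sample_ranking() -> list[tuple[str, str, float]]:
    """Run the whole procedure (value the assets, then rate and rank) on the sample data."""
    values = {asset: asset_value(scores, WEIGHTS) for asset, scores in SCORES.items()}
    return rank_risks(values, VULNS)


if __name__ == "__main__":
    for asset, vuln, rating in sample_ranking():
        print(f"{rating:6.2f}  {asset:<18} {vuln}")
```

Run as a script it prints the ranked list; in the constructed data the web site's unprotected-DDoS exposure (value 47, likelihood 1.0) outranks the database's unpatched DBMS even though the database is the more valuable asset, because half of that risk is already controlled. The `controlled` term is where residual risk (slide 38) enters: raising it for a given vulnerability models applying a control, and the drop in rating is the control's effect. Out-of-range scores, weights, and probabilities are rejected rather than silently clamped, since a typo in a worksheet cell otherwise reorders the whole list.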

Explanation & Answer


Cash flow

Every business requires a summary report of how its funds have been used and of its current financial position. To describe this position, three financial statements are used. The balance sheet shows the net worth, assets, and liabilities. The income statement, also known as the profit and loss account, shows the net income over a period of time, and the cash flow statement shows the inflow and outflow of cash in a company. A cash flow statement is simply a form of financial statement that shows how the balance sheet changes and how income and equivalents affect cash, and it breaks the cash analysis down into three parts: operating, which is cash used in the daily running of the business activities like buying and selling of products; investing, which is the gains ...

