Business Continuity and Disaster Recovery for InfoSec Managers

Computer Security and Computer Forensic Related Book Titles:

Rittinghouse & Hancock, Cybersecurity Operations Handbook, ISBN 1-55558-306-7, 1336pp, 2003.
Rittinghouse & Ransome, Instant Messaging Security, ISBN 1-55558-338-5, 432pp, 2005.
Rittinghouse, Wireless Operational Security, ISBN 1-55558-317-2, 496pp, 2004.
Ransome & Rittinghouse, VoIP Security, ISBN 1-55558-332-6, 450pp, 2005.
De Clercq, Windows Server 2003 Security Infrastructures: Core Security Features, ISBN 1-55558-283-4, 752pp, 2004.
Erbschloe, Implementing Homeland Security for Enterprise IT, ISBN 1-55558-312-1, 320pp, 2003.
Erbschloe, Physical Security for IT, ISBN 1-55558-327-X, 320pp, 2005.
Speed & Ellis, Internet Security, ISBN 1-55558-298-2, 398pp, 2003.
XYPRO, HP NonStop Server Security, ISBN 1-55558-314-8, 618pp, 2003.
Casey, Handbook of Computer Crime Investigation, ISBN 0-12-163103-6, 448pp, 2002.
Kovacich, The Information Systems Security Officer's Guide, ISBN 0-7506-7656-6, 361pp, 2003.
Boyce & Jennings, Information Assurance, ISBN 0-7506-7327-3, 261pp, 2002.
Stefanek, Information Security Best Practices: 205 Basic Rules, ISBN 0-878707-96-5, 194pp, 2002.

For more information or to order these and other Digital Press titles, please visit our website at www.books.elsevier.com/digitalpress!

At www.books.elsevier.com/digitalpress you can:
• Join the Digital Press Email Service and have news about our books delivered right to your desktop
• Read the latest news on titles
• Sample chapters on featured titles for free
• Question our expert authors and editors
• Download free software to accompany select texts

Business Continuity and Disaster Recovery for InfoSec Managers
John W. Rittinghouse, Ph.D., CISM
James F. Ransome, Ph.D., CISM, CISSP

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Elsevier Digital Press
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
Linacre House, Jordan Hill, Oxford OX2 8DP, UK

Copyright © 2005, John W. Rittinghouse and James F. Ransome. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: [email protected]. You may also complete your request on-line via the Elsevier homepage (http://elsevier.com), by selecting "Customer Support" and then "Obtaining Permissions."

Recognizing the importance of preserving what has been written, Elsevier prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Application Submitted.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN-13: 978-1-55558-339-2
ISBN-10: 1-55558-339-3

For information on all Elsevier Digital Press publications visit our Web site at www.books.elsevier.com

05 06 07 08 09 10   10 9 8 7 6 5 4 3 2 1

Contents

Foreword
    Foreword by Mr. Paul Kurtz

Introduction
    Introduction: Business Security 101
    The State of the BCP and Network Disaster Recovery Industry: Where Are We and Why?
    Threats to Personal Privacy
    Fraud and Theft
    Internet Fraud
    Employee Sabotage
    Infrastructure Attacks
    Malicious Hackers
    Malicious Coders
    Industrial Espionage
    Social Engineering
    Educate Staff and Security Personnel
    Crafting Corporate Social Engineering Policy
    Privacy Standards and Regulations
    NAIC Model Act
    Gramm-Leach-Bliley Act (GLBA)
    HIPAA
    Managing Access
    Physical Access
    Access Control
    Purpose of Access Control
    Access Control Entities
    Fundamental Concepts of Access Control
    Establishment of a Security Policy
    Accountability
    Assurance
    Access Control Criteria
    Access Control Models
    Mandatory Access Control Model
    Data Categorization
    Discretionary Access Control Model
    Nondiscretionary Access Control Model
    Uses of Access Control
    Access Control Administration Models
    Techniques Used to Bypass Access Controls
    Password Management
    SmartCards
    Biometric Systems
    Characteristics of Good Passwords
    Password Cracking
    Windows NT L0phtCrack (LC5)
    Password Cracking for Self-Defense
    John the Ripper
    Password Attack Countermeasures
    Security Management Practices
    Chapter Summary
    Endnotes

Acknowledgments

1 Contingency and Continuity Planning
    1.1 Business Continuity Planning
        1.1.1 Building the Business Continuity Plan
        1.1.2 Types of Contingency Plans
        1.1.3 Preparing Plans
        1.1.4 BCP Planning and the Systems Development Life Cycle (SDLC)
    1.2 BCP Standards and Guidelines
        1.2.1 Industry-Specific Standards and Regulations
        1.2.2 Finance Sector Requirements
        1.2.3 Health Sector Requirements
        1.2.4 Telecommunications Sector Requirements
    1.3 BCP Project Organization
        1.3.1 Scope of Responsibilities
        1.3.2 Team Composition
        1.3.3 Project Kick-off Meeting
        1.3.4 Establish Project Objectives and Deliverables
        1.3.5 Set Milestones
        1.3.6 Establish Reporting Requirements
        1.3.7 Establish Documentation Requirements
    1.4 Chapter Summary
    1.5 Endnotes

2 Assessing Risk
    2.1 Determining Threats
        2.1.1 Risk Certification
        2.1.2 Accreditation
    2.2 Risk Management
    2.3 The Risk Manager
    2.4 Risk Assessment
        2.4.1 Basic Elements of the Risk Assessment Process
        2.4.2 Risk Assessment Models
    2.5 Emergency Incident Assessment
        2.5.1 Environmental Disasters
        2.5.2 Organized or Deliberate Destruction
        2.5.3 Loss of Utilities or Service
        2.5.4 Equipment or System Failure
        2.5.5 Information Security Incidents
        2.5.6 Other Emergency Situations
        2.5.7 Nonemergency Factors
    2.6 Business Risk Assessment
        2.6.1 Asset Characterization
        2.6.2 Risk Benefit (Likelihood) Analysis Statement
        2.6.3 Risk Level Matrix
        2.6.4 Risk Assessment Report
    2.7 Business Impact Analysis (BIA)
        2.7.1 Identification of Key Business Processes
        2.7.2 Establishing Requirements for Business Recovery
        2.7.3 BIA Questionnaire Development
        2.7.4 BIA Report Format
        2.7.5 Fine-Tuning Priorities
        2.7.6 Determining Resource Dependencies
        2.7.7 Organizing and Tabulating the Results
        2.7.8 Determining Impact on Operations
        2.7.9 Prioritization and Classification of Business Functions
        2.7.10 Establish Time Frames for Service Interruption Measurement
        2.7.11 Determine Financial and Operational Impact
    2.8 Information Security, IT and Communications
        2.8.1 The OCTAVE Methodology
        2.8.2 Specify IT/Communications Systems and Dependencies
        2.8.3 Identify Key IT, Communications, and Data Systems
        2.8.4 Key IT Personnel and Emergency Contact Information
        2.8.5 Key IT Suppliers and Maintenance Engineers
        2.8.6 Review Existing IT Recovery Procedures
    2.9 Chapter Summary
    2.10 Endnotes

3 Mitigation Strategies
    3.1 Preventative Measures for Information Security Managers
        3.1.1 VPNs and Remote Access
        3.1.2 Firewalls
        3.1.3 Encryption
        3.1.4 Intrusion Detection and Prevention Systems
        3.1.5 Antivirus, Anti-Spyware, and Anti-Spam Software
        3.1.6 Theft Prevention for Proprietary/Intellectual Property
    3.2 Information Security Preventative Controls
        3.2.1 Restarting or Recovering Your System
        3.2.2 Backing up Data on Portable Computers
        3.2.3 Managing Backup and Recovery Procedures
        3.2.4 Offsite Storage of Backup Media and System Documentation
        3.2.5 Archiving Information
        3.2.6 Archiving Electronic Files
        3.2.7 Recovery and Restoring of Data Files
    3.3 Other Preventative Controls
    3.4 Summary of Existing Emergency Procedures
    3.5 Key Personnel for Handling Emergency Procedures
        3.5.1 Functional Organization Chart
        3.5.2 Appointment Letters for Key Personnel
        3.5.3 Key Personnel and Emergency Contact Information
        3.5.4 Key Suppliers and Vendors, and Emergency Contact Information
        3.5.5 Manpower Recovery Strategies
        3.5.6 Establishing the Disaster Recovery Team
        3.5.7 Business Recovery Team Mobilization Instructions
        3.5.8 Constituting a Recovery Team
    3.6 External Emergency Services
    3.7 Premises Issues
    3.8 Chapter Summary
    3.9 Endnotes

4 Preparing for a Possible Emergency
    4.1 Backup and Recovery Procedures
        4.1.1 Alternate Business Process Handling
    4.2 IT Systems Recovery
        4.2.1 High Availability/Fault Tolerance
        4.2.2 Backup and Recovery Processes
        4.2.3 Storage Solutions
        4.2.4 Network Solutions
        4.2.5 Desktop Computers
        4.2.6 Software and Licenses
        4.2.7 LAN
        4.2.8 Servers
        4.2.9 Web Sites
        4.2.10 Premises and Essential Equipment Backup and Recovery
        4.2.11 Customer Service Backup and Recovery
        4.2.12 Administration and Operations Backup and Recovery
        4.2.13 Key Business Information and Documentation Backup and Recovery
        4.2.14 Insurance Coverages and Claims Process
    4.3 Key BCP Personnel and Supplies
    4.4 Key Documents and Procedures
    4.5 Chapter Summary
    4.6 Endnotes