
T7183

IT Risk Management and Disaster Recovery
(3 Credits)

Benfano Soewito
benfano@gmail.com
0858-8374-7492


Graduate Program in Information Technology
Binus University

Books
Whitman, M.E., Mattord, H.J. (2007). Principles of Incident Response and Disaster Recovery.
Jones, A., Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network and Information Assets. Elsevier Butterworth-Heinemann.
BFS - Binus March 2011 2
Objectives
Define and explain information security
Define and explain the basic concepts of risk
management
Identify and define the components of contingency
planning
Know and understand the role of information security
policy in the development of contingency plans

Introduction
The 9/11 disaster required many companies to put
their disaster recovery plans into action
In February 1993, a car bomb exploded beneath
one of the WTC towers.
Information Week report (2004):
Almost 80% of businesses affected by a major
incident either never reopen or close within 18
months
Introduction (continued)
Companies must create, implement, and test effective
plans to deal with incidents and disasters
Information security: an umbrella term for many
programs and activities that assure availability of
information in organizations
Information security: Confidentiality, Integrity, Availability
An overview of the entire field, understanding of the
major components, and overall strategic plan.
Risk management process to guide managerial and
technical controls.

Information Security
Information security:
Defined by Committee on National Security Systems
(CNSS) as the protection of information and its
critical elements, including systems and hardware
Based on the C.I.A. triangle concept
C.I.A. triangle concept: based on three critical
characteristics of information that give it value:
Confidentiality
Integrity
Availability
Information Security (continued)
Confidentiality:
When disclosure or exposure to unauthorized
individuals or systems is prevented
Ensures that only those with rights and privileges to
access the information are able to do so
Breaches of confidentiality may threaten the
integrity of the information
Integrity:
Prevention of corruption, damage, destruction, or
other disruption of information
Information Security (continued)
Availability:
Enables authorized users or systems to access
information without interference or obstruction, in the
required format
Information Security (InfoSec):
The protection of the confidentiality, integrity, and
availability of information in storage, during
processing, or in transmission
Key Information Security Concepts
Threat: a category of objects, persons, or other
entities that pose a potential risk of loss to an asset
Asset: an organizational resource that is being
protected
Logical asset: Web site, information, or data
Physical asset: person, computer system, other
tangible object
Attack: an intentional or unintentional attempt to
cause damage or otherwise compromise
information
Key Information Security Concepts
(continued)
Vulnerability: a weakness or fault in the protection
mechanisms for information assets
Well-known vulnerabilities: vulnerabilities that
have been examined, documented, and published
Exploit:
Illegal use of a system or information asset
A targeted solution to misuse a specific hole or
vulnerability
Key Information Security Concepts
(continued)
Control, safeguard, or countermeasure: security
mechanisms, policies, or procedures to successfully
counter attacks, reduce risk, resolve vulnerabilities,
and improve security

Key Information Security Concepts
(continued)
Threat Categories
Acts of human error or failure:
Acts performed without intent or malicious purpose by
authorized users
Compromises to intellectual property (IP):
Breaches in the controls placed around IP such as
copyrights, trade secrets, trademarks, patents
Most common IP breach: software piracy
Deliberate acts of trespass: unauthorized individual
gains access to information being protected
Hacker: uses software to gain access to information
illegally
Threat Categories (continued)
Deliberate acts of information extortion:
Demanding compensation for the return or
nondisclosure of information obtained by attacker or
trusted insider
Deliberate acts of sabotage or vandalism:
Attempts to destroy an asset or damage the image of
an organization
Cyberterrorist: hacks systems to conduct terrorist
activities through network or Internet pathways
Deliberate acts of theft:
Illegal taking of another's property
Threat Categories (continued)
Deliberate Software Attacks:
Malware:
Malicious code or malicious software components
designed to damage, destroy, or deny service to the
target system
Includes viruses, worms, Trojan horses, logic bombs,
backdoors, denial of service (DoS), and distributed
denial of service (DDoS) attacks
Threat Categories (continued)
Viruses:
Segments of code that perform malicious actions
Attached to existing programs
Macro virus: embedded in automatically executing
macrocode; common in word processing documents,
spreadsheets, database applications
Boot virus: infects key operating system files
Worms:
Malicious programs that replicate themselves without
requiring another program
Can replicate through email, Web servers, network
shares
Threat Categories (continued)
Backdoors and Trapdoors:
A payload carried by a virus or worm that installs on a
system allowing penetration and control of the system
remotely
Examples: Subseven, Back Orifice
Polymorphism:
Virus or worm that evolves, changing its size and
appearance over time

Threat Categories (continued)
Propagation Vectors:
Ways that malicious code is spread from one system to
another
Trojan: a common propagation method in which the
infected program appears to be a desirable program
Social engineering: getting the user to perform an
action that enables the attack or infection
Virus and Worm Hoaxes:
Require as much time and effort to combat as real
virus and worm threats
Threat Categories (continued)
Forces of Nature (force majeure):
Unexpected and often unpredictable
Includes fire, flood, earthquake, lightning,
hurricanes, volcanic eruption, insect infestation
Often affect personnel as well as equipment
Deviations in Quality of Service, by Service
Providers:
Products or services not delivered (electricity, water,
network bandwidth, etc.)
Threat Categories (continued)
Technical Hardware Failures or Errors:
Defects that cause a system to perform outside of
expected parameters
Causes unreliable service or lack of availability
Errors can be intermittent or terminal
Technical Software Failures or Errors:
Includes bugs and untested failure conditions
May include intentional shortcuts left by
programmers for benign or malicious reasons
Technical Obsolescence:
Antiquated or outdated infrastructure leads to
unreliable and untrustworthy systems
Overview of Risk Management
Risk Management:
Formal process of identifying and controlling risks to
an organization's information assets
Risk Identification:
Process of examining and documenting the security
posture of an organization's information technology
Risk Control:
Process of applying controls to reduce the risks to
data and information systems
Overview of Risk Management
(continued)
Overview of Risk Management
(continued)
Risk management:
Process of identifying vulnerabilities and taking
carefully reasoned steps to ensure the confidentiality,
integrity, and availability of the information system

If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every battle.
- Chinese General Sun Tzu
Know Yourself
Know Yourself:
Identify, examine, and understand the information
and systems currently in place
Assets = information and systems that use, store,
and transmit information
What are they?
How do they add value to the organization?
To which vulnerabilities are they susceptible?
Have periodic review, revision, and maintenance of
control mechanisms

Know the Enemy
Know the Enemy:
Identify, examine, and understand the threats facing
the organization
Conduct periodic management reviews to create an
asset inventory
Identify current controls and mitigation strategies,
including cost effectiveness and deployment issues

Risk Identification
Identify, classify, and prioritize information assets
Goal: protect assets from threats
Identify threats
Identify vulnerabilities of each asset
Identify controls that will limit possible losses in the
event of attack
Risk Identification (continued)
Risk Identification (continued)
Asset Identification and Valuation:
Identify each asset and assess its value
Include people, procedures, data and information,
software, hardware, and networking elements
Classify and categorize the assets
Information Asset Classification:
Classify the sensitivity and security priority of the data
and devices that store, transmit, or process the data
Classify the personnel security clearance structure:
who is authorized to view what data
Categories must be comprehensive and mutually
exclusive
Risk Identification (continued)
Information Asset Valuation:
Determine the criteria for valuation of assets or
impact evaluation
Which asset is most critical to the success of the
organization?
Which asset generates the most revenue? Most
profitability?
Which asset is most expensive to replace? To protect?
If revealed, which asset would be most embarrassing
or cause greatest liability?
Risk Identification (continued)
Calculate the relative importance of each asset
using weighted factor analysis
Weighted factor analysis:
Assign each asset a score from 0.1 to 1.0 for each
critical factor
Assign each critical factor a weight from 1 to 100
Risk Identification (continued)
Risk Identification (continued)
Data Classification and Management:
Public: information for general public dissemination
For official use: information that is not particularly
sensitive but is not for public release
Sensitive: information important to the business that
could cause embarrassment or loss of market share if
revealed
Classified: information that requires utmost security;
disclosure could severely impact the organization
Personnel security clearances for information should
be on a need-to-know basis
Risk Identification (continued)
Threat Identification:
Conduct a threat assessment
Which threats present a danger to the assets in the
given environment?
Which threats represent the most danger?
What is the cost to recover from a successful attack?
Which threats require the greatest expenditure to
prevent?
Risk Identification (continued)
Vulnerability Identification:
Examine each threat and list the assets and their
vulnerabilities
A threat may yield multiple vulnerabilities
Diverse members of the organization should
participate in this activity

Risk Assessment
Risk assessment:
Process of assigning a risk rating or score to each
information asset
Goal is to determine the relative risk of each
vulnerability using various factors
Likelihood:
Probability that a specific vulnerability will be
successfully attacked
Many asset/vulnerability combinations have external
references for likelihood values

Risk Assessment (continued)
Risk Assessment (continued)
Valuation of Information Assets:
Assign weighted scores to each asset's value to the
organization
Which threats present a danger to the organization's
assets in the given environment?
Which threats represent the most danger?
What is the cost to recover from a successful attack?
Which threats require the greatest expenditure to
prevent?
Which of the above questions is most important?
Risk Assessment (continued)
Risk Determination:
Risk = [likelihood of vulnerability x value] x [1 - % risk already controlled + uncertainty]

For example: information asset A has a value score of 50 and one vulnerability with a likelihood of 1.0, no current control, and an estimate that the assumptions and data are 90% accurate.
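Worked example added here (not from the slides or the textbook) that ties the weighted factor analysis from the Risk Identification slides to the risk formula above: each asset's value is the weighted sum of its factor scores, that value is fed into Risk = [likelihood x value] x [1 - % controlled + uncertainty] for every vulnerability, and the results are ranked. The factor names, weights, assets and vulnerabilities are constructed; risk_score reproduces the slide's own case (value 50, likelihood 1.0, no control, data 90% accurate).

```python
from dataclasses import dataclass, field

# Weighted factor analysis: each critical factor carries a weight from 1 to 100
# and each asset is scored from 0.1 to 1.0 against every factor.
# Factor names and weights are constructed for this example.
FACTOR_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}


@dataclass
class Vulnerability:
    name: str
    likelihood: float      # probability of a successful attack, 0.0-1.0
    pct_controlled: float  # fraction of the risk already mitigated, 0.0-1.0
    uncertainty: float     # 1 - confidence in assumptions and data, 0.0-1.0


@dataclass
class Asset:
    name: str
    factor_scores: dict    # factor name -> score in [0.1, 1.0]
    vulnerabilities: list = field(default_factory=list)


def weighted_score(asset, weights=FACTOR_WEIGHTS):
    """Relative importance of an asset: sum over factors of weight * score."""
    total = 0.0
    for factor, weight in weights.items():
        score = asset.factor_scores[factor]
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{asset.name}: score for {factor} must lie in [0.1, 1.0]")
        total += weight * score
    return total


def risk_score(value, likelihood, pct_controlled, uncertainty):
    """Risk = [likelihood x value] x [1 - % risk already controlled + uncertainty]."""
    for p in (likelihood, pct_controlled, uncertainty):
        if not 0.0 <= p <= 1.0:
            raise ValueError("likelihood, pct_controlled and uncertainty must lie in [0, 1]")
    return (likelihood * value) * (1.0 - pct_controlled + uncertainty)


def rank_risks(assets):
    """Return (asset, vulnerability, risk) rows, highest residual risk first."""
    rows = []
    for asset in assets:
        value = weighted_score(asset)
        for v in asset.vulnerabilities:
            risk = risk_score(value, v.likelihood, v.pct_controlled, v.uncertainty)
            rows.append((asset.name, v.name, risk))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register: two assets, each with one vulnerability.
SAMPLE_ASSETS = [
    Asset("Customer order database",
          {"impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.5},
          [Vulnerability("unpatched database server software", 0.5, 0.5, 0.2)]),
    Asset("Public web site",
          {"impact_on_revenue": 0.4, "impact_on_profitability": 0.3, "impact_on_public_image": 1.0},
          [Vulnerability("single power feed, no UPS", 0.2, 0.0, 0.1)]),
]

if __name__ == "__main__":
    # The slide's case: value 50, likelihood 1.0, no control, 90% accuracy
    # (uncertainty 0.10) -> about 55.
    print(f"slide example: {risk_score(50, 1.0, 0.0, 0.10):.1f}")
    for asset, vuln, risk in rank_risks(SAMPLE_ASSETS):
        print(f"{risk:7.2f}  {asset} / {vuln}")
```

The output is a ranked list, which is what the risk control strategies later in the deck are chosen against; an uncertainty term above zero always raises the score, so a poorly documented asset inventory inflates every risk figure.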

Risk Assessment (continued)
Identify Possible Controls:
Create a list of control ideas
Residual risk: risk that remains after a control has
been applied
Three general categories of controls:
Policies
Programs
Technologies
Risk Assessment (continued)
Policies:
Documents that specify an approach to security
3 types of policies:
Enterprise information security policy
Issue-specific policies
Systems-specific policies
Programs: activities performed within the
organization to improve security
Security technologies: implementations of policies
using technology-based mechanisms
Risk Control Strategies
Four basic strategies:
Avoidance: Apply safeguards that eliminate or
reduce the remaining uncontrolled risks
Transference: Transfer the risk to other areas or to
outside entities
Mitigation: Reduce the impact should the
vulnerability be exploited
Acceptance: Understand the consequences and
accept the risk without controls or mitigation

Risk Control Strategies (continued)
Avoidance:
Attempts to prevent the exploitation of the
vulnerability
Preferred approach
Methods of avoidance:
Application of policy
Training and education
Application of technology
Risk Control Strategies (continued)
Transference:
Attempts to shift the risk to other assets, processes,
or organizations
Methods of transference:
Rethink how services are offered
Revise deployment models
Outsource to other organizations
Purchase insurance
Implement service contracts with providers

Risk Control Strategies (continued)
Mitigation:
Attempts to reduce the impact caused by exploitation
of a vulnerability through planning and preparation
Methods of mitigation:
Contingency planning, which includes:
Business impact analysis
Incident response plan
Disaster recovery plan
Business continuity plan
Requires:
Early detection that an attack is in progress
Ability to respond quickly, efficiently, and effectively
Risk Control Strategies (continued)
Acceptance:
The choice to do nothing to protect a vulnerability and
to accept the outcome of its exploitation
Only valid when the organization has:
Determined the level of a risk
Assessed the probability of attack
Estimated the potential damage that could occur
Performed a thorough cost-benefit analysis
Evaluated controls
Decided that the asset did not justify the cost of
protection
Contingency Planning and its Components
Contingency plan:
Is prepared to anticipate, react to, and recover from
events that threaten assets
Focuses on steps required to restore normal
operations
Four subordinate functions in a contingency plan:
Business impact assessment
Incident response planning
Disaster recovery planning
Business continuity planning

Contingency Planning Timeline (continued)
Contingency Planning and its Components (continued)
Business Impact Analysis (BIA):
Investigation and assessment of the impact of attacks
Adds detail to the prioritized list of threats and
vulnerabilities created in the risk management
process
Provides detailed scenarios of potential impact of
each type of attack
Contingency Planning and its Components (continued)
Incident Response Plan (IRP):
Deals with the identification, classification, response,
and recovery from an incident
Details the specific steps to be taken when
responding to a specific type of attack
Incident: any clearly identified attack on assets
Absence of an IR plan can lead to:
Extensive damage to data, systems, and networks
Additional damage due to uneducated staff
Negative exposure in the news media
Possible legal liability
Contingency Planning and its Components (continued)
Disaster Recovery Plan (DRP):
Deals with preparation for and recovery from a natural
or man-made disaster
Can include strategies to limit losses before and during
the disaster
Includes:
Preparations for the recovery process
Strategies to limit losses during the disaster
Detailed steps to follow when immediate danger has
passed
DRP focuses on preparation actions after the
incident; IRP focuses on actions during the incident
Contingency Planning and its Components (continued)
Business Continuity Plan (BCP):
Expresses how to ensure that critical business
functions continue at an alternate location after a
catastrophic incident or disaster
Used when the DRP cannot restore operations at the
primary site
Is the most strategic and long-term plan
Business Resumption Plan (BRP):
Emerging new concept in contingency planning
Merges the DRP and BCP into a single process


Contingency Planning Timeline
Steps in Contingency Planning:
IRP focuses on immediate response; if attack is
disastrous, the process moves to the DRP and BCP
DRP focuses on restoration at the original site
BCP runs concurrently with DRP when damage is
major or long-term, or requires an alternate site
Can distinguish the IRP, DRP, and BCP by
examining when each comes into play during the life
of an incident

Contingency Planning Timeline (continued)
Contingency Planning Timeline (continued)
Contingency Planning Timeline (continued)
7 steps in NIST-sanctioned contingency planning:
1. Develop the contingency planning policy statement
2. Conduct the business impact analysis (BIA)
3. Identify preventative measures and controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training, and exercises
7. Plan maintenance
Contingency Planning Timeline (continued)
Information Security Policy in Developing Contingency Plans
Policy is needed to enforce requirements for
protection of information before, during, and after an
incident
Information security is primarily a management
problem, not a technical one
Shaping policy is difficult because:
It must never conflict with laws
It must be properly administered
Key Policy Definitions
Policy:
A plan or course of action used to convey instructions
from senior management to those who make
decisions, take actions, and perform duties
An organizational law that dictates acceptable and
unacceptable behavior, and defines penalties for
violations
Standard:
Detailed statement of what must be done to comply
with policy
De facto standard: informal standard
De jure standard: formal standard
Key Policy Definitions (continued)
Key Policy Definitions (continued)
Mission: written statement of an organization's
purpose
Vision: written statement about the organization's goals
Strategic planning: process of moving the
organization toward its vision
Information security policy: provides rules for the
protection of information assets
3 types of security policy:
Enterprise information security policy
Issue-specific security policies
Systems-specific security policies
Enterprise Information Security Policy
Enterprise Information Security Policy (EISP):
Also called general security policy, IT security policy,
or information security policy
An executive-level document that sets the strategic
direction, scope, and tone for all security efforts
Contains the requirements to be met
Assigns responsibilities for areas of security
Addresses legal compliance
Issue-Specific Security Policy
Issue-Specific Security Policy (ISSP):
Addresses specific areas of technology
3 common approaches to creating ISSPs:
Independent ISSP documents, each tailored to a
specific issue
Single comprehensive ISSP document covering all
issues
Modular ISSP document that unifies policy creation
and administration while maintaining each specific
issue's requirements
Issue-Specific Security Policy (continued)
Issue-Specific Security Policy (continued)
Statement of Policy: defines scope, who is
responsible for implementation, and the
technologies and issues being addressed
Authorized Access and Usage of Equipment:
defines who can use the technology and how it can
be used
Prohibited Usage of Equipment: defines what the
technology cannot be used for
Systems Management: defines what
responsibilities belong to management and to
users
Issue-Specific Security Policy (continued)
Violations of Policy: specifies penalties and how
to report suspected violations
Policy Review and Modification: procedures and
timetable for periodic review to keep it relevant
Limitations of Liability: indicates that the
company will not protect nor be liable for users'
unauthorized use of equipment
Systems-Specific Policy
Systems-Specific Security Policies (SysSPs):
Standards and procedures to be used when
configuring or maintaining systems
Two general groups:
Access control lists (ACLs): define rights and
privileges of a particular user to a particular system
Configuration rules: specific configuration codes
entered into security systems
Systems-Specific Policy (continued)
ACL Policies:
Are translated into sets of configurations to control
access to systems
Regulate who, what, when, and where access can
occur
Also called capability tables, user profiles, or user
policies
Rule Policies:
Specific to the operation of a system, such as
configuration for firewalls, intrusion detection
systems, and proxy servers
Policy Management
Policies are dynamic documents that change and
grow, and must be disseminated in the
organization
Security policies must contain:
Individual responsible for the policy
Schedule of reviews to ensure currency and
accuracy
Mechanism for revision recommendations to be
made (preferably anonymously)
Optionally, policy management software to manage
creation, revision, and dissemination of policy

Summary
Information security: protection of information and its
critical elements
C.I.A. triangle: confidentiality, integrity, availability
Threat: object or person that poses a potential for
loss to an asset
Asset: tangible or intangible object that has value to
the organization
Vulnerability: weakness or fault in protection
mechanisms
Risk management: process of identifying
vulnerabilities and taking steps to protect assets
Summary (continued)
Risk identification: process of identifying risks
Risk control: process of applying controls to reduce
risk
Contingency planning: includes avoidance,
transference, mitigation, and acceptance strategies
Business impact analysis: assesses the impact of
various types of attacks
Incident response plan: actions that should be taken
when an incident is in progress
Disaster recovery plan: preparation for and recovery
from a disaster
Summary (continued)
Business continuity plan: ensures that critical
business functions continue after a disaster
Policies: organizational laws that dictate acceptable
and unacceptable behavior
Enterprise information security policy: sets strategic
scope, direction, and tone for all security efforts
Issue-specific security policy: addresses specific
areas of technology
Systems-specific security policy: policy used when
configuring or maintaining systems
From week 1

Risk Management
Information asset classification
Information asset valuation
Data classification and management
Threat assessment/identification
Vulnerability identification
Risk control strategies
Avoidance, transference, mitigation, acceptance
Weighted factor analysis
Risk Assessment
