Monday, August 10, 2015

ISM unit 4 question bank answers 112-116

QUESTION NUMBER 112-116

112. Explain the concept of Business Continuity Planning with its different phases
The need for business continuity planning has grown rapidly in the 21st century, driven by both the regulatory compliance requirements and the stakeholders’ demands. Requirements for business continuity suggest that organizations review plans and test results of those which they deem critical to their operational process. The objective is to minimize the disruptions in business in order to maintain high trust and confidence in the organization. Management should proactively incorporate business continuity considerations into the overall design of its business model to mitigate the risk of service disruptions.
The business continuity plan (BCP) should identify actions that organizations should take to minimize the adverse effects of potential disasters. Specifically, the organization’s BCP should include a preventive program that supports a documented BCP strategy, a comprehensive BCP framework, a testing program, and an oversight program to ensure that the plan is reviewed and updated regularly. Most organizations implement a phased methodology to analyze potential areas of vulnerability, define viable strategies, and implement business continuity plans.

Phase 1 - Initiation:
In phase one, an organization sets forth the overall goal for the BCP effort: validating the scope of the plan and taking an inventory of the processes or business units needed for the project. It identifies key stakeholders in the process, including executive sponsors, the steering committee, and any other subject matter experts. This phase sets the parameters and trains the team in the project objectives and methodology.

Phase 2 - Business Impact Analysis and Risk Assessment:
The business impact analysis is the next step in creating a business continuity plan. This part of the process serves as the foundation of any viable recovery planning effort. It includes all the critical business functions and processes, along with their potential threats. Here risks are identified, prioritized, and managed; the various single points of failure (SPOF) for the business, including external dependencies, are identified; and the overall business impact of these risks and SPOFs is calculated. Recovery Time Objectives, Recovery Point Objectives and Recovery Communication Objectives are also identified for each critical business process. This phase is also used to identify regulatory requirements and best practices or standards that need to be followed, and the time and effort required to implement the BCP.

Phase 3 - Strategy Development:
Leveraging the information from the BIA and risk assessment, organizations determine which business functions are “core” or “mission-critical” and determine a strategy to manage the risks identified in the risk assessment process (address, mitigate, or accept). The critical time frames and impacts from the BIA are used to determine which contingency strategies are viable. The strategy alternatives must satisfy the BIA for both cost effectiveness and response times. The planners usually present three to four alternatives to management with the most cost effective alternative as the recommendation.

Phase 4 - Business Continuity Plan Development:
On the basis of phases I, II and III, the Business Continuity plan is created. Being the main deliverable of the project, the BC plan includes department level DR plans, external supplier response plans, and the like. The BC Plan is updated regularly. The primary components of the BCP include, but are not limited to:

Communication/Coordination Plan: Communication is the key in any crisis. The Communication and Coordination plan establishes the communication channels to be used during the execution of a BCP; determines a chain of command for coordination of the BC effort; defines authorized media contacts; and includes notification procedures for key suppliers, vendors and clients.

Emergency Response Plan: The Emergency Response Plan specifies responses to the emergency situations, which are defined as risks that pose a danger to life, property, or the environment. This includes Emergency Notification tools like Email, Phone, SMS, FAX or Pager.

Phase 5 - Business Continuity Plan Testing:
In a quest to know whether their BCP is viable and usable, planners conduct thorough functional testing of their mission-critical applications and personnel to verify that all business processes work as expected. Plan testing is a regulatory requirement as well. It defines the methodology used to test the BCP, deciding on “how often do we test?”, “how much do we test?”, and “how do we judge the success or failure of the test?”. Once the test methodology is decided upon, the business continuity plan is tested as an iterative task, at least twice annually.

Phase 6 - Plan Maintenance:
An outdated plan is as good as no plan. Most organizations strive to keep their Business Continuity Plans up to date with the latest and most efficient recovery processes. Elements regarding Recovery Time Objectives and Recovery Point Objectives are evaluated and included in the plan. Testing and managing of the recovery strategy is kept consistent with the latest changes to the enterprise. Education is ongoing to maintain awareness of responsibilities when an emergency strikes.



113. Explain the concept of Business Continuity Planning and Recovery Plan in industry.

Business Continuity Planning: Business Continuity Planning (BCP) is the creation and validation of a practical logistical plan for how an enterprise will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

Planning is an activity to be performed before the disaster occurs; otherwise it would be too late to plan an effective response. The resulting outage from such a disaster can have serious effects on the viability of a firm's operations, profitability, quality of service, and convenience. Business continuity covers the following areas:

Business Resumption Planning:
This is the operations piece of business continuity planning.

Disaster Recovery Planning:
This is the technological aspect of business continuity planning, the advance planning and preparation necessary to minimize losses and ensure continuity of critical business functions of the organization in the event of disaster.

Crisis Management:
This is the overall co-ordination of an organization’s response to a crisis in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation or ability to operate.

Objectives of Business Continuity Planning:
The primary objective of a business continuity plan is to minimize loss by minimizing the cost associated with disruptions and enable an organization to survive a disaster and to re-establish normal business operations. In order to survive, an organization must assure that critical operations can resume normal processing within a reasonable time frame.

Developing a Business Continuity Plan:
The methodology for developing a business continuity plan can be sub-divided into eight different phases: Pre-Planning Activities (Business continuity plan Initiation), Vulnerability Assessment and General Definition of Requirements, Business Impact Analysis, Detailed Definition of Requirements, Plan Development, Testing Program, Maintenance Program, Initial Plan Testing and Plan Implementation.

Types of Plans:
Various plans are as under:

Emergency Plan:
The emergency plan specifies the actions to be undertaken immediately when a disaster occurs. Management must identify those situations that require the plan to be invoked, e.g., major fire, major structural damage, and terrorist attack. The actions to be initiated can vary depending on the nature of the disaster that occurs.

Back-up Plan:
The backup plan specifies the type of backup to be kept, frequency with which backup is to be undertaken, procedures for making backup, location of backup resources, site where these resources can be assembled and operations restarted, personnel who are responsible for gathering backup resources and restarting operations, priorities to be assigned to recovering the various systems, and a time frame for recovery of each system.

Recovery Plan:
The backup plan is intended to restore operations quickly so that information system functions can continue to service an organization, whereas recovery plans set out procedures to restore full information system capabilities. The recovery plan should identify a recovery committee that will be responsible for working out the specifics of the recovery to be undertaken. The plan should specify the responsibilities of the committee and provide guidelines on priorities to be followed. The plan might also indicate which applications are to be recovered first.

Test Plan:
The final component of a disaster recovery plan is a test plan. The purpose of the test plan is to assure that the DR plan will work and to identify deficiencies in the emergency, backup, or recovery plans or in the preparedness of an organization and its personnel for facing a disaster. Periodically, test plans must be invoked.


114. Explain the various backup & recovery techniques for applications.

Types of Back-ups: Various types of back-ups are given as follows:

Full Backup:
A full backup captures all files on the disk or within the folder selected for backup. With a full backup system, every backup generation contains every file in the backup set. However, the amount of time and space such a backup takes, prevents it from being a realistic proposition for backing up a large amount of data.

Incremental Backup:
An incremental backup captures files that were created or changed since the last backup, regardless of backup type. This is the most economical method, as only the files that changed since the last backup are backed up. This saves a lot of backup time and space.

Differential Backup:
A differential backup stores files that have changed since the last full backup. Therefore, if a file is changed after the previous full backup, a differential backup takes less time to complete than a full backup. Compared with a full backup, a differential backup is obviously faster and more economical in using the backup space, as only the files that have changed since the last full backup are saved.

Mirror back-up:
A mirror backup is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password. A mirror backup is most frequently used to create an exact copy of the backup data.
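The incremental and differential definitions above, worked through on a small schedule to show the trade-off between copies written and the number of backup generations a restore depends on. This is an added example, not part of the original notes; the file names, the Sunday full backup and the nightly schedule are constructed assumptions.

```python
# Added example. Constructed sample data: files modified on each day after a
# Sunday full backup. File names and schedule are hypothetical.
CHANGES = {
    "Mon": {"ledger.db"},
    "Tue": {"ledger.db", "payroll.xls"},
    "Wed": {"contracts.doc"},
    "Thu": {"payroll.xls"},
}
ALL_FILES = {"ledger.db", "payroll.xls", "contracts.doc", "archive.zip"}
DAYS = list(CHANGES)


def last_changed(day):
    """True state as of `day`: {file: day last modified}, 'Full' if untouched."""
    state = {f: "Full" for f in ALL_FILES}
    for d in DAYS[: DAYS.index(day) + 1]:
        state.update({f: d for f in CHANGES[d]})
    return state


def captured(kind, day):
    """Files one nightly run copies, mapped to the version each copy holds."""
    now = last_changed(day)
    if kind == "incremental":   # changed since the last backup of any type
        names = CHANGES[day]
    else:                       # differential: changed since the last full backup
        names = {f for f, v in now.items() if v != "Full"}
    return {f: now[f] for f in names}


def restore_chain(kind, day):
    """Backup generations that must be readable to restore the state of `day`."""
    upto = DAYS[: DAYS.index(day) + 1]
    return ["Full"] + (upto if kind == "incremental" else [day])


def stale_after_restore(kind, day, unreadable=()):
    """Files restored at an older version when some generations are unreadable."""
    state = {f: "Full" for f in ALL_FILES}
    for gen in restore_chain(kind, day)[1:]:
        if gen not in unreadable:
            state.update(captured(kind, gen))
    truth = last_changed(day)
    return sorted(f for f in ALL_FILES if state[f] != truth[f])


def copies_written(kind):
    """Total file copies written across the week (a proxy for time and space)."""
    return sum(len(captured(kind, d)) for d in DAYS)
```

On this schedule the incremental runs write fewer copies, but a Thursday restore needs every nightly generation; one unreadable generation leaves a file at an older version, while the differential restore needs only the full backup and Thursday's run.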

Alternate Processing Facility Arrangements:
Security administrators should consider the following backup options:

Cold site:
If an organisation can tolerate some downtime, cold-site backup might be appropriate. A cold site has all the facilities needed to install a system: raised floors, air conditioning, power, communication lines, and so on.

Hot site:
If fast recovery is critical, an organisation might need hot site backup. All hardware and operations facilities will be available at the hot site. In some cases, software, data and supplies might also be stored there. A hot site is expensive to maintain.

Warm site:
A warm site provides an intermediate level of backup. It has all cold-site facilities in addition to the hardware that might be difficult to obtain or install. For example, a warm site might contain selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications in the short run.

Reciprocal agreement:
Two or more organisations might agree to provide backup facilities to each other in the event of one suffering a disaster. This backup option is relatively cheap, but each participant must maintain sufficient capacity to operate another’s critical system.


115. Write a short note on logical security audit.

The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work. In particular, the following areas are key points in auditing logical security:

Passwords:
Every company should have written policies regarding passwords and employees’ use of them. Passwords should not be shared and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log on/log off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA’s SecurID) displays a number which changes every minute. Users are authenticated by entering a personal identification number and the number on the token.

Termination Procedures:
Proper termination procedures are needed so that old employees can no longer access the network. This can be done by changing passwords and codes. Also, all ID cards and badges that are in circulation should be documented and accounted for.

Special User Accounts:
Special User Accounts and other privileged accounts should be monitored and have proper controls in place.

Remote Access:
Remote access is often a point where intruders can enter a system. The logical security tools used for remote access should be very strict. Remote access should be logged.


116. Explain the system-level, application level and user audit trails.

System-Level Audit Trails
If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the log-on ID, date and time of each log-on attempt, date and time of each log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke). System-level logging also typically includes information that is not specifically security-related, such as system operations, cost-accounting charges, and network performance.

Application-Level Audit Trails
System-level audit trails may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager. In general, application-level audit trails monitor and log user activities, including data files opened and closed, specific actions, such as reading, editing, and deleting records or fields, and printing reports. Some applications may be sensitive enough from a data availability, confidentiality, and/or integrity perspective that a "before" and "after" picture of each modified record (or the data element(s) changed within a record) should be captured by the audit trail.

User Audit Trails
User audit trails can usually log:

- all commands directly initiated by the user;
- all identification and authentication attempts; and
- files and resources accessed.

It is most useful if options and parameters are also recorded from commands. It is much more useful to know that a user tried to delete a log file (e.g., to hide unauthorized actions) than to know the user merely issued the delete command, possibly for a personal data file.
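A review of user audit records that uses the recorded parameters to separate deletion of a log file from deletion of a personal file, as described above. This is an added example, not part of the original notes; the record format, the list of destructive commands and the log directory are constructed assumptions.

```python
import posixpath
import shlex

# Constructed user audit records (hypothetical format): timestamp, user, command line.
RECORDS = [
    "2015-08-10T09:14:02 alice rm /home/alice/notes.txt",
    "2015-08-10T09:20:41 bob rm -f /var/log/auth.log",
    "2015-08-10T09:21:05 bob shred -u /var/log/app/audit.log.1",
    "2015-08-10T09:30:00 carol truncate -s 0 '/var/log/my app/access.log'",
    "2015-08-10T09:31:10 carol ls -l /var/log",
    "2015-08-10T09:40:12 dave rm /tmp/../var/log/syslog",
]
DESTRUCTIVE = {"rm", "shred", "unlink", "truncate"}  # assumption: commands to review
LOG_ROOTS = ("/var/log",)                            # assumption: where logs are kept


def parse(record):
    """Split one record into timestamp, user, command name and its parameters."""
    ts, user, cmdline = record.split(" ", 2)
    argv = shlex.split(cmdline)  # honours quoting, so paths with spaces survive
    return {"ts": ts, "user": user, "cmd": posixpath.basename(argv[0]), "args": argv[1:]}


def command_only(records):
    """What a trail without parameters would show: user and command name only."""
    return [(e["user"], e["cmd"]) for e in map(parse, records)]


def under_log_root(path):
    """True if an absolute path, after resolving '..', lies inside a log directory."""
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r + "/") for r in LOG_ROOTS)


def flag_log_tampering(records):
    """Destructive commands whose recorded parameters point at log files."""
    hits = []
    for e in map(parse, records):
        if e["cmd"] in DESTRUCTIVE:
            hits += [(e["ts"], e["user"], e["cmd"], posixpath.normpath(a))
                     for a in e["args"] if a.startswith("/") and under_log_root(a)]
    return hits
```

Relative paths are not resolved here because the constructed records carry no working directory; a trail that records it would allow those to be checked as well.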
