A simulated disaster and comprehensive recovery test may involve many of an organization’s key personnel for several days: is this a reasonable burden to place on a busy, competitive company? How would you argue against the inevitable tendency to shortcut the procedure? 

350 -400 words .

Chapter 19: information security response

Security plans

Physical security

Logical security

Encryption

Proper disposal of assets

Policies and training to guide employees

What to protect
Information security protects three aspects of data systems – CIA
Confidentiality – only authorized access is permitted
Integrity – protect against unauthorized alteration
Availability – data systems and data are available
Ways to improve Availability: UPS, RAID, Clustering critical servers, install failover capability

Information security risks

Threats

Vulnerabilities

controls

threats

Malicious hackers

Bored students

Unhappy employees

Helpful employees

Thieves

Lazy engineers

Hardware failure

vulnerabilities

A Threat that exploits to attach your company

Gap in protection methods

Scan regularly for vulnerabilities

controls

Preventative actions taken to stop an attack

Warning sensors

Technical solutions

Administrative actions to reduce vulnerabilities

Physical security

Fence around company’s buildings

Locked doors

Locked door on data center

Technical security

User ID and passwords

Access control list (ACL)

Controls on routers and wireless access points

Change default passwords

Lock down equipment

Data security
Types of Data:
Personally identifiable information (PII)
Student records
Medical records
Credit card or check numbers

Data security – cont’d
Protect Data:
Encrypt all portable data
Incoming and outgoing data much be encrypted using a company-approved standard
Disable USB ports
All devices mush be physically destroyed
Company documents shredded
Implement a clean desk policy
Screen saver time-out and password protected

Social engineering
Phone call from someone claiming to be Help Desk asking for ID information
Official-looking person claiming to be repairman
Hacker who search online social media looking for IT people at certain company
Person walking behind an employee towards a security door
Caller pretending to be vendor
Person quietly watching over someone’s shoulder
Dumpster diver

Incident management
Details the initial action steps necessary to:
Stop the intrusion
Contain the damage
Gather evidence as to the source
Objectives
Actual impact

Plan contents

Confirm the incident is not a false positive

Activate the response team

Open the telephone bridge

Assess the situation

Incident management team checks rest of IT systems for potential break-ins

Incident after-action review

Conduct a review within a few days of incident

Format for review questions:

What happened?

What should have happened?

What went well?

What did not go well?

What will be done differently next time?

Testing the response plan

Test the plan with the team regularly

Testing updates to the procedures

Testing for new team members

Testing may help to determine false-positives

Preserving forensic evidence
Types of evidence to collect:
Photographs
Time difference on each device
Hash of every data set
System log files

Establishing policies

Typical policies include:

Incident response

Acceptable use

Acceptable use policy should address:

Social engineering

Password management

User ID

Data policy

Patching policy

Educating employees

Employees are the number-one security threat

Essential that all employees are trained

Users should understand the importance of proper data disposal

Ongoing user awareness program

Verify training through exams

summary

Information security is an important part of the BCP

Information security requires constant vigilance to prevent criminal activity

Incident response planning must be completed before it is needed

.MsftOfcThm_Accent1_Fill {
fill:#4472C4;
}
.MsftOfcThm_Accent1_Stroke {
stroke:#4472C4;
}