ISACA CISM – Domain 04 – Information Security Incident Management Part 11

April 18, 2023

62. Incident Management Response Teams

Now, when we look at the incident management response teams, there are responsibilities we have to assign, and they're grouped into teams. First we have the emergency action team. These are the first responders, the people responsible for the immediate actions such as evacuations; think of the fire brigade. From there we have the damage assessment team. They go in after the fact to do just what it sounds like: look at the damage, determine what is not recoverable and what can be repaired, and assess what equipment will be needed to bring things back up. Then the emergency management team takes care of all the other logistics of an emergency.

That may mean contacting the responsible parties, making sure that if medical attention is needed it's taken care of, coordinating search and rescue, those types of things. They're there to manage and to make decisions. We also need a team that handles relocation, and a security team, because, let's face it, when there's the kind of major destruction we're describing here, like hurricanes and earthquakes, we need people responsible for making sure folks aren't just walking away with our servers and hard drives, and for making sure information gets to the relocation site securely. Now, the incident management response team has to have certain information with them.

Number one, of course, is the notification requirements. Many times we talk about creating a call tree, where I call three people, they each call three people, and so on. That way I'm not stuck making 500 phone calls: I call three folks, they each call three, and eventually everybody is notified. We also need to know how to get supplies. I need to know who our suppliers, contractors and vendors are so I can contact them and get those things moving. The same goes for communication networks. What do we use if we've lost the landlines? Do we have cellular? Do we have satellite? And that's not just for voice communications but for network communications as well.
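As an added example (it is not part of the course material), here is a small simulation of the call tree just described. The contact list is constructed sample data. The escalation rule, that a caller who cannot reach one of their contacts makes that contact's calls, is a common practice assumption rather than something the lecture states; it is what keeps a whole branch of the tree from going silent when one person is unreachable, and the `escalate=False` path shows exactly who is missed without it.

```python
"""Call-tree notification fan-out, with escalation around unreachable contacts.

Added example, not from the CISM course material. CALL_TREE and the set of
unreachable people are constructed sample data.
"""
from collections import deque

# Constructed sample data: each person and the people they are responsible for calling.
CALL_TREE = {
    "incident_mgr": ["alice", "bob", "carol"],
    "alice": ["dan", "erin", "frank"],
    "bob": ["gina", "hank", "ivan"],
    "carol": ["judy", "kim", "leo"],
    "dan": ["mia", "nick"],
}


def notify(tree, root, unreachable=frozenset(), escalate=True):
    """Walk the call tree breadth-first from `root`.

    Returns (notified, skipped): the people reached, in calling order, and the
    people nobody could reach. Assumption (common practice, not from the
    lecture): with escalate=True, a caller who cannot reach a contact picks up
    that contact's calling list so the branch below them is not lost.
    """
    notified, skipped = [], []
    queue = deque([root])
    seen = {root}
    while queue:
        caller = queue.popleft()
        notified.append(caller)
        to_call = deque(tree.get(caller, []))
        while to_call:
            contact = to_call.popleft()
            if contact in seen:          # a person listed twice is called once
                continue
            seen.add(contact)
            if contact in unreachable:
                skipped.append(contact)
                if escalate:
                    # The caller makes this contact's calls as well.
                    to_call.extend(tree.get(contact, []))
            else:
                queue.append(contact)
    return notified, skipped


def missing(tree, root, unreachable=frozenset(), escalate=True):
    """People in the tree who never get a call at all: the gap a test should surface."""
    everyone = set(tree) | {c for contacts in tree.values() for c in contacts}
    notified, skipped = notify(tree, root, unreachable, escalate)
    return sorted(everyone - set(notified) - set(skipped))


def min_rounds(people, fanout):
    """Calling rounds needed to reach `people` when everyone calls `fanout` others
    and each round runs in parallel (the root counts as already notified)."""
    rounds, reached, frontier = 0, 1, 1
    while reached < people:
        frontier *= fanout
        reached += frontier
        rounds += 1
    return rounds


if __name__ == "__main__":
    down = {"alice"}
    reached, skipped = notify(CALL_TREE, "incident_mgr", down)
    print("notified:", reached)
    print("unreachable:", skipped)
    print("missed without escalation:", missing(CALL_TREE, "incident_mgr", down, escalate=False))
    print("rounds to notify 500 people with a fan-out of 3:", min_rounds(500, 3))
```

With alice unreachable and no escalation, dan, erin, frank, mia and nick are never called; with escalation the incident manager absorbs alice's list and everyone else is reached. The `min_rounds` figure (six rounds for 500 people at a fan-out of three) is the kind of timeline number a plan should state, since it is what the recovery time objective has to absorb.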

63. Network Service High-availability

We have a lot of options when it comes to network high availability. One thing we see often is redundant routers; the little circles with X's in my drawing are routers. We set them up so that they appear to be the same router. Cisco has a protocol called the Hot Standby Router Protocol (HSRP) that lets two routers impersonate what they call a virtual router, with its own virtual IP and MAC address. So over here, where I have all of these machines looking for their default gateway to get out to the network, they address their traffic to the virtual router. In reality, one of the two routers is the active member of the group and does the forwarding, and the other is the standby.

Now, the two routers exchange hello messages with each other, and if the active one fails, or this connection goes down, the standby stops hearing those hellos, takes over the virtual address and sends a gratuitous ARP so the switches and hosts on the segment reroute the traffic this way. That's how we get the redundancy, and it is one solution to high availability. All right, we can also use alternate routes. Alternate routing is about where I go after I've taken care of this local connection. So I'm going to leave that one as local before I clear all that information off. Now, as we talk about alternate routes, if I'm down here in this local area network, I have that redundancy for traffic, and I'm coming into the core of my network.
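To make the failover concrete, here is an added simulation of the active/standby election and takeover just described. It is not from the course and is not Cisco code. The election rule (higher priority wins, higher interface IP breaks a tie), the default priority of 100, the 3 second hello and 10 second hold timers and the HSRPv1 virtual MAC format follow the protocol; the state machine is deliberately simplified (no Learn, Listen or Speak states), and the router names and addresses are constructed.

```python
"""HSRP-style active/standby gateway failover, simulated one second at a time.

Added example, not from the course and not Cisco code. Router names and
addresses are constructed; the state machine is simplified.
"""
from dataclasses import dataclass

HELLO_SEC, HOLD_SEC = 3, 10   # HSRP defaults


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100       # HSRP default priority
    preempt: bool = False     # HSRP default: a better router does not displace a working active
    up: bool = True


def rank(r):
    """Election key: higher priority wins, higher interface IP breaks a tie."""
    return (r.priority, tuple(int(o) for o in r.ip.split(".")))


class HsrpGroup:
    def __init__(self, group, virtual_ip, routers):
        self.vip = virtual_ip
        self.vmac = f"0000.0c07.ac{group:02x}"   # HSRPv1 well-known virtual MAC
        self.routers = routers
        self.active = None
        self.last_hello = 0    # when the standby last heard a hello from the active router
        self.now = 0
        self.log = []          # (time, router, reason, announcement)

    def _become_active(self, router, reason):
        self.active = router
        self.last_hello = self.now
        # The new active router sends a gratuitous ARP for the virtual IP/MAC so
        # switches relearn which port the virtual MAC lives on; hosts keep their
        # existing ARP entry, which now points at a live router.
        self.log.append((self.now, router.name, reason,
                         f"gratuitous ARP: {self.vip} is-at {self.vmac}"))

    def tick(self):
        self.now += 1
        up = [r for r in self.routers if r.up]
        if self.active is not None and self.active.up and self.now % HELLO_SEC == 0:
            self.last_hello = self.now            # hello from the active router arrives
        if self.active is None:
            if up:
                self._become_active(max(up, key=rank), "initial election")
            return
        if self.now - self.last_hello >= HOLD_SEC:
            # Hold timer expired without a hello: the active router is considered dead.
            if up:
                self._become_active(max(up, key=rank), "hold timer expired")
            else:
                self.active = None
            return
        best = max(up, key=rank) if up else None
        if (best is not None and best is not self.active
                and best.preempt and rank(best) > rank(self.active)):
            self._become_active(best, "preempt")

    def run(self, seconds):
        for _ in range(seconds):
            self.tick()


def scenario(preempt):
    """R1 (priority 110) and R2 (default 100) share gateway 192.168.10.1.
    R1 fails at t=5 and returns at t=25. Returns (log, active router at the end)."""
    r1 = Router("R1", "192.168.10.2", priority=110, preempt=preempt)
    r2 = Router("R2", "192.168.10.3")
    group = HsrpGroup(1, "192.168.10.1", [r1, r2])
    group.run(5)
    r1.up = False
    group.run(20)
    r1.up = True
    group.run(15)
    return group.log, group.active.name


if __name__ == "__main__":
    for preempt in (True, False):
        log, active = scenario(preempt)
        print(f"preempt={preempt}: active at the end is {active}")
        for entry in log:
            print("  ", entry)
```

Two things worth noticing. First, the standby does not take over the instant R1 dies; it waits out the hold timer (here, until ten seconds after the last hello), so the hold timer is the floor on the outage the hosts will see. Second, without preemption R2 stays active even after the higher-priority R1 returns, which is usually what you want in production so that a flapping router does not drag the gateway back and forth. A security note a network engineer would add: the hellos carry the priority, so any device on that segment can announce a higher priority and win the election unless the group is configured with HSRP MD5 authentication (`standby <group> authentication md5 key-string ...` on Cisco IOS).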

We often describe the core as a series of devices that are redundantly connected; I'm drawing what we'd call multilayer switches. They have multiple ways out, so that as my traffic comes in, if any one link fails there's another path I can take. We see that in the service provider realm too. That gives us the idea of an alternate route. Now, if my connection to the Internet over here (I'll make the Internet a happy little cloud) goes down, we may have alternate paths through other providers to get out to the Internet. Having two upstream connections is sometimes called dual homing; when those connections follow physically separate paths, you'd call it diverse routing.

We may instead have to take a wide area network connection, maybe not as good, to another part of our facility that can get out to the Internet. Lots of clouds there. That would be my diverse routing. Related to it are long-haul network diversity and last-mile circuit protection, which we see a lot in phone traffic. So if I create a new diagram for us real quick: I have this beautiful office building, lots of floors and windows (it's not a big box, it's my office building, and don't worry, I'm not going to populate every single floor). At some point it's connected to the telco, the telephone company, which gets to be a cloud too. The last mile is the connection from the telco to my facility.

If that goes down, say somebody with a backhoe cuts it, I want circuit protection, a second physical path into the telco, so I can still get through. Circuits can also describe the path through the telephone company's network to whatever the other side is that you're trying to reach, and that's where long-haul diversity comes in. We see the same thing with voice recovery. I might choose instead to send my calls over my wide area network, since I'm using voice over IP to reach some of my other facilities, and if that connection goes down I may use the telco as my backup, or recovery plan, for high availability. All of these really come down to designing our networks to avoid a single point of failure, whichever of these means we use. That is the goal.

64. Storage High-availability

When it comes to storage, one of the things we talk about is RAID, the redundant array of independent disks (some people say inexpensive disks). One of the simplest versions, RAID 1, or mirroring, says that as I store something on this hard drive I put a copy on the other hard drive, but the two appear to me as a single drive. If either drive fails I still have access to my information. Again, we're avoiding a single point of failure. One caveat: a mirror is not a backup. Anything that corrupts or deletes the data, including ransomware, is mirrored faithfully to the second disk. Now, the same device running RAID may be out on the network in what we call a storage area network (SAN), reached through a set of Fibre Channel switches, or whatever the technology may be, for communications with our servers.

So if this is my server getting access to information on the SAN, and any one connection goes down, I can still find another path to the storage area network; that's multipathing, and it gets us back into the networking idea. Now we can move that idea up into the cloud. With cloud storage, the idea is that there's always a way to get to the storage across the Internet, again over multiple paths. Another option with storage comes from realizing that I have too many customers for any one server to handle the traffic. Let's say I need three web servers to handle the traffic from the customers coming in, and they synchronize the information about what's going on among themselves so there's always a copy.

But as people come in from the Internet into my network, each connection can only talk to one of those servers at a time. So we use a device called a network load balancer. The load balancer keeps track of how busy each server is and takes turns in some fashion, whether pure round robin, based on load, or based on processing capability. It balances the load. So where's the redundancy? Well, the load balancer runs health checks against the servers; if I lose one, it just stops sending traffic to it and balances between the remaining two, and the information is still available. Another option I have (I like drawing servers; I'm sure Visio would do a better job at it than me)...

...is, like the routers, to make two servers appear as one virtual server when it's really two servers running. They often share a common disk so they have the same data, but to everybody connecting from outside it looks like a single computer, so that, again, if one goes down the other can still handle all of the processing. We call that clustering. And finally, all of these require electricity. So many times we put some sort of battery (hopefully that looks like a battery) in front of these devices, which we call an uninterruptible power supply, or UPS. Depending on the size and capacity of the battery, it keeps the devices running until power is restored.

If it takes too long for power to be restored, the batteries eventually die. So often we have a UPS that keeps power going just long enough for a generator to start up and supply the backup power. Our goal is to have no interruption in power, because we know what a server is like: as soon as it loses power, it's gone. By the way, the main power is usually routed through the UPS on its way to these devices. So when the main power goes down, the UPS is still supplying power and the machines don't see a disruption, because even one disruption means the thing shuts down. The UPS carries the load until the generator comes online.

65. Risk Transference

Now, one way an organization can deal with risk is risk transference, meaning we move it to a third party. It's most often found in the form of insurance. Some of the typical types of coverage we might see are, of course, the obvious ones for equipment and facilities; media reconstruction, which covers what it would take to recover information that we'd have to recreate by hand should the media, the storage, be damaged or destroyed; extra expense, for the added costs we incur in the process of recovery; and business interruption.

I talked about that casino, or several of them in the Gulf area, that had business interruption insurance, because literally their casinos were washed out to sea and they were still able to pay their employees while they were rebuilding. Of course, valuable papers and records could be a very big issue for some organizations. As for me, with the consulting, errors and omissions is a big part of that as well. Should my advice go bad and cause the company to lose a lot of money, at least in the world of IT (not if I give you the lottery numbers or something like that), I am liable for that bad advice, and so I have to have coverage for that as well. There's fidelity coverage for your stuff, and some specific types for stocks and bonds, even for media protection.

66. Other Response Recovery Plan Options

Now, of course, every organization, even every department, is going to undergo change, and because of those changes we need to keep our business continuity and disaster recovery plans up to date. Changes such as new business features, new functions, new media, new storage or new services may change what is really critical to the way business is done. If the business objectives change, then the assets that are critical change. That leads us to a new business impact analysis, and it may lead us to say, wow, we have a lot of things to move or alter so that our recovery goal stays aligned with the business objectives.

We also want to document the response and recovery practices. That includes some other things we can get into the recovery plan, such as meetings with emergency management and federal, state and local officials. Talk to the government agencies and find out what their capabilities are and what they can provide in the way of emergency services and facilities, if any. We certainly see a lot of that these days; there has been a lot of discussion, since the many natural disasters that have hit around the world, including in the United States, about the response in terms of housing and even food supplies. Depending on the type of emergency, those may well be issues we want to address.

67. Lesson 10: Testing Response and Recovery Plans

We're going to take a look at testing the response and recovery plans. With any plan, of course, you should have a thorough test. It's conducted to make sure all the factors have been considered so we can actually achieve the goal, which for us is always a successful recovery. One purpose of testing is gap analysis. In other words, as I go through the recovery procedures, I may find that the responsibilities I have and the actions I'm supposed to follow are not complete; there are gaps between where I am and the next step, and it's questionable whether I'll make the right choices to leap over that gap. So a gap analysis is one thing we look at. Now, we also make assumptions about what's happening when we create the plan.

So we test those assumptions. We might assume, for example, that we're capable of transporting backup tapes from the offsite facility to the new site. But if we're testing for something like an earthquake or a hurricane, we may learn that that kind of retrieval isn't possible because of the weather or damage to the roads. That helps us understand that we might need remote journaling over network connectivity, or some other alternative to physical transportation. Next is timeline analysis: looking at the order in which the procedures run, how long they take, and the different parts or phases of the test.

How good are the strategies? That's what we find out when we do these different types of testing, and maybe people have better ideas as they go through the process; they realize, hey, if we changed a few steps it might be even better. Of course, it also confirms the personnel's response, making sure they understand their roles and responsibilities and what their actions are supposed to be. Overall, it's about verifying the accuracy of the plan. One problem, though, depending on the type of test, is that you might actually interrupt regular business. So we take care that while we're testing we don't interfere with business, or have as little impact on the organization as possible.

68. Periodic Testing

Of course we want periodic testing. We're not going to test it once, shelve it, and come back to it ten years from now. Whatever the structure of the test and whatever makes up the response and recovery plan, the information security manager needs to make certain the plan is always tested, up to the point of the actual disaster declaration. At a minimum you'll see plans tested every year, up to and including full interruption tests; we'll talk about those test options. Going through that periodic test is another great way to see whether things really need to be changed. Consider that you may have depended on certain personnel having roles and responsibilities...

...when the test or the plan was created, and those people are no longer with the company. That's an obvious signal that we need to make sure the right roles and responsibilities are assigned. Now, some of the goals of the testing are, first, to have test objectives: what are we trying to do by conducting the test, what's our goal, what are we examining? Then we execute and evaluate the test, and from that, if there are recommendations, we make them for improvement. But we're also responsible for following up to make sure those recommendations and updates were actually made to the plan.
