ISACA CISM – Domain 04 – Information Security Incident Management Part 12

69. Analyzing Test Results Part1

Now, as the Information Security Manager, you need to be certain that your technology and architecture are a part of the recovery plan that’s going to be tested. It’s important because in today’s world, the It infrastructure is a large part of most of the organizations. You might not have the most critical aspect of that company, but most often all communications of any sort are going to move through the It department to the It infrastructure, let alone data storage and things that people are going to use to make decisions with though. So hopefully I’ve made an argument that says we’re important enough in It that we have to be a part of these tests. Now what kind of tests do you take? Well, you could do the easy checklist where in reality you have the list and you literally say, check.

I understand this step. Yeah, check. I got this step. And you’re just going through making sure you understand what the test is saying. Some may do a structured walk through where I might literally say, go get fire extinguisher. I’m going to walk and make sure I know where the fire extinguisher is, maybe even while I’m there. Check. To make sure that it’s up to date and not expired. And I’ll just go through that almost like the checklist. But I’m going to get a little exercise through this process. The simulation simulations, we hear about people doing this all the time. Fire departments love to do this, right? Sometimes they simulate house fires by having a real fire. To me, that’s kind of like a full interruption test.

But I see them at airports with empty fuselages. They put on airplane fuel and they work and they practice at having those types of tests. Well, we can do the same thing as well. Parallel test. A parallel test may very well be running the test in a lab facility that looks like the real thing. And of course, my favorite, the one part, and I just got through telling you that when you’re doing the test, you want to try to have as little interruption in business as possible until I tell you about this one, the full interruption test. The full interruption test is just what it sounds like. You’re going to pull the switch and kill the power to everything and see if it works.

70. Analyzing Test Results Part2

Now, after the test is over, we want to analyze the results. I mean, there was a reason we ran the test, right? And some of the things we were looking for at the minimum usually is to say things like, all right, just how complete or precise was our plan? We want to verify that. Now, of course, that means that we’re going to be looking at every step, analyzing the outcomes, getting people’s feedback. From that feedback, we can also say, all right, well, now we have ideas where we can make improvements. But while we’re doing that, we also want to know how well do the people perform on the test? I mean, were they ready? If we were producing a movie, I could just simply say, did they know their lines? Well, that’s an important aspect, right? We want to make sure everybody understood what their duties were.

And this is a perfect time that if they’re not sure what they’re supposed to do, that they learn it next time it comes. Hopefully never real, but the next time they have to go through this process, they have a better idea of what the outcome should be. That means as we’re looking at their performance, of course, what I just said is we also looked at their awareness of the different levels of what their responsibilities are. We also want to make sure, hey, did your backups work adequately? I mean, were you able to actually restore them? Did you get what you expected out of them? Were the vital records able to be retrieved, those things that are even the highest of the priorities? And was the quality of that restoration from the backups something that you can use?

How easy was it, number one, to get it to the recovery site? And once there, how easy was it to restore? And once restored, how good was that restoration? This is the time that you want to try to do this during testing, so you don’t learn it though, the wrong way or the hard way in a real time type of disaster recovery that it’s not working. All right, now before you start the test, you should probably have some different plans about the test phases. Of course, we got the pretest. All right, so the pretest, what are we talking about? We’re talking about preparation for the test, getting things in order. I mean, we’re not going to do a pop quiz and just suddenly surprise everybody by turning out the lights and see if they panic or if they actually remember what they’re supposed to do.

We want to have that kind of coordination. And of course, we then have the test, different types of tests. Remember, we’ve already talked about the checklist, the structured walk through all the way up to a full interruption. We have the post test. Now, it is possible we can use a paper test where we are really just testing people’s knowledge about what they’re supposed to be doing. We could have a preparedness test. It’s kind of like, to me, a preparedness test is sometimes not exactly the same, but kind of like the idea of a fire drill. People take their time, they sign off on their applications, they finish their email, and then eventually we all muster into our designated meeting spaces.

And hopefully the person whose responsibility is to make sure we’re all accounted for is there and not finishing lunch. And then, of course, we also have a full operation test. Now, that’s like a precursor to the full interruption test. The full interruption test is where we do the real thing. The full operation is where we might simulate it up to the point of creating some local failures and some local recoveries. And in fact, the preparedness test is kind of in that same aspect too, right? We had some interruption in my example of the fire alarm. We left the building. We’re going to do some things to get ready for a full blown test because sometimes it’s nice to practice parts of the full interruption before you do it.

71. Measuring the Test Results

Well as every element of information security has had so far. Measuring metrics. How do we verify that it was working, that we met some of our certain goals or our performances? Well, what are we going to do? We’re going to look at measurements of things like the elapsed time, maybe for the entire test itself and for different portions of it. How much work had to be done at the backup site? In other words, was the backup site sufficiently prepared to the state we expected it to be?Or was there more work that we had to do or maybe less work? What is the percentage of completeness for the backups and restores? Were you able to get all of that information restored? Could you get all of the backups there as needed? And of course, what was the accuracy of the data at that recovery site? So that we understand, basically, did we score well, did we score score poorly? Because poor scores means we have to figure out ways to repair or fix or revamp our test.

72. Lesson 11: Executing the Plan

Of course, we can also look at executing the plan. All right? Sometimes the best conditions to test the recovery plan is to test it in a realistic condition. When I talked about the firefighters using plane fuselages and real airplane fuel and catch it on fire, or sometimes the firefighters actually burn a house down and practice putting it out. Putting it in real situations is an important aspect of doing the exams. Or I should say, executing these tests of our disaster recovery. Because during those realistic situations, we can introduce real chaos. Now, I’m not saying we’re going to really shake the ground and have an earthquake. I’m not saying we’re going to really catch our facilities on fire, but we can try our best to put this into a real situation. Because one thing we know is that if we didn’t have this practiced and people didn’t at least in some aspect, be able to stop, think through the chaos and say, okay, this is what I’m supposed to do, I better get busy doing it without it, then we would just have an absolute riot going on here.

People would be running around and there’d be too much confusion and we wouldn’t get any good responses out of our disaster recovery. We see that all the time. That’s why we see all sorts of practice runs of different things, is because we want it to become an instinctual type of response rather than stopping, pulling out the papers and really, like I said, trying to focus on what’s happening. Now during an actual test, we have to make sure that everybody understands what their roles and responsibilities are, to make sure we have people that are in charge of coordinating the events. That’s what they’re supposed to do is coordinate, not train somebody about what they’re supposed to do. At that point, that training should have been done through the practice exams. And at this point, they’re just saying, okay, Ken, your job is retrieve the tapes. And so we go and we take care of those things.

73. Updating the Plan

Of course, like any security strategy, there are going to be times when we update, as again, we mentioned, if we introduce change in the architecture, then the recovery plan is going to have to undergo a review. Now, you may have to make an update based on things like organizational changes. Again, if there’s a change in the way in which the company does business, if they’ve got a new business strategy, new products, new services, we may after we looking at some changes, new applications that might be running that we haven’t accounted for before, that may have big importance. If you have an updated business strategy, as I just talked about before, changes within the It infrastructure, certainly.

Again, adding new services, new network equipment, new storage area networks. Maybe we just went to virtualization. There’s a whole new the world we got to deal with. And of course, any changes in the physical or environmental circumstances. Maybe we’ve relocated to new facilities. Perhaps we have actually relocated to new cities or new power grids. Maybe we have a new backup generator we didn’t have before. We ought to put that into part of our plan so all of those things could be well enough that we want to say, okay, are we up to date with our plan versus what we have in real life? Bye.

74. Intrusion Detection Policies

Now, your intrusion detection policies are things you want to think about, some basic requirements for these policies. And you got to be careful with intrusion detection. Number one, it can really eat up a lot of services. It can really eat up a lot of bandwidth throughput overhead memory. And people say, then why do you want it? Well, because it does a good job. I don’t know if I’ve said this already before, and I’m sure I have, but you know, when traffic gets through a firewall, it’s actually quite easy because the firewall lets it come in. All the firewall does is stop the 95% to 99% of traffic that we don’t want to see. But it lets something come in. And that’s all it says. It says, oh, you want to go to the web server? Fine, on your way. Even if it’s carrying a payload that’s going to destroy that web server. The firewall says, yeah, go ahead, that’s fine, you go to the firewall or go to the web server.

Whereas intrusion detection then says, okay, hold on, I’m going to patch it down. I’m going to look inside the data field and see, is this an actual attack? So they do more work, and that kind of inspection takes more time, more processing power. But you know what, they really protect the system. Now, systems that are running intrusion detection, one of the things we know is that they should probably be fault tolerant. And that’s an important aspect because if one of the systems, he gets hit with something that looks like an attack and IBS says, hey, let’s shut it down, we want the other one. And the costs are to come back up online and say, okay, we can keep running. Oh, here’s a big one. One of the biggest reasons people or companies choose not to use intrusion detection is because of how much training it takes to use them.

75. Who to Notify about an Incident

Now a security incident is quite important that we have some sort of notification, kind of like a game plan that says if we notice that there is some issue that should be looked into that we want to report it immediately. Now, when we think about it, there are many different functions that may have to get involved with the types of incidences that could occur really depending on, I suppose the type of security and who might have been involved. As far as the brief reaches that you see, obviously risk management should know about it because they’re going to have to factor in the new risk that was found through the security incident.

Your human resources people may also have to be notified, especially if it involves an internal employee, because at that point we also have to worry not only about the security incident itself, but potentially taking some sort of action against a person who’s employed by the company. And if done improperly, of course, that could lead to a lot of different civil liabilities that you have to deal with. That also means that legal should not be notified about it. Now, when I say legal, I am talking about the potential of not just your legal department, but also depending on the type of incident and regulations that require reporting of these types of things to a law enforcement investigation as well.

Now, if it’s a big breach, if you’re one of these companies who recently have been hacked by the group Anonymous or all these other groups out there and are posting all your customers information, your credit card numbers and the rest of it, that’s probably not going to look good for your company. So you may also want to make sure that you talk to public relations so that they can begin to try to soften the blow that could be bad press for your company. And obviously, if we’re dealing with an It world, the network operations should also be alerted to any type of security incident so they know what to look for, hopefully be able to figure out what they can do to stop or avoid that from happening again in the future.

76. Recovery Operations

Now, when we talk about the recovery operations, what we’re talking about is a way of being able to get back to a place that was safe. In other words, when we talk about the whole realm of business continuity, that’s to be able to make sure that you can survive types of failures, we use terms like single point of failure that we want to avoid one cable being cut and everything being down. We want to find other ways to be able to keep this business running and that also can be part of the disaster recovery as well. Now, when we talk about those things, part of that whole merging of business continuity and disaster recovery comes to things like having a way or a plan, number one, of having a secondary site.

Now, if you go off to a secondary site because something’s happened to the primary site, part of your recovery operations is to have a plan on how to return to that primary site. Often the reason we want to return to the primary site is because it is a better solution than a secondary site. Often secondary sites, although it can keep a business running, probably not up to the same efficiency, to the same service level agreements that you’ve guaranteed to your customers as you had at the primary sites. We want to get back there.

But you also might have to consider the fact that depending on the type of incident that might have caused you to move from primary to secondary, such as a natural disaster, hurricanes, tornadoes, those types of things, you may have to also make sure you have contingency plans about how to replace that primary site. And along with that, of course, the ideas of the relocation strategies. Remember, relocation strategies is not just from a primary site to a secondary or redundant site, but also the fact that you may have to worry about personnel. If that secondary site is, you know, more than 50 miles away from the primary, you may have an issue of staffing that location with people who are no longer able to get those distances.

• Category: Uncategorized