Contingency Planning

The overall planning for unexpected events is called contingency planning (CP). It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets. The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event.

NIST (National Institute of Standards and Technology) describes the need for this type of planning as: “These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.”


Contingency Planning Components

  • Incident response planning (IRP) focuses on immediate response
  • Disaster recovery planning (DRP) focuses on restoring operations at the primary site after disasters occur
  • Business continuity planning (BCP) facilitates establishment of operations at an alternate site
  • The CP team should include:
    • Champion
    • Project Manager
    • Team Members
      • Business managers
      • Information technology managers
      • Information security managers

Business Impact Analysis

  • Provides the CP team with information about the organization's systems and the threats they face
  • First phase in the CP process, and a crucial component of the initial planning stages
  • Provides detailed scenarios of the impact each potential attack can have
  • BIA is not risk management: risk management focuses on identifying threats, vulnerabilities, and attacks in order to select controls
  • BIA instead assumes the controls have been bypassed or are ineffective and the attack has succeeded; its question is what the successful attack does to the business

The CP team conducts the BIA in the following stages:

  1. Threat attack identification
  • An organization that already uses a risk management process will have identified and prioritized its threats
  • Such organizations update the threat list and add one additional piece of information: the attack profile
  • An attack profile is a detailed description of the activities that occur during an attack
  2. Business unit analysis

The second major BIA task is the analysis and prioritization of business functions within the organization

  3. Attack success scenarios

Next, create a series of scenarios depicting the impact of a successful attack on each functional area

Attack profiles should include scenarios depicting a typical attack, including:

  • Methodology
  • Indicators
  • Broad consequences

More details are then added, including alternate outcomes: best, worst, and most likely

  4. Potential damage assessment

From the detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case

This allows identification of what must be done to recover from each possible case

  5. Subordinate plan classification
  • Once the potential damage has been assessed and each scenario and attack scenario end case has been evaluated, a related plan must be developed, or identified from among the plans already in place
  • Each attack scenario end case is categorized as disastrous or not
  • In disastrous end cases, members of the organization can do little more than wait out the attack and plan to recover after it is over

Incident Response Planning

  • Planning requires a detailed understanding of the information systems and the threats they face
  • The IR planning team seeks to develop predefined responses that guide users through the steps needed to respond to an incident
  • Predefining incident responses enables rapid reaction without confusion or wasted time and effort

Incident Detection

  • The challenge is determining whether an event is routine system use or an actual incident
  • Incident classification is the process of examining a possible incident and determining whether or not it constitutes an actual incident
  • Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates
  • Careful training allows everyone to relay vital information to the IR team
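As an added example (not part of the original notes), the following Python script shows one way to encode the classification step above as runnable logic: it takes candidate reports from the sources listed (end users, an intrusion detection system, antivirus, and systems administrators), groups them by host, and decides whether each candidate is an actual incident or routine use. The report format, the source names, the two decision rules, the corroboration window, and the severity threshold are assumptions of this example, and the sample reports are constructed, not real telemetry.

```python
"""Classify incident candidates from multiple reporting sources.

Added example, not from the original page. The Report fields, the source
names, and the two decision rules below are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sources whose reports are machine-generated; a critical alert from one of
# these is treated as an incident on its own (assumption of this example).
AUTOMATED_SOURCES = {"ids", "av"}


@dataclass(frozen=True)
class Report:
    source: str          # "ids", "av", "user" or "sysadmin"
    host: str            # affected system
    timestamp: datetime
    indicator: str       # what was observed, as reported
    severity: int        # 1 (informational) .. 5 (critical), set by the reporter


def classify_candidates(reports, window=timedelta(minutes=30),
                        corroboration=2, critical_severity=5):
    """Return {host: (decision, reason)}, decision being "incident" or "routine".

    Rule 1: a critical alert from an automated source is an incident.
    Rule 2: reports from `corroboration` or more distinct source types about
            the same host within `window` of each other are an incident.
    Anything else stays a candidate for routine review.
    """
    by_host = {}
    for r in sorted(reports, key=lambda r: r.timestamp):
        by_host.setdefault(r.host, []).append(r)

    decisions = {}
    for host, host_reports in by_host.items():
        decision = ("routine", "no critical alert and no corroboration within window")
        for r in host_reports:
            if r.source in AUTOMATED_SOURCES and r.severity >= critical_severity:
                decision = ("incident", f"critical {r.source} alert: {r.indicator}")
                break
            # Distinct source types that reported this host close in time to r.
            nearby = {o.source for o in host_reports
                      if abs(o.timestamp - r.timestamp) <= window}
            if len(nearby) >= corroboration:
                decision = ("incident",
                            f"corroborated by {sorted(nearby)} within {window}")
                break
        decisions[host] = decision
    return decisions


# Constructed sample reports; none of this is real telemetry.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_REPORTS = [
    # web01: the IDS sees failed SSH logins, then a user reports a lockout
    # 10 minutes later. Two independent sources within the window -> incident.
    Report("ids", "web01", T0, "50 failed SSH logins from one address", 2),
    Report("user", "web01", T0 + timedelta(minutes=10), "cannot log in, account locked", 1),
    # ws17: antivirus quarantined a trojan. Critical automated alert -> incident.
    Report("av", "ws17", T0 + timedelta(hours=1), "trojan quarantined in Downloads", 5),
    # db02: a sysadmin notes disk usage. Single low-severity report -> routine.
    Report("sysadmin", "db02", T0 + timedelta(hours=2), "disk at 85%", 1),
    # file03: a user complaint and an IDS alert four hours apart. Two sources,
    # but outside the corroboration window -> routine until more evidence arrives.
    Report("user", "file03", T0 - timedelta(hours=1), "file server slow", 1),
    Report("ids", "file03", T0 + timedelta(hours=3), "port scan from internal host", 2),
]


if __name__ == "__main__":
    for host, (decision, reason) in classify_candidates(SAMPLE_REPORTS).items():
        print(f"{host}: {decision} ({reason})")
```

The window and corroboration count are the tuning knobs: widening the window to a few hours would turn the file03 candidate into an incident, which is the trade-off between catching slow-moving attacks and flooding the IR team with false positives that the training mentioned above is meant to reduce.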
