Chapter 1: Security and Risk Management Flashcards
NIST Document for Disaster Recovery / Contingency Planning
SP 800-34 (Contingency Planning Guide for Federal Information Systems)
BCP
Business Continuity Plan: the umbrella plan for sustaining operations. It covers the business as a whole, not just IT, and is long term. "The sky has fallen; now what do we do?"
DRP
Disaster Recovery Plan: the IT-focused part of the BCP.
Life Safety
Priority #1 in any disaster response; protecting people always comes before protecting systems or data.
Categories of Disaster
Non-disaster, urgent, disaster, catastrophe.
Emergency: an immediate event.
warm site
Office furniture and general equipment in place, but systems are not fully configured or loaded with current data.
hot site
Fully equipped and configured; ready to take over within 24 hours.
cold site
An empty building (power, HVAC, floor space); no equipment in place, so it takes the longest to bring up.
4 steps of BCP
Project scope and planning, business impact assessment (BIA), continuity planning, and approval and implementation.
MTD
Maximum Tolerable Downtime = RTO + WRT (the total time the business function can be down, covering both system recovery and work recovery; it is a sum, not a product).
bridges gap between BIA and BCP
The strategy development task.
provision and process phase
The BCP team designs the procedures and controls that mitigate the risks identified in the BIA.
BCP Coordinator
The only person authorized to declare a disaster.
WRT
CONFIGURE!!!! Work Recovery Time: the time required to configure a recovered system (restore data, verify, and return it to the business) after the system itself is back.
MTBF
Mean Time Between Failures.
BRP
Business Recovery Plan: provides the plans to recover the business after a disaster.
RPO
Recovery Point Objective: the maximum amount of data loss an organization can withstand, expressed as time (how long can we go without a backup). Example: an RPO of 4 hours means backups must run at least every 4 hours.
RTO
RECOVER SYSTEM!!! Recovery Time Objective: the maximum amount of time allowed to recover a business system.
WRT (formula)
Work Recovery Time = MTD - RTO (the remaining window after the system is recovered; RPO is not part of this formula).
Threat
Anything that can cause harm to an asset.
Vulnerability
A weakness that allows a threat to cause harm.
Risk
Threat x Vulnerability, with an added variable, Impact, that addresses severity in dollars.
EF
Exposure Factor: the percentage of an asset's value lost due to a single incident.
SLE
Single Loss Expectancy = AV x EF (asset value times exposure factor).
ARO
Annualized Rate of Occurrence: the number of losses you expect to suffer per year (can be fractional, e.g. 0.1 for once every 10 years).
ALE
Annualized Loss Expectancy = SLE x ARO.
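The recovery-time relationships (MTD = RTO + WRT) and the quantitative risk chain (AV, EF, SLE, ARO, ALE) on these cards are easy to get backwards, so here is a small calculator, added as an example and not part of the original flashcards, that encodes both. The asset values, exposure factors and recovery windows it uses are constructed sample numbers, and the function and class names are my own.

```python
"""Worked example of the CISSP quantitative risk and recovery-time formulas.

Added example (not from the flashcard source). All sample figures below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryTargets:
    """Recovery windows for one business function, all in hours."""
    name: str
    mtd_hours: float   # Maximum Tolerable Downtime
    rto_hours: float   # Recovery Time Objective (get the system back)
    wrt_hours: float   # Work Recovery Time (configure/verify/return to business)

    def is_consistent(self) -> bool:
        """MTD = RTO + WRT, so the two windows must fit inside the MTD."""
        return self.rto_hours + self.wrt_hours <= self.mtd_hours

    def slack_hours(self) -> float:
        """Hours left over in the MTD after RTO and WRT; negative means the plan cannot meet MTD."""
        return self.mtd_hours - (self.rto_hours + self.wrt_hours)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction of asset value, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1, got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (0.1 = once every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def ale_from_inputs(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Convenience wrapper: AV, EF and ARO straight to ALE."""
    return annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)


def rank_by_ale(risks: list[tuple[str, float, float, float]]) -> list[tuple[str, float]]:
    """Order (name, AV, EF, ARO) entries by ALE, highest first, which is the
    order a risk register is normally prioritised in."""
    scored = [(name, ale_from_inputs(av, ef, aro)) for name, av, ef, aro in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: (name, asset value in $, exposure factor, ARO)
SAMPLE_RISKS = [
    ("data center fire", 1_000_000, 0.25, 0.1),      # SLE 250,000; ALE 25,000
    ("ransomware on file server", 200_000, 0.50, 0.5),  # SLE 100,000; ALE 50,000
    ("laptop theft", 5_000, 1.00, 4.0),               # SLE 5,000; ALE 20,000
]

# Constructed sample recovery targets (hours)
ORDER_ENTRY = RecoveryTargets("order entry", mtd_hours=72, rto_hours=48, wrt_hours=24)
PAYROLL = RecoveryTargets("payroll", mtd_hours=48, rto_hours=36, wrt_hours=24)  # does not fit


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_RISKS):
        print(f"{name:30s} ALE = ${ale:,.0f}")
    for target in (ORDER_ENTRY, PAYROLL):
        status = "OK" if target.is_consistent() else "EXCEEDS MTD"
        print(f"{target.name:12s} RTO+WRT={target.rto_hours + target.wrt_hours:.0f}h "
              f"MTD={target.mtd_hours:.0f}h slack={target.slack_hours():+.0f}h {status}")
```

Note that the cheapest-per-incident risk (laptop theft) still ranks above the data-center fire once ARO is applied, which is the point of working in annualized terms; and that a plan whose RTO + WRT exceeds the MTD (the constructed payroll case) is not a valid plan, regardless of how good either window looks on its own.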
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation: a risk management framework from Carnegie Mellon; a three-phase process for managing risk.
ISO 17799 and ISO 27000 series
ISO 17799 was renumbered to ISO 27002, a broad-based code of practice for information security controls, published by the International Organization for Standardization. ISO 27001 is the related standard that states the requirements for an information security management system (ISMS) and is the one organizations are audited and certified against.
COBIT/COSO
Governance frameworks: COBIT sets control objectives and best practices for IT organizations; COSO covers enterprise-level internal control and risk management.
ITIL
A framework of best practices for IT service management.
accreditation
Management's formal acceptance of the risk represented by a system (the decision to operate it); it follows certification.
certification
A detailed technical inspection that verifies whether a system meets the documented security requirements.
BCP Planning Stages (BIA data gathering)
- Select individuals to interview for data gathering
- Create data-gathering techniques
- Identify the company's critical business functions
- Identify the resources these functions depend upon
- Calculate how long these functions can survive without those resources
- Identify vulnerabilities and threats to these functions
- Calculate risks for each business function
- Document findings and report to management
Software Escrow involves how many parties
Three: the software vendor, the client, and a trusted third party (the escrow agent) that holds the source code.
formula for calculating risk
P * M = C
Probability of harm (P): the chance that a damaging event will occur.
Magnitude of harm (M): the amount of financial damage that would occur should the event happen.
Cost (C): the resulting risk expressed in dollars.
A tip to remember this: "A Project Manager (PM) cries many times when he thinks of the cost" (P * M = C).