Domain 2 Flashcards
What is Business Continuity Planning (BCP)?
Set of controls designed to keep a business running in the face of adversity, whether natural or man-made
- Process of creating long-term strategic business plans, policies, and procedures for continued operations after a disruptive event
- Lists a range of disaster scenarios and the steps the organization must take in each scenario to restore operations
Also known as Continuity of Operations Planning (COOP)
What does defining the BCP scope involve?
Determining what business activities the plan will cover, what systems will be included, and what type of controls will be considered.
What is Business Impact Analysis?
Impact assessment that begins by identifying the organization’s mission-essential functions and traces those backwards to identify the critical IT systems that support those processes.
How does a Cloud-Centric Environment affect BCP?
BCP becomes a collaboration between cloud service provider (CSP) and the customer.
What is the purpose of redundancy in BCP?
Protects against the failure of a single component.
What is Single Point of Failure (SPOF) Analysis?
Identifies and removes SPOFs until the cost of addressing risks outweighs the benefits.
What are some IT Contingency Scenarios?
- Sudden bankruptcy of a key vendor
- Insufficient storage or compute capacity
- Failure of utility service
What is High Availability (HA)?
Uses multiple systems to protect against service failure.
What does Fault Tolerance do?
Makes a single system resilient against technical failures.
What is Load Balancing?
Uses multiple systems to spread demands across systems.
What are common points of failure in a system?
- Power supply
- Storage media
- Networking components
What are Power Supplies known for?
Contain moving parts, have high failure rates, can be redundant, and may use multiple power sources.
What is the function of Uninterruptible Power Supplies (UPS)?
Supply battery power to devices during brief disruptions.
What do Power Distribution Units (PDU) do?
Manage the power within a rack, ensuring power delivered to devices is clean and managed.
What is a Redundant Array of Inexpensive Disks (RAID)?
Technology to protect against failure of a single storage device.
What are the two types of RAID?
- Mirroring
- Striping
What is Disk Mirroring?
RAID level 1 where a server contains two disks with identical contents.
What is Disk Striping with parity?
RAID level 5 where 3 or more disks store data and parity information.
What is NIC teaming?
Using two or more Network Interface Cards (NIC) for redundancy.
What is Network Redundancy?
Involves multiple ISPs, NIC teaming, and multipath networking.
What is Disaster Recovery?
Subset of business continuity activities designed to restore a business to normal operations as quickly as possible following a disruption.
What is a Disaster Recovery Plan (DRP)?
Immediate measures that get operations working again temporarily.
What is the purpose of Initial Response in disaster recovery?
Designed to contain the damage to the organization and recover whatever capacity may be immediately restored.
What is essential for Communication during a disaster recovery?
Must have a secure, reliable means to communicate with each other and the organization’s leadership.
What is involved in Assessment during disaster recovery?
To triage the damage to the organization and implement functional recovery plans.
What does Recovery Time Objective (RTO) refer to?
Targeted amount of time that it will take to restore a service to operation following a disruption.
What does Recovery Point Objective (RPO) indicate?
Maximum time period from which data may be lost as a result of a disaster.
What does Recovery Service Level (RSL) measure?
Percentage of a service that must be available during a disaster.
What is the purpose of Training and Awareness in disaster recovery?
All personnel involved should receive periodic training about their role in the plan.
What are the types of Backup Media?
- Tape Backups
- Disk Backups
- Cloud Backups
What are Tape Backups known for?
Linear Tape-Open (LTO) is the commonly used format; tapes are difficult to manage.
What are Disk Backups?
Write data from primary disk to special disks set aside for backup purposes.
What are Cloud Backups?
Writing backups directly to storage provided by cloud computing vendors.
What are the types of Backup?
- Full
- Differential
- Incremental
What does a Full Backup include?
Includes everything on the media being backed up.
What is a Differential Backup?
Creates a copy of only the data that has changed since the last full backup.
What is an Incremental Backup?
Includes only those files that have changed since the most recent full or incremental backup.
What are Disaster Recovery Sites?
Alternate processing facilities designed for shifting computing functions away from the primary data center.
What are Hot Sites?
Fully operational data centers that have all equipment and data required to handle operations ready to run.
What are Cold Sites?
Used to restore operations eventually but require significant investment of time.
What are Warm Sites?
Have hardware and software but are not kept running in a parallel fashion.
What is Site Resiliency?
Storing backups in a secure facility that’s geographically distant from the primary facility.
What is the goal of a Disaster Recovery Test?
To validate that the plan functions correctly and identify necessary updates.
What are the 5 major types of disaster recovery tests?
- Read-throughs
- Walk-throughs
- Simulations
- Parallel tests
- Full interruption tests
What are Read-Throughs in disaster recovery testing?
Simplest form of test involving a checklist review.
What are Walk-throughs in disaster recovery testing?
Involves getting everyone together to review the plan.
What are Simulations in disaster recovery testing?
Involves the disaster recovery team discussing responses to a specific scenario.
What are Parallel tests in disaster recovery testing?
Activates the DR plan in response to a simulated disaster.
What are Full interruption tests in disaster recovery?
Simulates disaster by shutting down the primary operating environment.
What are the phases of Incident Response according to NIST SP 800-61?
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
What does Preparation involve in Incident Response?
Activities used to put together an incident response plan and team.
What is involved in Detection and Analysis in Incident Response?
Identifies that an incident is taking place and determines its impact.
What is the goal of Containment, Eradication and Recovery in Incident Response?
Limits the damage caused by an incident and restores normal operations.
What occurs during Post-Incident Activity?
Analyzes the response process and identifies lessons learned.
What are the elements of an Incident Response Plan?
- Statement of purpose
- Clear strategies and goals
- Approach to incident response
- Communication within the team
- Approval of Senior Management
Who typically composes an Incident Response Team?
- Management
- Information Security Personnel
- Physical Security Team members
- Technical subject matter experts
- Legal counsel
- Public relations and marketing staff
- Human resources team members
What is the importance of Training and Testing in Incident Response?
Conduct regular training and testing to ensure readiness.
What does the Incident Communication Plan cover?
Covers both internal and external communications.
What is involved in Internal Communications during an incident?
Incident notification and escalation procedures.
What is crucial about External Communication during an incident?
Be aware of what’s being communicated outside to protect investigation integrity.
What is Secure Communication?
Established before an incident to share information confidentially.
What are some information sources for identifying and analyzing security incidents?
- Intrusion Detection and Prevention Systems
- Firewalls
- Authentication systems
- System integrity monitors
- Vulnerability scanners
- System event logs
- NetFlow connection records
- Antimalware packages
What is Security Information and Event Management (SIEM)?
Centralized log repository and analysis solutions that detect possible incidents.
What does "Related Plans" describe?
The BCP, as the overarching plan, contains our other plans.
Continuity of Operations Plan (COOP) is what?
How we keep operating in a disaster
Crisis Communications Plan is what?
How we communicate internally and externally during a disaster
Subplan of the CMP.
Cyber Incident Response Plan
How we respond to cyber events
Occupant Emergency Plan (OEP)
How we protect our facilities, our staff and the environment in a disaster event
Business recovery Plan (BRP)
Lists the steps we need to take to restore normal business operations after recovering from a disruptive event
Continuity of Support Plan
Focuses narrowly on support of specific IT systems and applications
Crisis Management Plan (CMP)
Gives us effective coordination among the management of the organization in the event of an emergency or disruptive event
NIST 800-34: Framework for building our BCP/DRP
- Project initiation
- Scope the project
- Business impact analysis
- Identify preventative controls
ISO 22301
Business Continuity Management Systems
Supported by ISO 27031: advice on how to work with business continuity management
Business Continuity Institute
6-step process called the Good Practice Guidelines (GPG), focused on business continuity
Project
Clearly defined start and end
Moving forward
Operations
Conducting the same tasks over and over again to keep things functional
Keeps the status quo
Steps in the framework for building a BCP/DRP from the older versions of NIST 800-34
- Project Initiation
- Scope the Project
- Business Impact Analysis
- Identify Preventative Controls
- Recovery Strategies
- Plan Design and Development
- Implementation, Training, and Testing
- BCP/DRP Maintenance
3 Disaster Categories
- Natural
- Human
- Environmental (not to be confused with natural disasters)
Natural Disaster
Anything caused by nature
Human Disaster
Anything caused by humans
Environmental Disaster
Anything in our environment
Plans need to be continually updated. When?
- Plans should be reviewed and updated at least every 12 months
- When major components of our systems have changed
- After a disaster that revealed a lot of gaps in our plans
- When a significant part of senior leadership has changed
DRP should answer what 3 questions?
- What is the objective and purpose?
- Who will be the people or teams responsible in case any disruptions happen?
- What will these people do (our procedures) when the disaster hits?
What is the lifecycle of the DRP?
- Mitigation
- Preparation
- Response
- Recovery
Mitigation is what in the DRP lifecycle?
Reduces the impact and likelihood of a disaster
Preparation is what in the DRP lifecycle?
Builds programs, procedures and tools for response
What are some simulated tests within the DRP?
- DRP Review: team members who are part of the DRP team review the plan quickly, looking for glaring omissions, gaps, or missing sections in the plan
- Read-Through (Checklist): managers and functional areas go through the plan and check a list of components needed in the recovery process
- Walk/Talk-through (Tabletop or structured walkthrough): a group of managers and critical personnel sit down and talk through the recovery process
- Simulation Test (Walkthrough Drill): the team simulates a disaster and teams respond with their pieces of the DRP
Response is what in the DRP lifecycle?
How we react in a disaster, following the procedures
Recovery is what in the DRP lifecycle?
Reestablish basic functionality and get back to full production
MTD is what?
Maximum Tolerable Downtime
The time to rebuild the system and configure it for reinsertion into production must be less than or equal to our MTD
MTD >= RTO + WRT
WRT is what?
Work Recovery Time (software): how much time is required to configure a recovered system.
MTBF is what?
Mean Time Between Failures: how long a new or repaired system runs before it fails
MTTR is what?
How long it will take to recover a failed system
Minimum Operating Requirements (MOR) is what?
Minimum environmental and connectivity requirements for our critical systems to function.
A Redundant site is what?
A complete, identical copy of our production site that receives a real-time copy of our data.
A Reciprocal Agreement Site is what?
Organization has a contract with another organization that they will give space in their data center in a disaster event and vice versa.
Subscription/Cloud Site
Pay someone else to have a minimal or full replica of the production environment up and running within a certain number of hours (SLA)
Mobile Site
Data center on wheels, often a container or trailer that can be moved wherever it is needed by truck.
What happens in the Lessons Learned phase?
Often overlooked. We have removed the problem and implemented new controls and safeguards.
We only use our BCP/DRP when?
When other countermeasures have failed
What are some common pitfalls we want to avoid when making and maintaining the BCP/DRP?
- Lack of senior leadership support
- Too narrow a scope
- Not keeping the BCP/DRP plans up to date
Incident Management involves what?
Monitoring and detection of security events on our systems, and how we react in those events
What is an event in relation to Incident Management?
An observable change in state
What is an alert in relation to Incident Management?
Triggers a warning if a certain event happens
What is an Incident in relation to Incident Management?
Multiple adverse events happening on our systems or networks
What is a problem in relation to Incident Management?
Incident with an unknown cause.
What is inconvenience in relation to Incident Management?
(Non-disasters): Non-disruptive failures
What is an emergency in relation to Incident management?
Crisis: Urgent
What is a disaster in relation to Incident Management?
Entire facility is unusable for 24 hours or longer
What is a catastrophe in relation to Incident Management?
Facility is destroyed
What is NIST 800-61?
Incident Response Life Cycle
What is the CIRT?
Computer/Cyber Incident Response Team.
Consists of:
- Senior management
- Incident manager
- Technical leads and team
- IT Security
- PR, HR, and legal
- Auditors (IT/financial)
What are the phases of the Incident Life Cycle (ILC)?
- Preparation
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned
ILC - Preparation
All steps taken to prepare for incidents
ILC - Detection
Events analyzed to determine if they might be a security incident
ILC - Response
IRT begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident
ILC - Mitigation
Understanding the cause of the incident so that the system can be reliably cleaned and restored to operational status later in the recovery phase
ILC - Reporting
Report throughout the process beginning with the detection.
ILC - Recovery
Carefully restore the system or systems to operational status
ILC - Remediation
Happens during the mitigation phase
ILC - Lessons Learned
Often overlooked. The problem has been removed and new controls and safeguards implemented
What is the Root-Cause Analysis in relation to Incident Management?
Attempt to determine the underlying weakness or vulnerability that allowed the incident to happen