
Content Area 5-6

Information Security Management


What is security?

Security is “the quality or state of being secure – to be free from danger”. That
means to be protected from challenges, from those who would do harm, intentionally or
otherwise.

A successful organization should have the following multiple layers of security in
place to protect its operation.

• Physical Security
• Personal security
• Operations security
• Communications security
• Network security
• Information security

What is Information security?

Information security is the protection of information and of the systems and
hardware that use, store and transmit that information. To protect the information and
its related systems from danger, tools such as policy, awareness, training and education,
and technology are necessary.

One of the important factors in the protection of Information System assets is
laying a foundation for effective information security management. Recent developments
in information technology such as e-commerce and the Internet, and the reliance of
organizations on information technology and Information Systems, have urged Information
System specialists to address Information System security more aggressively.

Information System security administrators are responsible for ensuring that
Information Systems assets are secure. Assets are secure when the expected losses
that will occur from threats arising over a period of time are at an acceptable level. There
are three important points in this definition of security:
i. We accept that some losses will occur (eliminating all possible losses
is either impossible or too costly);
ii. We specify some acceptable level of losses (this level is the bottom line of
security investments);
iii. We must choose a time period (we determine what level of loss we
would be willing to bear during this time period).

The Information System assets we must protect via security measures can be
divided into two segments:

Physical assets:
• Personnel
• Hardware: mainframes, minis, micros; peripherals (online/offline); storage media
• Facilities
• Documentation
• Supplies

Logical assets:
• Data/Information
• Software: system, network, application

Security failures can be costly to business. Losses may be suffered as a result of
the failure itself, or costs may be incurred when recovering from the incident,
followed by more costs to secure systems and prevent further failure. A well-
defined set of security policies and procedures can prevent losses and save
money.

Key Elements of Information Security Management

For security to be implemented and maintained, the essential elements of
Information Security management must be established and communicated clearly to all
appropriate parties. Key elements of information security management are as follows:

Policies and procedures

Information security management policy must be initiated from top
management and it must include the following:
• Importance of assets
• Need for security
• Definition of sensitive and critical assets
• Accountabilities

After the approval of the security policy it is necessary to develop the standards,
measures, practices and procedures.

Organization
It is necessary to formulate a proper organization for information security
management. The Information Security policy should provide general guidance on the
allocation of security roles and responsibilities in the organization. This should also be
supplemented with more detailed guidance for specific sites, systems or services. Local
responsibilities for individual physical and information assets and security processes,
such as business continuity planning should be defined clearly.

All the responsibilities regarding information security management must be well
defined, documented and communicated to all concerned, including information
security management personnel and management. The following responsibilities could be
assigned to different levels of management in the organization:

Executive management
Executive management in the organization is responsible for overall information
system asset protection. Executive management has to show commitment for
information security management by providing budgets and have follow-ups on
information security management policies and plans.

Security committee
The policies and procedures developed for information security management in
the organization affect the whole organization. Hence it is important to have support from
all stakeholders of the organization regarding information security management policies.
In order to implement the security policies and procedures in the organization a security
committee may be formulated. Formal terms of references may also be formulated for
this committee and recommendation be adopted by the organization.

Data owners
Data owners have the responsibility of maintaining accuracy, completeness and
integrity of data relating to different organizational business processes.

Process owners

Process owners have to ensure that the processes running on computer systems
are secure and are in-line with the procedures defined in the scope of security policies of
the organization.

IT developers

IT developers are responsible for implementing the security policy in the
organization.

Security specialists/Advisors

Organizations may hire security specialists/advisors to disseminate, and to
assist management and IT developers in designing and implementing, organizational
security policy, standards and procedures.

Users
IT/IS users of the organization are responsible for having full knowledge of all
policies and procedures developed within the organization. Users also have a heavy
responsibility to protect their individual logon IDs and passwords to ensure the security of
assets. They also maintain physical security of organizational assets.

IS Auditors

Information System Auditors are responsible for providing independent
assurance to management regarding the aptness and effectiveness of information security
objectives and their implementation in the organization.

Computer Crime Issues and Exposures

As discussed earlier, heavy reliance on Information System and IT resources by
organizations has also increased the threats of crimes and security exposures to
organizations. Computer systems can be used to steal money, goods, software or
organizational information. The simplest of all the methods is to steal computer equipment.
Theft of data and other important corporate information is the biggest threat in the world
today. These crimes can damage the organization's reputation or can cause
financial loss to the organization. Threats to the business include the following:
i. Financial loss
ii. Legal repercussions
iii. Loss of organizational goodwill
iv. Leakage of critical information
v. Sabotage

Intruders of the computer crimes have different categories including the following:

i. Hackers
A hacker is a person who attempts to invade the privacy of a system. Hackers
are normally skilled programmers, and have been known to crack system
passwords with consummate ease. The fact that billions of bits of information can
be transmitted in bulk over the public telephone network has made it hard to
trace individual hackers, who can therefore make repeated attempts to invade
systems. Hackers, in the past, have mainly been concerned to copy information,
but a recent trend has been their desire to corrupt it. The Computer Misuse Act
1990 addresses the problems of hacking, but clearly cannot prevent it.

The Computer Misuse Act 1990

The Computer Misuse Act 1990 was enacted to respond to the growing threat of
hacking to computer systems and data. There was some dispute as to whether
hacking was a crime. For example, if you had illegally copied data, this could not
be classified as theft, as the original data was not stolen. To a certain degree the
law of copyright could be used. The Act created three new criminal offences.

ii. Employees
Organizational employees are another source of threat to the organizational
information assets. These employees may be either authorized or unauthorized.
Unauthorized employees intentionally attempt to break the security
implementations within the organization and try to gain access to organizational
information assets, while authorized employees may cause loss to assets
intentionally or by mistake.
iii. IS personnel
These have the easiest access to organizational information, since they are the
custodians of information assets. Good segregation of duties apart from checks
like logical access controls will ensure reduction in attacks on assets from this
category of personnel.

iv. Outsiders
These may include organized criminals such as hackers, competitors or crackers
(paid hackers).

Physical Exposures and Controls

1. Fire Damage

Fire is often the most serious threat to the physical security of information system
assets. A well designed fire-protection plan should be made in the organization.
Features of such a plan may include the following:
i. Both automatic and manual fire alarms are placed in the computer
rooms etc.
ii. Automatic fire extinguishers are placed at strategic places in the
organization.
iii. When a fire alarm is activated, a signal is sent automatically to a
control station that is always staffed.
iv. To minimize the risk of extensive damage from electrical fires,
electrical wiring should be placed in fire resistant panels and conduit.
Security administrators should arrange regular inspections and tests of all fire-
protection systems and ensure that they are properly serviced. Periodic training
of the staff to use such equipment should also be arranged.

2. Water Damage

Water damage to information system assets might result from a fire (e.g. a
water based fire extinguisher is used which causes an outflow of water in computer rooms
etc.). However, water damage can also happen due to other natural disasters like floods
or torrential rains. To protect assets from water damage the following measures could be
adopted:

i. Installation of water proof ceilings and walls.
ii. Ensure that a proper drainage system exists in the organizational
premises.
iii. Installation of alarms where material information system assets are
located.
iv. In flood areas, all material information system assets should be placed above
water levels (2nd or 3rd floor etc.).
v. Cover hardware devices with protective covers when not in use.

3. Energy Variations

Energy variations occur in two major forms:
i. Increase in power (surges or spikes)
ii. Decrease in power (sags or brownouts)
iii. Loss of power (blackouts).

They can not only disrupt hardware operations in the organization but also
disturb the environmental factors (air-conditioning etc). Thus careful assessment
of the likelihood of energy failures is required to be made in the organization to
ensure continuous operations.

To protect hardware against power increases (temporary or continuous), voltage
regulators and circuit breakers may be used in the organization. To avoid
blackouts it is always better to use two different sources of power apart from
installation of a UPS (Uninterruptible Power Supply) in the computer rooms.

4. Terrorist activity
Political terrorism is the main risk, but there are also threats from individuals with
grudges. In some cases there is very little that an organisation can do: its
buildings may just happen to be in the wrong place and bear the brunt of an
attack aimed at another organisation or intended to cause general disruption.
There are some avoidance measures that should be taken, however.
Physical access to buildings should be controlled.

5. Accidental damage
People are a physical threat to computer installations: there can be few of us who
have not at some time spilt a cup of coffee over a desk covered with papers, or
tripped and fallen doing some damage to ourselves or to an item of office
equipment.
Combating accidental damage is a matter of:
i. Sensible attitudes to office behaviour.
ii. Good office layout.

LOGICAL THREATS

VIRUSES
Computer viruses are currently the cause of much concern. A virus is a piece of
software which infects programs and data and which replicates itself. There are a
number of elements of design which may encourage the presence of a virus, including
the Trojan, the worm, the trap door, the logic bomb and the time bomb. The features of
these are described below.
Viruses need an opportunity to spread. The programmers of viruses therefore place
viruses in the kind of software which is most likely to be copied. This includes:
(a) free software (for example from magazine covers and bulletin boards);
(b) pirated software (cheaper than original versions); and
(c) games software (wide appeal).
The attractions of free or 'interesting' software are obvious. The dangers are not so
obvious. A popular computer game of the late 1980's, Leisure Suit Larry the Lounge
Lizard, has been reported as carrying a virus in pirated editions. This would appear to
be an extreme form of copyright protection, for if a user of a pirated version
successfully completed the game, his or her hard disk would be completely 'wiped'.
The problem has been exacerbated by the portability of computers and disks. Many
employees take disks home and may work on them on their own personal PCs. Office
PCs may be taken home and the opportunity taken to try out games or other software.
It is consequently very difficult to keep control over what disks are inserted into an
organisation's computers and similarly what computers may be used to retrieve data
from or store data to office disks.

Trojans
A Trojan is a program that while visibly performing one function secretly carries out
another. For example, a program could be running a computer game, while
simultaneously destroying a data file or another program. A Trojan's work is
immediate, and obvious. They are easy to avoid as they do not copy themselves onto
the target disk.

A classic example is a Trojan horse in the payroll calculating program that shaves
a barely noticeable amount off each paycheck and credits it to the perpetrator's
payroll account. Another example is a web application with a Trojan horse that
enables a perpetrator to execute arbitrary operating system commands in gaining
unauthorized access to a web server.

Worms
Whereas a Trojan attacks from without, a worm, which is a type of virus, attacks from
within. A worm is a program that survives by copying and replicating itself inside the
computer system it has entered, without necessarily altering that system. Other viruses
attach themselves to a program. When the host program is run, the virus attaches
itself to another program, so that if undetected every program in the system will be
infected. Viruses live anywhere, including the bootstrap program, and are designed to
remain hidden as long as possible.

Trap doors
A trap door is an undocumented entry-point into a computer system. It is not to be
found in design specifications but may be put in by software developers to enable
them to bypass access controls while working on a new piece of software. Because it
is not documented, it may be forgotten and rediscovered, by a hacker perhaps, at a
later date.
Logic bombs
A logic bomb is a piece of code triggered by certain events. A program will behave
normally until a certain event occurs, for example when disk utilisation reaches a
certain percentage. A logic bomb, by responding to set conditions, maximises damage.
For example, it will be triggered when a disk is nearly full, or when a large number of
users are using the system.

Time bombs
A time bomb is similar to a logic bomb, except that it is triggered at a certain date.
Companies have experienced virus attacks on April Fool's Day and on Friday the 13th.
These were released by time bombs.

Protection against Virus activities

To reduce expected losses from viruses, the security administrator can
implement the following types of controls:

Preventive controls
• Use only "clean", certified copies of software files.
• Do not use public domain/shareware software or files unless they have been
checked for viruses.
• Check new software with antivirus software before it is installed.
• Check new files with antivirus software before they are used.
• Educate users about the dangers of viruses and the ways to prevent infection.

Detective controls
• Regularly run antivirus software to detect infections.
• Carry out file size comparisons to check whether the size of programs has changed.
• Undertake date/time stamp comparisons to determine whether unauthorized
modifications have been made to software.

Corrective controls
• Ensure a clean backup is maintained.
• Have a documented plan for recovery from virus infection.
• Run antivirus software to remove infections.
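The detective controls above (file size comparisons and date/time stamp comparisons) are easy to automate as a baseline-and-compare check. The following is an added example, not code from the text: it records size, modification time and, as an addition the text does not mention, a SHA-256 content hash for every file under a directory, and later reports what appeared, vanished or changed. The scenario in run_demo is constructed in a temporary directory; the file names are made up. The hash is included because a size-only or timestamp-only comparison misses a modification that keeps the file length or restores the timestamp, which the demo shows with config.ini.

```python
import hashlib
import tempfile
from pathlib import Path

CHECKS = ("size", "mtime_ns", "sha256")


def fingerprint(path):
    """Record the attributes the controls compare: size, date/time stamp, and a content hash."""
    st = path.stat()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def build_baseline(root):
    """Fingerprint every file under root, keyed by its path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, root):
    """Detective check: report files that appeared, vanished, or changed since the baseline.
    A modified file is reported with the list of attributes that differ, so a change that
    preserved the size (or restored the timestamp) is still caught by the hash."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            differing = [k for k in CHECKS if baseline[name][k] != current[name][k]]
            if differing:
                report["modified"].append((name, differing))
    return report


def run_demo():
    """Constructed scenario (hypothetical file names): take a baseline, then make the
    kinds of changes the detective controls are meant to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.exe").write_bytes(b"MZ original program image")
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("release notes\n")
        baseline = build_baseline(root)

        (root / "payroll.exe").write_bytes(b"MZ original program image" + b" extra bytes")  # grew
        (root / "config.ini").write_text("debug=1\n")   # same size, different content
        (root / "readme.txt").unlink()                   # removed
        (root / "unknown.tmp").write_bytes(b"\x00")      # appeared
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for kind, entries in run_demo().items():
        print(kind, entries)
```

In practice the baseline would be stored off the monitored host (or on read-only media) and refreshed only after an authorized software change, since a baseline that an intruder can rewrite detects nothing.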

Rounding Down

Rounding down involves drawing off small amounts of money from a
computerized transaction or account and rerouting this amount to the
perpetrator's account. The term rounding down refers to rounding small fractions
of a denomination down and transferring these small fractions into the
unauthorized account. Since the amounts are so small, they are rarely noticed.
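The fractions are individually unnoticeable, so the detective control has to work on the batch rather than the single posting. The following added example (not from the text) reconciles one interest-posting batch: every posted amount is checked against an approved rounding rule, and the sub-cent remainders of the whole batch must reconcile to a designated suspense account and nowhere else. The rounding rule, the suspense account name INT-ROUNDING-SUSPENSE, the account identifiers and the amounts are all constructed assumptions for illustration.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")


def rule_posting(exact):
    """The approved rounding rule: nearest cent, halves rounded up (never always down)."""
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def audit_batch(rows, residual_credits, suspense_account="INT-ROUNDING-SUSPENSE"):
    """Reconcile one posting batch.

    rows: (customer_account, exact_amount, posted_amount); exact is carried to 4 decimal
          places internally, posted is the 2-decimal figure on the customer's account.
    residual_credits: where the batch sent the sub-cent remainders (account -> amount).
    Findings are raised when a posting breaks the rounding rule, when a remainder is
    credited to anything but the suspense account, or when the booked remainders do not
    equal the remainders implied by the rows.
    """
    findings = []
    rounded_down = 0
    residual_total = Decimal("0")
    for account, exact, posted in rows:
        residual_total += exact - posted
        expected = rule_posting(exact)
        if posted != expected:
            findings.append(f"{account}: posted {posted}, rounding rule gives {expected}")
        if posted < exact:
            rounded_down += 1
    for account, amount in residual_credits.items():
        if account != suspense_account and amount != 0:
            findings.append(f"remainder {amount} credited to non-suspense account {account}")
    booked = sum(residual_credits.values(), Decimal("0"))
    if booked != residual_total:
        findings.append(f"remainder mismatch: computed {residual_total}, booked {booked}")
    return {"rows": len(rows), "rounded_down": rounded_down,
            "residual_total": residual_total, "findings": findings}


# Constructed sample: four customers' exact interest for the period (hypothetical figures).
SAMPLE_EXACT = [("CUST-1001", Decimal("12.3456")), ("CUST-1002", Decimal("8.1212")),
                ("CUST-1003", Decimal("5.5550")), ("CUST-1004", Decimal("3.3399"))]


def manipulated_batch():
    """Constructed batch in which every amount was truncated and the remainders were
    credited to a personal account instead of suspense."""
    rows = [(acct, exact, exact.quantize(CENT, rounding=ROUND_DOWN)) for acct, exact in SAMPLE_EXACT]
    remainder = sum((exact - posted for _, exact, posted in rows), Decimal("0"))
    return audit_batch(rows, {"EMP-4471": remainder})


def compliant_batch():
    """Constructed batch that follows the rule and books the net remainder to suspense."""
    rows = [(acct, exact, rule_posting(exact)) for acct, exact in SAMPLE_EXACT]
    remainder = sum((exact - posted for _, exact, posted in rows), Decimal("0"))
    return audit_batch(rows, {"INT-ROUNDING-SUSPENSE": remainder})


if __name__ == "__main__":
    for label, result in (("manipulated", manipulated_batch()), ("compliant", compliant_batch())):
        print(label, result["rounded_down"], "of", result["rows"], "rounded down;",
              "net remainder", result["residual_total"])
        for finding in result["findings"]:
            print("  ", finding)
```

Two signals matter here. Under a half-up rule roughly half the postings round up, so a batch in which every posting rounded down is statistically suspicious on its own; and the net remainder of an honest batch hovers around zero, whereas a truncated batch always produces a positive remainder that has to be credited somewhere.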
Controls

Two types of controls are exercised to avoid any serious loss to
organizational assets generated from either of the threats mentioned above:
i. Physical Access Controls
ii. Logical Access Controls

A. Physical Access Controls

Physical access controls are designed to prevent intruders getting access
to physical assets of the organization like computer equipment and storage
media etc. Following are the areas which should be protected physically from
intruders:

• Programming areas
• Computer room
• Operator console
• Tape library, tapes, disks, magnetic media
• Storage rooms and supplies
• Offsite backup facilities
• Microcomputers
• Power sources
• Telecommunication
• Printing facilities
• LANs

Door locks

Conventional door locks are of great value in most circumstances,
particularly where users are required to pass through the door only a couple of times
a day. However, recent developments in door technology have made it
easier for organizations to put either a combination lock or an electronic lock on the
door. Surveillance cameras can also be placed at the main entrances to the
computer rooms in the organization to monitor the access of people within the
organization.

Access Logging

Organizations can record the entries/exits of authorized personnel to the
computer facilities in the organization by the following methods:
i. Manual logging
ii. Electronic logging

Card Entry Systems

Card entry systems are a more sophisticated means of control than the
use of door locks, as cards can be programmed to allow access to certain parts of
the building only, between certain times.

Cards allow a high degree of monitoring of staff movements; they can for
example be used instead of clock cards to record details of time spent on site.
Such cards can be incorporated into identity cards, which also carry the
photograph and signatures of the user and which must be displayed at all times.

Biometric access

Another development of recent times is the placement of biometric devices at
entrance points. These devices replace cards and similar tokens; they include
thumb impression devices, eye color recognizers and voice recognizers.
However, the use of these devices is restricted to organizations with a smaller
number of employees with restricted movements during the working hours.

B. Logical Access Controls

Logon IDs and Passwords

This two-phase user identification/authentication process, based on
something you know, can be used to restrict access to computerized information,
transactions, programs and to the computer system itself. The computer can
maintain an internal list of valid logon IDs and a corresponding set of access
rules for each logon ID. These access rules identify the computer resources the
user of the logon ID can access and constitute the user's authorization. As a
minimum, access rules usually are specified at the operating system level
(controlling access to files) or within individual application systems (controlling
access to menu functions and types of data).

The logon ID provides individual identification. Each user gets a unique
logon ID that can be identified by the system. The format of logon IDs is typically
standardized.

The password provides individual authentication. Identification/authentication is
a two-step process by which the computer system first verifies that the user has a
valid logon ID (user identification) and then requires the user to substantiate his/her
validity via a password.

Password policies

A password should be easy for the user to remember but difficult for
perpetrator to guess. Initial passwords may be allocated by the security
administrator or generated by the system itself. When the user logs on for the
first time, the system should force a password change to improve confidentiality.
Initial password assignments should be randomly generated and assigned,
where possible, on an individual, and not a group, basis.

Accounts never used, with or without an initial password assignment,
should be removed from the system. If the wrong password is entered a
predefined number of times, typically three, the logon ID should be automatically
and permanently deactivated (or at least for a significant period of time).

Security administrators in the IS/IT organization must develop rules
for passwords, to be followed strictly by all users. These rules may include, but are not
limited to, the following:

i. Ideally, passwords should be five to eight characters in length.
Anything shorter is too easy to guess. Anything longer is too hard to
remember.

ii. Passwords should allow for a combination of alpha, numeric, upper
and lower case and special characters.

iii. Passwords should not be particularly identifiable with the user (such as
first name, last name, spouse name, pet's name, etc.). Some
organizations prohibit the use of vowels, making word
association/guessing of passwords more difficult.

iv. The system should not permit previous password(s) to be used after
being changed.

v. Logon IDs not used after a number of days should be deactivated to
prevent possible misuse. This can be done automatically by the
system or manually by the security administrator.

vi. The system should disconnect a logon session automatically if no
activity has occurred for a period of time (one hour). This reduces the
risk of misuse of an active logon session left unattended because the
user went to lunch, left for home, went to a meeting or otherwise forgot
to log off. This is often referred to as a time out.
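The password rules and the account-handling rules from the preceding paragraphs (forced change of the initial password, lockout after a predefined number of wrong attempts, no reuse of previous passwords, deactivation of unused logon IDs, session time out) fit together as one small state machine. The following is an added example, not code from the text. The length, attempt and time-out figures are the text's and are plain parameters of PasswordPolicy; the 90-day inactivity limit, the history depth of five, the logon IDs and the passwords in run_demo are constructed for illustration. The clock is passed in explicitly so the time-based rules can be exercised without waiting.

```python
import hashlib
import re
from datetime import datetime, timedelta


def _digest(password):
    # Demo only: a production system stores passwords with a slow, salted hash (bcrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordPolicy:
    """The rule set from the text expressed as parameters."""

    def __init__(self, min_length=5, max_length=8, max_attempts=3,
                 inactivity_limit=timedelta(days=90), session_timeout=timedelta(hours=1),
                 history_size=5):
        self.min_length, self.max_length = min_length, max_length
        self.max_attempts = max_attempts
        self.inactivity_limit = inactivity_limit
        self.session_timeout = session_timeout
        self.history_size = history_size

    def check(self, password, user_info, history):
        """Return the list of rule violations; an empty list means the password is acceptable."""
        problems = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length must be {self.min_length}-{self.max_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("use at least three of: lower case, upper case, digits, special characters")
        for item in user_info:  # names the user is identifiable by (first name, last name, ...)
            if item and item.lower() in password.lower():
                problems.append(f"must not contain user-identifiable value {item!r}")
        if _digest(password) in history:
            problems.append("password was used before")
        return problems


class Account:
    def __init__(self, logon_id, policy, created_at):
        self.logon_id, self.policy = logon_id, policy
        self.state = "new"            # new -> active -> locked | deactivated
        self.password_hash, self.history = None, []
        self.must_change = True       # an assigned initial password must be changed at first logon
        self.failed_attempts = 0
        self.last_activity = created_at
        self.session_last_seen = None

    def set_initial_password(self, password):
        self.password_hash = _digest(password)
        self.history = [self.password_hash]
        self.must_change, self.state = True, "active"

    def login(self, password, now):
        if self.state != "active":
            return self.state
        if _digest(password) != self.password_hash:
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.max_attempts:
                self.state = "locked"     # deactivated after the threshold of wrong passwords
                return "locked"
            return "bad password"
        self.failed_attempts = 0
        self.last_activity = self.session_last_seen = now
        return "change required" if self.must_change else "ok"

    def change_password(self, new_password, user_info):
        problems = self.policy.check(new_password, user_info, self.history)
        if not problems:
            self.password_hash = _digest(new_password)
            self.history = (self.history + [self.password_hash])[-self.policy.history_size:]
            self.must_change = False
        return problems

    def session_active(self, now):
        """Time out: a session idle for longer than the limit is treated as disconnected."""
        return (self.session_last_seen is not None
                and now - self.session_last_seen <= self.policy.session_timeout)

    def review_inactivity(self, now):
        """Housekeeping run: deactivate logon IDs not used within the inactivity limit
        (an account that was never used at all counts from its creation)."""
        if self.state == "active" and now - self.last_activity > self.policy.inactivity_limit:
            self.state = "deactivated"
        return self.state


def run_demo():
    """Constructed walk-through of the account life cycle with an injected clock."""
    policy = PasswordPolicy()
    t0 = datetime(2024, 1, 8, 9, 0)
    results = {}
    acct = Account("jsmith", policy, created_at=t0)
    acct.set_initial_password("Init#42a")                        # assigned by the administrator
    results["first_logon"] = acct.login("Init#42a", t0)          # forced to change it
    results["reuse_rejected"] = acct.change_password("Init#42a", ["john", "smith"])
    results["name_rejected"] = acct.change_password("smith#1A", ["john", "smith"])
    results["change_ok"] = acct.change_password("Qz7$rt", ["john", "smith"])
    results["second_logon"] = acct.login("Qz7$rt", t0 + timedelta(minutes=5))
    results["session_at_50min"] = acct.session_active(t0 + timedelta(minutes=50))
    results["session_at_2h"] = acct.session_active(t0 + timedelta(hours=2))
    for _ in range(policy.max_attempts):                         # three wrong guesses -> locked
        results["after_bad_attempts"] = acct.login("wrong", t0 + timedelta(hours=3))
    stale = Account("mlee", policy, created_at=t0)
    stale.set_initial_password("Temp#9zq")                        # assigned but never used
    results["stale_review"] = stale.review_inactivity(t0 + timedelta(days=91))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The history is kept as hashes rather than plaintext, so the reuse check never needs the old passwords themselves; the same digest function is used for the current password and the history so the comparison stays consistent.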

Biometric Access

Biometric access controls are the best means of authenticating a user's
identity based on a unique, measurable aspect for verifying the identity of a
human being. This control confines computer access, based on a physical or
behavioral characteristic of the user. By tradition, biometric systems have been
used very little as an access control technique. However, due to advances in
hardware efficiencies and storage, biometric systems are becoming a more
feasible option as an access control mechanism.
Using a biometric generally involves use of a reader device that interprets
the individual's biometric features before permitting authorized access. However,
this is not a foolproof process because certain biometric features can change
(e.g., scarred fingerprints, signature irregularities, change in voice, etc.). For this
reason, biometric access control systems are not very effective. Biometric
controlled access includes options such as finger prints, thumb impressions,
voice recognition, signature verification, face recognition and eye recognition.

Single Sign-on (SSO)

Users normally require access to a number of resources while performing
their daily routine jobs. For example, users would first log into an operating system
and subsequently into various applications. For each operating system,
application or other resource in use, the user is required to provide a separate
set of identification to gain access. This results in a situation where users are
likely to forget their IDs/passwords.

To address a situation where users have to remember an increasing
number of passwords, pass codes, etc., the concept of single sign-on was
developed. Single sign-on (SSO) generally is the process for the consolidation of
enterprise platform-based administration, verification, and authorization functions
through a single sign-on product that interfaces with:

• Server security
• Workstation security
• Client-server and distributed systems
• Mainframe applications
• Network security including remote access

The first instance where the user identification is entered is called the
primary domain. Every other resource, application or platform that uses that
identification is called a secondary domain. With a single user ID/password, a
user can log in to the enterprise network and access all network services,
databases, and applications that they need to perform their jobs. This eliminates
the need for users to have multiple user names and passwords.

Advantages of Single-sign on

• Users select stronger passwords, since the need for multiple passwords
and change synchronization is avoided.
• Inactivity timeout and attempt thresholds are applied uniformly closer to
user points of entry.
• It improves the effectiveness/timeliness of disabling all network/computer
accounts for terminated users.
• It improves an administrator's ability to manage users and user
configurations across all associated systems.
• It reduces administrative overhead in resetting forgotten passwords over
multiple platforms and applications.
• It provides users with the convenience of having to remember only a
single set of credentials. This also improves security as users find it easier
to remember their credentials and do not have to write them down,
allowing for a more efficient user logon process.
• It reduces the time taken by users to log into multiple applications and
platforms.

Disadvantages of Single-Sign on

• Using only one SSO server can introduce a single point of network failure.
• Few software solutions accommodate all major operating system
environments; a mix of solutions must be tailored to the enterprise's IT
architecture and strategic direction.
• Substantial interface development and maintenance may be necessary,
especially in the absence of industry-based standards.
• The SSO server and other host security must be hardened, since
weaknesses can now be exploited across the enterprise.
• Most SSO software packages include additional access control features
for which the purchaser is charged even if they are redundant with existing
controls.

CONDUCTING A SECURITY PROGRAM

A security program is a series of ongoing, regular, periodic reviews
conducted to ensure that assets associated with the information systems function
are safeguarded adequately. The first security review conducted is often a major
exercise. Security administrators have to consider an extensive list of possible
threats to assets associated with the information system function, prepare an
inventory of assets, evaluate the adequacy of controls over assets, and perhaps
modify existing controls or implement new controls.

One outcome of this initial security review might be a security policy to
guide security practices within an organization and to provide a basis for
subsequent evaluation of these practices. Subsequent security reviews might
focus only on changes that have occurred, for example the addition of a new main
frame or mini frame computer, the addition of more network sites, or the emergence of
a new security threat. A security policy might need to be reviewed and updated
based on these subsequent reviews.
Following are the steps to conduct a security program:
i. Prepare a project plan
ii. Identify assets
iii. Value assets
iv. Identify threats
v. Assess likelihood of threats
vi. Analyze exposures
vii. Adjust controls
viii. Prepare security report
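The middle steps of the program (value assets, identify threats, assess likelihood, analyze exposures, adjust controls, prepare the report) are the mechanics behind the earlier definition of a secure asset: expected losses over a chosen period kept at an acceptable level. The following added example, not code from the text, carries one review through those steps. Expected loss for each asset/threat pair is taken as asset value x fraction lost per occurrence x annual likelihood x years in the period; a control is modelled as lowering the likelihood of the threat it addresses. The asset inventory, the probabilities, the values and the acceptable-loss figure are constructed for illustration and are not figures from the text.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_probability: float   # assessed likelihood of one occurrence per year
    loss_fraction: float        # share of the asset's value lost per occurrence


@dataclass
class Asset:
    name: str
    value: float                # asset valuation in the organization's currency
    threats: list = field(default_factory=list)


def exposure(asset, threat, years):
    """Expected loss from one (asset, threat) pair over the review period."""
    return round(asset.value * threat.loss_fraction * threat.annual_probability * years, 2)


def analyze_exposures(assets, years):
    """Step 'Analyze exposures': every (asset, threat) pair with its expected loss, largest first."""
    rows = [(a.name, t.name, exposure(a, t, years)) for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def total_expected_loss(assets, years):
    return round(sum(r[2] for r in analyze_exposures(assets, years)), 2)


def adjust_control(assets, asset_name, threat_name, new_probability):
    """Step 'Adjust controls': a new or strengthened control is modelled as lowering
    the assessed likelihood of the threat it addresses."""
    for a in assets:
        if a.name == asset_name:
            for t in a.threats:
                if t.name == threat_name:
                    t.annual_probability = new_probability
                    return
    raise KeyError((asset_name, threat_name))


def security_report(assets, years, acceptable_loss):
    """Step 'Prepare security report': exposure table and verdict against the acceptable level."""
    total = total_expected_loss(assets, years)
    return {
        "period_years": years,
        "acceptable_loss": acceptable_loss,
        "total_expected_loss": total,
        "within_acceptable_level": total <= acceptable_loss,
        "exposures": analyze_exposures(assets, years),
    }


def build_sample_inventory():
    """Constructed asset inventory and threat assessment (illustrative figures only)."""
    return [
        Asset("mainframe installation", 500_000, [
            Threat("fire", annual_probability=0.02, loss_fraction=1.0),
            Threat("power variation", annual_probability=0.5, loss_fraction=0.01),
        ]),
        Asset("customer database", 200_000, [
            Threat("insider theft of data", annual_probability=0.1, loss_fraction=0.5),
            Threat("virus infection", annual_probability=0.3, loss_fraction=0.1),
        ]),
    ]


def run_review(years=3, acceptable_loss=60_000):
    """Walk the review: initial report, then adjust controls until the exposure is acceptable."""
    assets = build_sample_inventory()
    before = security_report(assets, years, acceptable_loss)
    # Segregation of duties plus logical access controls for the insider threat ...
    adjust_control(assets, "customer database", "insider theft of data", 0.02)
    # ... and preventive/detective antivirus controls for infections.
    adjust_control(assets, "customer database", "virus infection", 0.1)
    after = security_report(assets, years, acceptable_loss)
    return before, after


if __name__ == "__main__":
    before, after = run_review()
    for label, rep in (("before", before), ("after", after)):
        print(f"{label}: total {rep['total_expected_loss']:.2f} over {rep['period_years']} years, "
              f"acceptable={rep['within_acceptable_level']}")
        for asset, threat, loss in rep["exposures"]:
            print(f"  {asset:25s} {threat:25s} {loss:10.2f}")
```

With these figures the first report shows 85,500 of expected loss over three years against an acceptable 60,000; the two added controls bring it to 49,500. Ordering the exposures largest first is what turns the analysis into a decision: controls are adjusted on the biggest exposures until the total falls under the level management has accepted, and the cost of each control can be weighed against the reduction in expected loss it buys.
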

Security Organization

Protecting the organizational information assets is expensive and intricate.
Therefore, organizations must not only use controls to prevent or detect security
problems, they must do so in an organized manner, assigning responsibilities
and authority throughout the organization. Any program that is adopted must be
supported by three organizational components:
i. People;
ii. Technology; and
iii. Process.
A security program must have six features:

Alignment: the program must be aligned with the organizational goals.
Enterprise wide: everyone in the organization must become part of the
security program.
Continuity: the program must be operational continuously without any
disruption.
Validation: the security program must be tested and validated to ensure
its operability.
Proactive: organizations should not wait for something to happen but
must use innovative, preventive and protective measures.
Formal: it must be a formal program with authority, responsibility and
accountability.

Figure: Corporate security plan. The diagram shows the Security function alongside
the Privacy Officer, the Physical Security Officer, Asset Management, Continuity
Planning and Service Management, with security activities grouped into four streams:

Planning: business requirements; education; formal communications; governance
policies; project management; risk assessment.
Architecture: request for proposal; standards & guidelines; technical requirements;
technical security architecture; technology solutions.
Operations: incident response; access control; investigations; standards deployment.
Monitoring: auditing; reporting; system monitoring; security testing; training &
awareness; vulnerability management.

DISASTER RECOVERY PLAN

In spite of the safeguards that might be implemented, the information systems
could still suffer a disaster. A control might fail, or a threat might occur that
management has not considered or that management has decided to accept as
an exposure that cannot be covered via cost effective controls. When disaster
strikes, it still must be possible to recover operations and mitigate losses.
Organizations are required to have a properly documented disaster recovery plan,
at least to lessen the effect of such a disaster.

The purpose of a disaster recovery plan or contingency plan is to enable
the Information Systems function to restore operations in the event of some type
of disaster. The impact of a disaster might be localized; for example, the PC user
might accidentally delete critical data stored on a hard disk. The impact,
however, might be wide spread; for example, an organization's main frame
computer installation might be destroyed by fire.

Periodically, surveys have been undertaken of organizations to assess the
adequacy of their disaster recovery plans. A common, recurring finding is that
the quality of disaster recovery plans, if an organization even has one, is low.
This situation exists even though other surveys report that on average the length
of time organizations can survive in the event their information processing
function is lost is decreasing. Perhaps these findings reflect that disaster recovery
plans are costly and difficult to prepare, maintain and test. In organizations that
have extensive decentralization and distribution of computing resources, for
example, disaster recovery planning will be a time-consuming activity. For a
start, security administrators are likely to have difficulty obtaining a commitment
from large numbers of microcomputer users to maintaining effective backups.

Auditors are concerned to see that the organizations audited have
appropriate, high quality disaster recovery plans in place. Because the
preparation, maintenance and ongoing testing of disaster recovery plans is often
costly, the plan should be appropriate to the needs of the organization. Clearly,
organizations that depend more on computers to support their operations will
have greater needs. External auditors will be especially interested in a client's
ability to continue as a going concern in the event disaster strikes and recovery
cannot be effected quickly. They must also consider that contingent claims might
arise because contractual agreements the client has with other parties specify that an
appropriate, high quality, regularly tested disaster recovery plan must be in place.
Indeed, in some cases, clients might be governed by legislation that requires that
they have appropriate, high quality disaster recovery plans. Internal auditors will
have the same concerns. In addition, they might also evaluate whether
preparation, maintenance, and testing of the plan is carried out efficiently.

A comprehensive disaster recovery plan comprises four parts:

i. An emergency plan
ii. A backup plan
iii. A recovery plan
iv. A test plan

Figure: the four components of a disaster recovery plan (emergency plan, backup plan, recovery plan and test plan).

The plan lays down the policies, guidelines and procedures for all
personnel who have responsibility for the Information Systems function to follow.
For example, it specifies the daily backup procedures that microcomputer users
should follow and the site where recovery of mainframe operations is to be
effected in the event of a fire.

Emergency Plan

The emergency plan specifies the actions to be undertaken immediately
when a disaster occurs. Management must identify those situations that require
the plan to be invoked - for example, major fire, major structural damage, and
terrorist attack. The actions to be initiated can vary somewhat depending on the
nature of the disaster that occurs. For example, some disasters require that all
personnel leave the information systems facilities immediately; others require a
few select personnel remain behind for a short period to sound alarms, shut
down equipment, and so on.

If an organization undertakes a comprehensive security review program,
the threat identification and exposure analysis phases involve identifying those
situations that require the emergency plan to be invoked. Each situation will be
an exposure; that is, it will be a threat that eventuates and brings about losses
because controls have failed or none exist to cover the threat.
When the situations that invoke the plan have been identified, four aspects
of the emergency plan must be articulated.

i. The plan must show who is to be notified immediately when the
disaster occurs: management, the police or the fire department.
ii. The plan must show any actions to be undertaken, such as
shutdown of equipment, removal of files, and termination of power.
iii. Any evacuation procedures required must be specified.
iv. Return procedures (e.g. conditions that must be met before the site
is considered safe) must be designated.

In all cases, the personnel responsible for the actions must be identified,
and the protocols to be followed must be specified clearly.

Backup Plan

The backup plan specifies the type of backup to be kept, the frequency
with which backup is to be undertaken, the procedures for making backup, the
location of backup resources, the site where these resources can be assembled
and operations restarted, the personnel who are responsible for gathering
backup resources and restarting operations, the priorities to be assigned to
recovering the various systems, and a time frame in which recovery of each
system must be effected. For some resources, the procedures specified in the
backup plan might be straightforward. For example, microcomputer users might
be admonished to make backup copies of critical files and store them off site. In
other cases, the procedures specified in the backup plan could be complex and
somewhat uncertain. For example, it might be difficult to specify exactly how an
organization's mainframe facility will be recovered in the event of a fire.

The backup plan needs continuous updating as change occurs. For
example, as personnel with key responsibilities in executing the plan leave the
organization, the plan must be modified accordingly. It is more practical to have
more than one person knowledgeable in a backup task in case someone is
injured when a disaster occurs. Similarly, lists of hardware and software must be
updated to reflect acquisitions and disposals.

The difficult part in preparing a backup plan is to ensure that all critical
resources are backed up. The following resources must be considered:

Resource              Nature of Backup

Personnel             Training and rotation of duties among information systems
                      staff so they can take the place of others. Arrangements
                      with another company for provision of staff.
Hardware              Outsourcing arrangements for hardware provision.
Facilities            Outsourcing arrangements for the provision of facilities.
Documentation         Inventory of documentation stored securely on site and off
                      site.
Supplies              Inventory of critical supplies stored securely on site and
                      off site, with a list of vendors who provide all supplies.
Data/Information      Inventory of files stored securely on site and off site.
Application software  Inventory of application software stored securely on site
                      and off site.
System software       Inventory of system software stored securely on site and
                      off site.

The selection of backup sites is an important decision. These sites must
be close enough to enable easy pickup and delivery of backup resources. They
must be sufficiently distant, however, so it is unlikely that both the organization's
information systems facilities and the backup-site facilities will be destroyed as
the result of a single disaster. In some cases, this objective might be difficult to
achieve. For example, if a major earthquake were to occur, nearby backup sites
might also be destroyed.

Provision of suitable backup for mainframe computers usually is a more
difficult task than provision of suitable backup for minicomputers and
microcomputers. Replacement minicomputers and microcomputers often can be
obtained quickly. Furthermore, usually they have minimum requirements in terms
of an appropriate operating environment. Mainframe computers, on the other
hand, typically require specialized operational facilities. Following are some
viable backup options security administrators should consider:

1. Cold site: If an organization can tolerate some downtime, cold-site
backup might be appropriate. A cold site has all the facilities needed to
install a mainframe system: raised floors, air conditioning, power,
communications lines, and so on. The mainframe is not present, however,
and it must be provided by the organization wanting to use the cold site.
An organization can establish its own cold site facility or enter into an
agreement with another organization to provide a cold site facility.

2. Hot site: If fast recovery is critical, an organization might need hot-site
backup. All hardware and operations facilities will be available at the hot site. In
some cases, software, data, and supplies might also be stored there. Hot
sites are expensive to maintain. They usually are shared with other
organizations that have hot site needs.

3. Warm site: A warm site provides an intermediate level of backup. It has
all cold site facilities plus hardware that might be difficult to obtain or
install. For example, a warm site might contain selected peripheral
equipment plus a small mainframe with sufficient power to handle critical
applications in the short run.

4. Reciprocal agreement: Two or more organizations might agree to
provide backup facilities to each other in the event of one suffering a
disaster. This backup option is relatively cheap, but each participant must
maintain sufficient capacity to operate another's critical systems.
Reciprocal agreements are often informal in nature.

If a third-party site is to be used for backup and recovery purposes,
security administrators must ensure that a contract is written to cover such issues
as:

i. How soon the site will be made available subsequent to a disaster.
ii. The number of organizations that will be allowed to use the site
concurrently in the event of a disaster.
iii. The priority to be given to concurrent users of the site in the event
of a common disaster.
iv. The period during which the site can be used.
v. The conditions under which the site can be used.
vi. The facilities and services the site provider agrees to make
available.
vii. What controls will be in place and working at the off-site facility.

These issues are often poorly specified in reciprocal agreements.
Moreover, they can be difficult to enforce under a reciprocal agreement because
of the informal nature of the agreement.

The need for backup highlights the value of using hardware and system
software that conform to widely accepted standards and developing portable
application systems. Specialized hardware and software might be more effective
and more efficient, but they undermine an organization's ability to recover from a
disaster quickly.

The recovery component of the backup plan needs careful consideration.
In the event of a disaster, personnel will be responsible for tasks they undertake
only occasionally. Furthermore, they might be working under stress in a strange
environment. The backup plan must assist them by providing concise, complete,
clear instructions on the recovery procedures they must follow.

Recovery Plan

Whereas the backup plan is intended to restore operations quickly so the
information systems function can continue to service an organization, recovery
plans set out procedures to restore full information systems capabilities.
Recovery plans depend on the circumstances of the disaster. For example, they
will depend on whether the disaster is global or localized and, if localized, the
nature of the machine (e.g., microcomputer, minicomputer, mainframe), the
applications, and the data to be recovered. In this light, recovery plans should
identify a recovery committee that will be responsible for working out the
specifics of the recovery to be undertaken. The plan should specify the
responsibilities of the committee and provide guidelines on priorities to be
followed. For example, certain members of the committee could be responsible
for hardware replacement. The plan might also indicate which applications are to
be recovered first.

Members of a recovery committee must understand their responsibilities.
Again, the problem is that they will be required to undertake unfamiliar tasks.
Periodically, they must review and practice executing their responsibilities so
they are prepared should a disaster occur. If committee members leave the
organization, new members must be appointed immediately and briefed as to
their responsibilities.

Test Plan

The final component of a disaster recovery plan is a test plan. The
purpose of the test plan is to identify deficiencies in the emergency, backup, or
recovery plans or in the preparedness of an organization and its personnel in the
event of a disaster. It must enable a range of disasters to be simulated and
specify the criteria by which the emergency, backup, and recovery plans can be
deemed satisfactory.

Periodically, test plans must be invoked; that is, a disaster must be
simulated and information systems personnel required to follow backup and
recovery procedures. Unfortunately, top managers are often unwilling to carry out
a test because daily operations are disrupted. They also fear a real disaster
could arise as a result of the test procedures.

To facilitate testing, a phased approach can be adopted. First, the disaster
recovery plan can be tested by desk checking, inspection and walkthroughs,
much like the validation procedures adopted for programs. Next, a disaster can be
simulated at a convenient time, for example during a slow period in the day.
Anyone who will be affected by the test (e.g. personnel and customers) also
might be given prior notice of the test so they are prepared. Finally, disasters
could be simulated without warning at any time. These are the acid tests of the
organization's ability to recover from a real disaster.

BUSINESS CONTINUITY PLANNING (BCP):

BCP is the act of proactively working out a way to prevent and manage the
consequences of a disaster, limiting it to the extent that a business can afford. Business
continuity planning determines how a company will keep functioning until its
normal facilities are restored after a disruptive event. This encompasses how
employees will be contacted, where they will go and how they will keep doing
their jobs.

Business Continuity is the exercise of recovering from an availability interruption
or disaster event in minutes instead of days. The chart below depicts the delta between
disaster recovery and business continuity.

Chart: an availability interruption or disaster event, with elapsed time (minutes, hours, days) on the horizontal axis.

Traditional disaster recovery plan: periodic offsite backups; after the event, restore data from backups, identify and re-enter lost data, then resume processing (hours to days).

Business continuity: continuous mirroring of data to a remote site; after the event, perform target takeover and resume processing (minutes).

There are two key performance indicators (KPIs) that measure across the
business continuity spectrum:
i. Recovery Point Objective (RPO) – The pre-incident point in time that data
must be recovered to resume business transactions (acceptable
transaction data loss).
ii. Recovery Time Objective (RTO) – The maximum elapsed time required to
recover data and processing capability.

Each of these KPIs shapes the meaning and levels of service that organizations
must consider when assessing business impact.
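
The test plan described earlier exists to find deficiencies, and RPO and RTO are the two numbers a simulated disaster should be scored against. The following Python is an added example, not code from the page: it takes a constructed record of one disaster recovery test (backup completion times, the moment the disaster was declared and the moment processing resumed; all timestamps invented) and reports whether the achieved RPO and RTO meet objectives that are likewise constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record of one simulated disaster (a disaster recovery test).
# These timestamps are invented for illustration, not taken from any real test.
BACKUP_COMPLETED = [
    datetime(2024, 3, 10, 22, 0),
    datetime(2024, 3, 11, 22, 0),
    datetime(2024, 3, 12, 22, 0),  # last nightly offsite backup before the test
]
DISASTER_DECLARED = datetime(2024, 3, 13, 9, 30)
PROCESSING_RESUMED = datetime(2024, 3, 13, 15, 15)


@dataclass(frozen=True)
class Objectives:
    """Targets agreed during business impact analysis (constructed values)."""
    rpo: timedelta  # acceptable transaction data loss, expressed as a time window
    rto: timedelta  # maximum elapsed time to recover data and processing


SAMPLE_OBJECTIVES = Objectives(rpo=timedelta(hours=24), rto=timedelta(hours=4))


@dataclass(frozen=True)
class TestResult:
    achieved_rpo: timedelta  # age of the data the recovery started from
    achieved_rto: timedelta  # disaster declaration to resumed processing
    rpo_met: bool
    rto_met: bool


def last_usable_backup(backups, disaster_at):
    """Most recent backup completed before the disaster, or None.

    A backup still running when the disaster struck cannot be assumed
    consistent, so only backups completed before it count."""
    usable = [b for b in backups if b <= disaster_at]
    return max(usable) if usable else None


def evaluate_test(backups, disaster_at, resumed_at, objectives):
    """Compare the RPO and RTO achieved in a test against the objectives."""
    if resumed_at < disaster_at:
        raise ValueError("processing cannot resume before the disaster is declared")
    last = last_usable_backup(backups, disaster_at)
    if last is None:
        raise ValueError("no usable backup before the disaster: data loss is unbounded")
    # Everything entered after the last backup must be identified and re-entered,
    # so the achieved RPO is the age of that backup at the moment of the disaster.
    achieved_rpo = disaster_at - last
    achieved_rto = resumed_at - disaster_at
    return TestResult(
        achieved_rpo=achieved_rpo,
        achieved_rto=achieved_rto,
        rpo_met=achieved_rpo <= objectives.rpo,
        rto_met=achieved_rto <= objectives.rto,
    )


def findings(result, objectives):
    """Deficiencies to carry into the test report, as plain text lines."""
    lines = []
    if not result.rpo_met:
        lines.append(f"RPO missed: {result.achieved_rpo} of data lost, objective {objectives.rpo}")
    if not result.rto_met:
        lines.append(f"RTO missed: recovery took {result.achieved_rto}, objective {objectives.rto}")
    return lines


def run_sample():
    """Evaluate the constructed test record against the constructed objectives."""
    return evaluate_test(BACKUP_COMPLETED, DISASTER_DECLARED, PROCESSING_RESUMED, SAMPLE_OBJECTIVES)


if __name__ == "__main__":
    result = run_sample()
    print(f"achieved RPO {result.achieved_rpo}, achieved RTO {result.achieved_rto}")
    for line in findings(result, SAMPLE_OBJECTIVES):
        print(line)
```

With the sample data the nightly backup keeps the achieved RPO (11 hours 30 minutes) inside the 24-hour objective, but recovery took 5 hours 45 minutes against a 4-hour RTO, which is exactly the kind of finding a test plan is meant to surface before a real disaster does.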
Business Continuity describes the processes and procedures an organization puts in
place to ensure that essential functions can continue during and after a disaster.
Business Continuity Planning seeks to prevent interruption of mission-critical services,
and to reestablish full functioning as swiftly and smoothly as possible. There is a
standard four-step process for making a BCP.

1. Business Impact Analysis (BIA)

Business impact analysis is performed to determine the impacts associated with
disruptions to specific functions or assets in a firm – these include operating impact,
financial impact, and legal or regulatory impact. For example, should billing, receivable,
and collections business functions be crippled by inaccessibility of information, cash flow
to the business will suffer. Additional risks are that lost customers will never return, the
business’ credit rating may suffer, and significant costs may be incurred for hiring
temporary help. Lost revenues, additional costs to recover, fines and penalties, overtime,
application and hardware, lost good will, and delayed collection of funds could be the
business impact of a disaster.

2. Risk Analysis

Risk analysis identifies important functions and assets that are critical to a firm’s
operations, and then subsequently establishes the probability of a disruption to those
functions and assets. Once the risk is established, objectives and strategies to eliminate
avoidable risks and minimize impacts of unavoidable risks can be set. A list of critical
business functions and assets should first be compiled and prioritized. Following this,
determine the probability of specific threats to business functions and assets. For
example, a certain type of failure may occur once in 10 years. From a risk analysis, a set
of objectives and strategies to prevent, mitigate, and recover from disruptive threats should
be developed.
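
Steps 1 and 2 combine the impact estimates from the BIA with the probabilities from the risk analysis. The Python below is an added example, not the page's own procedure: it uses the standard expected-annual-loss calculation (occurrence rate per year multiplied by loss per occurrence, so "once in 10 years" becomes a rate of 0.1) to rank constructed business functions for recovery priority and to decide whether a proposed control is cost effective or whether the residual exposure is one the organization simply has to accept. All function names, rates, impacts and control costs are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # expected occurrences per year; "once in 10 years" is 0.1
    impact: float       # estimated loss per occurrence from the BIA, in currency units


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    threats: tuple


def expected_annual_loss(threat):
    """Expected loss per year from one threat: occurrence rate times impact."""
    return threat.annual_rate * threat.impact


def function_exposure(function):
    """Sum of the expected annual losses over every threat to one function."""
    return sum(expected_annual_loss(t) for t in function.threats)


def prioritize(functions):
    """Functions ordered by exposure, highest first: a recovery priority list."""
    return sorted(((f.name, function_exposure(f)) for f in functions),
                  key=lambda pair: pair[1], reverse=True)


def control_is_cost_effective(threat, annual_cost, rate_after, impact_after):
    """A control is worth buying when the reduction in expected annual loss
    exceeds its yearly cost. Otherwise the exposure is accepted, which is the
    situation the text describes as losses that cannot be covered by cost
    effective controls and that the disaster recovery plan must still handle."""
    after = Threat(threat.name, rate_after, impact_after)
    return expected_annual_loss(threat) - expected_annual_loss(after) > annual_cost


# Constructed sample: three business functions with invented rates and impacts.
FIRE = Threat("data centre fire", annual_rate=0.1, impact=1_500_000)
DISK = Threat("disk failure", annual_rate=0.5, impact=50_000)
WIKI_DISK = Threat("disk failure", annual_rate=0.5, impact=2_000)
SAMPLE_FUNCTIONS = (
    BusinessFunction("billing and collections", (FIRE, DISK)),
    BusinessFunction("payroll", (Threat("data centre fire", 0.1, 300_000),
                                 Threat("disk failure", 0.5, 10_000))),
    BusinessFunction("internal wiki", (WIKI_DISK,)),
)


if __name__ == "__main__":
    for name, exposure in prioritize(SAMPLE_FUNCTIONS):
        print(f"{name:25s} expected annual loss {exposure:>12,.0f}")
    # Remote mirroring for billing: 60,000 a year, cuts fire impact to 100,000.
    print("mirror billing data:", control_is_cost_effective(FIRE, 60_000, 0.1, 100_000))
    # A 5,000-a-year backup service for the wiki against a 1,000 expected loss.
    print("back up the wiki:", control_is_cost_effective(WIKI_DISK, 5_000, 0.5, 0))
```

The ranking puts billing and collections first, matching the text's example of the function whose loss hurts cash flow most. The two control checks show both outcomes of the analysis: mirroring the billing data saves far more than it costs, while the wiki's residual exposure is cheaper to accept than to control, and so it lands in the disaster recovery plan rather than in the control budget.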

3. Disaster Recovery Plan (DRP)

Disaster recovery plan is an IT-focused plan designed to restore operability of the
target systems, applications, or computer facility at an alternate site after an emergency.
A DRP addresses major site disruptions that require site relocation. The DRP applies to
major, usually catastrophic, events that deny access to the normal facility for an
extended period. Typically, Disaster Recovery Planning involves an analysis of business
processes and continuity needs; it may also include a significant focus on disaster
prevention.

4. Disaster Tolerance

Disaster tolerance defines an environment’s ability to withstand major disruptions
to systems and related business processes. Disaster tolerance at various levels should
be built into an environment and can take the form of hardware redundancy, high
availability/clustering solutions, multiple data centers, eliminating single points of failure,
and distance solutions.

Bare Metal Recovery

A bare metal recovery describes the process of restoring a
complete system, including system and boot partitions, system settings, applications,
and data to their original state at some point prior to a disaster.

High Availability describes a system’s ability to continue processing and
functioning for a certain period of time - normally a very high percentage of time,
for example 99.999%. High availability can be implemented in IT infrastructure by
reducing any single points of failure (SPOF), using redundant components.
Similarly, clustering and coupling applications between two or more systems can
provide a highly available computing environment.
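
The availability figure and the advice to remove single points of failure can be made concrete with the standard availability arithmetic, which the page states the goal of but does not work through. The Python below is an added example, not the page's own material: it converts a stated availability into the outage minutes per year it permits, and models a constructed three-tier service (each tier 99.9% available, figures invented) first as a plain chain, then with one tier made redundant, then with every tier made redundant. It assumes component failures are independent, a simplification that shared power, shared networking or a common software fault would break.

```python
from math import prod

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960 minutes


def allowed_downtime_minutes(availability):
    """Minutes of outage per year consistent with a stated availability fraction."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability is a fraction between 0 and 1")
    return (1.0 - availability) * MINUTES_PER_YEAR


def in_series(*availabilities):
    """Availability of a chain in which every component must be up.

    Each component in the chain is a single point of failure: the chain is
    only as available as the product of its parts."""
    return prod(availabilities)


def redundant(*availabilities):
    """Availability of a group that is up while at least one member is up.

    Assumes independent failures (a simplification; correlated failures such
    as shared power make the real figure lower)."""
    return 1.0 - prod(1.0 - a for a in availabilities)


# Constructed example: a three-tier service (front end, application, database),
# each tier 99.9% available on its own. The tier figures are invented.
TIER = 0.999


def single_path():
    """No redundancy anywhere: three single points of failure in a row."""
    return in_series(TIER, TIER, TIER)


def one_tier_redundant():
    """Doubling only the application tier still leaves two single points of failure."""
    return in_series(TIER, redundant(TIER, TIER), TIER)


def all_tiers_redundant():
    """Every tier doubled: the only remaining risk is a double failure in one tier."""
    return in_series(redundant(TIER, TIER), redundant(TIER, TIER), redundant(TIER, TIER))


if __name__ == "__main__":
    print(f"99.999% allows {allowed_downtime_minutes(0.99999):.2f} minutes of outage per year")
    for label, fn in (("single path", single_path),
                      ("one tier redundant", one_tier_redundant),
                      ("all tiers redundant", all_tiers_redundant)):
        a = fn()
        print(f"{label:20s} availability {a:.6f}, about {allowed_downtime_minutes(a):,.0f} min/year down")
```

The numbers make the SPOF point sharply: three 99.9% tiers in a chain give about 99.7%, or over a day of expected outage a year; doubling a single tier barely moves that figure because the other two SPOFs dominate; only when every tier is redundant does the service approach five nines, which itself permits roughly five minutes of outage per year.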
