ISC2---Cybersecurity Course Notes---Chapter 1 Security Principles, Chapter 2 Incident Response, BCP, DRP


Chapter 1, Security Principles

Module 1: Understanding security concepts of information assurance (D1.1)

CIA


Confidentiality. Balancing confidentiality is difficult when many system users are guests or customers, and it is not known whether they are accessing the system from a compromised machine or a vulnerable mobile application. Therefore, the obligation of security professionals is to regulate access: protect the data that needs to be protected, while still allowing access to authorized individuals.

Personally identifiable information (PII) is a term related to confidentiality. It refers to any personal data that can be used to identify an individual. Other confidentiality-related concepts are protected health information (PHI), which is information about a person's health status, and classified or sensitive information, including trade secrets, research, business plans, and intellectual property.

Another useful definition is sensitivity, a measure of the importance assigned to information by its owner, or the purpose for which it needs to be protected. Sensitive information is information that, if improperly disclosed (confidentiality) or modified (integrity), would harm an organization or individual. In many cases, sensitivity is related to harm to external stakeholders, that is, people or organizations that do not belong to the organization that processes or uses the information.

Integrity measures how complete, whole, internally consistent, and correct something is. The concept of integrity applies to:

  • information or data
  • systems and processes for business operations
  • organizations
  • people and their behavior

Data integrity  is the assurance that data has not been altered in an unauthorized manner. This entails protecting data in systems and during processing to ensure that it is not subject to inappropriate modification, error or loss of information, and that it is recorded, used and maintained in a manner that ensures its integrity. Data integrity covers data in storage, in processing and in transit.

Information must be accurate, internally consistent and useful for its intended purpose. Internal consistency of information ensures that information is correct on all relevant systems so that it is displayed and stored in the same way on all systems. As part of data integrity, consistency requires that all instances of data be identical in form, content, and meaning.

System integrity refers to the maintenance of known good configurations and intended operational functions while systems process information. Ensuring integrity starts with an understanding of state, the current condition of a system or data set. Specifically, this means being able to record and understand the state of data or a system at a specific point in time, thereby creating a baseline. For example, a baseline can capture the current state of information, whether it is protected or not. To maintain that state, however, the information must continue to be protected through every transaction.

From this baseline, the integrity of the data or system can always be determined by comparing the baseline to the current state. If the two match, the integrity of the data or system is intact; if they do not match, the integrity of the data or system has been compromised. Integrity is a major factor in information and system reliability.
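The baseline comparison described above, as an added example that is not part of the ISC2 course material: a small file-integrity check that records a SHA-256 digest of every file under a directory as the baseline, takes a later snapshot, and classifies each path as modified, added, or removed. The directory layout, file contents, and the simulated tampering in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the ISC2 course): a minimal file-integrity baseline.
# The baseline maps relative path -> SHA-256 digest captured at a known-good
# moment; a later snapshot is compared against it to decide whether integrity
# is intact. Paths and contents below are constructed for the example.


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Current state: every regular file under root, keyed by relative POSIX path."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            state[path.relative_to(root).as_posix()] = hash_file(path)
    return state


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def integrity_intact(diff: dict) -> bool:
    """Integrity holds only when baseline and current state match exactly."""
    return not any(diff.values())


def demo() -> dict:
    """Build a baseline, tamper with the tree, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug = false\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        baseline = snapshot(root)

        # Simulated unauthorized changes: one edit, one new file, one deletion.
        (root / "etc" / "app.conf").write_text("debug = true\n")
        (root / "etc" / "backdoor.conf").write_text("allow = *\n")
        (root / "bin" / "service").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    diff = demo()
    print("integrity intact:", integrity_intact(diff))
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
```

The baseline itself must be stored somewhere the monitored system cannot rewrite (a separate host, or a signed file); otherwise an attacker who can modify the files can also "refresh" the baseline and the comparison proves nothing.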

The need to protect information and system integrity may be dictated by laws and regulations. Often, it depends on an organization's need to access and use reliable, accurate information.

Availability can be defined as (1) timely and reliable access to and use of information, and (2) the ability of authorized users to access data and information services in a timely and reliable manner.

The core concept of availability is that authorized users can access data when and where they need it, in the form and format they require. This does not mean that data or systems are 100% available. Instead, systems and data meet the business requirements for timely and reliable access.

Some systems and data are much more important than others, so security professionals must ensure appropriate levels of availability. This requires consultation with relevant businesses to ensure critical systems are identified and available. Availability is often associated with the term criticality , as it represents the degree to which an organization places importance on a data or information system in performing its operations or achieving its mission.

Authentication

When users identify themselves, it is necessary to verify that they are the rightful owner of that identity. This process of verifying or proving the identity of a user is called authentication . Simply put, authentication is the process of proving the identity of the requester.

There are three common authentication factors:

  • Something you know: passwords or passphrases
  • Something you have: tokens, memory cards, smart cards
  • Something you are: biometrics, measurable characteristics

Authentication methods

There are two types of authentication. Using only one of the factors above is called single-factor authentication (SFA). Granting access only after the user successfully demonstrates two or more of these factors is called multi-factor authentication (MFA).

A common best practice is to implement at least two of three common authentication techniques:

  • knowledge-based
  • token based
  • feature based

Knowledge-based authentication uses a passphrase or secret code to distinguish authorized users from unauthorized users. If you choose a personal identification number (PIN), create a password, or set another secret value that only you know, you have experienced knowledge-based authentication. The problem with using this type of authentication alone is that it is often vulnerable to a variety of attacks. For example, a help desk might receive a call to reset a user's password. The challenge is ensuring that the password is reset only for the correct user and not for someone pretending to be that user. For better security, a second or third form of authentication based on a token or a characteristic is required before the password is reset. The combination of a user ID and a password consists of two things that are known, and since it does not satisfy the requirement of two or more of the factors above, it is not considered MFA.
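An added example, not from the ISC2 course, of what "two or more factors" looks like on the server side: a knowledge factor (a password, stored only as a salted PBKDF2 hash) is checked together with a possession factor (a time-based one-time password per RFC 6238, which only a device holding the shared secret can produce). The user record, salt, and RFC 6238 test secret are constructed for the example, and the helper names authenticate, verify_password and verify_totp are assumptions, not names from the page.

```python
import hashlib
import hmac
import struct
import time

# Added example (not from the ISC2 course): two independent factors.
# Factor 1, something you know: password verified against a salted PBKDF2 hash.
# Factor 2, something you have: TOTP code (RFC 6238) from an authenticator
# app or hardware token that shares a secret with the server.
# The user record, salt and secret are constructed for the example.

TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # also accept one step before/after, to tolerate clock drift


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so timing does not reveal where the mismatch is.
    return hmac.compare_digest(hash_password(password, salt), stored)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226 dynamic truncation) over the RFC 6238 time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = TOTP_WINDOW) -> bool:
    """Accept the code if it matches the current step or a neighbouring one."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed user record: what the server stores. Never the plaintext password.
SALT = b"\x8a\x11example-salt\x03\xf4"
USER = {
    "id": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",   # the RFC 6238 test-vector secret
}


def authenticate(user: dict, password: str, code: str, unix_time=None) -> bool:
    """Both factors must pass; either one alone is single-factor authentication."""
    if unix_time is None:
        unix_time = int(time.time())
    ok_knowledge = verify_password(password, SALT, user["pw_hash"])
    ok_possession = verify_totp(user["totp_secret"], code, unix_time)
    return ok_knowledge and ok_possession


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)   # what the user's authenticator shows
    print("MFA login:", authenticate(USER, "correct horse battery staple", code, now))
    print("wrong code:", authenticate(USER, "correct horse battery staple", "000000", now))
```

Note that both checks are always evaluated and both use constant-time comparison, so a failed login does not tell the caller which factor was wrong. The drift window is deliberately small: every extra step accepted is another valid code an attacker could guess or replay.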

non-repudiation

Non-repudiation is a legal term defined as protection against an individual's false denial that a particular action has been performed. It provides the ability to determine whether a given individual has taken a particular action, such as creating a message, approving a message, or sending or receiving a message.

In today's world of e-commerce and electronic transactions, there are opportunities to impersonate someone else or to deny an action, such as making a purchase online and then denying it. It is important that all participants can trust online transactions. Non-repudiation methodologies ensure that people are held accountable for the transactions they conduct.

privacy

Privacy is the right of an individual to control the distribution of information about themselves. While both security and privacy focus on protecting personal and sensitive data, there are differences between them. As data is collected and stored digitally at an ever-increasing rate across all industries, the push for privacy legislation and for compliance with existing policies has grown steadily. In today's global economy, privacy legislation and regulations on privacy and data protection can affect companies and industries regardless of their geographic location. Global privacy is a particularly important issue when considering the requirements for collecting and securing personal information. There are several laws that define privacy and data protection, and these laws change regularly. Ensuring that protective security measures are in place is not enough to satisfy privacy regulations or to protect a company from penalties or fines for mishandling, misusing, or improperly protecting personal or private information. An example of a law with transnational impact is the EU's General Data Protection Regulation (GDPR), which applies to all organizations, foreign or domestic, doing business in the EU or with any individual in the EU. Companies operating or conducting business within the United States may also be subject to several state laws governing the collection and use of consumer data and privacy. Likewise, EU member states enact laws that put the General Data Protection Regulation into practice, sometimes adding stricter requirements. These laws, including those at the national and state level, mandate that any entity anywhere in the world that processes the private data of persons within a particular legal jurisdiction must comply with its privacy requirements. As a member of your organization's data protection team, you do not need to interpret these laws, but you do need to understand how they apply to your organization.

Module 2: Understanding the Risk Management Process (D1.2)

risk assessment

Risk assessment is defined as the process of identifying, estimating, and prioritizing risks to an organization's operations (including its mission, functions, image, and reputation), assets, individuals, other organizations, and even nations. The risk assessment should result in the alignment (or correlation) of each identified risk arising from the operation of an information system with the goals, objectives, assets or processes used by the organization, which in turn are aligned with or directly support the achievement of the organization's goals and objectives.

A common risk assessment activity identifies the risk of fire in a building. While there are many ways to mitigate this risk, the main goal of risk assessment is to estimate and prioritize. Fire alarms, for example, are the least expensive option and can alert people to evacuate, reducing the risk of personal injury, but they will not stop a fire from spreading or causing more damage. Sprinkler systems cannot prevent fires, but they can minimize the damage caused. However, while sprinklers in a data center limit the spread of fire, they will likely destroy all systems and data within it. Gas-based suppression systems may be the best solution for protecting the systems, but they can be cost-prohibitive. Risk assessment allows these options to be prioritized so that the most appropriate mitigation is chosen for the asset being protected.

The results of the risk assessment process are usually documented in the form of reports or presentations to provide management with prioritization of identified risks. The report is submitted to management for review and approval. In some cases, management may indicate the need for a deeper or more detailed risk assessment by internal or external sources.

Risk treatment

Risk treatment involves making decisions about the best course of action for identified and prioritized risks. Decisions made depend on management's attitude to risk and the availability and cost of risk mitigation. Options commonly used to address risk are:

Risk avoidance is the decision to try to eliminate a risk entirely. This may include ceasing operations for some or all of the organization's activities that are exposed to a particular risk. When the potential impact of a given risk is too high or the likelihood of its realization is too great, organizational leaders may choose to avoid the risk.

Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may choose to perform a risk-related business function without further organizational action because the impact or likelihood of occurrence is negligible, or because the benefits sufficiently outweigh the risks.

Risk mitigation, the most common type of risk treatment, involves taking action to prevent or reduce the likelihood of a risk event or its effects. Mitigation may involve remediation measures or controls, such as security controls, policies, procedures and standards, to minimize adverse risk. Risk cannot always be fully mitigated, but mitigations such as safety measures should always be in place.

Risk transfer is the practice of transferring risk to another party who will accept the financial impact of damages resulting from the realization of the risk in exchange for payment. This is usually an insurance policy.

Risk priorities

Once risks have been identified, they can be prioritized through qualitative risk analysis and/or quantitative risk analysis. This is necessary to identify root causes and to separate apparent risks from core risks. Security professionals work with their teams to conduct both qualitative and quantitative analysis.

Understanding the organization's overall mission and the functions that support it helps to contextualize risks, identify root causes and prioritize those items for evaluation and analysis. In most cases, management will provide guidance for using the results of the risk assessment to identify a prioritized set of risk responses.

An effective way to prioritize risks is a risk matrix, which ranks each risk at the intersection of its likelihood and its impact. It also gives the team a common language to use with management when determining final priorities. For example, low likelihood and low impact might result in a low priority, while an event with high likelihood and high impact would result in a high priority. Priority assignment may be related to business priorities, the cost of mitigating a risk, or the potential loss if an incident occurs.

Decision-making based on risk prioritization

When making decisions based on risk priorities, organizations must evaluate the likelihood and impact of each risk, as well as their tolerance for different types of risk. A company in Hawaii is more concerned about the risk of a volcanic eruption than a company in Chicago, but the Chicago company must plan for blizzards. In these cases, it is up to executive management and the board of directors to determine risk tolerance. If a company chooses to ignore or accept a risk, such as exposing workers to asbestos, this can expose the company to enormous liability.

Risk tolerance

Management's perception of risk is often compared to the entity's appetite for risk. How much risk are they willing to take? Does management welcome risk, or does it want to avoid it? Risk tolerance levels vary across organizations and even within them: different departments may have different attitudes toward what is acceptable or unacceptable risk.

Understanding organizational and senior management attitudes toward risk is often the starting point for getting management to act on risk.

Executive management and/or the board determine the acceptable level of risk for the organization. The goal of security professionals is to keep the level of risk within management's risk tolerance.

Risk tolerance often depends on geography. Companies in Iceland, for example, plan for the risks a nearby volcano poses to their business. Companies located outside the expected path of the lava flow are at less risk than those located directly in its path. Likewise, the possibility of a power outage affecting a data center is a real threat in all regions of the world. In areas prone to thunderstorms, power outages may occur more than once a month, while other areas may have only one or two outages a year. Calculating the likely amount of downtime from outages of different lengths helps determine a company's risk tolerance. A company with a low tolerance for the risk of downtime is more likely to invest in a generator to power critical systems. A company with an even lower tolerance for downtime will invest in multiple generators with multiple fuel sources to provide a higher level of assurance that power will not fail.

Module 3: Understanding Security Controls (D1.3)

What are Security Controls?

Security controls involve the physical, technical, and managerial mechanisms that act as safeguards or countermeasures specified for an information system to protect the confidentiality, integrity, and availability of the system and its information. The implementation of control measures should reduce the risk to an acceptable level.

  • physical control

Physical controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security measures to be taken by people. They typically provide a means of controlling, directing, or preventing the movement of people and equipment within a specific physical location, such as an office, factory, or other facility. Physical controls also protect and control access to land around buildings, parking lots, or other areas within an organization's control. In most cases, physical controls are supported by technical controls as a means of integrating them into the overall security system.

For example, visitors and guests visiting a workplace must often enter the facility through designated entrances and exits, where they can be identified, the purpose of their visit assessed, and then allowed or denied entry. Employees may enter through other entrances, using company-issued badges or other tokens to claim their identity and gain access. These require technical controls to integrate badge or token readers, door release mechanisms, and identity management and access control systems into a more seamless security system.

  • technical control

Technical controls (also known as logical controls) are security controls enforced directly by computer systems and networks. These controls provide automated protection against unauthorized access or misuse, facilitate the detection of security violations, and support security requirements for applications and data. Technical controls can be configuration settings or parameters stored as data and managed through a software graphical user interface (GUI), or hardware settings made through switches, jumper plugs, or other means. However, implementing technical controls always involves significant operational considerations and should be consistent with how security is managed within the organization. We will look at many of these in more depth later in this chapter and in subsequent chapters.

  • administrative control

Administrative controls (also known as managerial controls) are instructions, guidelines, or recommendations for people within an organization. They provide the framework, constraints and standards for human behaviour, and should cover the entire range of an organization's activities and its interactions with external parties and stakeholders.

It is important to realize that administrative controls can and should be powerful, effective tools for achieving information security. Even the simplest security awareness policies can become effective controls if you help organizations fully implement them through systematic training and practice.

Many organizations are improving their overall security posture by integrating their administrative controls into the mission-level activities and operational decision-making processes that their employees use throughout the day. This can be done by providing them as reference and advisory resources prepared in context, or by linking them directly to training activities. These and other techniques bring policy to a more neutral level and away from decisions made only by senior executives. It also makes them instant, useful and actionable on a daily and per-task basis.

Module 4: Understanding Governance Elements (D1.5)

elements of governance

Any business or organization exists to fulfill a purpose, whether that is supplying raw materials to industry, manufacturing equipment used to build computer hardware, developing software applications, constructing buildings, or providing goods and services. Accomplishing goals requires making decisions, defining rules and practices, and developing policies and procedures to guide the organization in achieving its goals and mission.

As leaders and management implement the systems and structures the organization will use to achieve its goals, they are guided by laws and regulations created by governments to shape public policy. Laws and regulations guide the development of standards, standards foster policies, and policies give rise to procedures.

How are regulations, standards, policies and procedures related? It might be helpful to look at the list in reverse.

  • Procedures are detailed steps for accomplishing tasks in support of departmental or organizational policy.
  • Organizational governance, such as executive management, establishes policies to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
  • Standards are often used by governance teams to provide a framework for introducing policies and procedures that support regulations.
  • Regulations are usually issued in the form of laws, usually from the government (not to be confused with governance), and usually have financial penalties for non-compliance.

regulations and laws

Regulations and associated fines and penalties may be imposed at national, regional or local levels of government. Since regulations and laws can be implemented and enforced differently in different parts of the world, here are some examples that relate the concepts to actual regulations.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an example of a law governing the use of protected health information (PHI) in the United States. Violations of HIPAA rules can result in fines and/or prison terms for individuals and companies.

The European Union's General Data Protection Regulation (GDPR) controls the use of the personally identifiable information (PII) of EU citizens and residents. It includes provisions for imposing financial penalties on companies that process the data of EU citizens and residents even if the company has no physical presence in the bloc, giving the regulation international reach.

Finally, it is common to be regulated on multiple levels. In addition to multiple regions and cities, multinational organizations are also subject to regulations in multiple countries. Organizations need to consider the regulations that apply at all levels of their business (national, regional and local) and ensure that they comply with the most stringent regulations.

standard

Organizations use several standards as part of their information systems security programs, both as compliance documents and as recommendations or guidelines. Standards cover a wide range of issues and ideas, and provide assurance that organizations are operating using policies and procedures that support regulations and widely accepted best practices.

The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical topics, including information systems, information security, and encryption standards. ISO solicits input from the international community of experts before publishing its standards. Documents outlining ISO standards can be purchased online.

The National Institute of Standards and Technology (NIST) is a U.S. government agency under the Department of Commerce that publishes a variety of technical standards in addition to information technology and information security standards. Many of the standards published by NIST are requirements for U.S. government agencies and are regarded as recommended standards by industry worldwide. NIST standards solicit and incorporate industry input and are available for free download from the NIST website.

Finally, think about how computers communicate with other computers around the world. People speak different languages ​​and don't always understand each other. How do computers communicate? By the standards, of course!

Thanks to the Internet Engineering Task Force (IETF) , standards in communication protocols can ensure that all computers can connect to each other across national borders, even if the operators don't speak the same language.

The Institute of Electrical and Electronics Engineers (IEEE) also sets standards for telecommunications, computer engineering, and similar disciplines.

policy

Policies are based on applicable law and specify the standards and guidelines that an organization will follow. Policy is broad in scope but not detailed; it sets the context and sets strategic direction and priorities. Governance policies are used to regulate and control decision making, to ensure compliance where necessary, and to guide the creation and implementation of other policies.

Policies are often written at multiple levels throughout the organization. Senior management uses high-level governance policies to shape and control the decision-making process. Other high-level strategies guide the behavior and activities of the entire organization as it progresses toward specific or general goals and objectives. Functional areas such as human resource management, finance and accounting, and security and asset protection often have their own set of policies. Whether legal or contractual, the need for compliance may also require the development of specific high-level policies that are documented and evaluated for effective use by the organization.

Policies are executed or enforced by people; to do this, someone has to expand the policy from a statement of intent and direction to a step-by-step instruction or procedure.

Procedures

Procedures define the explicit, repeatable activities required to accomplish a specific task or set of tasks. They provide the supporting data, decision criteria, or other explicit knowledge needed to perform each task. Procedures can address one-time or infrequent actions, or common, recurring events. In addition, procedures establish the measurement criteria and methods used to determine whether a task has been completed successfully. Properly documenting procedures and training personnel on how to locate and follow them are necessary to get the maximum organizational benefit from them.

Module 5: Understanding the ISC2 Code of Ethics (D1.4)

All ISC2-certified information security professionals recognize that certification is a privilege that must be earned and maintained. Every ISC2 member must commit to fully supporting the ISC2 Code of Ethics.

The Preamble states the purpose and intent of the ISC2 Code of Ethics.

  • The safety and welfare of society and the common good, and our responsibilities to those in charge and to each other, require that we observe and be held to observe the highest standards of ethical conduct.
  • Therefore, strict adherence to this Code is a condition of certification.

The Canons represent the important beliefs shared by ISC2 members. Cybersecurity professionals who are members of ISC2 have a duty to the following four entities in the Canons.

  • Protect society, the common good, necessary public trust and confidence, and infrastructure.
  • Act honorably, honestly, fairly, responsibly and lawfully.
  • Provide diligent and competent service to the principal.
  • Advance and protect the profession.

Module 6: Summary

In this chapter, we introduced security principles starting with the concept of information assurance. We emphasized the CIA triad as the major component of information assurance. The "C" stands for confidentiality; we must protect data that requires protection and prevent access by unauthorized individuals. The "I" stands for integrity; we must ensure that data has not been altered in an unauthorized manner. The "A" stands for availability; we must ensure that authorized users can access data when and where they need it, in the form and format they require. We also discussed the importance of privacy, authentication, non-repudiation, and authorization.

You explored the safeguards and countermeasures prescribed for information systems to protect the confidentiality, integrity and availability of the system and its information. By applying risk management, we are able to assess and prioritize an organization's risks (asset vulnerabilities that can be exploited by threats). An organization can decide whether to accept the risk (ignore the risk and continue the risky activity), avoid the risk (stop the risky activity to eliminate the possibility of the situation occurring), mitigate the risk (take steps to prevent or reduce the impact of the situation), or transfer the risk (shift the risk to a third party).

Then, you learned about the three types of security controls: physical, technical, and administrative. They act as safeguards or countermeasures prescribed for information systems to protect the confidentiality, integrity and availability of the system and its information. Implementation of security controls should reduce risk to, hopefully, acceptable levels. Physical controls address process-based security needs using physical hardware devices (such as badge readers), architectural features of buildings and facilities, and the specific security measures people take. Technical controls (also known as logical controls) are security controls directly enforced on computer systems and networks. Administrative controls (also known as managerial controls) are instructions, guidelines, or recommendations for people within an organization.

It then introduces you to organizational security roles and governance, and the policies and procedures that shape organizational management and drive decision-making. As discussed, we generally get procedures from policies, policies from standards, and standards from regulations. Regulations are usually issued in the form of laws, usually from the government (not to be confused with governance), and usually have financial penalties for non-compliance. Standards are often used by governance teams to provide a framework for introducing policies and procedures that support regulations. Organizational governance, such as executive management, establishes policies to provide guidance in all activities to ensure that the organization supports industry standards and regulations. Procedures are the detailed steps for accomplishing tasks in support of departmental or organizational policy.

Finally, we introduce the ISC2 Code of Ethics, which members of the organization pledge their full support to. At the end of the day, we must act legally and ethically in the field of cybersecurity.


Chapter 2, Incident Response, Business Continuity, Disaster Recovery

This chapter focuses on the availability portion of the CIA triad and the importance of maintaining human and system resource availability. These are typically achieved by implementing incident response, business continuity (BC) and disaster recovery (DR) plans. While the scope of these three programs may seem to overlap, they are three distinct programs that are critical to the survival of any organization.

Here are the main things to keep in mind in this chapter: first, an incident response plan responds to unexpected changes in operating conditions to keep the business running; second, a business continuity plan enables the business to continue operating throughout the crisis; and third, if both of those plans fail, a disaster recovery plan is activated to help the business return to normal operations as quickly as possible.

health and human safety

When it comes to a career in cybersecurity, the day-to-day focus is on monitoring information systems and looking for unusual network activity, malware, and threat actors. Security professionals ensure the confidentiality, integrity, and availability of systems and data every day, but in addition to securing networks and securing the exchange of data and shared resources, it's important to realize that cybersecurity goes beyond the technical aspects. Its scope includes the protection of persons and their personal information. Nothing is more important than the health and safety of our users, colleagues and customers.

Module 1: Understanding Incident Response (D2.3)

Incident Terminology

While security professionals work hard to protect systems from malicious attacks or human negligence, problems inevitably arise despite these efforts. For this reason, security professionals also play the role of first responders. To understand incident response, it's important to understand the terminology used to describe various cyber attacks.

Breach

Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses personally identifiable information; or an authorized user accesses personally identifiable information for a purpose other than the authorized purpose. NIST SP 800-53 Revision 5

Event

Any observable occurrence in a network or system. NIST SP 800-61 Revision 2

Exploit

A particular attack, so named because such attacks exploit system vulnerabilities.

Incident

An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.

Intrusion

A security event or combination of events that constitutes an intentional security incident in which an intruder gains or attempts to gain unauthorized access to a system or system resources. IETF RFC 4949 Edition 2

Threat

Any circumstance or event with the potential to cause unauthorized access, destruction, disclosure or modification of information, and/or denial of service. NIST SP 800-30 Revision 1

Vulnerability

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. NIST SP 800-30 Revision 1

Zero-day

A previously unknown system vulnerability that has the potential to be exploited without the risk of being detected or prevented because it typically does not conform to accepted patterns, signatures, or methods.

The Goal of Incident Response

Every organization must be prepared for incidents. Despite the best efforts of an organization’s management and security teams to avoid or prevent problems, it is inevitable that  adverse events will happen that have the potential to affect the business mission or objectives.

The priority of any incident response is to protect life, health and safety. When any decision related to priorities is to be made, always choose safety first.

The primary goal of incident management is to be prepared. Preparation requires having a policy and a response plan that will lead the organization through the crisis. Some organizations use the term “crisis management” to describe this process, so you might hear this term as well.

An event is any measurable occurrence, and most events are harmless. However, if the event has the potential to disrupt the business’s mission, then it is called an incident. Every organization must have an  incident response plan that will help preserve business viability and survival.

The incident response process is aimed at reducing the impact of an incident so the organization can resume the interrupted operations as soon as possible. Note that incident response planning is a subset of the greater discipline of business continuity management (BCM), which we will cover shortly.

Of course, communication is key. "Communicate early, communicate often", I think this is what many people say. Another trick is making sure we're doing these communications at the right level to make sure we're communicating with people and not

I think it's a good thing in the field to be able to communicate with different levels, you know, translate for them, to communicate at the correct level. And make sure that communication is absolutely included in the business continuity plan, the incident response plan and the disaster recovery plan, all put together.

So when you say that and document those steps, it's absolutely key as part of business continuity, incident response and disaster recovery. So make sure you have those documented and where you document them. So this is a good summary.

Components of the Incident Response Plan

The incident response policy should reference the incident response plan that all employees will follow, depending on their role in the process. The plan may contain several procedures and standards related to incident response. It is the living embodiment of an organization's incident response strategy.

The organization's vision, strategy, and mission should shape the incident response process. The procedures for implementing the plan should define the technical processes, techniques, checklists, and other tools that the team will use when responding to an incident.


Preparation

  • Develop management-approved policies.
  • Identify critical data and systems, and single points of failure.
  • Train employees on incident response.
  • Implement an incident response team. (covered in a later topic)
  • Practice incident identification. (first response)
  • Identify roles and responsibilities.
  • Coordinate communication among plan stakeholders.
  • Consider the possibility that a primary method of communication may not be available.

Detection and Analysis

  • Monitor all possible attack vectors.
  • Analyze incidents using known data and threat intelligence.
  • Prioritize incident response.
  • Standardize incident documentation.

Containment, Eradication and Recovery

  • Collect evidence.
  • Choose an appropriate containment strategy.
  • Identify the attacker.
  • Isolate the attack.

Post-Incident Activity

  • Identify evidence that may need to be retained.
  • Document lessons learned.

Review

Narrator: The first part of preparation is identifying the critical information that needs to be protected and avoiding any single point of failure. This means that if we have something particularly important but it is protected by only one door, we create multiple layers of protection to reduce the likelihood of a successful attack. We will say more about the principle of defense in depth later, but just like a fortress, the more layers of defense there are, the harder it is for an attacker to break through.

Training employees on incident response is very important so that everyone knows what to do. Training can include simulations and scenarios so that the team can practice its response and learn to coordinate communication among the organization's different stakeholders. This includes colleagues, superiors, information owners and customers. We need to consider the types of communication available, because we cannot convey the same information to everyone. Some material is confidential, and some material is only useful to certain people and not to the media or outside individuals.

In detection and analysis, we need to monitor the attack vectors, the attack methods and the techniques being used. Standardized incident documentation is important because in a group of people, everyone will have their own idea of how to record activities and procedures. For consistency across the organization and for our responsibility to data owners, we need a standardized incident response in which everyone knows what needs to be done and in what order. This makes prioritizing the response easier, because each person has their own task and knows how to handle their own responsibility, and then communicates appropriately with the other people involved.

Next, we need to find an appropriate containment strategy, identify the attacker and how they breached our defenses, and isolate the attack to make sure it does not develop further or cause additional damage. After the incident, we identify evidence that may need to be retained, and then usually carry out an internal audit of what happened. An external investigation may also be needed, especially for major cyberattacks involving law enforcement. Lessons learned must be documented. Perhaps we will find that our response was better than during a previous attack, but we still need to improve preparation or detection and analysis. These post-incident activities are often governed by regulatory requirements, and certain documents must be submitted. This is especially important if the critical information that was leaked is legally protected.


Incident Response Team

Along with the organizational need to establish a Security Operations Center (SOC) is the need to create a suitable incident response team. A properly staffed and trained incident response team can be leveraged, dedicated or a combination of the two, depending on the requirements of the organization.

Many IT professionals are classified as first responders for incidents. They are the first ones on the scene and know how to differentiate typical IT problems from security incidents. They are similar to medical first responders who have the skills and knowledge to provide medical assistance at accident scenes and help get the patients to medical facilities when necessary. The medical first responders have specific training to help them determine the difference between minor and major injuries. Further, they know what to do when they come across a major injury.

Similarly, IT professionals need specific training so they can determine the difference between a typical problem that needs troubleshooting and a security incident that they need to report and address at a higher level.

A typical incident response team is a cross-functional group of individuals who represent the management, technical and functional areas of responsibility most directly impacted by a security incident. Potential team members include the following:

  • Representative(s) of senior management
  • Information security professionals
  • Legal representatives
  • Public affairs/communications representatives
  • Engineering representatives (system and network)

Team members should have training on incident response and the organization’s incident response plan. Typically, team members assist with investigating the incident, assessing the damage, collecting evidence, reporting the incident and initiating recovery procedures. They would also participate in the remediation and lessons learned stages and help with root cause analysis.

Many organizations now have a dedicated team responsible for investigating any computer security incidents that take place. These teams are commonly known as computer incident response teams (CIRTs) or computer security incident response teams (CSIRTs). When an incident occurs, the response team has four primary responsibilities:

  • Determine the amount and scope of damage caused by the incident.
  • Determine whether any confidential information was compromised during the incident.
  • Implement any necessary recovery procedures to restore security and recover from incident-related damage.
  • Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident.

Module 2: Understanding Business Continuity (BC) (D2.1)

Purpose of Business Continuity Plan

The intent of a business continuity plan is to sustain business operations while recovering from a significant disruption. An event has created a disturbance in the environment, and now you need to know how to maintain the business.

A key part of the plan is communication, including multiple contact methodologies and backup numbers in case of a disruption of power or communications. Many organizations will establish a phone tree, so that if one person is not available, they know who else to call. Organizations will go through their procedures and checklists to make sure they know exactly who is responsible for which action. No matter how many times they have flown, without fail, pilots go through a checklist before take-off. Similarly, there must be established procedures and a thorough checklist, so that no vital element of business continuity will be missed.

We call the appropriate individuals and start to activate the business continuity plan. Management must be included, because sometimes priorities may change depending on the situation. Individuals with proper authority must be there to execute operations, for instance, if there are critical areas that need to be shut down.

We need to have at hand the critical contact numbers for the supply chain, as well as law enforcement and other sites outside of the facility. For example, a hospital may suffer a severe cyberattack that affects communications from the pharmacy, the internet or phone lines. In the United States, in case of this type of cyberattack that knocks out communications, specific numbers in specific networks can bypass the normal cell phone services and use military-grade networks. Those will be assigned to authorized individuals for hospitals or other critical infrastructures in case of a major disruption or cyberattack, so they can still maintain essential activity.

Narrator: Business continuity is about enabling the critical aspects of an organization to function, perhaps at reduced capacity, during a disruption caused by any kind of event: an attack, an infrastructure failure or a natural disaster. Most incidents are minor and can be handled easily with minimal impact. For example, a system needs to be rebooted, but after a few minutes it comes back up and the incident is over. But occasionally a major incident disrupts the business for an unacceptable amount of time, and the organization cannot simply follow an incident plan but must move to business continuity.

Business continuity includes planning, preparation, response, and recovery operations, but typically does not include activities to support the full restoration of all business activities and services. It focuses on the critical products and services the organization provides and ensures that these vital areas continue to operate even at reduced performance levels until business returns to normal.

Developing a business continuity plan requires a significant organizational commitment in terms of people and financial resources. To gain this commitment, executive management or executive sponsors must provide organizational support for the business continuity planning effort. Without proper support, business continuity planning efforts have little chance of success.

Components of a business continuity plan

Business continuity planning (BCP) is the proactive development of procedures to restore business operations after a disaster or other significant disruption to the organization. Members from across the organization should participate in creating the BCP to ensure all systems, processes and operations are accounted for in the plan.

The term business is used often, as this is mostly a business function as opposed to a technical one. However, in order to safeguard the confidentiality, integrity and availability of information, the technology must align with the business needs.

Here are some common components of a comprehensive business continuity plan:

  • List of the BCP team members, including multiple contact methods and backup members
  • Immediate response procedures and checklists (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, etc.)
  • Notification systems and call trees for alerting personnel that the BCP is being enacted
  • Guidance for management, including designation of authority for specific managers
  • How/when to enact the plan
  • Contact numbers for critical members of the supply chain (vendors, customers, possible external emergency providers, third-party partners)

Business Continuity in the Workplace

Narrator: Obviously, the business continuity plan needs to be maintained somewhere where it can be accessed. Often, in modern organizations, everything is digital and not provided as a hard copy. This can be dangerous, just like storing everything within the main company building. Some organizations have what is called the Red Book, which is given to the appropriate individual outside the facility. All the procedures are outlined in that document—in case, for example, a hurricane hits, the power is out and all the facilities are compromised and there is no access to electronic backups. It is important to update this hard-copy Red Book any time the electronic copy is updated so both versions remain consistent.

What does business continuity look like in action?

Imagine that the billing department of a company suffers a complete loss in a fire. The fire occurred overnight, so no personnel were in the building at the time. A Business Impact Analysis (BIA) was performed four months ago and identified the functions of the billing department as very important to the company, but not immediately affecting other areas of work. Through a previously signed agreement, the company has an alternative area in which the billing department can work, and it can be available in less than one week. Until that area can be fully ready, customer billing inquiries will be answered by customer service staff. The billing department personnel will remain in the alternate working area until a new permanent area is available.

In this scenario, the BIA already identified the dependencies of customer billing inquiries and revenue. Because the company has ample cash reserves, a week without billing is acceptable during this interruption to normal business. Pre-planning was realized by having an alternate work area ready for the personnel and having the customer service department handle the billing department’s calls during the transition to temporary office space. With the execution of the plan, there was no material interruption to the company’s business or its ability to provide services to its customers—indicating a successful implementation of the business continuity plan.

Module 3: Understanding Disaster Recovery (DR) (D2.2)

The Goal of Disaster Recovery

In the Business Continuity module, the essential elements of business continuity planning were explored. Disaster recovery planning steps in where BC leaves off. When a disaster strikes or an interruption of business activities occurs, the Disaster recovery plan (DRP) guides the actions of emergency response personnel until the end goal is reached—which is to see the business restored to full last-known reliable operations.

Disaster recovery refers specifically to restoring the information technology and communications services and systems needed by an organization, both during the period of disruption caused by any event and during restoration of normal services. The recovery of a business function may be done independently of the recovery of IT and communications services; however, the recovery of IT is often crucial to the recovery and sustainment of business operations. Whereas business continuity planning is about maintaining critical business functions, disaster recovery planning is about restoring IT and communications back to full operations after a disruption.

Complex systems can often store valuable information across several servers. While at its most basic level, disaster recovery plans include backing up data at a server level, it is also necessary to consider the database itself, as well as any dependencies on other systems. In this more complex scenario, data is entered by users into one system and database and is then distributed to other systems. This is common in large enterprises where multiple systems need to talk to each other to maintain common data. In another hospital example, the radiology department used a different system than the laboratory. In this case, a separate routine copied the patient data from the registration system to the laboratory and the radiology systems, which technically use separate databases. It is important to understand the flow of data and the intricate dependencies of one system on another to properly document and implement a disaster recovery plan that will be successful when it is needed.

Components of a Disaster Recovery Plan

Depending on the size of the organization and the number of people involved in the DRP effort, organizations often maintain multiple types of plan documents, intended for different audiences. The following list includes various types of documents worth considering:

  • Executive summary providing a high-level overview of the plan

  • Department-specific plans

  • Technical guides for IT personnel responsible for implementing and maintaining critical backup systems

  • Full copies of the plan for critical disaster recovery team members

  • Checklists for certain individuals:

  • Critical disaster recovery team members will have checklists to help guide their actions amid the chaotic atmosphere of a disaster.

  • IT personnel will have technical guides helping them get the alternate sites up and running.

  • Managers and public relations personnel will have simple-to-follow, high-level documents to help them communicate the issue accurately without requiring input from team members who are busy working on the recovery.


Narrator: An example of disaster recovery is restoring from system backups. The timeline in this image is read backwards from the moment the incident was detected (on the right), as a way of identifying how much work would be lost by reloading from backup. Transactional events (triangles) and backup events (database symbols) are numbered 1 to 21 from left to right. Green transactions (events 1 through 14) were fully processed before the intrusion or incident started; this is a reasonable assumption only if antivirus and other protective systems were working properly. These transactions are not subject to loss of integrity, authenticity, privacy or any other desired security property.

The gray database symbols (events 2, 5, 9 and 13, all preceding the incident) indicate some form of system and data backup, which captured the changes made by the green transactions that completed correctly.

Events 15 to 21, however, are questionable. They may be fine, or they may represent a loss of integrity if the data was compromised. The orange database backup symbols, taken between the start of the incident and its detection, are of doubtful integrity and security: they may contain falsified or corrupted data and may even contain malware. Going backwards in time from the detection of the incident until we reach the rightmost gray database symbol (event 13, the last backup before the incident), we find the last clean, reliable backup.

Three sets of work have been lost since the incident began: first, if event 13 was an incremental or partial backup rather than a full backup, all transactions or changes that were not part of that backup; second, transactions 15, 17 through 19 and 21, which were processed or attempted from the time of that backup until the incident was detected and whose integrity cannot be trusted; and third, all transactions and changes that simply could not be processed at all while the system was unavailable.
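As an added example (not part of the course notes or of the ISC2 material), the following Python encodes the restore-point reasoning above: given an ordered list of transaction and backup events plus the incident window, it finds the last clean backup, the chain of earlier backups needed if that one is incremental, the clean transactions that must be replayed from logs because they post-date the backup, and the suspect transactions and backups inside the window. The event numbering follows the diagram; placing the orange backups at events 16 and 20, treating backup 13 as incremental and backup 9 as full, and taking the incident window as events 15 through 21 are assumptions made for the constructed sample.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    """One point on the recovery timeline; num orders events left to right."""
    num: int
    kind: str            # "txn" (transaction) or "backup"
    full: bool = True    # backups only: True = full, False = incremental/partial


def restore_point_analysis(events: List[Event], incident_start: int,
                           detected: int) -> Dict[str, object]:
    """Work out what a restore from backup would lose after an incident.

    incident_start: number of the first event that ran after the intrusion began.
    detected:       number of the last event that ran before detection.
    Everything before incident_start is presumed clean; everything from
    incident_start through detected is suspect.
    """
    if not 1 <= incident_start <= detected:
        raise ValueError("need 1 <= incident_start <= detected")
    ordered = sorted(events, key=lambda e: e.num)

    clean_backups = [e for e in ordered
                     if e.kind == "backup" and e.num < incident_start]
    if not clean_backups:
        raise ValueError("no backup predates the incident; nothing trustworthy to restore")
    last_good = clean_backups[-1]

    # An incremental backup is only restorable together with the chain back to
    # the most recent full backup, so report the whole chain (oldest first).
    chain: List[int] = []
    for b in reversed(clean_backups):
        chain.insert(0, b.num)
        if b.full:
            break
    else:
        raise ValueError("no full backup anchors the restore chain")

    # Clean transactions committed after the last good backup but before the
    # intrusion: not in the backup, so they must be replayed from journals/logs.
    replay = [e.num for e in ordered
              if e.kind == "txn" and last_good.num < e.num < incident_start]
    # Transactions processed or attempted while the system may have been
    # compromised: their integrity cannot be assumed; re-verify or re-enter.
    suspect_txns = [e.num for e in ordered
                    if e.kind == "txn" and incident_start <= e.num <= detected]
    # Backups taken in that window may carry tampered data or malware.
    suspect_backups = [e.num for e in ordered
                       if e.kind == "backup" and incident_start <= e.num <= detected]
    return {
        "last_good_backup": last_good.num,
        "restore_chain": chain,
        "replay_from_logs": replay,
        "suspect_transactions": suspect_txns,
        "suspect_backups": suspect_backups,
    }


# Constructed sample following the diagram's numbering: gray backups at 2, 5, 9
# and 13; the orange backups at 16 and 20 are an assumption, as is treating
# 13 (and the orange ones) as incremental. Every other event is a transaction.
BACKUPS = {2: True, 5: True, 9: True, 13: False, 16: False, 20: False}
SAMPLE_EVENTS = [
    Event(n, "backup", BACKUPS[n]) if n in BACKUPS else Event(n, "txn")
    for n in range(1, 22)
]
SAMPLE_RESULT = restore_point_analysis(SAMPLE_EVENTS, incident_start=15, detected=21)

if __name__ == "__main__":
    for key, value in SAMPLE_RESULT.items():
        print(f"{key}: {value}")
```

With the sample window the last good backup is 13, but because it is incremental the restore chain is [9, 13]; transaction 14 is clean yet absent from that backup and must be replayed from logs, and transactions 15, 17, 18, 19 and 21 and backups 16 and 20 are flagged as suspect. Moving the window changes the answer accordingly, which is the point of recording incident start and detection times precisely during incident response.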

Module 4: Summary

This chapter focuses on the availability part of the CIA triad and on the importance of maintaining operational availability for the business. Operations are maintained during and after an incident, breach, intrusion or exploit by implementing incident response, business continuity (BC) and disaster recovery (DR) plans. While these three plans may appear to overlap in scope, they are three distinct plans, each critical to the survival of an organization facing abnormal operating conditions. The main points to remember from this chapter are:

First, the incident response plan responds to abnormal operating conditions to keep the business running. The four main components of incident response are: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. An incident response team is typically a cross-functional group of individuals representing the management, technical and functional areas most directly affected by a security incident. The team is trained in incident response and in the organization's incident response plan. When an incident occurs, the team is responsible for determining the amount and scope of the damage and whether any confidential information was compromised, for implementing recovery procedures to restore security and recover from incident-related damage, and for supervising the implementation of future measures that improve security and prevent the incident from happening again.

Second, business continuity plans are designed to keep the organization operating during a crisis. Components of a business continuity plan include details on how and when the plan is activated, a notification system and call tree for alerting team members and staff that the plan has been activated, and contact numbers for key third-party partners, external contingency providers, suppliers and customers. The plan provides teams with immediate response procedures, checklists and management guidance.

Finally, when both the incident response and business continuity (BC) plans fail, the disaster recovery (DR) plan is activated to restore operations to normal as quickly as possible. A DR plan may include the following components: an executive summary providing a high-level overview of the plan, department-specific plans, technical guides for IT personnel responsible for implementing and maintaining critical backup systems, full copies of the plan for critical disaster recovery team members, and checklists for certain individuals.

Discretionary access control is a model wherein permissions are granted by operational managers, allowing them to make the determination of which personnel can get specific access to particular assets controlled by the manager. B is the correct answer. A is incorrect; in mandatory access control, managers do not have the authority (discretion) to determine who gets access to specific assets. C is incorrect; in role-based access control, managers do not have the authority to determine who gets access to particular assets. D is incorrect; defense in depth is not an access control model, it’s a security philosophy.

Origin blog.csdn.net/caoxiaoye/article/details/132160897