Security Meets the Real World Disaster Recovery

1
Security Meets the Real World Disaster Recovery
  • Dr. Steve Miksell/ITSC
  • smiksell_at_itsc.org
  • 10 July 2002
  • Workforce Innovation 2002

2
Agenda
  • Security Responsibility in the Disaster Recovery
    Arena
  • Disaster Recovery Planning
  • Recent New York (Disaster Recovery) Experiences

3
The Holy Grail(s) of Security
  • The CIA Triad
  • Protecting the Enterprise
  • Reducing Risk to Acceptable Levels

4
The CIA Triad
Confidentiality
Availability
Integrity
5
Enterprise Protection Steps
Prevention: This step consists of activities
designed to prevent security violations from
taking place.
Detection: It is important to realize that
incidents will occur. Timely detection is
essential to minimize their impact.
Correction: After incidents have occurred,
repairing damage and decreasing the
vulnerabilities that allowed the security
incident to occur are required.
6
The Concept of Risk
Vulnerability
Threat
Risk
7
Security Risk Assessment and Risk Management
Overview
Risk Management: A roadmap for change
Where we are
Risk Assessment
Where we want to be
8
Risk Management Options
  • Eliminate risk: Although some risks can be
    virtually eliminated, this is the least likely
    and most difficult option
  • Minimize risk: Remove vulnerabilities where
    possible
  • Offload risk: Buy insurance
  • Accept risk: Determine that cost of risk removal
    is not justified

9
Risk Reduction, Not Risk Elimination
  • Eliminating all risk is a practical impossibility
  • Risk may not be recognized (e.g., unknown
    threats, unrecognized vulnerabilities)
  • Risk reduction impractical (There may be no
    reasonable way to remove a vulnerability)
  • Risk reduction a fiscal impossibility (Money is
    usually a limited resource)
  • Risk management should include recognition of the
    consequences of disaster, and understanding what
    is required to recover

10
The Bottom Line: Disasters Happen
11
Security Responsibilities Should Include Disaster
Recovery Support
  • Restoring availability after disasters becomes
    crucial (key part of the CIA Triad)
  • Corrective actions must be applied quickly and
    effectively (Enterprise Protection)
  • Risk management that ignores disasters is of
    least value when it is most needed

12
Agenda
  • Security Responsibility in the Disaster Recovery
    Arena
  • Disaster Recovery Planning
  • Recent New York (Disaster Recovery) Experiences

13
Apply Disaster Avoidance Measures Where Possible
  • Y2K Contingency Planning
  • Recognition
  • Remediation
  • Testing
  • Verification
  • Success!
  • Contingency Plan Just in Case

14
Engage in Disaster Recovery Planning Everywhere
Else
Business Continuity Plan (BCP) (Identifying
Critical Functions)
Disaster Recovery Plan (DRP) (Getting Critical
Functions back in operation)
Disasters happen
15
Disaster Recovery Plan (DRP) Development Approach
  • Initiate DRP Development
  • Vulnerability Assessment (Data from BCP)
  • Business Impact Analysis (Data from BCP)
  • DRP Requirements Specification
  • Develop Plan
  • Develop Testing Program
  • Develop Maintenance Program
  • Test and Implement (with ongoing maintenance)

16
DRP Development Notes
  • 1. Project Initiation
  • Establish Scope/Assure Management
    Support/Understand Existing Environment
  • Build Core Team (Key Business Areas/Information
    Technology/Operations/Facilities/Development/
    Security)
  • 2. Vulnerability Assessment (from BCP)
  • Review major residual weaknesses/Understand
    potential disasters
  • 3. Business Impact Analysis (from BCP)
  • Understand critical business functions,
    including short-term, intermediate-term and
    long-term impacts

17
DRP Development Notes (Cont.)
  • 4. Requirements
  • Somewhat dependent on results of
  • Vulnerability Analysis
  • Threats: Probable/Possible/Unlikely
  • Vulnerabilities: Current/Residual
  • Business Impact Analysis
  • Identification of Critical Functions
  • Timelines for Restoration
  • Defines areas to be covered by DRP and what DRP
    needs to accomplish

18
DRP Development Notes (Cont.)
  • 5. DRP Plan
  • Typically will address the following areas:
  • Conditions and protocols for declaration of a
    disaster
  • Key Personnel Contact and Notification
    information
  • Staff Reporting Guidelines
  • Staff Operational Responsibilities
  • Facilities Issues
  • Baseline and Backup Options (Hot site/Warm
    Site/Cold Site)
  • IT Resources (Hardware, Software and Data)
  • Baseline and Backup
  • Specialized Supplies
  • Baseline and Backup
  • Disaster Period Operational Procedures
  • End of Disaster Protocol and Procedures

19
DRP Development Notes (Cont.)
  • 6. Testing Approaches
  • Checklist
  • Structured walk-through
  • Simulation
  • Parallel
  • Full-interruption
  • Note: Parallel and Full-interruption tests can
    be very time-consuming, labor-intensive and
    expensive. While they provide a high level of
    assurance, usually only extremely important,
    mission-critical applications will have the full
    range of tests applied.

20
DRP Development Notes (Cont.)
  • 7. Maintenance Program Options
  • Mandatory Activity for System Modifications
  • Periodic Updates
  • Combined approach
  • 8. Test and Implement
  • (Note: Implementation of a Disaster Recovery
    Plan that does not include testing is a disaster
    waiting to happen.)

21
Ivory Tower meets Real World
Formal Disaster Recovery Plan
22
Potential DRP Problems
  • The DRP doesn't work as intended
  • Unrealistic or non-existent testing
  • Unrealistic estimates/expectations relevant to
    actual disaster
  • Out-of-date DRP due to lack of maintenance
  • The actual disaster was not addressed by the plan
  • The potential for the disaster was overlooked or
    discounted
  • The disaster was outside the scope of the plan

23
Applying Lessons Learned from Previous
Disasters Can Help
  • What worked?
  • What didn't?
  • What else is needed?
  • What would we do differently next time?
  • What should we do now to be prepared for next
    time?

24
Lessons Learned in Oklahoma
  • ALL personnel should receive mandatory training
  • Employers need to be prepared to meet the needs
    of personnel
  • Personnel's skills and special training can make
    a difference
  • Good corporate interfaces with law
    enforcement/public safety organizations are
    valuable

Smith, Lloyd R., "Lessons from Oklahoma City:
Your Employees - Their Needs, Their Role in
Response and Recovery,"
http://www.disaster-resource.com/articles/96smith.htm
25
Lessons Learned in Oklahoma
  • Personnel accountability is a high priority
  • Visitors and guests need to be considered in
    emergency procedures
  • Issues of pay are important in times of disaster:
    resolve and communicate
  • Develop an equitable distribution of work

Smith, Lloyd R., "Lessons from Oklahoma City:
Your Employees - Their Needs, Their Role in
Response and Recovery,"
http://www.disaster-resource.com/articles/96smith.htm
26
Agenda
  • Security Responsibility in the Disaster Recovery
    Arena
  • Disaster Recovery Planning
  • Recent New York (Disaster Recovery) Experiences

27
Closer to Home
  • Lessons Learned from the SWA environment are
    particularly valuable to other SWAs

28
Dual Disaster Potential: The SWA Environment
SWA resources at risk
Community resources at risk
Individuals affected by disaster requiring SWA
Services
SWA
UI/DUA/EB/EUC -- ES
29
New York Experiences
  • What happened, from some people who were there

Charlene Huggard, Core Team Tax Project Coordinator
Patricia Arcari, Core Team Benefits Project Coordinator
UISM Project, NYS Department of Labor
30
Resources and Contacts
31
Additional DRP Resources
  • The following web site has numerous articles and
    guidelines to support business continuity and
    disaster recovery planning:
    http://www.infosyssec.org/infosyssec/buscon1.htm
  • The site also contains multiple links to other
    disaster recovery resources, including government
    sites (e.g., FEMA), associations (e.g., the Red
    Cross) and organizations and sites dedicated to
    risk management and disaster recovery and
    business continuity issues
  • The ITSC web site
  • http://www.itsc.org
  • Hot Topics > ITSC Deliverables > C-Series >
    Project C-6
  • Contingency Planning for Disaster Recovery
    Applicable to UI Call Center Operations

32
ITSC Contacts
  • ITSC Security Contacts
  • Steve Miksell (301) 982-1116
  • smiksell_at_itsc.org or
  • Jane Powanda (301) 513-0143
  • jpowanda _at_ itsc.org
  • ITSC Management Contacts
  • Henry James (301) 982-1575
  • hjames_at_itsc.org

33
Notes