x Contents
5 Disaster Recovery Phase 155
5.1 Disaster Recovery Legal Issues 156
5.2 Planning for Handling the Emergency 158
5.2.1 Planning and Insurance Considerations 159
5.2.2 Identification of Potential Disaster Status 160
5.2.3 Involvement of Emergency Services 161
5.2.4 State and Federal Involvement 162
5.2.5 Assessing the Business Impact of an Emergency 163
5.2.6 Secure Recovery 164
5.2.7 Alternate Sites 164
5.3 Disaster Recovery Team Management Actions 165
5.4 Notification and Reporting in Disaster Recovery Phase 166
5.4.1 Mobilizing the Disaster Recovery Team 166
5.4.2 Notification to Management and Key Employees 167
5.4.3 Handling Notification of Personnel Families 167
5.4.4 Handling Media during the Disaster Recovery Phase 168
5.4.5 Maintaining an Event Log during Disaster Recovery Phase 168
5.5 Disaster Recovery Phase Report 168
5.6 Chapter Summary 169
5.7 Endnotes 169
6 Business Recovery Phase 171
6.1 Business Recovery Planning Process 171
6.1.1 Mobilizing a Business Recovery Team 172
6.1.2 Assessing Extent of Damage and Business Impact 173
6.1.3 Preparing Specific Recovery Plans 173
6.1.4 Assess Damaged Property and Documents 176
6.1.5 Backup Recovery Site 181
6.1.6 Monitoring Progress 183
6.1.7 Keeping Everyone Informed 183
6.1.8 Handing Business Operations Back to Regular Management 184
6.1.9 Preparing Business Recovery Phase Report 185
6.2 Planning Business Recovery Activities 185
6.2.1 Communication Systems 186
6.2.2 Human Resources 186
6.2.3 Corporate Proprietary Information and Documentation 186
6.2.4 IT Systems (Hardware and Software) 186
6.2.5 Office Supplies 187
6.2.6 Operations and Administration (Support Services) 187
6.2.7 Power and Other Utilities 187
6.2.8 Premises, Fixtures, and Furniture (Facilities Recovery Management) 188
6.2.9 Production Equipment 189
6.2.10 Nonproduction Equipment 189
6.2.11 Trading, Sales, and Customer Service 189
6.2.12 Warehouse and Stock 190
6.3 Chapter Summary 190
7 Testing, Auditing, and Training 193
7.1 Testing the Business Recovery Process 194
7.1.1 Develop Objectives and Scope of Tests 194
7.1.2 Setting the Test Environment 195
7.1.3 Prepare Test Data 196
7.1.4 Identify Who Is to Conduct the Tests 196
7.1.5 Identify Who Is to Control and Monitor the Tests 196
7.1.6 Prepare Feedback Questionnaires 196
7.1.7 Prepare Budget for Testing Phase 196
7.1.8 Training Core Testing Team for Each Business Unit 197
7.2 Security Testing 197
7.2.1 Testing Concepts and Application 198
7.2.2 Testing Risks to Data Integrity, Confidentiality, and Availability 198
7.2.3 Confidentiality of Test Plans and Data 199
7.2.4 Measurement and Interpretation of Test Results 199
7.2.5 Traceability 199
7.2.6 Thoroughness 199
7.2.7 Frequency 199
7.3 The Open Source Security Testing Methodology Manual 200
7.4 Monitoring and Updating 202
7.4.1 Monitoring 202
7.4.2 Updating 203
7.5 Hardening Systems 203
7.5.1 Management of the Hardening Process 204
7.6 System Patches 206
7.7 Auditing Fundamentals 207
7.8 Auditor’s Role in Developing Security Policies 208
7.9 Auditing Standards and Groups 210
7.9.1 Information Systems Audit and Control Association (ISACA) 211
7.9.1.1 ISACA CISA Certification 211
7.9.2 FISCAM 213
7.9.3 CobI 213
7.10 Audit Oversight Committee 214
7.11 Auditing and Assessment Strategies 214
7.11.1 Prerequisites for Developing an Audit Strategy 215
7.11.2 Identifying Audit Coverage Necessary 217
7.11.3 Audit Schedule and Resource Estimates 219
7.11.4 Establishing Audit Baselines 219
7.11.5 Concept of Time-Based Security 219
7.11.6 The Mind of an Auditor 220
7.12 Basic Audit Methods and Tools 221
7.12.1 Automated Tools 221
7.12.2 Security Checklists 222
7.12.3 Penetration Testing 223
7.12.4 Monitoring Methods and Tools 223
7.12.5 Configuration Management 224
7.13 General Information Systems (IS) Audit Process 225
7.13.1 Corporate Security Program Planning and Management 226
7.13.2 Access Control 226
7.13.3 Application Software Development and Change Control 227
7.13.4 System Software 227
7.13.5 Segregation of Duties 228
7.13.6 Service Continuity 228
7.14 Perimeter Audits 228
7.15 Using Nmap 229
7.15.1 What Is NLog? 229
7.15.2 Downloading Nmap 230
7.15.3 Nmap Features 230
7.16 Mapping the Network with Nmap 231
7.17 Analyzing Nmap Scan Results 232
7.18 Penetration Testing Using Nessus 233
7.19 Training Staff for the Business Recovery Process 234
7.19.1 Develop Objectives and Scope of Training 235
7.19.2 Training Needs Assessment 235
7.19.3 Training Materials Development 235
7.19.4 Prepare Training Schedule 236
7.19.5 Communication to Staff 236
7.19.6 Prepare Budget for Training Phase 236
7.19.7 Feedback Questionnaires 236
7.19.8 Exercise the Training 237
7.20 Chapter Summary 237
7.21 Endnotes 238
8 Maintaining a Business Continuity Plan 241
8.1 How to Maintain the Business Continuity Plan 241
8.1.1 Use Change Control Procedures for Updates to the Plan 243
8.1.2 BCP Data Synchronization 244
8.1.3 Assign Responsibilities for Maintenance of Each Part of the Plan 244
8.1.4 Test All Changes to Plan 244
8.1.5 Advise BCP Training Staff of Plan Updates/Changes 245
8.2 BCP Maintenance 245
8.2.1 Maintenance Frequency 245
8.2.2 Maintenance Responsibilities 247
8.3 BCP Distribution Issues 247
8.4 Awareness and Training Programs 248
8.5 Monitor and Review 249
8.6 Roles and Responsibilities for Maintaining the BCP Plan 249
8.7 Chapter Summary 250
BCP/DR Glossary 253
General References 275
A Sample Recovery Checklist 283
A.1 Recovery Checklist (Incident Response Team) 283
B Physical Facility Questionnaire 291
C Organizational Security Management 295
C.1 Organizational Security Management 295
C.1.1 Perceptions of Security 295
C.1.2 Placement of a Security Group in the Organization 296
C.1.3 Security Organizational Structure 296
C.1.4 Convincing Management of the Need 297
C.2 Security Management Areas of Responsibility 299
C.2.1 Awareness Programs 299
C.2.2 Risk Analysis 300
C.2.3 Incident Handling 301