323
Index
Access
managing, xli
physical, xli
remote, 100–103
Access control lists (ACLs), liii–liv
advanced, liii–liv
elementary, liii
Access control models, xliv–lvii
administration, l–lvii
discretionary, xlvii–xlviii
mandatory, xlv–xlvi
nondiscretionary, xlviii–xlix
types of, xliv
Access control(s), xlii–xliv, 226–27
accountability, xliii
assurance, xliii–xliv
bypass techniques, lvii
criteria, xliv
entities, xlii–xliii
external, lv–lvii
fundamental concepts, xliii
identity-based discretionary, xlvii
internal, lii–lv
mechanisms, lii
purpose, xlii
role-based, xlviii
security policy, xliii
user-directed discretionary, xlvii
uses of, xlix–l
Accountability, xliii
Accreditation, 27
Acknowledgment and research, 99
Acts of sabotage, 44–47
defined, 44
effects, 44–45
extortion, 45
internal sources, 47
malicious code, 47
precautions, 46
types of, 45–47
water and food contamination, 45–46
See also Organized/deliberate destruction
Acts of terrorism, 42–44
response, 44
types, 42
See also Organized/deliberate destruction
Acts of war, 47–49
defined, 47
response, 48–49
See also Organized/deliberate destruction
Administration
backup and recovery, 151
as business recovery activity, 187
team, 121
Administration models, l–lvii
access control mechanisms, lii
centralized, l–li
decentralized, li
external access controls, lv
hybrid, li–lii
internal access controls, lii–lv
See also Access control models
Advisories, 302–3
Adware, 106
After-Actions Report, 168–69
Air conditioning
excess capacity, 111–12
failure, 57
Alerts, 302–3
Alternate business process handling, 133–36
cold site, 136
fully mirrored site, 135
mobile site, 135–36
switchable hot site, 135
warm site, 135
Anti-spam software, 106
Anti-spyware software, 106
Antivirus software, 105
Application gateways, 104
Application software development, 227
Archiving
electronic files, 110
information, 109
Arson, 53–54
Assets
characterization, 65–66
identifying, 301
initiation/design phase, 66
Assurance, xliii–xliv
Attacks
brute force, lxi–lxii
dictionary, lxi
hybrid, lxi
infrastructure, xxvii
password, countermeasures, lxiii
Auditing
assessment strategies and, 214–21
auditor’s role, 208–10
automated monitoring tools, 223–24
automated tools, 221–22
baselines, establishing, 219
configuration management, 224
fundamentals, 207–8
IS process, 225–28
methods and tools, 221–24
monitoring methods/tools, 223
with Nmap, 229–32
oversight committee, 214
penetration testing, 223
perimeter, 228–29
schedule and resource estimates, 219
security checklists, 222–23
standards and groups, 210–13
system log review, 223
Auditors
mind of, 220–21
role, 208–10
Audit strategies, 214–21
coverage identification, 217–18
development prerequisites, 215–17
minimum items, 215
Audit validation checklist, 217
Automated tools, 221–22
Availability
continuous, 2
data, xlii
IT systems, 136–37
loss, 59
Backups
administration and operations, 151
customer service, 150–51
desktop computer, 146–47
key BCP personnel and, 152
key documents and procedures, 152–53
key information/documentation, 151–52
managing, 108–9
media, offsite storage, 109
premises and essential equipment, 150
procedures, 133–36
processes, 108, 137
restoring data from, 182
software and licenses, 148–49
See also Recovery
BCP maintenance, 4–5, 245–47
framework, 245
frequency, 245–46
procedures development, 246
responsibilities, 244
roles and responsibilities, 249–50
scheduled, 246
See also Business continuity plans (BCPs)
BCP projects
deliverables, 18
documentation requirements, 19–20
kick-off meeting, 16–17
milestones, 18
objectives, 17–18
organization, 14–20
project manager, 15, 16
reporting requirements, 19
scope of responsibilities, 14–15
tasks, 14
team composition, 15
Biometric systems, lviii
Brute force attack, lxi–lxii
Business contingency, 2
Business continuity (BC), 2
Business continuity plans (BCPs), 5
average life, 245
awareness programs, 248–49
BCP projects
building, 3–5
business impact analysis, 4
changes, testing, 244–45
data synchronization, 244
development, 4
distribution issues, 247–48
finance sector requirements, 13
focus, 5
health sector requirements, 14
importance, xix
industry-specific standards/regulations, 12–13
as insurance policy, xx
as living document, 242
maintaining, 241–51
monitor and review, 249
planning, 8–11
preparing, 8
project initiation, 3
recovery strategies, 4
requirements, xxii
standards and guidelines, 11–14
state of, xx–xxiii
steps, 3–5
tasks, 241–42
teams, 15, 17
telecommunications sector requirements, 14
training, 4–5, 248–49
training staff, 245
updates, change control procedures, 243
validation/testing, 4
See also BCP maintenance
Business fraud, xxv
Business functions
classification, 83–84
interdependencies, 84
prioritization, 83–84
recovery team, 121–22
Business impact analysis (BIA), 4, 69–86
advantages, 70
business recovery requirements, 71
defined, 69
effective, 69
financial impact, 84–86
function prioritization/classification, 83–84
impact on operations determination, 82–83
information provided by questionnaire, 72–73
key business processes identification, 70–71
operational impact, 84–86
priorities, fine-tuning, 74
process, 69
questionnaire development, 72–73
questions, 73
report format, 74
resource dependencies determination, 74–81
results, 81
risk assessment vs., 70
service interruption measurement, 84
See also Risk assessment
Business processes
alternate handling, 133–36
key, identifying, 70–71
Business recovery, 117, 171–91
applications data restoration, 182
backup recovery site, 181
business impact assessment, 173
business operations, handing back, 184–85
damage assessment, 173
damaged property/documents assessment, 176–81
data restoration, 182
human resources, 186
information dissemination, 183–84
new equipment purchase, 181–82
phase, 171–91
planning, 171–85
plan preparation, 173–76
progress monitoring, 183
recovery site assembly, 182
recovery site designation, 181
report, 185
requirements, establishing, 71
restored permanent facility move, 183
team mobilization, 172
training staff, 234–37
Business recovery activities
communication systems, 186
corporate proprietary information/documentation, 186
IT systems, 186–87
nonproduction equipment, 189
office supplies, 187
operations and administration, 187
planning, 185–90
power, 187–88
premises, fixtures, furniture, 188–89
production equipment, 189
trading, sales, customer service, 190
utilities, 187–88
warehouse and stock, 190
Business recovery plans (BRPs), 171
elements, 173–74
goal, 171
maintenance, 173
preparing, 173–76
Business recovery team (BRT), 120
mobilizing, 172
roles and responsibilities, 250
Business Resumption Plans (BRPs), 5–6
Business risk assessment, 65–69
asset characterization, 65–66
report, 68–69
risk-benefit analysis, 66–67
risk level matrix, 68
See also Risk assessment
Centralized administration model, l–li
CERT Coordination Center (CERT/CC), 208, 302
Certifications, 315–18
CCSA, 316
CISA, 316
CISSP, 316
GIAC/CSE, 316–17
GSEC, 317