CISSP Chapter 1: Security and Risk Management Knowledge Points

The knowledge map was built in Xmind and exported as a PNG image for quick reference (the original can be saved locally to view at full resolution).

1. Basics of security and risk management

Basic knowledge

  • CIA
    • Confidentiality
      • Ensure that information is not disclosed to unauthorized users or entities during storage, use and transmission
    • Integrity
      • Prevent unauthorized tampering, prevent authorized users from improperly modifying information, and maintain the internal and external consistency of information
    • Availability
      • Ensure that authorized users or entities are not improperly denied normal use of information and resources, and that information can be accessed reliably and in a timely manner
  • DAD
    • Disclosure, Alteration (tampering), Destruction

CIA related technology

  • Confidentiality
    • Data encryption (disk encryption, database encryption)
    • Transport confidentiality (IPsec, SSL, TLS, SSH)
    • Access control (physical and technical controls)
  • Integrity
    • Hashing (data integrity)
    • Configuration management (system integrity)
    • Change management (process integrity)
    • Access control (technical and physical controls)
    • Software digital signatures
      • Code signing (its main function is to protect the integrity of the code, not to provide non-repudiation)
    • CRC checks on transmitted data (applied at multiple network layers)
  • Availability
    • Redundant Array of Independent Disks (RAID)
    • Clustering
    • Load balancing
    • Redundant data and power lines
    • Software and data backups
    • Disk mirroring
    • Co-location and off-site facilities
    • Rollback capability
    • Failover configuration

Layered construction

  • Defense in depth
    • A combination of multiple control methods, so that the failure of any one control does not by itself lead to compromise of the system or leakage of data

Risk Management

The three classes of security controls are implemented in a defense-in-depth manner. Risk management is the core concept of information security.

  • Three classes of control types
    • Administrative control
      • Organizational security policies and legal regulations. Examples of policies and procedures: policies, procedures, hiring practices, background checks, data classification, data labeling, security awareness training, leave records, reporting and review, job supervision, personnel controls, and testing
    • Technical control / logical control
      • Examples of hardware and software controls: authentication methods, encryption, restricted interfaces, access control lists, protocols, firewalls, routers, IDS, and thresholds
    • Physical control
      • Examples of physical access measures: security guards, fencing, motion detectors, locked doors, sealed windows, lighting, cable protection, laptop locks, badges, swipe cards, guard dogs, cameras, mantraps, alarms
  • Six types of security control functions
    • Deterrent control
    • Preventive control
    • Detective control
    • Compensating control
    • Corrective control
      • Backup, BCP, DRP
    • Recovery control

GRC - Governance, Risk and Compliance

Information Security Management - PDCA Model

  • Plan, Do, Check, Act
    • 1. Plan: determine control objectives and control measures based on risk assessment results, legal and regulatory requirements, and the organization's business and operational needs
    • 2. Do: implement the selected security controls and raise personnel security awareness
    • 3. Check: verify that the security measures are implemented in compliance with policies, procedures, standards, laws and regulations
    • 4. Act: take corrective action based on the check results to improve the security posture

Organizational Information Classification

  • Commercial companies - Public, Sensitive, Private, Confidential (low to high)
  • Military / government organizations - Sensitive but Unclassified, Confidential, Secret, Top Secret (low to high)

2. Security control framework

Security Control Development

  • COBIT - IT internal control
    • Published by the Information Systems Audit and Control Association (ISACA); divided into governance and management domains
  • NIST SP 800-53 - security controls reference

Enterprise Solution Development

  • ISO/IEC 27001 - information security management system (ISMS) requirements
    • Originated from BS 7799: BS 7799-1 became ISO/IEC 27002 and BS 7799-2 became ISO/IEC 27001
  • ISO/IEC 27002 - ISMS best practices (control objectives framework)
  • ISO/IEC 27003 - ISMS implementation guidelines
  • ISO/IEC 27005 - information security risk management

Enterprise Architecture Development

  • Zachman and TOGAF enterprise architecture frameworks

Secure Enterprise Architecture Development

  • SABSA security architecture framework

Corporate Governance

  • COSO Internal Control - Integrated Framework (enterprise internal control management framework)
    • Five internal control components: control environment, risk assessment, control activities, information and communication, monitoring
    • The framework many organizations use to address SOX Section 404 compliance

Process Management

  • CMMI - software development management
  • ITIL - IT service management
    • Five lifecycle stages: service strategy, service design, service transition, service operation, continual service improvement
  • Six Sigma - business process management

Due Care and Due Diligence

Due Care (DC; also rendered as careful consideration, reasonable concern or reasonable prudence): taking the precautions a reasonable, prudent person would take. Due Diligence (DD; also rendered as reasonable diligence): the ongoing investigation and verification that those precautions are adequate and are actually being followed.

3. Security Policy

Security Management Documentation Hierarchy

  • Policy
    • 1. Sits at the highest, strategic level 2. A commitment at the highest level to take responsibility for information security 3. States what is to be protected and the objectives
    • Three types of policy
      • Regulatory (compliance) policy
      • Advisory policy
      • Informative policy
  • Standard
    • Establishes the mandatory mechanism for implementing the policy
  • Guidelines
    • Similar to standards, recommended methods for strengthening system security; guidelines are advisory rather than mandatory
  • Security baseline
    • The minimum level of security required to meet the policy
  • Procedure
    • Detailed steps to perform a specific task
    • A procedure is a step-by-step description of how a particular protection task is performed

Policy Types by Content Focus

  • Organizational policy
  • Functional (issue-specific) policy
  • System-specific policy

Procurement Security Policies and Practices / Supply Chain

  • Supply chain risk and security controls
  • Hardware, software and service procurement
    • Develop security baselines that state the minimum security requirements for procured products and services
    • Provide security training for supplier personnel
    • Formulate a supplier security management strategy and define common security control methods
    • Strengthen control over OEM manufacturers, distributors and integrators, and audit security risks across the supplier network
  • Minimum security requirements and service level requirements
    • Define service level requirements and minimum security requirements through SLAs
  • Third-party audit SOC reports (syllabus domain 6)
    • Before SOC reports, many organization leaders relied on the SAS 70 report (Statement on Auditing Standards No. 70) to obtain assurance over outsourced activities. However, SAS 70 focused on internal control over financial reporting (ICOFR) rather than on system availability and security.
      • Most organizations that outsourced services required a SAS 70 report, but only from a financial perspective; many users then began to focus on security and availability, and later on privacy
    • SOC 1
      • The report requires the service provider to describe its system and define control objectives and controls that are relevant to internal control over financial reporting
      • SOC 1 reports generally do not cover services and controls that are not relevant to the user's ICOFR
      • SOC 1 reports have been used by many service providers for core financial processing services since 2011
    • SOC 2 / SOC 3 reports
      • Reports that cover both the design and the operating effectiveness of controls
      • The principles and criteria specifically define security, availability, confidentiality, processing integrity and privacy
      • Unlike SOC 1, not centred on internal control over financial reporting (ICOFR)
      • Based on the needs of service providers and their users, a modular approach allows a SOC 2 / SOC 3 report to cover one or more of the principles
      • If the IT service provider does not affect, or only indirectly affects, the user's financial systems, a SOC 2 report is used
      • SOC 3 reports are generally used to inform a broad audience of the level of assurance without disclosing detailed controls and test results
    • Type 1 and Type 2
      • Type 1 reports on the design of controls at a point in time; Type 2 also reports on their operating effectiveness over a period

Threat Modeling

  • Steps
    • Identify threats
      • STRIDE model
    • Identify potential attacks
    • Perform reduction analysis
    • Prioritize and respond

4. Organizational structure of information security

Senior Management (CEO, CFO, COO)

  • The decision-making layer or senior management bears overall responsibility for information security and is the ultimate owner of information security
    • Responsibilities: 1. Set information security goals and guidelines to direct information security activities 2. Provide resources for information security activities 3. Decide on major issues 4. Coordinate and organize the relationships between different units and functions 5. Hold ultimate responsibility

Chief Information Officer (CIO)

  • Supervises and is responsible for the company's day-to-day technical operations

Information Security Officer (CSO)

  • 1. The information security officer or CSO is assigned by senior management (usually reporting to the CIO) to implement and maintain security 2. Designs, implements, manages and reviews the organization's security policies, standards, guidelines and procedures 3. Coordinates all security-related interactions between units within the organization
  • CSO responsibilities: 1. Budgeting for information security activities 2. Developing policies, procedures, baselines, standards and guidelines 3. Developing a security awareness program 4. Evaluating security incident responses 5. Developing a security compliance program 6. Participating in management meetings 7. Establishing security metrics 8. Assisting internal and external audits

Security Committee

  • 1. Members come from senior management representatives, IT managers, heads of business and functional departments, the information security officer, etc. 2. Makes decisions on and approves security-related matters, policies, standards and guidelines

Security Administrator

  • 1. Responsible for implementing, monitoring and enforcing security regulations and policies 2. Each department can appoint its own security administrator responsible for the department's security management affairs 3. Reports to the security committee / information security officer

Information Systems Auditor

  • 1. Provides independent assurance over security objective management 2. Examines systems to determine whether they meet security requirements and whether security controls are effective

Security Program Team

Three types of plans

  • Strategic plan - long-term plan, about five years, relatively stable; defines the goals and mission of the organization
  • Tactical plan - mid-term plan, such as one year; describes in detail the tasks and schedule for achieving the goals set in the strategic plan, e.g. hiring plan, budget plan
  • Operational plan - short-term, highly detailed plan, updated frequently (monthly or quarterly), e.g. training plan, system deployment plan

5. Personnel security

Onboarding Security Management

  • Background checks - reduce risk, recruitment cost and employee turnover
  • Skills assessment
  • Confidentiality agreement or NDA - makes clear the employee's responsibility for organizational information security, confidentiality, and legal liability for violations; applies to probationary employees, third-party users of information processing facilities, changes to the employment contract, and resignation

On-the-Job Security Management

  • Separation of duties - purpose: reduce the opportunity for fraud or unauthorized transactions. Common forms: split knowledge, dual control. For smaller organizations strict separation of duties is difficult, and compensating measures such as monitoring and auditing can be adopted
  • Least privilege - assign only the minimum privileges required for the responsibilities
  • Job rotation - do not let one person hold a fixed position for an extended period, so that no individual gains too much control. Provides personnel backup and supports cross-training and fraud detection (cross-training is often used as an alternative to job rotation)
  • Mandatory vacation - forcing personnel in sensitive departments to take leave is an effective way to detect fraud, data modification and resource abuse

Exit Security Management

  • Immediately remove the former employee's access
  • Recover identification items
  • Departing staff should be escorted while collecting personal belongings

Vendor, Consultant and Contractor Controls

  • Not working on site, but with administrator privileges
    • 1. Sign a confidentiality agreement with the third-party organization and individuals 2. Monitor all work performed by the third party 3. Verify the identity of third-party personnel when they access systems
  • Working on site, with administrator privileges
    • 1. In addition to measures 1-3 above, add a personnel background investigation 2. Withdraw the relevant privileges when third-party personnel leave the site
  • Add confidentiality requirements and related business terms to the contract with the third party

Security Awareness, Training and Education

  • 1. Employees must be aware of the need to protect the organization's information assets; 2. Operators must be trained in the skills to perform their duties securely; 3. Security practitioners should be educated to implement and maintain the necessary security controls

6. Risk management

Purpose

  • The process of identifying and assessing risk, reducing risk to an acceptable level, and implementing appropriate mechanisms to maintain that level
  • Balancing cost and benefit (ROI): ROI = (benefit after implementing the control + benefit of recovered data loss) / control cost

Risk Management Related Elements

  • Asset
    • An information asset of value to the organization. Asset valuation: the monetary value assigned to the asset in terms of actual cost plus non-monetary factors
  • Threat
    • A potential cause of a security incident that could cause damage to an asset or the organization
  • Vulnerability
    • A weakness in an asset or group of assets that can be exploited by a threat and, once exploited, may cause damage to the asset
  • Risk
    • The potential for a specific threat to exploit a weakness in an asset and cause damage to an asset or group of assets
  • Likelihood
    • Qualitative description of how frequently a threat occurs
  • Impact / consequence
    • Direct or indirect damage or harm to the organization caused by an incident
  • Security measures
    • Controls or countermeasures: mechanisms, methods and measures that reduce risk by preventing threats, reducing vulnerabilities and limiting the impact of incidents
  • Residual risk
    • Risk that remains after security measures have been implemented

Risk Assessment

  • Concept
    • An assessment of information assets and their value, threats, weaknesses, and the size or level of risk arising from the combined action of the three
  • Objective
  • Risk assessment methods
    • AS/NZS 4360
      • Takes a broader approach to risk management (applies to a company's financial, capital, personnel safety and business decision-making risks; not specifically for security use)
    • NIST SP 800-30 and SP 800-66
      • Qualitative RA method
      • 1. System characterization; 2. Weakness identification; 3. Threat identification; 4. Countermeasure identification; 5. Likelihood assessment; 6. Impact assessment; 7. Risk assessment; 8. Recommendation of new countermeasures; 9. Documentation report
    • OCTAVE
      • A self-directed information security risk assessment method based on information asset risk, emphasizing an asset-driven approach; consists of 3 phases and 8 processes
    • CRAMM
      • Basic processes: asset identification and valuation; threat and vulnerability assessment; countermeasure selection and recommendation
    • STA (spanning tree analysis)
      • Build a tree of all threats the system may face; branches can represent categories such as network threats, physical threats and component failures. When performing the RA, branches that do not apply are pruned
    • FMEA (failure modes and effects analysis)
      • Originated in hardware analysis. Examines the potential failure of each component or module and the effects of that failure
  • Quantitative analysis
    • Definition: assign a numerical or monetary value to each element that makes up a risk and to the level of potential loss
    • Basic concepts: exposure factor (EF), single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE)
    • Quantitative analysis process
      • Identify assets and assign values (AV) to them
      • Assess threats and weaknesses and evaluate the impact of a specific threat on a specific asset, i.e. EF (0% to 100%)
      • Estimate the number of occurrences (frequency) of a particular threat per year, i.e. ARO
      • Calculate the SLE of an asset: SLE (single loss expectancy) = AV (asset value) × EF (exposure factor). Short: SLE = AV × EF
      • Calculate the ALE of an asset: ALE (annualized loss expectancy) = SLE (single loss expectancy) × ARO (annualized rate of occurrence). Short: ALE = SLE × ARO = AV × EF × ARO
    • Cost/benefit of a safeguard = ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard (ACS) = the actual value of the safeguard to the company. Short: (ALE1 - ALE2) - ACS
  • Qualitative analysis
    • Definition: the most widely used model at present, and strongly subjective. It usually relies on the experience and intuition of the analyst, or on industry practice and standards, to grade the size or level of the risk elements qualitatively, e.g. "high, medium, low"
    • Qualitative analysis methods
      • Consensus / Delphi method
      • Checklist
      • Questionnaire
      • Personnel interviews
  • Comparison of qualitative and quantitative analysis methods
    • Qualitative methods and their results are relatively subjective
    • Qualitative methods do not establish monetary values for cost/benefit analysis
    • Quantitative methods are computationally intensive and difficult to implement

Risk Assessment / Analysis Process

  • 1. Identify information assets
    • 1. Identify the owner, custodian and user of each asset 2. Build an asset inventory and identify information assets by business process 3. Physical, logical and intangible assets
  • 2. Value information assets
    • 1. Consider the valuation factors 2. Classify assets by importance (impact or consequence), considering the possible consequences of damage to confidentiality, integrity and availability 3. Valuation methods for intangible assets
  • 3. Identify and assess threats
    • 1. An asset may face multiple threats, and one threat may affect multiple assets 2. Identify threat sources: human, system, environmental and natural threats 3. When assessing the likelihood of a threat, consider the threat source's motivation and capability
  • 4. Identify and assess weaknesses
    • 1. Find the weaknesses of each asset that may be exploited: technical weaknesses, operating system weaknesses and management weaknesses 2. Weakness identification methods: audit reports, incident reports, security inspection reports, system test and evaluation reports, vulnerability information published by professional organizations, automated vulnerability scanners, penetration testing
  • 5. Relate assets, threats and weaknesses
  • 6. Assess risk
    • Key indicators: 1. Risk impact 2. Risk likelihood
  • 7. Consider existing controls
    • Three categories by nature and implementation: 1. Management 2. Operational 3. Technical
    • By function, control types include: 1. Deterrent 2. Preventive 3. Detective 4. Corrective 5. Recovery 6. Compensating
  • 8. Risk treatment strategy
    • Choose the risk treatment strategy: 1. Reduce risk 2. Avoid risk 3. Transfer risk 4. Accept risk
    • Selecting risk controls (countermeasures)
      • 1. Cost/benefit analysis. Basic principle: the cost of implementing a security measure should not exceed the value of the asset it protects. Countermeasure costs: purchase cost, additional manpower and material resources, training, maintenance, etc., plus the impact on business efficiency. Control value = ALE before implementing the control - annual cost of the control - ALE after implementing the control
      • 2. Constraints: time, technical, environmental, legal and social constraints
      • 3. Basic functions and effectiveness of the protective measures
  • 9. Assess residual risk
    • The risk that remains after security controls are implemented. Residual risk Rr = original risk R0 - control effectiveness R; the result is acceptable when residual risk Rr <= acceptable risk Rt
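The quantitative formulas above (SLE, ALE, the safeguard value used in the countermeasure-selection step, and the residual-risk check in step 9) worked through in code. This is an added example, not part of the original notes; the asset, threat and safeguard figures, and the rule for combining several safeguards' EF/ARO reductions, are assumptions made here.

```python
"""Quantitative risk analysis from the notes above, worked in code.

Formulas implemented (from the notes): SLE = AV x EF; ALE = SLE x ARO;
safeguard value = ALE before - ALE after - ACS; residual risk Rr = R0 -
control effectiveness, acceptable when Rr <= Rt. All figures below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV, asset value in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float  # ARO, expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must lie between 0% and 100%")
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    """A control that lowers EF and/or ARO for an annual cost (ACS)."""
    name: str
    annual_cost: float  # ACS
    new_exposure_factor: Optional[float] = None  # EF with the control; None = unchanged
    new_aro: Optional[float] = None  # ARO with the control; None = unchanged


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = AV x EF: expected loss from one occurrence of the threat."""
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO = AV x EF x ARO."""
    return single_loss_expectancy(asset, threat) * threat.aro


def ale_with_safeguards(asset: Asset, threat: Threat,
                        safeguards: Sequence[Safeguard]) -> float:
    """ALE once the given safeguards are in place.

    Assumption (not from the notes): when several safeguards each lower EF or
    ARO, the lowest value offered is used rather than compounding the
    reductions, which is the conservative choice.
    """
    ef = min([threat.exposure_factor] + [s.new_exposure_factor for s in safeguards
                                         if s.new_exposure_factor is not None])
    aro = min([threat.aro] + [s.new_aro for s in safeguards if s.new_aro is not None])
    return annual_loss_expectancy(asset, Threat(threat.name, ef, aro))


def safeguard_value(asset: Asset, threat: Threat, safeguard: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS: the safeguard's actual annual value to the company."""
    ale_before = annual_loss_expectancy(asset, threat)
    ale_after = ale_with_safeguards(asset, threat, [safeguard])
    return ale_before - ale_after - safeguard.annual_cost


def rank_safeguards(asset: Asset, threat: Threat,
                    safeguards: Sequence[Safeguard]) -> List[Tuple[str, float]]:
    """Rank candidate safeguards by cost/benefit, best first.

    Also applies the notes' basic principle: a safeguard whose annual cost
    exceeds the value of the asset it protects is never justified.
    """
    ranked = [(s.name, float("-inf") if s.annual_cost > asset.value
               else safeguard_value(asset, threat, s)) for s in safeguards]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def residual_risk_acceptable(asset: Asset, threat: Threat,
                             safeguards: Sequence[Safeguard],
                             acceptable_risk: float) -> bool:
    """Rr = R0 - control effectiveness; acceptable when Rr <= Rt.

    ALE is taken as the risk measure R0, and the ALE reduction achieved by
    the safeguards as their combined control effectiveness.
    """
    r0 = annual_loss_expectancy(asset, threat)
    effectiveness = r0 - ale_with_safeguards(asset, threat, safeguards)
    return (r0 - effectiveness) <= acceptable_risk


# Constructed sample data: one asset, one threat, three candidate safeguards.
DATABASE = Asset("customer database", value=500_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.60, aro=0.25)
CANDIDATES = [
    Safeguard("offline backups", annual_cost=20_000.0, new_exposure_factor=0.15),
    Safeguard("e-mail filtering", annual_cost=8_000.0, new_aro=0.10),
    Safeguard("24x7 managed SOC", annual_cost=90_000.0,
              new_exposure_factor=0.05, new_aro=0.05),
]
```

On the sample data, rank_safeguards(DATABASE, RANSOMWARE, CANDIDATES) places e-mail filtering (37,000 per year) just above offline backups (36,250), while the managed SOC, the control that removes the most ALE, scores negative (-16,250) because its annual cost exceeds the loss it prevents. Filtering alone leaves Rr = 30,000 above an Rt of 25,000; backups plus filtering bring Rr down to 7,500, which residual_risk_acceptable reports as acceptable.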

7. Compliance with laws and regulations, and professional ethics

Computer crime categories

  • Computer-assisted crime
    • The computer is not a necessary element of the crime but is used as a tool to assist the criminal
  • Crimes targeting computers
    • Crimes against computers, networks and the information stored on these systems
  • Computer-related crime
    • The computer is not necessarily the attacker's tool or the target; it just happens to be involved when the crime occurs
  • To understand the "why" of a crime it is often necessary to understand MOM
    • Means
    • Opportunity
    • Motive

Classification of law

  • criminal law
  • civil law
  • administrative law

Features of computer crime

  • Investigation and evidence collection are difficult: they require specialist skills, the evidence is easily destroyed, and compared with other evidence it is harder to get accepted by a court
  • Relevant laws are incomplete and cannot keep pace with technological development, making it difficult to punish criminals under the law
  • Crimes cross jurisdictions
  • Statistically, insiders are more likely to commit these crimes
  • Victims sometimes do not report crimes, fearing disruption to normal operations and damage to users' trust in the organization

Intellectual Property

  • Trade secret
    • 1. Not generally known; developed by the company with its own resources and effort 2. Appropriately protected by the company to prevent leakage or unauthorized use 3. Critical to the company's competitiveness or marketability
    • Examples: product formulas, program source code, encryption algorithms
  • Copyright
    • 1. The right to publish, reproduce, display and modify most works is legally protected 2. It does not protect the idea behind the work, only the expression of that idea
    • Examples: program code (source code and executables, even user interfaces), literature, paintings, song melodies
  • Trademark
    • 1. Protects the words, names, symbols, shapes, sounds and colors that represent the company's image 2. Trademarks are usually registered with the trademark registration agency 3. Trademarks are marks of quality and reputation established by companies in the course of market operations
  • Patent
    • 1. Legal recognition of the patent holder's (person's or company's) ownership of the invention, prohibiting unauthorized use by other persons or companies 2. A patent is valid for 20 years
    • Examples: drug formulas, encryption algorithms, etc.

Software Piracy

  • Software categories: 1. Freeware 2. Shareware 3. Commercial software 4. Academic software
  • International anti-piracy organizations: Software Publishers Association (SPA), the anti-software-theft alliance. Relevant law: Digital Millennium Copyright Act (DMCA)

Laws and Regulations

Focus on GDPR

  • 1. Sarbanes-Oxley Act (SOX) 2. Health Insurance Portability and Accountability Act (HIPAA) 3. Federal Privacy Act 4. Basel II 5. Payment Card Industry Data Security Standard (PCI DSS) 6. Federal Information Security Management Act (FISMA) 7. Economic Espionage Act 8. EU General Data Protection Regulation (GDPR)
  • GDPR General Data Protection Regulation
    • personal data
      • any data relating to an identified or identifiable natural person ('data subject')
    • Special categories of personal data (sensitive data)
    • Principles of Processing Personal Data
      • legal, fair and transparent
        • Personal data should be processed in a lawful, fair and transparent manner with respect to the data subject
      • Minimize data
        • The personal data collected by controllers and processors should be limited to what is necessary to achieve the purpose, and processing should be kept to the minimum necessary to achieve the purpose
          • Do not over-collect
      • purpose limitation
        • Controllers and processors must collect personal data for specific, explicit and lawful purposes, and processing must not go beyond the purposes stated at the time of collection
          • No secondary use beyond the stated purpose
      • accuracy
      • storage limit
      • Integrity and Confidentiality
    • data subject
      • An identifiable natural person; a natural person who can be identified directly or indirectly
      • Data Subject Rights
        • Right of access
        • Right to object
        • Right to withdraw consent
        • Right to restrict processing
        • Right to rectification
        • Right to data portability
        • Right to erasure (right to be forgotten)
    • data controller
      • Determining the purpose and means of processing personal data
    • data processor
      • Processing data in accordance with the requirements of the data controller
    • de-identification
      • Pseudonymization
        • Data pseudonymization is the processing of personal data in such a way that personal data cannot be attributed to a specific data subject without the use of additional information. This process is reversible (as long as there is a corresponding key) and is still considered personal data.
      • hashing, encryption
    • Anonymization
      • Data can no longer be associated with individuals
      • Anonymized data is no longer personal data
    • Notification of Personal Data Breach
      • Notification to regulator "within 72 hours"
        • Inform the supervisory authority if there is a risk to the rights and freedoms of natural persons
        • Data subjects also need to be notified if there is a high risk to the rights and freedoms of natural persons
    • Privacy by Design (PbD)
      • "Privacy by design raises the point that the future of privacy cannot be ensured by adherence to regulatory frameworks; rather, privacy assurance must ideally become the default mode of operation for organizations."
        • 1. Proactive not reactive; preventive not remedial
        • 2. Privacy as the default
        • 3. Privacy embedded into design
        • 4. Full functionality - positive-sum, not zero-sum
        • 5. End-to-end security - full lifecycle protection
        • 6. Visibility and transparency - keep it open
        • 7. Respect for user privacy - keep it user-centric
    • Cross-border data flow (new knowledge points in the outline)
      • Adequately recognized countries
      • BCR (Binding Corporate Rules)
        • Transnational data transfer within a group company
      • Data transfers between the European Union and the United States
        • Safe Harbor agreement (invalidated in 2015)
        • Privacy Shield agreement (invalidated in 2020)
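The pseudonymization and anonymization definitions above, demonstrated in code. This is an added example, not part of the original notes or of the GDPR text; the record layout, the keyed-hash token scheme and the generalization rules are assumptions made here.

```python
"""Pseudonymization versus anonymization, as defined in the GDPR notes above.

Added example, not from the original notes. Pseudonymization (here keyed
hashing with HMAC) replaces direct identifiers with tokens; with the
separately held key and lookup table the records can be attributed to a
person again, so they remain personal data. Anonymization removes the
identifiers and coarsens quasi-identifiers, keeping no table to reverse it.
The records and key below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, str]
DIRECT_IDENTIFIERS = ("name", "email")  # fields that identify a person directly


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier value (HMAC-SHA256, truncated hex)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: Sequence[Record],
                 key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Replace direct identifiers with tokens.

    Returns the pseudonymized records and the 'additional information'
    (token -> original value) that must be stored separately from them.
    """
    table: Dict[str, str] = {}
    out: List[Record] = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                token = pseudonym(new[field], key)
                table[token] = new[field]
                new[field] = token
        out.append(new)
    return out, table


def reidentify(record: Record, table: Dict[str, str]) -> Record:
    """Reverse pseudonymization with the lookup table: still personal data."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in restored:
            restored[field] = table[restored[field]]
    return restored


def anonymize(records: Sequence[Record]) -> List[Record]:
    """Drop direct identifiers and generalize quasi-identifiers.

    Date of birth becomes birth year and the postcode is cut to its outward
    part. No table is kept, so nothing in the output links back to a data
    subject; the generalization is a simplified illustration of the idea.
    """
    out: List[Record] = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        if "birth_date" in new:
            new["birth_year"] = new.pop("birth_date")[:4]
        if "postcode" in new:
            new["postcode"] = new["postcode"].split()[0]
        out.append(new)
    return out


# Constructed sample records and key.
PATIENTS: List[Record] = [
    {"name": "Alice Example", "email": "alice@example.org",
     "birth_date": "1984-03-12", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org",
     "birth_date": "1990-11-02", "postcode": "EC1A 1BB", "diagnosis": "diabetes"},
]
KEY = b"constructed-demo-key"
```

The same key always yields the same token for a value, so pseudonymized records stay linkable to each other and, with the table, to the person; anonymize() returns records that carry neither tokens nor a table.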

Privacy Protection

  • Goals: 1. Actively seek to protect citizens' personally identifiable information (PII) 2. Actively seek a balance between the needs of government and business, and security concerns, when considering the collection and use of PII
  • Personally identifiable information
    • ID number, IP address, license plate number, driver's license number, face, fingerprint or handwriting, credit card number, digital identity, date of birth, place of birth, genetic information, etc.
  • Principles of personal information use
    • Obligations of the personal data controller: 1. Collecting personal data requires the data subject's consent and notification of the purpose 2. Collect only data related to the purpose, and use and store it only for the period the purpose requires 3. The method of collection and the purpose of the data must comply with the law 4. Take reasonable technical, managerial and operational measures to prevent malicious infringement of personal information, ensure data integrity and confidentiality, and purge outdated data to prevent access by people with no work-related need
    • Data subjects are entitled to review the information collected about them and to correct inaccurate information

ISC2 Code of Ethics (Handout P71)

Computer Ethics Institute (Handout P72)

Internet Architecture Board (Handout P73)

8. BCP&DRP requirements

disaster

  • definition of disaster
    • Sudden, unfortunate and unexpected event resulting in substantial loss.
  • organizational disaster
    • For an institution, any event that results in the inability of a critical business function for a certain period of time is considered a disaster
    • Disaster characteristics: 1. Unplanned service interruption 2. Prolonged service interruption 3. The interruption cannot be resolved through normal problem management procedures 4. The interruption causes major losses
    • Whether an outage event is considered a catastrophe depends on: 1. The criticality of the business functions affected by the outage 2. The length of the outage

Disaster Recovery Plan (DRP)

  • The main purpose of the disaster recovery plan: 1. When the disaster strikes, properly handle the disaster and its catastrophic consequences, and pay more attention to the IT information technology level
  • 2. The execution of the disaster recovery plan is when everything is in a state of emergency, and everyone is busy restoring the critical system 2

Business Continuity Plan BCP

  • Main purposes of the business continuity plan
    • Focus on the availability of information systems
    • BCP takes a broader approach to the problem, including migrating key systems to another safe environment while the original facility is being repaired; during this period the right people move into the right positions to keep the business running until it returns to normal
  • BCP standards and best practices
    • "Information security technology - Disaster recovery specifications for information systems", GB/T 20988-2007
    • "Contingency Planning Guide for Information Technology Systems", NIST SP 800-34
    • British Standards Institution (BSI) business continuity management standard BS 25999
    • ISO 22301, the international standard for business continuity management systems (replaces BS 25999)
    • NIST SP 800-34 best practices for IT system contingency planning
      • Develop a contingency planning policy statement
      • Perform a business impact analysis (BIA)
      • Identify preventive controls
      • Develop recovery strategies
      • Develop the contingency plan
      • Test the plan and conduct training and exercises
      • Maintain the plan
  • Preparatory activities before BCP launch
    • Determine BCP needs, which can include targeted risk analysis to identify possible disruptions to critical systems
    • Understand the requirements of relevant laws, regulations, industry norms and the organization's business and technical planning, so that the BCP is consistent with them
    • Appoint the BCP project leader and establish a BCP team including representatives of the business and technical departments
    • Develop a project management plan that states the project scope, objectives, methods, responsibilities, tasks and schedule
    • Senior leaders hold a formal project kick-off meeting to demonstrate high-level support
    • Awareness-raising activities educate employees about the BCP and build support from within
    • Implement the BCP skills training needed to support the BCP's success
    • Identify the automation tools needed to collect data, and start collecting data across the organization to support the various continuity plans
  • Responsibilities of the BCP project leader
    • The business continuity coordinator, as the person in charge of the BCP project, is fully responsible for the project's planning, preparation, training and related work
    • Communication and liaison between the plan development team and the management team
    • Full understanding of the impact of business interruption on the organization's business
    • Familiarity with the organization's needs and operations, and the ability to balance the differing needs of the organization's departments
    • Relatively easy access to senior management
    • Understanding of the organization's business direction and senior management
    • Ability to influence senior management decisions
  • Key roles in the BCP project
    • Business departments: identify the organization's key business functions and assist in selecting and formulating recovery strategies
    • IT department: provide professional guidance and advice
    • Information security department
    • Legal department
    • Communications department
  • Business Impact Analysis BIA
    • BIA overview: identify the areas likely to suffer significant loss or operational disruption in a disaster, identify the critical systems the organization needs in order to keep operating after a disaster, and determine how long the organization can tolerate disruption
    • BIA analysis method
      • Qualitative analysis of the impact of a disaster or disruption event in terms of severity
      • Quantitative analysis of the impact of a disaster or disruption event in monetary terms
    • Purpose of BIA
      • Help managers understand the potential impact of outages
      • Identify key business functions and the IT resources that support them
      • Help managers identify deficiencies in the support of organizational functions
      • Schedule the recovery of IT resources: analyze the impact of outages and determine the recovery window for each business function
    • The BIA process
      • Identify information collection techniques
      • Select respondents and conduct interviews to collect data
      • Identify the company's key business functions and their supporting resources
      • Determine the maximum tolerable downtime (MTD)
      • Identify weaknesses and threats
      • Perform the risk analysis calculations
      • Document these findings and report the BIA to management
    • BIA Questionnaire Design
    • Information Analysis of BIA
    • Maximum tolerable downtime (MTD)
      • If an interruption exceeds the maximum tolerable downtime, it becomes difficult to recover the business. The more critical the function or resource, the shorter its MTD should be
        • Critical: within 1 hour
        • Urgent: 24 hours
        • Important: 72 hours
        • General: 7 days
        • Non-essential: 30 days
      • Sequence the recovery of critical business functions and their supporting resources according to MTD
  • BCP strategy selection
    • Metrics and Specifications for Disaster Recovery
      • Work Recovery Time (WRT): the time needed to verify the restored systems and resume normal work once they are back; relatively fixed
      • Recovery Time Objective (RTO): the maximum time allowed to elapse before system unavailability seriously affects the organization; RTO < MTD
      • Recovery Point Objective (RPO): the point in time to which data must be recovered in order to continue processing, i.e. the maximum amount of data loss allowed
      • RTO + WRT <= MTD
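An added example, not part of the original notes, that applies the MTD tiers and the RTO < MTD and RTO + WRT <= MTD rules above to a constructed inventory of business functions and sequences their recovery by MTD; the function names and their RTO/WRT values are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Maximum tolerable downtime per criticality tier, in hours (tiers from the notes above).
MTD_HOURS = {
    "critical": 1,
    "urgent": 24,
    "important": 72,
    "general": 7 * 24,
    "nonessential": 30 * 24,
}

@dataclass
class BusinessFunction:
    name: str
    criticality: str   # key into MTD_HOURS
    rto_hours: float   # recovery time objective proposed by the strategy
    wrt_hours: float   # work recovery time, treated as fixed per function

    @property
    def mtd_hours(self) -> int:
        return MTD_HOURS[self.criticality]

def check_function(bf: BusinessFunction) -> list[str]:
    """Return rule violations for one function; an empty list means the strategy fits its MTD."""
    problems = []
    if bf.rto_hours >= bf.mtd_hours:
        problems.append(f"{bf.name}: RTO {bf.rto_hours}h is not < MTD {bf.mtd_hours}h")
    if bf.rto_hours + bf.wrt_hours > bf.mtd_hours:
        problems.append(f"{bf.name}: RTO + WRT = {bf.rto_hours + bf.wrt_hours}h exceeds MTD {bf.mtd_hours}h")
    return problems

def recovery_order(functions: list[BusinessFunction]) -> list[str]:
    """Sequence recovery by MTD (shortest first), then RTO, then name."""
    return [bf.name for bf in sorted(functions, key=lambda b: (b.mtd_hours, b.rto_hours, b.name))]

# Constructed sample inventory; the function names and values are hypothetical.
SAMPLE = [
    BusinessFunction("payroll", "important", rto_hours=48, wrt_hours=30),      # 48 + 30 > 72
    BusinessFunction("order-entry", "critical", rto_hours=0.5, wrt_hours=0.25),
    BusinessFunction("email", "urgent", rto_hours=24, wrt_hours=4),            # RTO not < 24
    BusinessFunction("intranet-wiki", "general", rto_hours=72, wrt_hours=24),
]

if __name__ == "__main__":
    for bf in SAMPLE:
        for problem in check_function(bf):
            print("VIOLATION:", problem)
    print("recovery order:", " -> ".join(recovery_order(SAMPLE)))
```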

Origin blog.csdn.net/qq_18209847/article/details/126821189