Lecture5 Contingency Planning PDF

CC7178

Cyber Security Management

Lecture 5

Contingency Planning

CC7178 Cyber Security Management


Learning Objectives
– Understand the need for contingency planning
– Understand the major components of contingency planning
– Create a simple set of contingency plans, using Business Impact Analysis
– Prepare and execute a test of contingency plans
– Understand the combined contingency plan approach



(Week 3) Risk Control Strategies
• There are four basic strategies to control risks:
– Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
– Transference: shifting the risk to other areas or to outside entities
– Mitigation: reducing the impact should the vulnerability be exploited
– Acceptance: understanding the consequences and accepting the risk without control or mitigation



(Week 3) Mitigation
• Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
• This approach includes three types of plans (Contingency Planning):
– Incident Response Plan (IRP)
– Disaster Recovery Plan (DRP)
– Business Continuity Plan (BCP)
• Mitigation depends on the ability to detect and respond to an attack as quickly as possible.



Introduction
Contingency Planning:
• What it is: planning for the unexpected event in which the use of technology is disrupted and business operations come close to a standstill
• How to implement it: procedures are required that will permit the organization to continue essential functions if information technology support is interrupted
• What is at stake: over 40% of businesses that don't have a disaster plan go out of business after a major loss (source: Hartford)



What Is Contingency Planning?
• The overall planning for unexpected events is called Contingency Planning (CP).
• It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets.
• The main goal is the restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event.



CP Components
• Incident Response Plan (IRP): focuses on immediate response.
• Disaster Recovery Plan (DRP): focuses on restoring operations at the primary site after disasters occur.
• Business Continuity Plan (BCP): facilitates establishment of operations at an alternate site.
• These are based on the Business Impact Analysis (BIA): identifies the critical business functions and information assets.



6 Steps to CP
Contingency planners should:
– Identify the mission- or business-critical functions.
– Identify the resources that support the critical functions.
– Anticipate potential contingencies or disasters.
– Select contingency planning strategies.
– Implement the selected strategy.
– Test and revise contingency plans.



CP Teams
• Four teams are involved in contingency planning and contingency operations:
– The overall CP team
• Champion
• Project Manager
• Team Members (e.g. business managers, information technology managers, information security managers)
– The Incident Recovery (IR) team
– The Disaster Recovery (DR) team
– The Business Continuity (BC) team



Contingency Planning
• NIST describes the need for this type of planning:
“These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.”



Components of Contingency Planning (figure slide)



Major Tasks in Contingency Planning (figure slide)



Business Impact Analysis (BIA)
• First phase in the CP process
• A crucial component of the initial planning stages
• Provides the CP team with information about systems and the threats they face.
• Provides detailed scenarios of the impact each potential attack can have.



BIA vs Risk Management
Difference between BIA and RM:
• Risk Management focuses on identifying threats, vulnerabilities, and attacks to determine controls.
• BIA assumes controls have been bypassed or are ineffective, and the attack was successful.



Business Impact Analysis: 5 Stages
• The CP team conducts the BIA in the following stages:
1. Threat attack identification
2. Business unit analysis
3. Attack success scenarios
4. Potential damage assessment
5. Subordinate plan classification



Threat/Attack Identification and Prioritization
• An organization that uses a risk management process will already have identified and prioritized threats.
• These organizations update the threat list and add one additional piece of information: the attack profile.
• An attack profile is a detailed description of the activities that occur during an attack.



Example Attack Profile (figure slide)



Business Unit Analysis
• The analysis and prioritization of business functions within the organization.



Attack Success Scenario Development
• Create a series of scenarios depicting the impact of a successful attack on each functional area.
• Attack profiles should include scenarios depicting a typical attack, including:
– Methodology
– Indicators
– Broad consequences
• More details are added to the attack profile, including alternate outcomes: best, worst, and most likely.



Potential Damage Assessment
• From the detailed scenarios, the BIA team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case.
• This will allow identification of what must be done to recover from each possible case.



Subordinate Plan Classification
• Once the potential damage has been assessed, and each scenario and attack scenario end case has been evaluated, a subordinate plan must be developed or identified from among existing plans already in place.
• Each attack scenario end case is categorized as disastrous or not.
• Attack end cases that are disastrous find members of the organization waiting out the attack, and planning to recover after it is over.



Incident Response Plan (IRP)
• In CP, an unexpected event is called an incident.
• The IRP is a detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets.
• Incident response is a set of procedures that commence when an incident is detected.



Incident Response Plan (cont.)
• When a threat becomes a valid attack, it is classified as an information security incident if:
– It is directed against information assets
– It has a realistic chance of success
– It threatens the confidentiality, integrity, or availability of information assets
• It is important to understand that IR is a reactive measure, not a preventative one.
• For each incident scenario, the CP team creates 3 sets of incident-handling procedures.



Three Sets of Incident-Handling Procedures
During the incident
• Planners develop and document the procedures that must be performed during the incident.
• These procedures are grouped and assigned to various roles.
• The planning committee drafts a set of function-specific procedures (for each group).



Three Sets of Incident-Handling Procedures (Cont.)
After the incident
• Once the procedures for handling an incident are drafted, planners develop and document the procedures that must be performed immediately after the incident has ceased.
• Again, separate functional areas may develop different procedures.



Three Sets of Incident-Handling Procedures (Cont.)
Before the incident
• Planners draft a third set of procedures: the tasks that must be performed in advance of the incident.
• These procedures include:
– Details of data backup schedules
– Disaster recovery preparation
– Training schedules
– Testing plans
– Copies of service agreements
– Business continuity plans, if any



An example of an IRP (figure slide)



Disaster Recovery Plan (DRP)
• Disaster recovery planning is the preparation for and recovery from a disaster, whether natural or man-made.
• In general, an incident is a disaster when:
– The organization is unable to contain or control the impact of an incident.
– The level of damage or destruction from an incident is so severe that the organization is unable to quickly recover.
• The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located.



Disaster Classifications
A DRP can classify disasters in a number of ways:
– The most common method is to separate natural disasters from man-made disasters.
– Another way of classifying disasters is by speed of development.
• Rapid onset disasters (e.g. earthquakes, floods, hurricanes)
• Slow onset disasters (e.g. environmental degradation)



Planning for Disaster
• Key points in the DRP
– Clear delegation of roles and responsibilities for the DR team
– Execution of the alert roster and notification of key personnel (may extend to outside bodies)
– Clear establishment of priorities (saving human life being the top priority)
– Documentation of the disaster
– Action steps to mitigate the impact
– Alternative implementations for the various system components (e.g. stand-by equipment)
• The DRP must be tested regularly.



Responding to the Disaster
• Actual events could overwhelm even the best of plans. To be prepared, the DRP should be flexible.
• If physical facilities are intact, the DR team should begin restoration there.
• If the organization’s facilities are unusable, take alternative actions.
• When a disaster threatens the organization at the primary site, the DRP becomes the BCP.



Business Continuity Planning (BCP)
• BCP ensures critical business functions can continue in a disaster.
• Most properly managed by the CEO.
• Activated and executed concurrently with the DRP when needed, when the disaster is major or long term.
• While the BCP reestablishes critical functions at an alternate site, the DRP focuses on reestablishment at the primary site.
• BCP relies on identification of critical business functions and the resources to support them.



Continuity Strategies
• Several continuity strategies exist for business continuity, with the determining factor usually being cost.
• Three exclusive-use options:
– Hot sites
– Warm sites
– Cold sites
• Three shared-use options:
– Timeshare
– Service bureaus
– Mutual agreements



Exclusive Use Options
• Hot sites
– Fully configured computer facility with all services
• Warm sites
– Like a hot site, but software applications are not kept fully prepared
• Cold sites
– Only rudimentary services and facilities kept in readiness



Shared Use Options
• Timeshares
– Like an exclusive use site but leased
• Service bureaus
– Agency that provides physical facilities
• Mutual agreements
– Contract between two organizations to assist each other
• Other specialized alternatives
– Rolling mobile site
– Externally stored resources



Incident Response and Disaster Recovery (figure slide)



Disaster Recovery and Business Continuity Planning (figure slide)



Contingency Plan Implementation Timeline (figure slide)



Business Resumption Planning
• Because the DRP and BCP are closely related, most organizations prepare them concurrently, and may combine them into a single document, the Business Resumption Plan (BRP).
• Although a single planning team can develop the BRP, execution requires separate teams.



Testing Contingency Plans
• Testing identifies potential problems and drives improvements, so that the resulting plan can be relied on in times of need.
• There are five testing strategies that can be used to test contingency plans:
– Desk check
– Structured walkthrough
– Simulation
– Parallel testing
– Full interruption



Final Thoughts on Continuous Improvement
• Iteration results in improvement.
• A formal implementation of this methodology is a process known as continuous process improvement (CPI).
• Each time the plan is rehearsed it should be improved.
• Constant evaluation and improvement leads to an improved outcome.



Summary
• Introduction
• What Is Contingency Planning?
• Components of Contingency Planning
• Putting a Contingency Plan Together
• Testing Contingency Plans
• A Single Continuity Plan

