An organization’s information systems are under constant threat from an array of events that can adversely impact its ability to perform internal and external functions. No IT group should be without a comprehensive Disaster Recovery Plan (DRP) that covers in detail how an operation will prepare and respond to a cyber security attack, a natural or unnatural disaster, or any other event that creates an interruption of data services.

The 2014 EMC Global Data Protection Index found that IT downtime and data losses cost businesses $1.7 trillion. Of the 3,300 IT decision-makers surveyed for the report, 71% reported that they were not fully confident in their ability to recover data services following an event. With numbers like that, it is easy to see why such a great demand exists in the market for certified Information Systems Security Management Professionals (ISSMP) who can lead an organization’s disaster recovery initiatives.

The Certified Information Systems Security Personnel (CISSP)’s ISSMP exam covers in detail how an IT professional should go about creating a DRP and how to execute it, should a group need to. Preparation for disaster recovery calls not only for the practical steps of writing the DRP, assigning personnel to key tasks (before a cyber security attack or natural disaster) and pre-arranging backup facilities, equipment and other resources, but also for getting management to buy into a comprehensive disaster recovery program. Without a 100% buy-in from upper management on the importance of disaster recovery, resulting plans and preparations will all but certainly be inadequate.

Business Unit and Functional Priorities

Every group within an organization, as well as their clients, relies on IT services. These services vary widely in the degree to which they impact a business. When a cyber security event or other disaster has impacted multiple services, the most pragmatic approach is to restore those services which are most critical to an organization’s mission. Depending upon the circumstances, it may be necessary to either restore services by a ranking of importance or to reallocate resources (hardware, software, personnel and funds) from one initiative to another.

Businesses use prioritization schedules in all groups and in all levels of management, so oftentimes a basic idea of prioritization will already exist. This existing base of knowledge will be helpful in conducting a Business Impact Analysis (BIA), which candidates will be expected to understand for the ISSMP exam.

BIAs provide a comprehensive examination of the various risks and threats that exist to all IT resources, what role each plays in supporting the organization and potential damage to revenue streams and image, based upon how long each resource is unusable or marginally performing. ISSMP training programs cover how data is gathered and examined to complete this study.

One of the most helpful and vaunted tools in prioritization is a questionnaire. Surveying managers captures not only what they believe are the most vital services from an operations support viewpoint, but also the quantified financial and public-image impact of each IT capability lost. Correlating those findings with IT’s assessment of the cost and time associated with restoring individual services provides a roadmap as to what should be tackled first through last.

CISSP recommends a scoring system based on Low, Medium, High and Critical:

  • Low – Considered a minor interruption that may go unnoticed by clients and continue for up to 30 days with no serious impact on operations.
  • Medium – Anything that would cause major disruption of services after a few days to a week, and result in significant financial losses or loss of customers.
  • High – Disruptions of more than mere minutes or hours that cause serious damage to a firm’s image or finances.
  • Critical – Simply cannot happen without major, adverse impact to an organization. To avert these events, every reasonable precaution must be taken.

Categorizing using these guidelines and designing policies and procedures in accordance with respective rankings will go a long way towards developing both the BIA and DRP.
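The prioritization described above, as an added example that is not from the article or from any ISSMP material: questionnaire ratings on the Low/Medium/High/Critical scale are correlated with IT's restore-time estimates to produce a restoration order. The service names, the figures, the rule that the most severe rating wins and the loss-per-restore-hour tie-break are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

# The article's four-level scale, least to most severe.
TIERS = ["Low", "Medium", "High", "Critical"]

@dataclass
class Service:
    name: str
    ratings: list         # tier chosen by each surveyed manager
    loss_per_day: list    # each manager's estimate of daily loss
    restore_hours: float  # IT's estimate of time to restore

def consensus_tier(svc):
    # Assumption: the most severe rating any manager gave is used.
    return max(svc.ratings, key=TIERS.index)

def restoration_order(services):
    # Most severe tier first; within a tier, the service that recovers
    # the most daily loss per hour of restore effort goes first.
    def key(svc):
        tier = TIERS.index(consensus_tier(svc))
        payoff = median(svc.loss_per_day) / max(svc.restore_hours, 0.1)
        return (-tier, -payoff)
    return [(s.name, consensus_tier(s)) for s in sorted(services, key=key)]

def disputed(services, spread=2):
    # Ratings two or more tiers apart mean the survey needs a follow-up.
    flagged = []
    for svc in services:
        levels = [TIERS.index(r) for r in svc.ratings]
        if max(levels) - min(levels) >= spread:
            flagged.append(svc.name)
    return flagged

# Constructed sample data, not taken from any real BIA.
SAMPLE = [
    Service("payroll", ["Medium", "Medium"], [20000, 30000], 8),
    Service("order-db", ["Critical", "High"], [500000, 400000], 12),
    Service("intranet-wiki", ["Low", "Low"], [500, 1000], 4),
    Service("email", ["High", "Low", "High"], [50000, 10000, 60000], 6),
    Service("web-storefront", ["High", "High"], [300000, 350000], 3),
]

if __name__ == "__main__":
    for rank, (name, tier) in enumerate(restoration_order(SAMPLE), 1):
        print(rank, tier, name)
    print("follow-up needed:", disputed(SAMPLE))
```

The disputed list matters as much as the ranking: a service rated Low by one manager and High by another usually points to a dependency that one of them does not know about.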

Crisis Management

During a crisis, any number of parties will want and/or need direction and information. Most recovery operations will have been pre-defined, specifically addressing what alternative site should be used, data restoration plan and other tasks, which are not so much based on the actual event, but rather the outcome of the event. An exception to this is communication. The press, customers, employees, management, shareholders, authorities and other stakeholders will want to know exactly what has been and is happening.

Leaders in operations, IT and other groups will need only to follow pre-established procedures to restore services, and to regularly communicate status. The party responsible for managing communications must wing it more so than others. A properly trained spokesperson can have some press releases, internal messages and other communications prepared in advance of a disaster or cyber security event, such as general apologies and procedures. However, much of the specific messaging will need to be created as it is discovered, such as what exactly happened in the event, what the organization is doing at a given hour in response and when exactly services will be restored.

ISSMP candidates must understand the role of each member of the disaster response team, and ensure that they have the training, plans and tools necessary to manage a crisis.

Emergency Communications

Following a cyber security event or other incident, stakeholders will want and need to know what has happened and how to proceed. Reliable status updates and clear instructions for proceeding go a long way towards easing concerns and minimizing the adverse impact on both the operations and the image of an organization. For many of these answers, these stakeholders will look for significant input from the IT recovery team.

Cyber security breaches and other disasters can render an organization’s primary communication systems useless, along with any statements or records that will need to be accessed for internal and external communications. The DRP will need to have contingency plans for loss of communications hardware and collateral that may also be lost at the primary site or in an external data system. ISSMP candidates will be expected to understand these principles for the exam.

Workgroup Recovery

Workgroup recovery, in most cases, will be more involved in physical events, rather than in cyber security breaches or attacks. For a workgroup to recover from a cyber security attack, alternative systems and tools must be available to conduct mission-critical tasks. In the wake of a major natural disaster, the lives of employees may be seriously impacted with loss of homes and transportation. Comprehensive disaster recovery considers and plans for all of these possibilities.

Alternate Processing Sites

The complete annihilation of a data center, more likely to occur in a physical disaster than in a cyber security event, is among the most devastating events that an organization might experience. ISSMP candidates will be tested on how to plan for just such an event.

Options for alternate processing sites include real-time, redundant systems, along with hot, warm and cold data centers. The capabilities, costs and best practices for each of these options will be weighed against budgets and business impact during the planning process. After settling on a particular option, pre-existing contracts should be put into place, rather than attempting to procure these sites during a disaster.

Mutual Assistance Agreements

Reciprocal agreements are surprisingly common among corporations. Nearly every business understands that they could be hit with a cyber security attack or other disaster that could bring them to their knees. Businesses can and do have pre-existing agreements that offer to lend personnel, facilities or off-site IT services to one another.

These agreements are somewhat dicey, and disaster recovery planners should consider several factors before contracting with another firm for mutual disaster recovery support. Direct competitors should be considered as a last resort, as there may be less incentive to provide all possible help, and sensitive information, which could compromise a firm’s advantage in a market, could very well be gained by the competitor.

Database Recovery

As with so many tasks necessary in disaster recovery, the ability to restore databases will hinge largely on preparations made in advance. The BIA will have included an assessment of all databases, and the impact the loss of each will have. The degree of impact will determine what backup configurations and restore tools are appropriate for each individual database.

Which media type to use for backup, frequency of backups, where to store media, who has access to the media and reuse and rotation policies of media will all be decided based on a database’s impact to the business. Available budget will also play a role in developing the storage plan, so ISSMPs must be prepared to justify the costs of any technology or preventive measures used in the process.

Awareness and Training

Without proper training of staff and an awareness and adherence to disaster recovery policies and procedures, even the best of contingency plans will struggle to be executed promptly and thoroughly. Through classes, newsletters, bulletins, word-of-mouth and any other means available, the ISSMP must continue to evangelize the value of disaster recovery and ensure that all employees understand their roles in a disaster, before it strikes.

Testing

After all planning and preparations have been completed, a test of staff and systems should be conducted, both to help prepare employees for a disaster and to uncover any shortcomings that need addressing. Following the initial test, disaster drills should occur on a regular basis. Candidates for the exam will need to understand the types of tests recommended.

The ISSMP exam will cover five types of tests:

  1. Checklist – Not actually a test, but a good start.
  2. Structured walkthrough – The emergency management team and group managers all meet to orally walk through their roles and procedures.
  3. Simulation – As implied by name, this test involves the simulation of a disaster, with employees performing the duties they would in a bona fide event.
  4. Parallel – This test is the structured walkthrough performed at two sites: the affected and the alternative.
  5. Full interruption – The best, but most dangerous of tests, as systems are shut down and database restoration is performed on first-line systems, which can result in a disaster itself.

Final Word

ISSMP certification demonstrates that a candidate has a solid understanding of what procedures and policies are necessary to best prepare an organization to respond to an event compromising data services. Well-respected in the IT community, certified ISSMPs are entrusted with disaster recovery planning and preparation, and with becoming evangelists for disaster recovery initiatives within an organization.

After completing training and passing the ISSMP exam, successful candidates will have the confidence and skills needed to fulfill the expectations of the IT community for disaster planning. Certified ISSMPs will also possess the ability to effectively persuade upper management of the critical nature of disaster recovery, and to justify associated costs and efforts from both financial and image standpoints.



Ryan Fahey
