302
A Practical Guide to Security Assessments
indefinitely if the cost is negligible and having different backup strategies
for different data would create more work. Another scenario is where there
is no backup strategy and data is not backed up consistently, which is
definitely a cause for concern. It is critical that data owners define backup
requirements. IT should not be dictating backup requirements. IT should
develop a cost-effective backup strategy that fulfills the requirements set
forth by the data owners.
Risk: The risks associated with backup and recovery strategies not being
aligned with business requirements include:
• Critical data may not be backed up, resulting in legal or operational
issues.
• Excessive resources may be spent in backing up too much data.
Client Response:
9. Is your company governed by any regulatory requirements related to
backup and recovery?
Guidance: With regulatory requirements, companies essentially have no
choice. For example, there is a specific requirement related to backups in
the HIPAA security regulations, with which health care entities must
comply. Regulatory requirements are an area where personnel from the business
and technology sides must interact. Data owners affected by regulations
should stay up to date on requirements and communicate with IT personnel
accordingly. As part of the assessment, you should determine whether
IT is receiving this information or whether they are expected to know it.
One thing to do in preparation for the security assessment is to gain an
understanding of the regulations that might affect the client.
Risk: The risk associated with not being compliant with regulatory
requirements can include fines or damage to a company’s reputation.
Client Response:
10. Are the backup tapes clearly labeled to help ensure a smooth recovery
process?
Guidance: Backup tapes are often needed for restoring anything from
single files to multiple directories. Typically, when restorations are required,
AU1706_book.fm Page 302 Wednesday, July 28, 2004 11:06 AM
Appendix F
303
users want it done immediately, particularly if it affects a mission-critical
process. To help ensure this quick turnaround time, tapes should be labeled
properly so information can be quickly located. The key benefits related to
labeling backup tapes include:
• Turnaround time for restoring files is faster than if not labeled.
• It reduces the dependency on one or few individuals who are the only
ones who know the contents of the backup tapes. With labeling, any
IT person who knows the restore process can find the right backup
tape in the event a restoration is required.
Risk: The risk associated with not clearly labeling backup tapes is
potentially not being able to perform restorations on a timely basis. In addition,
there is a risk associated with a limited number of people knowing the
content of the tapes.
Client Response:
11. Are there Service Level Agreements or Objectives (SLAs or SLOs) related
to restoring data for users?
Guidance: Some organizations have agreements (SLAs or SLOs) for
restoring data. The difference between SLAs and SLOs is that the SLAs
are more contractual in nature in that penalties exist if the terms of the
agreement are not kept. SLOs are objectives for which a servicing
organization is striving. With backup and recovery processes, the agreements are
between the user community and IT and can specify target metrics for
various aspects of backup and recovery. Depending on the organization, these
agreements may have financial implications — e.g., if the IT department
is charging individual departments of a company for its services, charges
may be adjusted if service level requirements are not met. Agreements
establish accountability for all parties involved and provide a mechanism
to identify processes that are not working properly. In a security
assessment, two key aspects of the agreements should be reviewed:
• Are the current processes adequate to achieve the metrics established
in the agreements (acceptable time frames for file restoration, tape
retention requirements, etc.)?
• Does the company manage to the agreements — i.e., does the company
enforce the agreements? Without enforcement, the value of the
agreements is significantly diminished.
Risk: Not applicable. A lack of SLAs or SLOs does not necessarily pose
any security risk, but the presence of SLAs or SLOs does enhance the
overall security posture by adding accountability to the tasks in the information
security program.
Client Response:
12. Are users aware of where information should be stored to ensure that
their information is backed up? Do they store information locally on their
computers, which normally are not backed up?
Guidance: Companies typically have several places (directories, drives,
etc.) where information can be stored. Users might have a network shared
drive, a home directory, and their local hard drives on their personal
computers. Not all of these places where a user can store information will be
backed up. Local hard drives on users’ computers are not typically backed
up. However, users are not always aware of this and as a result, they store
their critical information on their local machines, which are probably not
backed up on a regular basis. For example, sales representatives or
consultants may primarily work at customer premises where their work is probably
stored on their hard drives. If the hard drive on a computer is corrupted,
they can lose all of their information. Consider a research and development
person who has significant analysis documentation on his or her personal
computer, and the computer crashes or is stolen. In this scenario, some
very valuable information can be permanently lost or even worse,
proprietary research information can get into the hands of a competitor. In these
instances, the value of the information is more than the value of the
computer. Users should be made aware of where they must store their
information to ensure that it is backed up properly. This can be addressed in an
orientation or awareness program.
Risk: The risk associated with users not being aware of where information
must be stored is that valuable information might be permanently lost.
Depending on the criticality of the information, significant operational
consequences can result.
Client Response:
13. Is off-site storage used for backup tapes? If not, where are backups stored?
Guidance: Backup tapes are ultimately used in many cases to restore
information. Off-site storage is important in the event that an incident forces
the company facilities to be inaccessible. Formal off-site storage might be
expensive and not feasible for a company. In some cases (particularly in
smaller companies), a person in the IT department or some other person
might take backup tapes home, avoiding the cost of off-site storage. In other
cases, companies might use their other facilities to store tapes. The main
thing to look for is that the tapes are not stored on site, where they might
be inaccessible in the event of a disaster. In addition, off-site storage
should be addressed in the business continuity plan.
Risk: If tapes are not adequately stored somewhere off site, there is a risk
that backup tapes will not be accessible in the event of a disaster, which
can potentially result in disruption of operations.
Client Response:
14. What type of documentation is maintained for off-site tapes?
Guidance: In the event that restoration of data is required, someone must
know where the tapes are, what is contained on what tape, and how to
restore from the tape. In addition, there should be documentation on who is
authorized to access the tapes, which can be in a procedure for accessing
off-site tapes. This is important when information has to be restored or if
there is a disaster. Off-site tapes documentation and the related
authorization lists should be addressed within a business continuity plan.
Risk: If no documentation exists regarding tapes that are stored off site,
there is a risk that tapes will not be easily accessible in the event of a
disaster.
Client Response:
15. Who has access to the backup tapes and how is access managed?
Guidance: Backup tapes contain sensitive and critical information about
a company. As a result, access to the tapes should be limited to only those
who need it to do their jobs. Typically, only those who have primary
responsibility for file restoration and someone who is a backup should have
access. In addition, you may have others who have access for purposes of
business continuity and even then, only under special circumstances. In no
case should the tapes be easily accessible to the general IT population. In
addition, the tapes should be locked up with the appropriate protections.
When an authorized individual needs access to the tapes, it should be
logged. The person taking the tape and the reason for taking the tape
should be documented. There should be appropriate segregation of duties
between the person accessing the tapes and the person maintaining the log.
Risk: If access to the tapes is not properly controlled, there are risks
related to:
• Unauthorized access to critical company information
• Loss or destruction of the tapes, making restoration of information
difficult if not impossible
Client Response:
16. How do you ensure that backups were successful?
Guidance: Backups can be done manually or as an automated process
where certain batch jobs are run at predefined intervals (daily, weekly,
monthly) depending on the company’s specific business requirements. For
many companies, backups are done as part of automated jobs, which run
every night. There should be a process or control in place to ensure that
backups are run successfully. At the minimum, there should be a process
to ensure that mission-critical data is backed up as required. If backups are
not successful, appropriate individuals should be notified.
Risk: If there is no process for ensuring successful backups, there is a risk
that file restorations will not be possible due to information not being
properly backed up. The risk becomes significantly worse if mission-critical
data cannot be restored.
Client Response:
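One way to implement the control asked about in question 16, as an added example that is not from the book: it reports every dataset whose most recent successful backup is older than its required interval, so a job that silently never ran is caught as well as one that logged a failure. The dataset names, intervals, and log format are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed requirements set by data owners:
# dataset -> (maximum age of the last good backup, mission-critical?)
REQUIREMENTS = {
    "finance-db": (timedelta(days=1), True),
    "hr-share": (timedelta(days=1), False),
    "rnd-archive": (timedelta(days=7), True),
}

# Constructed job log, one line per run: "<ISO timestamp> <dataset> <status>"
SAMPLE_LOG = """\
2004-07-26T01:00:00 finance-db SUCCESS
2004-07-27T01:00:00 finance-db FAILED
2004-07-28T01:00:00 hr-share SUCCESS
2004-07-28T01:05:00 finance-db FAILED
"""

def last_success(log_text):
    """Return {dataset: datetime of its most recent SUCCESS entry}."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        stamp, dataset, status = parts
        when = datetime.fromisoformat(stamp)
        if status == "SUCCESS" and (dataset not in latest or when > latest[dataset]):
            latest[dataset] = when
    return latest

def backup_findings(log_text, requirements, now):
    """List (severity, dataset, reason) for every dataset out of policy."""
    latest = last_success(log_text)
    findings = []
    for dataset, (max_age, critical) in sorted(requirements.items()):
        severity = "CRITICAL" if critical else "WARNING"
        good = latest.get(dataset)
        if good is None:
            # No failure was logged either: the job may never have been scheduled.
            findings.append((severity, dataset, "no successful backup on record"))
        elif now - good > max_age:
            findings.append((severity, dataset,
                             f"last good backup {good.isoformat()} is older than {max_age}"))
    return findings

if __name__ == "__main__":
    for finding in backup_findings(SAMPLE_LOG, REQUIREMENTS, datetime(2004, 7, 28, 8, 0)):
        print(*finding, sep=" | ")  # hand these to whoever must be notified
```

Checking the age of the last success, rather than counting failure entries, is what lets the check flag `rnd-archive`, which never appears in the log at all.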
17. Has a full recovery ever been tested?
Guidance: A full recovery test is something that is not always performed
for a variety of reasons including:
• Full recovery tests can be very time consuming.
• Companies do not always have the staff to do this type of test.
• The recovery test might cause a disruption in operations if not
performed properly.
• Companies do not necessarily see the value in doing it because the
likelihood that a full restoration is required may seem minimal.