292 ◾ Official (ISC)²® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
The critical needs can be obtained in a consistent manner by using a user department questionnaire. The questionnaire focuses on documenting critical activities in each department and identifying related minimum requirements for staff, equipment, forms, supplies, documentation, facilities, and other resources.
Offshoring Risks
Simple communication is possible without trust, but collaboration is not. High-value activities require trustworthy environments. The good news is that the need to distribute trust is highly recognized, resulting in numerous initiatives to create both new technologies and new social mechanisms. Technology tends to take the lead, with legal and other social mechanisms following.
The term "community of trust" (CoT) refers to a sociotechnical construct that meets the communications and security needs for ongoing sharing of sensitive data across the Internet between multiple organizations. Built on top of the existing enterprise and the Internet, but not limited to any particular subset of it, a CoT provides the social conventions and technical standards necessary to support substantive collaboration, ensuring that initial conditions for trusted collaboration are met and maintained.
Concerns about controlling the conditions of data use have grown as data become easier to copy. A growing risk since the introduction of the Xerox machine, data misuse exploded as a concern in the 1990s. Inexpensive computers, a ubiquitous network, and high-capacity personal storage devices make controlling data use exponentially more difficult to achieve than it ever was in the past.
There is, then, a need to develop the strategy to ensure that your BC policy and plans for your organization accommodate a growing number of requirements for external access to sensitive organizational information.
In the rush to save costs through outsourcing and take advantage of new business models, we have often forgotten one of the most fundamental aspects of risk. The less you know about something, the riskier you must assume that it is. Furthermore, postmodern philosophies about moral relativism have made it somewhat politically unacceptable to suggest that some groups of people cannot be trusted as much as other groups. This flies in the face of human experience that universally puts family relationships ahead of community relationships, with a culturally dependent set of increasingly less-trusted communities arranged almost hierarchically beyond that. Within each recognizable community exists what Francis Fukuyama refers to as a "radius of trust"; outside of that radius, people feel a lesser obligation toward others.
In terms of a distributed communications model of any kind, the greater the degree of separation, the harder it is to predict what other people will do. If you misinterpret your relative standings within the perceived radius of trust, you are going to underestimate the likelihood that you will come to harm.
With all other factors equal, the farther you get from your data center, the greater the information-related risk. Technical compatibilities and differences in legal climate also create unanticipated risk. The greater the degree of separation, the more effort that must be put into ensuring that the collaboration partners can be trusted and that communications are reliable.
Business impact assessment (BIA) is a fundamental part of the BS 25999 standard. It provides the basis upon which all of the other activities are driven. It is therefore essential that the right mechanisms exist within the owning organization to ensure that BIA is addressed in a controlled, consistent, and robust manner.
Identification of Critical Activities
Describe here how the organization identifies its business critical activities (BCA). In this context these are all the activities that, should they fail, would have an impact on the delivery of the goods and services provided to your organization or its business partners. Table 4.4 provides an example of the typical level of detail required.
Threats and Vulnerabilities
During your CISSP studies, we evaluated a generic structure based upon the model provided by the Common Criteria for IT Security Evaluation in Figure 4.8. This model shows the relationships between the different elements. However, we have to remember that as our systems have become more complex over time, as objects are reused by different subsystems, and as systems are spread across distributed, sometimes geographically dispersed, platforms, a single threat can impact a number of assets with differing outcomes. What may appear as a minor risk to one asset could have a significant impact on another. Thus, evaluating the threat against the end-to-end processing of any given asset will provide a truer reflection of the level of risk.
Threat Analysis
Threats manifest themselves in a variety of guises. We are very familiar with such threats as viruses and bots, which affect our information technology, disrupting normal service and processing capabilities through their corruption of our data and their consumption of processing power. Over time, we have taken action to implement safeguards such as antivirus programs, firewalls, intrusion prevention and detection systems, and demilitarized zones. However, the scope and nature of threat vectors have changed over time as organizations have become more reliant on information systems and information technology to operate their businesses. Further, we have come to recognize the importance of people as part of those systems and the need to mitigate their loss as well as the technology. As businesses adopt a more global approach, disseminating their activities around the world, we
Table 4.4 The Typical Level of Detail Required to Identify Business Critical Activities (BCA)

Column headings (one row is completed per supporting activity):
    Supporting Activities
    Impacts Resulting from the Disruption of the Activities
    Maximum Tolerable Period of Disruption (Recovery Time Objective [RTO])
    Recovery Priority and Critical Activities (Priority 1 = Critical Activity [MCA])
    Relevant Dependencies for Critical Activities
    Determine Supplier BCM Where BCAs Are Dependent
    Critical Activity RTO
    Resources Required by BCAs for Resumption

Supporting Activities listed in the template (the remaining columns are left blank for the organization to complete):
    Key operation facilities (e.g., estate inventory including facilities provided, business operations housed, and technical infrastructures)
    Transport/logistics (e.g., vehicles, tools, spares, fuel, materials inventory data, and location of documentation)
    Key systems
    Documentation of end-to-end processes of core business systems, conceptual and physical
    Test facility
    Test environment before restoration of business processes
    Provision of people (e.g., loss of key personnel or critical mass due to industrial action, pandemic flu)
    Supply management (e.g., inability to maintain supply chain)
    Suppliers/sub-suppliers (e.g., loss of main or sub-supplier)
    Operational environmental management (e.g., loss of building or use of building)
    Information and communications (e.g., fixed voice [incl. internal], mobile [incl. messaging], information access [incl. intranet, Internet, and extranet])
    Incident management capability
    CERT teams, IRM teams
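The Table 4.4 template records, for each critical activity, its MTPD, its RTO, its recovery priority, and the other activities and suppliers it depends on. Once those columns are filled in, the obvious practitioner check is whether the entries are consistent with each other: an RTO longer than the MTPD, or an activity that is supposed to resume faster than something it depends on, is a gap in the plan. The following is an added illustration of such a check and is not code from the ISSMP guide; the field names, the consistency rules, the sample activities and every RTO/MTPD figure are constructed assumptions, not values from the book.

```python
"""Consistency check over a filled-in BIA table (added example, not from the guide).
Field names, rules, sample activities and all hour values are constructed."""
from dataclasses import dataclass, field


@dataclass
class CriticalActivity:
    name: str
    mtpd_hours: int          # Maximum Tolerable Period of Disruption (assumed unit: hours)
    rto_hours: int           # Recovery Time Objective for this activity
    priority: int            # 1 = critical activity (MCA), higher numbers = lower priority
    dependencies: list = field(default_factory=list)   # names of other BCAs this one needs
    supplier_bcm_verified: bool = True                 # supplier BCM confirmed where dependent
    resources: list = field(default_factory=list)      # resources required for resumption


def check_bia(activities):
    """Return a list of findings; an empty list means the table is internally consistent.

    Assumed rules (not stated on the page):
      - RTO must not exceed MTPD.
      - every named dependency must itself be recorded as a BCA.
      - a dependency's RTO must be <= the RTO of the activity that relies on it,
        otherwise the dependent activity cannot actually resume within its RTO.
      - a Priority 1 activity whose supplier BCM is unverified is flagged.
    """
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        if a.rto_hours > a.mtpd_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MTPD {a.mtpd_hours}h")
        for dep in a.dependencies:
            d = by_name.get(dep)
            if d is None:
                findings.append(f"{a.name}: dependency '{dep}' is not recorded as a BCA")
            elif d.rto_hours > a.rto_hours:
                findings.append(f"{a.name}: depends on '{dep}' whose RTO {d.rto_hours}h "
                                f"is longer than its own RTO {a.rto_hours}h")
        if a.priority == 1 and not a.supplier_bcm_verified:
            findings.append(f"{a.name}: Priority 1 but supplier BCM not verified")
    return findings


def recovery_order(activities):
    """Order activities for resumption: by priority, then shortest RTO, with each
    activity's recorded dependencies placed ahead of it. Unknown dependencies are
    skipped (check_bia reports them); the 'seen' set also guards against cycles."""
    by_name = {a.name: a for a in activities}

    def rank(name):
        a = by_name[name]
        return (a.priority, a.rto_hours)

    ordered, seen = [], set()

    def visit(a):
        if a.name in seen:
            return
        seen.add(a.name)
        for dep in sorted((d for d in a.dependencies if d in by_name), key=rank):
            visit(by_name[dep])
        ordered.append(a.name)

    for a in sorted(activities, key=lambda x: (x.priority, x.rto_hours)):
        visit(a)
    return ordered


# Constructed sample rows, deliberately containing several inconsistencies.
SAMPLE_BCAS = [
    CriticalActivity("Order processing", mtpd_hours=24, rto_hours=8, priority=1,
                     dependencies=["Key systems", "Information and communications"],
                     resources=["ERP instance", "call-centre staff"]),
    CriticalActivity("Key systems", mtpd_hours=12, rto_hours=4, priority=1,
                     dependencies=["Key operation facilities"]),
    # RTO longer than MTPD: the recovery target cannot meet the tolerable outage.
    CriticalActivity("Information and communications", mtpd_hours=8, rto_hours=12, priority=1),
    CriticalActivity("Key operation facilities", mtpd_hours=72, rto_hours=24, priority=2,
                     supplier_bcm_verified=False),
    # Depends on an activity nobody recorded in the table.
    CriticalActivity("Payroll", mtpd_hours=120, rto_hours=48, priority=3,
                     dependencies=["Key systems", "Bank gateway"]),
]

if __name__ == "__main__":
    for finding in check_bia(SAMPLE_BCAS):
        print("FINDING:", finding)
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BCAS)))
```

Run as a script it prints four findings for the sample rows (one RTO/MTPD conflict, two dependency RTO conflicts, one unrecorded dependency) and then the resumption order with "Key operation facilities" first, because both Priority 1 activities ultimately rely on it. The dependency-RTO rule is the one most often missed when the table is filled in department by department, since each department sets its own RTO without seeing the RTOs of the shared services it relies on.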