Business Continuity Planning and Disaster Recovery Planning are two sides of the same coin. Each springs into action when a disaster strikes. The difference between BCP and DRP can be expressed in the following two statements:
Tip

BCP and DRP: A simple illustration

Here’s the scenario: The business in question is a delivery service with one delivery truck that delivers goods around the city. Business Continuity Planning is concerned with keeping the delivery service running in case something happens to the truck, presumably with a backup truck, substitute drivers, maps to get around traffic jams, and other contingencies that can keep the delivery function running. Disaster Recovery Planning, on the other hand, is concerned with fixing the original delivery truck. This might involve making repairs or even buying or leasing a new truck. While the Business Continuity team is busy keeping business operations running via one of possibly several contingency plans, the Disaster Recovery team members are busy restoring the original facilities and equipment so that they can resume normal operations.

Here’s an analogy. Two boys kick a big anthill - a disaster for the ant colony. Some of the ants will scramble to save the eggs and the food supply; that’s ant city continuity. Other ants will work on rebuilding the anthill; that’s ant city disaster recovery. Both teams are concerned with the anthill’s survival, but each team has its own role to play.

BCP and DRP projects have these common elements:
This is where the similarities end. The BCP project focuses on continuing business operations, whereas the DRP focuses on recovering the original business functions. While both are concerned with the long-term survival of the business, they are different activities.
Before a BCP project can begin, some basic definitions and assumptions have to be made and understood by everyone on the project team. They are
A BCP project typically has four components: scope determination, the Business Impact Assessment, the Business Continuity Plan, and implementation. We discuss each of these components in the following sections.
The success and effectiveness of a Business Continuity Plan depends greatly upon whether its scope is properly defined. Business processes and technology can muddy the waters and make this task difficult. For instance, distributed systems and genuine dependence on at least some desktop systems for vital business functions expand the scope beyond core functions. Geographically dispersed companies - often the result of mergers - complicate matters as well. Also, large companies are understandably more complex. The boundaries between where a function begins and ends are oftentimes fuzzy and sometimes poorly defined.

Political pressures can influence the scope as well. A department that thinks that it’s vital but which is outside the BCP scope may lobby to be included, appropriately or otherwise. Everybody wants to be important, and some just want to appear to be important. Scope creep can become scope leap if the BCP project team is weak or inexperienced. For the success of the project, strong leaders must make rational decisions about the scope of the project. Remember that the scope of BCP projects can be changed in later iterations of the project. The project team needs to find a balance between too narrow a scope, which will make the plan ineffective, and too wide a scope, which will make the plan too cumbersome.

The Business Impact Assessment (BIA) describes the impact that a disaster has on business operations. The impact includes quantitative and qualitative elements. The quantitative impact is generally financial, such as loss of revenue or output of production. The qualitative impact has more to do with the delivery of goods and/or services and things such as the following.

Vulnerability Assessment

Often a BIA includes a Vulnerability Assessment that’s used to get a handle on obvious and not-so-obvious weaknesses in business critical systems.
Like a Risk Assessment, a Vulnerability Assessment has quantitative (financial) and qualitative (operational) sections.

Instant Answer The purpose of a Vulnerability Assessment is to determine the impact - both quantitative and qualitative - of the loss of a critical business function.

Quantitative losses include
Qualitative losses include loss of
The Vulnerability Assessment identifies critical support areas, which are business functions that, if lost, would cause irreparable harm to the business by jeopardizing critical business processes or the lives and safety of personnel. Critical support areas should be studied carefully in the Vulnerability Assessment to identify the resources that they require to continue functioning.

Instant Answer Quantitative losses include an increase in operating expenses attributable to any higher costs associated with executing the contingency plan.

Criticality Assessment

The BCP team should inventory all high-level business functions (for example, customer support, order processing, returns, accounts receivable, and so on), rank them in order of criticality, and describe the impact of a disruption of each function on overall business operations. Essential to the Criticality Assessment is an analysis of the impact of a disruption based upon its duration. You can see the vast difference in business impact of a disruption lasting one minute compared with one hour, one day, one week, or longer. Generally, the criticality of a business function depends upon the degree of impact that its impairment has on the business.

Identifying key players

Although you can consider a variety of angles when evaluating vulnerability and criticality, commonly you start with a high-level organization chart (hip people call this the org chart). In most companies, the major functions pretty much follow the structure of the organization. Following an org chart helps the BCP project team to consider all the steps in a critical process. A walk through the org chart, stopping at each manager’s or director’s position and asking, “What does he do?” and “What does she do?” will help to jog your memory and to better see all the parts of the organization’s big picture.
Tip When you’re cruising an org chart to make sure all areas of the organization are covered, you may easily overlook outsourced functions that might not show up in the org chart. For instance, if accounts payable (A/P) functions are outsourced, you might miss this detail if you don’t see it on an org chart. Okay, maybe this is a bad example because the absence of all of A/P would probably be noticed. But if part of A/P - say, a group that detects and investigates A/P fraud (looking for payment patterns that would suggest the presence of phony payment requests) - were outsourced, that vital function would probably not be on the org chart.

Establishing Maximum Tolerable Downtime

An extension of the Criticality Assessment is a statement of Maximum Tolerable Downtime (MTD) for each critical business function. Maximum Tolerable Downtime is the maximum period of time that a critical business function can be inoperative before the company fails to be viable. Here’s an illustration: Imagine your favorite online merchant - a bookseller, an auction house, or an online trading company - being down for an hour or a day or a week. At some point, you have to figure that a prolonged disruption will literally sink the ship and that the business won’t survive. This is what MTD is all about. The Maximum Tolerable Downtime assessment should be a major factor that determines the criticality - and priority - of business functions. A function that can only withstand two hours of downtime obviously has a higher priority than another function that can withstand several days of downtime.

Instant Answer Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without threatening the survivability of the organization.

Defining Resource Requirements

The Resource Requirements portion of the BIA is a listing of the resources that are required to continue operating each critical business function.
In an organization with finite resources (which is pretty much everyone), the most critical functions are going to get first pick, with the lower priority functions getting the leftovers.

A complete Business Recovery Plan consists of several components that handle not only the continuation of critical business functions but also all the functions and resources that support those critical functions.

Emergency response

Emergency response teams must be identified for every possible type of disaster. These response teams need written procedures to keep critical business functions operating. Written procedures are vital for two reasons. First, the people who perform critical functions may not be familiar with them: They may not be the same persons who perform them under usual circumstances (during a disaster, the people who ordinarily perform the function may be unavailable). Second, the procedures and processes for performing the critical functions during a disaster will probably be different than under normal conditions.

Damage assessment

When a disaster strikes, experts need to be called in to inspect the premises and determine the extent of the damage. Typically, you need experts who can assess building damage, as well as damage to any special equipment and machinery. Depending upon the nature of the disaster, damage assessment may be performed in stages. A first assessment may be a quick walkthrough to look for obvious damage, followed by a more time-consuming and detailed assessment to look for problems that are not so easily found. The purpose of damage assessments is to determine whether buildings and equipment can still be used, whether they can be used after some repairs, or whether they must be abandoned altogether.

Personnel safety

In any kind of disaster, the safety of personnel is the highest priority, ahead of buildings, equipment, computers, backup tapes, and so on.
This is not only because of the intrinsic value of human life, but also because people - not physical assets - make the business run.

Personnel notification

The Continuity Plan must have some provisions for notifying all affected personnel that a disaster has occurred. Multiple methods for notifying key business continuity personnel are needed in cases in which public communications infrastructures are interrupted. Not all disasters are obvious: A fire or broken water main is a local event, not a regional one. And, in an event like a tornado or flood, the state of the business is not necessarily clear to employees who live even a few miles away. Consequently, the organization needs a plan for communicating with employees, no matter what the situation. Throughout a disaster and its recovery, management must be given regular status reports as well as updates on crucial tactical issues so that management can align resources to support critical business operations that function on a contingency basis. For instance, a manager of a corporate facilities department can loan equipment needed by critical departments so that they can keep functioning.

Backups and off-site storage

Things go wrong with hardware and software, resulting in wrecked or unreachable data. When it’s gone, it’s gone! This is why IT departments everywhere make copies of their critical data onto tapes or removable discs. These backups must be performed regularly, usually once per day. The backup media must also be stored off-site in the event that the facility housing those systems is damaged. Having backup tapes in the data center is of little value if they’re destroyed along with their respective systems. For systems with large amounts of data, that data must be well understood in order to determine what kinds of backups need to be performed (full, differential, incremental) and how frequently. The factors that need to be considered are
For example, you must consider whether restoring application software from backup tapes is faster than just installing it from release media. Also, if

Off-site storage

Off-site storage of backup media and other materials (documentation, and so on) must be chosen carefully. Factors to consider include survivability of the off-site storage facility as well as the distance from the off-site facility to the data center, airports, and alternate processing sites. The facility needs to be close enough so that media retrieval doesn’t take too long (how long depends upon the organization’s recovery needs), but not so close that the facility will be involved in the same natural disaster as the business.

Tip Some organizations have one or more databases that are so large that they literally cannot (or, at any rate, do not) back them up to tape. Instead, they keep one or more replicated copies of the database on other computers in other cities. BCP planners need to consider this possibility when developing continuity plans.

Instant Answer The purpose of off-site media storage is to make up-to-date data available in the event that the primary data center is damaged.

Software escrow agreements

Your organization should consider software escrow agreements (wherein the software vendor sends a copy of its software code to a third-party escrow organization for safekeeping) with the software vendors whose applications support critical business functions. In the event that an insurmountable disaster (this could include bankruptcy) strikes the software vendor, your organization must be able to consider all options for the continued maintenance of those critical applications, including in-house support.

External communications

The Corporate Communications, External Affairs, and (if applicable) Investor Relations departments should all have plans in place for communicating the facts about a disaster to the press, customers, and public.
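The choice among full, differential and incremental backups raised under “Backups and off-site storage” above is a trade-off between how much media the rotation writes each week and how many sets a restore must read in order, which also decides what one bad tape costs you. The following Python model is an added illustration, not code from the book: it builds a constructed one-week rotation (all sizes are made-up figures), computes the restore chain each strategy needs to reach a given day, and shows what happens when one set in the chain is unreadable. The names and the 500 GB / 20 GB-per-day figures are assumptions for the example only.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a weekly backup rotation: one full backup on day 0,
# then one differential or incremental set per day. Sizes are made-up figures.


@dataclass(frozen=True)
class Backup:
    day: int             # days since the full backup (0 = the full itself)
    kind: str            # "full", "differential" or "incremental"
    size_gb: int         # constructed size of this backup set
    usable: bool = True  # False models a lost, damaged or unreadable tape


@dataclass
class RestorePlan:
    chain: List[Backup]             # sets to restore, in the order they are applied
    recovered_as_of: Optional[int]  # newest day recoverable; None if nothing is

    @property
    def total_gb(self) -> int:
        return sum(b.size_gb for b in self.chain)


def build_schedule(strategy: str, full_gb: int, daily_change_gb: int, days: int) -> List[Backup]:
    """Constructed schedule. A differential set captures everything changed since
    the full backup, so it grows every day; an incremental set captures only the
    change since the previous backup, so it stays the size of one day's change."""
    sets = [Backup(0, "full", full_gb)]
    for d in range(1, days + 1):
        if strategy == "differential":
            sets.append(Backup(d, "differential", daily_change_gb * d))
        elif strategy == "incremental":
            sets.append(Backup(d, "incremental", daily_change_gb))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return sets


def mark_unusable(sets: List[Backup], day: int) -> List[Backup]:
    """Return a copy of the schedule with the set for `day` marked unreadable."""
    return [Backup(b.day, b.kind, b.size_gb, False) if b.day == day else b for b in sets]


def media_written(sets: List[Backup]) -> int:
    """Total volume written over the rotation: the cost side of the trade-off."""
    return sum(b.size_gb for b in sets)


def restore_chain(sets: List[Backup], target_day: int) -> RestorePlan:
    """Work out which sets must be read, in order, to recover the state as of
    target_day, stopping at the last recoverable point if a set is unreadable."""
    by_day = {b.day: b for b in sets}
    full = by_day.get(0)
    if full is None or not full.usable:
        # Without a readable full backup neither strategy can recover anything.
        return RestorePlan([], None)
    chain = [full]
    as_of = 0
    kinds = {b.kind for b in sets if b.kind != "full"}
    if kinds == {"differential"}:
        # Only the newest readable differential at or before target_day is needed;
        # an unreadable one costs just the days since the previous differential.
        for d in range(target_day, 0, -1):
            b = by_day.get(d)
            if b is not None and b.usable:
                chain.append(b)
                as_of = d
                break
    elif kinds == {"incremental"}:
        # Every incremental up to target_day is needed, and each depends on the
        # one before it: one unreadable set breaks the chain from that day on.
        for d in range(1, target_day + 1):
            b = by_day.get(d)
            if b is None or not b.usable:
                break
            chain.append(b)
            as_of = d
    return RestorePlan(chain, as_of)


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sched = build_schedule(strategy, full_gb=500, daily_change_gb=20, days=6)
        plan = restore_chain(sched, target_day=6)
        broken = restore_chain(mark_unusable(sched, 3), target_day=6)
        print(f"{strategy:12s} media written {media_written(sched):4d} GB; "
              f"restore reads {len(plan.chain)} sets / {plan.total_gb} GB; "
              f"with the day-3 tape lost, recoverable as of day {broken.recovered_as_of}")
```

With these constructed figures the incremental rotation writes 620 GB over the week against 920 GB for the differential one, but a restore to day 6 has to read seven sets in sequence, and losing the day-3 tape rolls the recoverable point back to day 2; the differential rotation reads two sets and loses nothing to the same bad tape. When you set the MTD for a function, the length and fragility of the restore chain is part of the recovery time you have to fit inside it.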
Contingency plans for these functions are critical if the organization is to continue communicating to the outside world. Open communication during a disaster is vital so that customers, suppliers, and investors don’t panic because they don’t know the true extent of the disaster.

Warning Who says External Affairs is nonessential? Suppose the headquarters building for a large company burns to the ground. (This is very unlikely in modern buildings, but stay with us.) All personnel escape unharmed. In fact, the organization is very well off because all the information in the building was duplicated and stored in an off-site facility. Nice work! However, the External Affairs department, which was housed in that building, loses everything. It takes two days to recover the capability of communicating to the outside world. However, because of this time lag, the company loses many of its customers, who feared the worst. This is an especially unfortunate and ironic circumstance because the company was actually in pretty good shape prior to the disaster. The emergency communications plan needs to take into account the possibility that some corporate facilities or personnel may be unavailable. So even the data and procedures related to the communications plan need to be kept safe so that they’re available in any situation.

Utilities

Data-processing facilities that support time-critical business functions must keep running in the event of a power failure. Although every situation is different, the principle is not: The BCP team must determine for what period of time the data-processing facility must be able to continue operating without utility power. A power engineer can find out the length of power outages in your area and crunch the numbers to arrive at the mean time between outages.
By using that information, as well as having an inventory of the data center’s equipment and environmental equipment, you can determine whether the organization needs an uninterruptible power supply (UPS) alone, or a UPS and an electric generator.

Instant Answer Uninterruptible power supplies (UPSes) and emergency electric generators are used to provide electric power during prolonged power outages.

Remember In a really long power outage (more than a day or two), it is also essential to have a plan for the replenishment of generator fuel.

Logistics and supplies

The BCP team needs to study every aspect of critical functions that must be made to continue in a disaster. Every resource that’s needed to sustain the critical operation must be identified and then considered against every possible disaster scenario to determine what special plans must be made. For instance, if a business operation relies upon a just-in-time shipment of materials for its operation and an earthquake has closed the region’s only highway (or airport or sea/lake port), then alternative means for acquiring those materials must be determined in advance. Or, perhaps an emergency ration of those materials needs to be stockpiled so that the business function can continue uninterrupted.

Fire and water protection

Many natural disasters disrupt public utilities, including water supplies or delivery. In the event that a disaster has interrupted water delivery, new problems arise. Your facility may not be allowed to operate without the means for fighting a fire, should one occur. In many places, businesses could be ordered to close if they can’t prove that they can effectively fight a fire using other means, such as FM-200. Then again, if water supplies have been interrupted, you have other issues to contend with, such as drinking water and water for restrooms. Without water, you’re hosed!

Documentation

Any critical business function must be able to continue operating after a disaster strikes.
An essential item for sustained operations includes all relevant documentation for every piece of equipment as well as every critical process and procedure that’s performed in a given location. Don’t be lulled into taking for granted the emerging trend of hardware and software products not coming with any documentation. After all, many vendors deliver their documentation only over the Internet, or they charge extra for hard copy. But many types of disasters may disrupt Internet communications, thereby leaving an operation high and dry with no instructions on how to use and manage tools or applications. At least one set of hard copy (or CD-ROM soft copy) of documentation should be stored at the same off-site storage facility that stores the organization’s backup tapes.

Instant Answer Continuity and recovery documentation must exist in hard copy in the event that it’s unavailable via technical means such as laptop computers.

Data processing continuity planning

Data processing facilities are so vital to businesses today that a lot of emphasis is placed on them. Generally this comes down to these variables: where and how the business will continue to sustain its data processing functions. Because data centers are so expensive and time consuming to build, better business sense dictates having an alternate processing site available. The types of sites are
Instant Answer A hot site provides the most rapid recovery ability, but it’s also the most expensive because of the effort that it takes to maintain its readiness. Table 10-1 compares these options side by side.
By now you’ve defined the scope of the BCP project and developed the Business Impact Assessment, Criticality Analysis and MTDs. Here’s what you know so far:
The hard part of the Business Continuity Project begins now: This is where you develop the strategy for continuing each critical business function when disasters occur. This is known as the Continuity Strategy. Developing a Continuity Strategy is the time for looking at the excruciating details of critical business functions. This is the time for strong coffee, pizzas, buckets of Rolaids, and cool heads.

Identifying success factors

The critical success factors for this important and time-consuming phase of the project include
Getting amazing things done

It is amazing what you can accomplish if you don’t care who gets the credit. Nowhere is this more true in business than in Business Continuity Planning. A BCP project is a setting where people will jostle for power, influence, and credit. These forces must be neutralized. Business Continuity Planning should be apolitical, meaning differences and personal agendas are set aside. Only then is there a reasonable chance of success. The business, and its employees and customers, deserve nothing less.

Simplifying large or complex critical functions

Some critical business functions may be too large and complex to examine in one big chunk. Complex functions can be broken down into smaller components, perhaps like this:
Analyzing processes is like disassembling Tinker Toy houses - you’ve got to break them down to the individual component level. You really do need to understand each step in even the largest processes in order to be able to develop good continuity plans for them. If a team analyzing a large complex business function breaks into groups such as these listed here, these groups need to get together frequently to ensure that their respective strategies eventually become a cohesive whole. Eventually, these four (or whatever number) groups need to come back together and integrate their separate materials into one complete plan.

Documenting the strategy

Now for the part that everyone loves: documentation. The details of the continuity plans for each critical function must be described in minute detail, step by step by step. Why? The people who develop the strategy may very well not be the people who execute it. The people who develop the strategy may change roles in the company or change jobs altogether. Or, the scope of an actual disaster may be wide enough that the critical personnel just aren’t available. Any skeptics should consider September 11 and the impact that this disaster had on a number of companies that lost practically everyone and everything.

Remember Why hire an expert? Most of us don’t do Business Continuity Planning for a living. Although we may be the experts on our business processes, we’re not necessarily the right people for knowing all the angles of contingency planning. Turn this question around for a minute: What would you think if an IT shop developed a security strategy without having a security expert’s help? Do you think that this would result in a sound, viable strategy? The same argument fits equally well with BCP. For the remaining skeptics, do yourself a favor: Hire a BCP expert for just a short time to help validate your framework and plan.
If your expert says that your plan is great, then you can consider it money well spent to confirm your suspicions. If the consultant says that your plan needs help, ask for details on where and how. Then you decide whether to rework and improve your plan. When disaster strikes, it’s too late to wish that you had a good business continuity plan. Best practices for documenting Business Continuity Plans exist. Here is another reason to have that expert around. For $300 an hour, a consultant can spend a couple of weeks developing templates. But watch out - your consultant might just download templates from a BCP Web site, tweak them a little bit, and spend the rest of his time playing World of Warcraft.

It is an accomplishment indeed when the BCP documentation has been written, reviewed, edited, and placed into three-ring binders. However, the job isn’t yet done. The Business Continuity Plan needs senior management buy-in, the plan must be announced and socialized throughout the organization, and one or more persons must be dedicated to keeping the plan up-to-date. Oh yeah, and the plan needs to be tested!

Securing senior management approval

After the entire plan has been documented and reviewed by all stakeholders, it’s time for senior management to examine it and approve it. Not only must senior management approve the plan, but senior management must also publicly approve it.

Instant Answer Senior management approval is needed so that all affected and involved employees in the organization understand the importance of emergency planning.

Promoting organizational awareness

Everyone in the organization needs to be made aware of the existence of the plan and of his or her role in it. This may mean training for potentially large numbers of people who are expected to be there when a disaster strikes.

Instant Answer All employees in the organization must be made aware of the existence of the Business Continuity Plan.

Maintaining the plan

No, the plan isn’t finished.
It has just begun! Now the BCP person (the project team members by this time have collected their commemorative denim shirts, mugs and mouse pads, and have moved on to other projects) needs to periodically chase The Powers That Be to make sure that they know about all significant changes to the environment. In fact, if the BCP person has any leadership left at this point in the process, he or she needs to start attending the Change Control Board (or whatever that company calls it) meetings and to jot down notes that may mean that some detail in a BCP document may need some changes.

Tip The Business Continuity Plan is easier to modify than it is to create out of thin air. Once or twice each year, someone knowledgeable needs to examine the detailed strategy and procedure documents in the BCP to make sure that they’ll still work.
As we describe in the earlier section “The Difference between BCP and DRP,” the planning for both Disaster Recovery and Business Continuity have common roots. Both need to assemble similar project teams; both need executive sponsorship and support; and both must identify critical business processes. Here the similarity ends. In the remainder of this chapter, we discuss the development and implementation of the Disaster Recovery Plan.

While the BCP folks develop a plan to keep business operations rolling, the DRP people develop a plan to restore the damaged facility(ies) so that the critical business functions can operate there again.

Preparing for emergency response

Emergency response teams must be prepared for every possible scenario. Members of these teams need a variety of specialized training to deal with such things as water and smoke damage, structural damage, flooding, and hazardous materials. All the types of response must be documented so that the response teams know what to do. The emergency response documentation consists of two major parts: how to respond to each type of incident, and up-to-date facts about the facilities and equipment that the organization uses. In other words, you want your teams to know how to deal with water damage, smoke damage, structural damage, hazardous materials, and many other things. Your teams also need to know everything about every company facility: where things such as utility entrances, electrical equipment, HVAC, fire control, elevators, communications, data closets, and so on are located, which vendors maintain and service them, and so on. And you need experts who know about the materials and construction of the buildings themselves. Responding to an emergency branches into two activities: salvage and recovery. Tangential to this is preparing financially for the costs associated with salvage and recovery.

Salvage

The salvage team is concerned with restoring full functionality to the damaged facility.
This includes several activities:
Instant Answer The salvage team is primarily concerned with the restoration of a facility to return it to operational readiness.

Recovery

Recovery comprises equipping the BCP team (yes, the BCP team - this is one of the touch points between BCP and DRP) with any logistics, supplies, or coordination in order to get alternate functional sites up and running. This activity should be heavily scripted, with lots of procedures and checklists in order to ensure that every detail is handled.

Financial readiness

The salvage and recovery operations can be very expensive. The organization must be prepared for potentially large expenses (at least several times the total monthly operating cost) to restore operations to the original facility.

Notifying personnel

The disaster recovery team needs to have communication plans prepared in advance of any disaster. The DRP team must have a way of notifying employees about facilities that are closed, and note that one or more traditional means of communications may also have been adversely affected by the same event that damaged business facilities. For example, if a building has been damaged, the voice-mail system that you would expect people to call into for checking messages and getting workplace status might not be working. Hmmm, what to do, what to do . . .

Facilitating external communications

The corporate departments that communicate with customers, investors, government, and the media are equipped with pretty much the same information as for Business Continuity Planning. There are really no differences and no need for any significant differences in planning for external communications between DRP and BCP.

Not only response, but also prevention

On the surface, it appears that Disaster Recovery Planning is all about cleaning up and restoring business operations after a hurricane, tornado, or flood.
However, the DRP project can add considerable value to the organization if it also points out things that are putting the business at risk in the first place. For instance, the DRP planning team may discover a design flaw in a building that makes it more vulnerable to damage during a flood. The planning team can make a recommendation outlining the necessary repairs in order to reduce the likelihood of flood damage.

Maintaining physical security

Looting and vandalism sometimes occur after significant disastrous events. The organization must be prepared to deploy additional guards as well as erect temporary fencing and other physical barriers in order to protect its physical assets until damaged facilities are secured and law and order are restored. And we’re not just concerned with physical assets: personnel (if any are present) require protection too.

Personnel safety

The safety of personnel needs to be addressed, as there are often personnel working in areas with damage and safety issues, usually right after a disaster, during salvage and damage assessment.
By the time that an organization has completed a DRP, it will probably have spent hundreds of man-hours and possibly tens or hundreds of thousands of dollars on consulting fees. You would think that after making this large of an investment, any organization would want to test its DRP to make sure that it works when a real emergency strikes. Five methods available for testing the Disaster Recovery Plan are
Instant Answer The parallel test includes the loading of data onto recovery systems without taking production systems down.
Overview

Similar to police officers, information security professionals are expected to determine when a computer crime has occurred, secure the crime scene, and collect any evidence - to protect and to serve! In order to perform these functions effectively, the CISSP candidate must know what a computer crime is, how to conduct an investigation and collect evidence, and understand what laws may have been violated. Additionally, CISSP candidates are required to adhere to the (ISC)² Code of Ethics and must be able to apply these principles to resolve ethical dilemmas. Further, CISSP candidates are expected to be familiar with the laws and regulations that are relevant in their country and industry. This could include national laws, local laws, and any laws that pertain to the type of activity performed by the organization.

Our discussion of the major categories and types of laws consists of U.S. and international law, including many key concepts and terms that are important to understand for the CISSP exam.

U.S. common law

Under the common law system of the United States, three major categories of laws are defined at the federal and state levels: criminal, civil (or tort), and administrative (or regulatory) laws.

Criminal law

Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.

Criminal penalties

Penalties under criminal law have two main purposes:
Burden of proof under criminal law

To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore, the burden of proof in a criminal case rests firmly with the prosecution.

Classifications of criminal law

There are two main classifications of criminal law depending upon severity, such as type of crime/attack or total loss in dollars:
Civil law

Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.

Civil penalties

Unlike criminal penalties, civil penalties don’t include jail or prison terms. Instead, civil penalties provide financial restitution to the victim as follows:
Burden of proof under civil law

Convictions under civil law are typically easier to obtain than under criminal law because the burden of proof is much less. To be convicted under civil law, a jury must believe based upon the preponderance of the evidence that the defendant is guilty. This simply means that the available evidence leads the judge or jury to a conclusion of guilt.

Liability and due care

The concepts of liability and due care are germane to civil law cases but are also applicable under administrative law, which we discuss in the next section. The standard criterion for assessing the legal requirement to implement a recommended safeguard is to compare the cost of the safeguard with the estimated loss from the corresponding threat, if realized. If the cost is less than the estimated loss and the organization doesn’t implement the safeguard, then a legal liability may exist. This is based on the principle of proximate causation, in which an action taken or not taken was part of a sequence of events that resulted in negative consequences. Under the Federal Sentencing Guidelines, senior corporate officers may be personally liable if their organization fails to comply with applicable laws. Such individuals must follow the prudent man rule, which requires them to perform their duties:
The concepts of due care and due diligence are related but distinctly different:
Technical Stuff: Lawyer-speak

Although the information in this sidebar is not tested on the CISSP examination, when attempting to learn the various laws and regulations in this domain, you’ll find it helpful to know the correct parlance (fancy-speak for jargon) used. For example: 18 U.S.C. § 1030 (1986) (the Computer Fraud and Abuse Act of 1986) refers to Section 1030 in Title 18 of the 1986 edition of the United States Code, not “18 University of Southern California squiggly-thingy 1030 (1986).” Federal statutes and administrative laws are usually cited in the following format:
Other important abbreviations to understand include:
Another important aspect of due care is the principle of culpable negligence. If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases, jury awards may be adjusted accordingly, and the organization’s insurance company may be required to pay only a portion of any loss.

Administrative law

Administrative (regulatory) laws define standards of performance and conduct for major industries (including banking, energy, and healthcare), organizations, and officials. These laws are typically enforced by various government agencies, and violations may result in financial penalties and/or imprisonment.

International law

Given the global nature of the Internet, it’s often necessary for many countries to cooperate in order to bring a computer criminal to justice. But because practically every country in the world has its own unique legal system, such cooperation is always difficult and often impossible. As a starting point, many countries disagree on exactly what justice is. Other problems include:
Computer crime consists of any criminal activity in which computer systems or networks are used as tools. Computer crime also includes crimes in which computer systems are targeted, or in which computers are the scene of the crime committed. That’s a pretty wide spectrum. However, the real world has difficulties in dealing with computer crimes. Several reasons why computer crimes are hard to cope with include
Computer crimes are often difficult to prosecute for the reasons that we just listed and also because of the following issues:
Computer crimes are often classified under one of the following six major categories:
Terrorist attacks

Terrorism exists at many levels on the Internet. In April 2001, during a period of tense relations between China and the U.S. (resulting from the crash landing of a U.S. Navy reconnaissance plane on Hainan Island), Chinese hackers (cyberterrorists) launched a major effort to disrupt critical U.S. infrastructure, which included U.S. government and military systems. Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells are using online capabilities to coordinate attacks, transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, and gain useful information about developing techniques and instruments of terror, including nuclear, biological, and chemical weapons.

Military and intelligence attacks

Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and conflict.

Financial attacks

Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or businesses, or obtain the personal credit card numbers of customers.

Business attacks

Businesses are becoming the targets of more and more computer and Internet attacks. These attacks include competitive intelligence gathering, denial of service, and other computer-related attacks. Businesses are often targeted for several reasons including
The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.

Grudge attacks

Grudge attacks are targeted at individuals or businesses and are motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic bomb in a critical system or application. Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:
“Fun” attacks

“Fun” attacks are perpetrated by thrill seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they’re still dangerous and their activities are still illegal. These attacks can also be relatively easy to detect and prosecute. Because the perpetrators are often script kiddies or otherwise inexperienced hackers, they may not know how to cover their tracks effectively. Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You’ve seen the film at 11: “We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable!” Such action, however, will likely motivate others to launch a more serious and concerted grudge attack against the business. Many computer criminals in this category only seek notoriety. Although it’s one thing to brag to a small circle of friends about defacing a public Web site, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom. These twisted individuals want to be caught to revel in their 15 minutes of fame.

Cross-Reference: As we discuss in Chapter 7, script kiddies are novice hackers or less experienced (not too salty) crackers. Typically, script kiddies are new to the dark side and perhaps don’t realize just how dark (and illegal) the dark side really is. Script kiddies lack true hacking or programming skills, so they must rely on freely available tools that others have created and distributed on the Internet, often without knowing or understanding how much damage they may actually do to a system or network.
Given the difficulties in defining and prosecuting computer crimes, many prosecutors seek to convict computer criminals on more traditional criminal statutes, such as theft, fraud, extortion, and embezzlement. Intellectual property rights and privacy laws, in addition to specific computer crime laws, also exist to protect the general public and assist prosecutors.

Remember: The CISSP candidate should understand that because of the difficulty in prosecuting computer crimes, prosecutors often use more traditional criminal statutes, intellectual property rights, and privacy laws to convict criminals. In addition, you should also realize that specific computer crime laws do exist.

Intellectual property

Intellectual property is protected by U.S. law under one of four classifications, as follows:
Intellectual property rights worldwide are agreed, defined, and enforced by various organizations and treaties, including the World Intellectual Property Organization (WIPO), World Customs Organization (WCO), World Trade Organization (WTO), United Nations Commission on International Trade Law (UNCITRAL), European Union (EU), and Trade-Related Aspects of Intellectual Property Rights (TRIPs). Licensing violations are among the most prevalent examples of intellectual property rights infringement. Other examples include plagiarism, software piracy, and corporate espionage.

Patents

A patent, as defined by the U.S. Patent and Trademark Office (PTO), is “the grant of a property right to the inventor.” A patent grant confers upon the owner “the right to exclude others from making, using, offering for sale, selling, or importing the invention.” Examples of computer-related objects that may be protected by patents are computer hardware and physical devices in firmware. A patent is granted by the U.S. PTO for an invention that has been sufficiently documented by the applicant and that has been verified as original by the PTO. A patent is generally valid for 20 years from the date of application and is effective only within the U.S., including territories and possessions. The owner of the patent may then grant a license to others for use of the invention or its design, often for a fee. U.S. patent (and trademark) laws and rules are covered in 35 U.S.C. and 37

Remember: Patent grants were previously valid for only 17 years, but have recently been changed, for newly granted patents, to 20 years.

Trademark

A trademark, as defined by the U.S. PTO, is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.” Computer-related objects that may be protected by trademarks include corporate brands and operating system logos. U.S. Public Law 105–330, the Trademark Law Treaty Implementation Act, provides some international protection for U.S. registered trademarks.

Copyright

A copyright is a form of protection granted to the authors of “original works of authorship,” both published and unpublished. A copyright protects a tangible form of expression rather than the idea or subject matter itself. Under the original Copyright Act of 1909, publication was generally the key to obtaining a federal copyright. However, the Copyright Act of 1976 changed this requirement, and copyright protection now applies to any original work of authorship immediately from the time that it’s created in a tangible form. Object code or documentation are examples of computer-related objects that may be protected by copyrights. Copyrights can be registered through the Copyright Office of the Library of Congress, but a work doesn’t need to be registered to be protected by copyright. Copyright protection generally lasts for the lifetime of the author plus 70 years.

Trade secret

A trade secret is proprietary or business-related information that a company or individual uses and has exclusive rights to. To be considered a trade secret, the information must meet the following requirements:
Software source code or firmware code are examples of computer-related objects that may be protected by trade secrets.

Privacy laws

Privacy laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse. Privacy laws are one area in which the United States lags behind many others, particularly the European Union (EU), which has defined more restrictive privacy regulations that prohibit the transfer of personal information to countries (including the United States) that don’t equally protect such information. The EU privacy rules include the following requirements about personal data and records:
Two important pieces of privacy legislation in the United States are the U.S. Federal Privacy Act of 1974 and the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996.

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552a

The Federal Privacy Act of 1974 protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents. Except under certain specific conditions, no agency may disclose any record about an individual “except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act also has provisions for access and amendment of individual records by the individual, except in cases of “information compiled in reasonable anticipation of a civil action or proceeding.” The Privacy Act provides individual penalties for violation including a misdemeanor charge and fines up to $5,000.

U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104-191

HIPAA was signed into law effective August 1996. The HIPAA legislation provided Congress three years from this date to pass comprehensive health privacy legislation. If Congress failed to pass legislation by this deadline, the Department of Health and Human Services (HHS) was given the authority to develop the privacy and security regulations for HIPAA. In October 1999, HHS released proposed HIPAA privacy and security regulations entitled “Privacy Standards for Individually Identifiable Health Information.” Organizations that must comply with HIPAA regulations are referred to as covered entities and include
Civil penalties for HIPAA violations include fines of $100 per incident, up to $25,000 per provision, per calendar year. Criminal penalties include fines up to $250,000 and potential imprisonment of corporate officers for up to 10 years. Additional state penalties may also apply.

U.S. Gramm-Leach-Bliley Financial Services Modernization Act, PL 106-102

Gramm-Leach-Bliley (usually known as GLBA) opened up competition among banks, insurance companies, and securities companies. GLBA also requires financial institutions to better protect their customers’ personally identifiable information (PII) with three rules:
Civil penalties for GLBA violations are up to $100,000 for each violation. Further, officers and directors of financial institutions are personally liable for civil penalties of not more than $10,000 for each violation.

Computer crime and information security laws

Important international computer crime and information security laws that the CISSP candidate should be familiar with include:
U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)

In 1984, the first U.S. federal computer crime law, the U.S. Computer Fraud and Abuse Act, was passed. This intermediate act was narrowly defined and somewhat ambiguous. The law covered
The U.S. Computer Fraud and Abuse Act of 1986 enhanced and strengthened the 1984 law, clarifying definitions of criminal fraud and abuse for federal computer crimes and removing obstacles to prosecution. The act established two new felony offenses for the unauthorized access of federal interest computers and a misdemeanor for unauthorized trafficking in computer passwords. Major provisions of the act established three new crimes (two felonies and one misdemeanor) as follows:
Tip: A federal interest computer (actually the term was changed to protected computer in the 1996 amendments to the act) is defined in the act as a computer:
Several minor amendments to the U.S. Computer Fraud and Abuse Act were made in 1988, 1989, and 1990, and more significant amendments were made in 1994, 1996 (by the Economic Espionage Act of 1996), and 2001 (by the USA PATRIOT Act of 2001). The act, in its present form, establishes seven specific computer crimes. In addition to the three that we discuss above, these include the following five provisions [Subsection (a)(5) is reintroduced here in its current form]:
We discuss major amendments to the U.S. Computer Fraud and Abuse Act of 1986 (as amended), introduced in 2001, in the upcoming “USA PATRIOT Act of 2001” section.

Instant Answer: The U.S. Computer Fraud and Abuse Act of 1986 is the major computer crime law currently in effect. The CISSP exam will likely test your knowledge of the act in its original 1986 form, but you should also be prepared for revisions to the exam that may cover the more recent amendments to the act.

U.S. Electronic Communications Privacy Act (ECPA) of 1986

The ECPA complements the U.S. Computer Fraud and Abuse Act of 1986 and prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, and electronic communications. However, the ECPA does provide specific statutory exceptions, allowing network providers to monitor their networks for legitimate business purposes when the network users are notified of the monitoring process. The ECPA was amended extensively by the USA PATRIOT Act of 2001. These changes are discussed in the upcoming “USA PATRIOT Act of 2001” section.

Instant Answer: The U.S. Electronic Communications Privacy Act (ECPA) provides the legal basis for network monitoring.

U.S. Computer Security Act of 1987

The U.S. Computer Security Act of 1987 requires federal agencies to take extra security measures to prevent unauthorized access to computers holding sensitive information. In addition to identifying and developing security plans for sensitive systems, the act requires those agencies to provide security-related awareness training for their employees. The act also assigns formal government responsibility for computer security to the National Institute of Standards and Technology (NIST) for information security standards in general and to the National Security Agency (NSA) for cryptography in classified government/military systems and applications.

U.S. Federal Sentencing Guidelines of 1991

In November 1991, the United States Sentencing Commission published Chapter 8, Federal Sentencing Guidelines for Organizations, of the U.S. Federal Sentencing Guidelines. These guidelines establish written standards of conduct for organizations, provide relief in sentencing for organizations that have demonstrated due diligence, and place responsibility for due care on senior management officials with penalties for negligence including fines of up to $290 million.

U.S. Economic Espionage Act of 1996

The U.S. Economic Espionage Act (EEA) of 1996 was enacted to curtail industrial espionage, particularly when such activity benefits a foreign entity. The EEA makes it a criminal offense to take, download, receive, or possess trade secret information that has been obtained without the owner’s authorization. Penalties include fines of up to $10 million, up to 15 years in prison, and forfeiture of any property used to commit the crime. The EEA also enacted the 1996 amendments to the U.S. Computer Fraud and Abuse Act, which we discuss earlier in the section “U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended).”

U.S. Child Pornography Prevention Act of 1996

The U.S. Child Pornography Prevention Act (CPPA) of 1996 was enacted to combat the use of computer technology to produce and distribute pornography involving children, including adults portraying children.

Warning: The USA PATRIOT Act of 2001, which we cover in the next section, changes many of the provisions in the computer crime laws, particularly the U.S. Computer Fraud and Abuse Act of 1986 (as amended) and the Electronic Communications Privacy Act of 1986, which we detail in the earlier section “U.S. Electronic Communications Privacy Act (ECPA) of 1986.” As a security professional, you must keep abreast of current laws and affairs to perform your job effectively.
USA PATRIOT Act of 2001

Following the terrorist attacks against the United States on September 11, 2001, the USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was enacted in October 2001 and renewed in March 2006 (many provisions originally set to expire have since been made permanent under the renewed Act). This Act takes great strides to strengthen and amend existing computer crime laws, including the U.S. Computer Fraud and Abuse Act and the U.S. Electronic Communications Privacy Act (ECPA), as well as to empower
U.S. Sarbanes-Oxley Act of 2002 (SOX)

In the wake of several major corporate and accounting scandals, SOX was passed in 2002 to restore public trust in publicly held corporations and public accounting firms by establishing new standards and strengthening existing standards for these entities including auditing, governance, and financial disclosures. SOX established the Public Company Accounting Oversight Board (PCAOB), which is a private-sector, nonprofit corporation responsible for overseeing auditors in the implementation of SOX. PCAOB’s “Accounting Standard 2” recognizes the role of information technology as it relates to a company’s internal controls and financial reporting. The Standard identifies the responsibility of Chief Information Officers for the security of information systems that process and store financial data and has many implications for information technology security and governance.

U.S. CAN-SPAM Act of 2003

The U.S. CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes standards for sending commercial e-mail messages, charges the U.S. Federal Trade Commission (FTC) with enforcement of the provision, and provides penalties that include fines and imprisonment for violations of the Act.

Directive 95/46/EC on the protection of personal data (1995, EU)

In 1995 the European Parliament ratified this essential legislation that protects personal information for all European citizens. The directive states that personal data should not be processed at all, except when certain conditions are met. A legitimate concern about the disposition of European citizens’ personal data when it leaves computer systems in Europe and enters computer systems in the U.S. led to the creation of . . .

Safe Harbor (1998)

In an agreement between the European Union and the U.S. Department of Commerce in 1998, the U.S. Department of Commerce developed a certification program called Safe Harbor. This permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens.

The Council of Europe’s Convention on Cybercrime (2001)

The Convention on Cybercrime is an international treaty, currently signed by more than 40 countries (the U.S. ratified the treaty in 2006), requiring criminal laws to be established in signatory nations for computer hacking activities, child pornography, and intellectual property violations. The treaty also attempts to improve international cooperation with respect to monitoring, investigations, and prosecution.

The Computer Misuse Act 1990 (U.K.)

The Computer Misuse Act 1990 (U.K.) defines three criminal offenses related to computer crime: unauthorized access (whether successful or unsuccessful), unauthorized modification, and hindering authorized access (Denial of Service).

Cybercrime Act 2001 (Australia)

The Cybercrime Act 2001 (Australia) establishes criminal penalties, including fines and imprisonment, for persons committing computer crimes, including unauthorized access, unauthorized modification, or denial of service, with intent to commit a serious offense.

Computer forensics is the science of conducting a computer crime investigation to determine what has happened and who is responsible, and to collect legally admissible evidence for use in a computer crime case. The purpose of an investigation is to determine what happened, who is responsible, and collect evidence. Incident handling is done to determine what happened, contain and assess damage, and restore normal operations. Closely related to, but distinctly different from investigations, is incident handling (or response). Incident handling is discussed in detail later in this chapter.
Investigations and incident handling must often be conducted simultaneously in a well-coordinated and controlled manner to ensure that the initial actions of either activity don’t destroy evidence or cause further damage to the organization’s assets. For this reason, it’s important that Computer Incident (or Emergency) Response Teams (CIRT or CERT, respectively) be properly trained and qualified to secure a computer-related crime scene or incident while preserving evidence. Ideally, the CIRT includes individuals who will actually be conducting the investigation. An analogy to this would be an example of a police patrolman who discovers a murder victim. It’s important that the patrolman quickly assesses the safety of the situation and secures the crime scene; but at the same time, he must be careful not to destroy any evidence. The homicide detective’s job is to gather and analyze the evidence. Ideally, but rarely, the homicide detective would be the individual who discovers the murder victim, allowing her to assess the safety of the situation, secure the crime scene, and begin collecting evidence. Think of yourself as a CSISSP!

Evidence

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime. A case can’t be brought to trial without sufficient evidence to support the case. Thus, properly gathering evidence is one of the most important and most difficult tasks of the investigator. The types of evidence, rules of evidence, admissibility of evidence, chain of custody, and evidence life cycle comprise the main elements to be tested in the Investigations portion of this domain.

Types of evidence

Sources of legal evidence that can be presented in a court of law generally fall into one of four major categories:
Other types of evidence that may fall into one or more of the above major categories include
Rules of evidence

Important rules of evidence for computer crime cases include the best evidence rule and hearsay evidence rule. The CISSP candidate must understand both of these rules and their applicability to evidence in computer crime cases.

Best evidence rule

The best evidence rule, defined in the Federal Rules of Evidence, states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is [ordinarily] required.” However, an exception to this rule is also defined in the Federal Rules of Evidence, as follows:
This means that data extracted from a computer - that is a fair and accurate representation of the original data - satisfies the best evidence rule and may normally be introduced into court proceedings as such.

Hearsay rule

Hearsay evidence is that evidence that is not based on personal, first-hand knowledge of the witness but rather was obtained through other sources. Under the Federal Rules of Evidence, hearsay evidence is normally not admissible in court. This rule exists to prevent unreliable statements by witnesses from improperly influencing the outcome of a trial. Business records, including computer records, have traditionally, and perhaps mistakenly, been considered hearsay evidence by most courts because these records cannot be proven accurate and reliable. One of the most significant obstacles for a prosecutor to overcome in a computer crime case is seeking the admission of computer records as evidence. A prosecutor may be able to introduce computer records as best evidence rather than hearsay evidence as we discuss in the preceding section. Several courts have acknowledged that the hearsay rules are applicable to computer-stored records containing human statements but are not applicable to computer-generated records untouched by human hands. Perhaps the most successful and commonly applied test of admissibility for computer records in general has been the business records exception, established in the Federal Rules of Evidence, for records of regularly conducted activity, meeting the following criteria:
Admissibility of evidence

Because computer-generated evidence can sometimes be easily manipulated, altered, or tampered with, and because it’s not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to be admissible, evidence must be
Chain of custody and the evidence life cycle

The chain of custody (or evidence) provides accountability and protection for evidence throughout its entire life cycle and includes the following information, which is normally kept in an evidence log:
Any time that evidence changes possession or is transferred to a different media type, it must be properly recorded in the evidence log to maintain the chain of custody. Law enforcement officials must strictly adhere to chain of custody requirements, and this adherence is highly recommended for anyone else involved in collecting or seizing evidence. Security professionals and incident response teams must fully understand and follow the chain of custody, no matter how minor or insignificant a security incident may initially appear. Even properly trained law enforcement officials sometimes make crucial mistakes in evidence handling. Most attorneys won’t understand the technical aspects of the evidence that you may present in a case, but they will definitely know evidence-handling rules and will most certainly scrutinize your actions in this area. Improperly handled evidence, no matter how conclusive or damaging, will likely be inadmissible in a court of law. The evidence life cycle describes the various phases of evidence from its initial discovery to its final disposition. The evidence life cycle has the following five stages:
Collection and identification

Collecting evidence involves taking that evidence into custody. Unfortunately, evidence can’t always be collected and must instead be seized. Many legal issues are involved in seizing computers and other electronic evidence. The publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001), published by the U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS), provides comprehensive guidance on this subject. Find this publication available for download at www.cybercrime.gov. In general, law enforcement officials can search and/or seize computers and other electronic evidence under any of four circumstances:
When evidence is collected, it must be properly marked and identified. This ensures that it can later be properly presented in court as actual evidence gathered from the scene or incident. The collected evidence must be recorded in an evidence log with the following information:
Additionally, the evidence must be marked, using the following guidelines:
Always collect and mark evidence in a consistent manner so that you can easily identify evidence and describe your collection and identification techniques to an opposing attorney in court, if necessary.

Analysis
Analysis involves examining the evidence for information pertinent to the case. Analysis should be conducted with extreme caution, by properly trained and experienced personnel only, to ensure the evidence is not altered, damaged, or destroyed.

Storage, preservation, and transportation
All evidence must be properly stored in a secure facility and preserved to prevent damage or contamination from various hazards, including intense heat or cold, extreme humidity, water, magnetic fields, and vibration. Evidence that’s not properly protected may be inadmissible in court, and the party responsible for collection and storage may be liable. Care must also be exercised during transportation to ensure that evidence is not lost, damaged, or destroyed.

Presentation in court
Evidence to be presented in court must continue to follow the chain of custody and be handled with the same care as at all other times in the evidence life cycle. This process continues throughout the trial until all testimony related to the evidence is completed and the trial is over.

Return to victim (owner)
After the conclusion of the trial or other disposition, evidence is normally returned to its proper owner. However, under some circumstances, certain evidence may be ordered destroyed, such as contraband, drugs, or paraphernalia. Any evidence obtained through a search warrant is legally under the control of the court, possibly requiring the original owner to petition the court for its return.

Conducting investigations
A computer crime investigation should begin immediately upon report of an alleged computer crime or incident. Any incident should be handled, at least initially, as a computer crime investigation until a preliminary investigation determines otherwise.
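The evidence log and chain of custody described in the evidence life cycle above can be modelled in code. The following is an added example (not from the original text): it records collection, every change of possession, and every copy to a different media type, and checks each copy and later access against the hash taken at acquisition. The specific log fields, person names, and sample bytes are assumptions made for illustration.

```python
# Added example: a minimal evidence log with chain-of-custody entries.
# Field layout (id, description, location, acquisition hash, custody list)
# is an assumption for illustration; the required fields are listed in the text.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to show that the evidence has not been altered."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    action: str          # "collected", "transferred", "copied"
    from_person: str
    to_person: str
    note: str = ""


@dataclass
class EvidenceItem:
    evidence_id: str
    description: str
    location: str
    acquisition_hash: str
    custody: List[CustodyEntry] = field(default_factory=list)

    @property
    def custodian(self) -> str:
        """Whoever received the item in the most recent custody entry."""
        return self.custody[-1].to_person


class EvidenceLog:
    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}

    @staticmethod
    def _now(when: Optional[str]) -> str:
        return when or datetime.now(timezone.utc).isoformat()

    def collect(self, evidence_id: str, description: str, collector: str,
                location: str, data: bytes, when: Optional[str] = None) -> EvidenceItem:
        """Take an item into custody and record its hash at acquisition."""
        if evidence_id in self.items:
            raise ValueError(f"duplicate evidence id {evidence_id}")
        item = EvidenceItem(evidence_id, description, location, sha256_hex(data))
        item.custody.append(CustodyEntry(self._now(when), "collected",
                                         "scene", collector, location))
        self.items[evidence_id] = item
        return item

    def transfer(self, evidence_id: str, from_person: str, to_person: str,
                 note: str = "", when: Optional[str] = None) -> None:
        """Record a change of possession; only the current custodian may hand over."""
        item = self.items[evidence_id]
        if item.custodian != from_person:
            raise ValueError(f"{from_person} is not the custodian of {evidence_id}")
        item.custody.append(CustodyEntry(self._now(when), "transferred",
                                         from_person, to_person, note))

    def copy_to_media(self, evidence_id: str, person: str, media: str,
                      copied: bytes, when: Optional[str] = None) -> bool:
        """Record a copy to a different media type; the copy must hash identically."""
        item = self.items[evidence_id]
        ok = sha256_hex(copied) == item.acquisition_hash
        item.custody.append(CustodyEntry(
            self._now(when), "copied", person, person,
            f"{media}: hash {'matches' if ok else 'MISMATCH'}"))
        return ok

    def verify(self, evidence_id: str, data: bytes) -> bool:
        """True if the data still matches the hash recorded at collection."""
        return sha256_hex(data) == self.items[evidence_id].acquisition_hash

    def report(self, evidence_id: str) -> str:
        """Human-readable chain of custody for presentation."""
        item = self.items[evidence_id]
        lines = [f"{item.evidence_id}: {item.description} "
                 f"(sha256 {item.acquisition_hash[:16]}...)"]
        for e in item.custody:
            lines.append(f"  {e.timestamp} {e.action:<11} "
                         f"{e.from_person} -> {e.to_person}  {e.note}")
        return "\n".join(lines)
```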
The CISSP candidate should be familiar with the general steps of the investigative process, which include the following steps:
Instant Answer MOM: Motive, Opportunity, and Means.

Incident handling (or response)
Incident response begins before an incident has actually occurred. Preparation is the key to a quick and successful response. A well-documented and regularly practiced incident response plan ensures effective preparation. The plan should include:
Additional steps in incident response include:
Remember Investigations and incident response have similar steps but different purposes: The distinguishing characteristic of an investigation is the gathering of evidence for possible prosecution, whereas incident response focuses on containing the damage and returning to normal operations.

Ethics (or moral values) are not easily discerned, and a fine line often hovers between ethical and unethical activity. Unethical activity doesn’t necessarily equate to illegal activity. And what may be acceptable in some organizations, cultures, or societies may be unacceptable or even illegal in others. Ethical standards can be based on a common or national interest, individual rights, laws, tradition, culture, or religion. One helpful distinction between laws and ethics is that laws define what we must do and ethics define what we should do. Many common fallacies abound about computers and the Internet, which contribute to this gray area:
Almost every recognized group of professionals defines a code of conduct or standards of ethical behavior by which its members must abide. For the CISSP, it is the (ISC)² Code of Ethics. The CISSP candidate must be familiar with the (ISC)² Code of Ethics and Request for Comments (RFC) 1087 for professional guidance on ethics (and the exam).

(ISC)² Code of Ethics
As a requirement for (ISC)² certification, all CISSP candidates must subscribe to and fully support the (ISC)² Code of Ethics. The (ISC)² Code of Ethics consists of a mandatory preamble and four mandatory canons. Additional guidance is provided for each of the canons on the (ISC)² Web site at www.isc2.org.

Internet Architecture Board (IAB) - “Ethics and the Internet” (RFC 1087)
Published by the Internet Architecture Board (IAB) in January 1989, RFC 1087 characterizes as unethical and unacceptable any activity that purposely:
Other important tenets of RFC 1087 include
In This Chapter
Overview
If you’ve already read Chapter 4, you may recall our analogy that castles are normally built in a strategic location with towering walls. But what makes a location strategic, and how high is towering? Exactly where should the battlements and bastions be positioned? Who should guard the entrance, and what are the procedures for raising and lowering the drawbridge? And what should you do after burning and pillaging? This is the realm of the physical (environmental) security domain. For the Physical (Environmental) Security domain of the Common Body of Knowledge (CBK), the Certified Information Systems Security Professional (CISSP) candidate must fully understand the various threats to physical security, the elements of site and facility requirements planning and design, and the various physical security controls, including access controls, technical controls, environmental and life safety controls, and administrative controls, and how to support the implementation and operation of these controls, as covered in this chapter.

Tip Many CISSP candidates underestimate the physical security domain. As a result, exam scores are often lowest in this domain. Although much of the information in this domain is redundant and may seem to be common sense, the CISSP exam does ask very specific questions from this domain, and many candidates lack practical experience in fighting fires!

Fire: Threats from fire can be potentially devastating and lethal. Proper precautions, preparation, and training not only help limit the spread of fire and damage but, more important, can also save lives. Saving human lives is the first priority in any life-threatening situation. Other hazards associated with fires include smoke, explosions, building collapse, release of toxic materials or vapors, and water damage. Fire requires three elements to burn: heat, oxygen, and fuel. These three elements are sometimes referred to as the fire triangle. (See Figure 13-1.)
Fire suppression and extinguishing systems fight fires by removing one of these three elements or by temporarily breaking up the chemical reaction between these three elements: that is, separating the fire triangle. Fires are classified according to the fuel type, as listed in Table 13-1.
Instant Answer Saving human lives is the first priority in any life-threatening situation. You must be able to describe Class A, B, and C fires and their primary extinguishing methods. Class D is less common and is not relevant to the CISSP exam.
Astute organizations will involve security professionals during the design, planning, and construction of new or renovated locations and facilities. Proper site and facility requirements planning during the early stages of construction helps ensure that a new building or data center is adequate, safe, and secure - all of which can help an organization avoid costly situations later.

Choosing a secure location
Location, location, location! Although to a certain degree this bit of conventional business wisdom may be less important to profitability in the age of e-commerce, it’s still a critical factor in physical security. Important factors when considering a location include

Designing a secure facility
Many of the physical and technical controls that we discuss later in this chapter should be considered during the initial design of a secure facility. Doing so will often help reduce the costs and improve the overall effectiveness of these controls. Other building design considerations include
These must be properly secured to prevent an intruder from easily lifting hinge pins and removing the door.
Physical (Environmental) security controls include a combination of physical access controls, technical controls, environmental and life safety controls, fire detection and suppression, and administrative controls.

Physical access controls
Physical access controls consist of the systems and techniques used to restrict access to a security perimeter and provide boundary protection. These include fencing, security guards, dogs, locks, storage areas, security badges, and biometric access controls.

Fencing
Fencing is the primary means for securing an outside perimeter or external boundary and an important element of physical security that the CISSP candidate must know for the exam. Fencing provides physical access control and includes fences, gates, turnstiles, and mantraps. The main disadvantages of fencing are cost and appearance. General fencing height requirements are listed in Table 13-3.

Mantraps
A mantrap is a physical access control method consisting of a double set of locked doors or turnstiles. The mantrap may be guarded or monitored, may require different levels of access to pass through both doors or in a different direction and, in more advanced systems, may have a weight-sensing floor to prevent more than one person from passing through at once.

Security guards
Throughout history, guards have been used to provide physical security for many different situations and environments. Although modern surveillance equipment, biometric access controls, and intrusion detection systems (IDS) may seem to diminish the role of security guards, on the contrary, these tools have increased the need for skilled physical security personnel capable of operating advanced technology and applying discerning judgment. The major advantages of security guards include
Some disadvantages include
Instant Answer The main advantage of security guards is their ability to use human judgment when responding to different situations.

Dogs
Like human guards, dogs also provide a highly visible deterrent, response, and control capability. Additionally, dogs are typically more loyal and reliable than humans, with more acute sensory abilities (smell and hearing). However, the use of guard dogs is typically restricted to an outside security perimeter. Other considerations include

Locks
Doors, windows, and other access points into secure or sensitive areas need to be protected. One of the simplest ways to accomplish this is with a lock. The three basic types of locks are

Storage areas
Storage areas containing spare equipment and parts, consumables, and deliveries should be locked and controlled to help prevent theft. Additionally, you should be aware of any hazardous materials being stored in such areas and any environmental factors or restrictions that may affect the contents of the storage area.

Security badges
Security badges (or access cards) are used for identification and authentication of authorized personnel entering a secure facility or area. A photo identification card (also referred to as a dumb card) is a simple ID card with a facial photograph of the bearer. Typically, no technology is embedded in these cards for authentication purposes, so a security guard must determine whether entry is permitted for the bearer. Smart cards are digitally encoded cards that contain an integrated chip (IC) or magnetic stripe (possibly in addition to a photo). Various types of smart cards include
Although more common in logical access controls, smart cards can also provide two-factor authentication in physical access control systems by requiring the user to enter a personal identification number (PIN) or password, or by incorporating an authentication token or other challenge-response mechanism. Smart cards, and their associated access control systems, can be programmed to permit multilevel access, restrict access to certain periods (day and time), and log access information.

Warning In the Physical (Environmental) Security domain, smart card is used as a general term to describe any security badge or access card with built-in identification and authentication features, such as embedded technology. This may be as simple as a magnetic stripe on an ID card that’s swiped through a card reader. However, in the Access Control domain, a smart card refers to a very specific, highly specialized type of access card: A magnetic stripe doesn’t qualify.

Biometric access controls
Biometrics provides the only absolute method for positively identifying an individual based on some unique physiological or behavioral characteristic of that individual (something you are). We discuss biometrics extensively in Chapter 4. Although biometrics in the Physical (Environmental) Security domain refers to physical access control devices (rather than logical access control devices, as in the Access Control domain), the underlying concepts and technologies are the same. To review, the major biometric systems in use today include
The accuracy of a biometric system is normally stated as a percentage, in the following terms:
Technical controls
Technical controls include monitoring and surveillance, intrusion detection systems (IDS), and alarms that alert personnel to physical security threats and allow them to respond appropriately.

Surveillance
Visual surveillance systems include photographic and electronic equipment that provide detective and deterrent controls. When used to monitor or record live events, they’re a detective control. The visible use of these systems also provides a deterrent control. Electronic systems such as closed-circuit television (CCTV) are used to extend and improve the monitoring and surveillance capability of security guards. Photographic systems, including recording equipment, are used to record events for later analysis or as evidence for disciplinary action and prosecution.

Intrusion detection
Intrusion detection in the physical security domain refers to systems that detect attempts to gain unauthorized physical access to a building or area. Modern intrusion detection systems (IDS) commonly use the following types of sensors:

Warning Don’t confuse intrusion detection systems (IDS) used to detect physical intruders in the Physical (Environmental) Security domain with network-based and host-based intrusion detection systems (IDS) used to detect cyber-intruders.

Alarms
Alarms are activated when a certain condition is detected. Examples of systems employing alarms include fire and smoke detectors, motion sensors and intrusion detection systems (IDS), metal and explosives detectors, access control systems (physical and logical), environmental (for instance, standing water), and climate control monitoring systems. Alarm systems should have separate circuitry and a backup power source. Line supervision, comprising technology and processes used to detect attempts to tamper with or disable an alarm system, should also be implemented. The five general types of alarm systems are

Environmental and life safety controls
These are the controls necessary for maintaining a safe and acceptable operating environment for computers and personnel. These include electrical power, HVAC, smoke detection, and fire detection and suppression.

Electrical power
General considerations for electrical power include having a dedicated feeder(s) from one or more utility substations or power grids and also ensuring that adequate physical access controls are implemented for electrical distribution panels and circuit breakers. An Emergency Power Off (EPO) switch should be installed near major systems and exit doors to shut down power in case of fire or electrical shock. Additionally, a backup power source should be established, such as a diesel power generator. Backup power should only be provided for critical facilities and systems including emergency lighting, fire detection and suppression, mainframes and servers (and certain workstations), HVAC, physical access control systems, and telecommunications equipment. Protective controls for electrostatic discharge (ESD) include
Protective controls for electrical noise include
Using an Uninterruptible Power Supply (UPS) is perhaps the most important protection against electrical anomalies. A UPS provides clean power to sensitive systems and a temporary power source during electrical outages (blackouts, brownouts, and sags); it’s important that this power supply is sufficient to properly shut down the protected systems.

Note: A UPS should not be used as a backup power source. A UPS - even a building UPS - is designed to provide temporary power, typically for 5–30 minutes, in order to give a diesel generator time to start up or to allow a controlled and proper shutdown of protected systems.

Surge protectors and surge suppressors provide only minimal protection for sensitive computer systems and are more commonly (and dangerously) used to overload an electrical outlet or as a daisy-chained extension cord. The protective circuitry in most of these units costs less than one dollar (compare the cost of a low-end surge protector with that of a 6-foot extension cord), and you get what you pay for - these glorified extension cords provide only minimal spike protection. True, a surge protector does provide more protection than nothing at all, but don’t be lured into complacency by these units - check them regularly for proper use and operation and don’t accept them as a viable alternative to a UPS.

HVAC
Heating, ventilation, and air conditioning (HVAC) systems maintain the proper environment for computers and personnel. HVAC requirements planning involves complex calculations based on numerous factors including the average BTUs (British Thermal Units) produced by the estimated computers and personnel occupying a given area, the size of the room, insulation characteristics, and ventilation systems. The ideal temperature range for computer equipment is between 50–80° F (10–26° C). At temperatures as low as 100° F (38° C), magnetic storage media can be damaged.

Instant Answer The ideal temperature range for computer equipment is between 50–80° F (10–26° C).

The ideal humidity range for computer equipment is between 40–60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD or static electricity. Doors and side panels on computer equipment racks should be kept closed (and locked, for physical access control) to ensure proper airflow for cooling and ventilation. Heating and cooling systems should be properly maintained and air filters cleaned regularly to reduce dust contamination and fire hazards. Most gas discharge fire suppression systems will automatically shut down HVAC systems prior to discharging, but a separate EPO should be installed near exits to facilitate a manual emergency shutdown. Ideally, HVAC equipment should be dedicated, controlled, and monitored. If the systems aren’t dedicated or independently controlled, proper liaison with the building manager is necessary to ensure that escalation procedures are effective and understood. Monitoring systems should alert the appropriate personnel when operating thresholds are exceeded.

Fire detection and suppression
Fire detection and suppression systems are some of the most essential life safety controls for protecting facilities, equipment, and most important, human lives.

Detection systems
The three main types of fire detection systems are

Instant Answer The three main types of fire detection systems are heat-sensing, flame-sensing, and smoke-sensing.

Suppression systems
The two primary types of fire suppression systems are

Instant Answer Halon is an ozone-depleting substance. Acceptable replacements include FM-200, CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

Administrative controls
These include the policies and procedures necessary to ensure that physical access, technical controls, and environmental and life safety controls are properly implemented and achieve an overall physical security strategy.

Restricted areas
Areas in which sensitive information is handled or processed should be formally designated as restricted areas with additional security controls implemented. Restricted areas should be clearly marked, and all employees should know the difference between authorized and unauthorized personnel: specifically, how to detect whether someone on the premises is authorized or not.

Visitors
Visitor policies and escort requirements should be clearly defined in the organizational security policy. All visitors should be required to present proper identification to a security guard or receptionist, sign a visitor log, complete a nondisclosure agreement (when appropriate), and wear a conspicuous badge that both identifies them as a visitor and clearly indicates whether an escort is required (often done with color-coded badges). If an escort is required, the assigned escort should be identified by name and held responsible for the visitor at all times while on the premises.

Audit trails and access logs
Audit trails and access logs are detective controls that provide a record of events. These records can be analyzed for unauthorized access attempts and patterns of abuse; they can also potentially be used as evidence. We cover audit trails in Chapter 12.

Asset classification and control
Asset classification and control, particularly physical inventories, are an important detective control. The proliferation of desktop PCs, notebooks, personal digital assistants (PDAs), and wireless devices has made theft a very common and difficult physical security threat to counter. An accurate inventory helps identify missing equipment and may potentially be used as evidence.

Emergency procedures
Emergency procedures must be clearly documented, readily accessible (often posted in appropriate areas), periodically updated, and routinely practiced (in training and drills). Additional copies may also be kept at secure off-site facilities. Emergency procedures should include emergency system shutdown procedures, evacuation plans and routes, and the business continuity plan/disaster recovery plan (BCP/DRP), which we cover in Chapter 11.

General housekeeping
Good housekeeping practices are an important aspect of physical security controls. Implementing and enforcing a no-smoking policy helps to reduce not only potential fire hazards but also contamination of sensitive systems. Cleaning dust and ventilation systems helps maintain a cleaner computing environment and also reduces static electricity and fire hazards. Keeping work areas clean and trash emptied reduces potential fire hazards (combustibles) and also helps identify and locate sensitive information that may have been improperly or carelessly handled.

Pre-employment and post-employment procedures
These include procedures for background and reference checks, obtaining security clearances, granting access, and termination procedures. These procedures are covered extensively in Chapters 6 and 10.

Now that you understand the various threats to physical security and the tools and countermeasures available, let’s consider where these controls may need to be implemented and supported. At the perimeter, which may include adjacent buildings or grounds, parking lots, and possibly a moat - well, that’s a stretch - physical security threats may include fire, water, vibration and movement, severe weather, sabotage and vandalism, and loss of communications or utilities.
And, of course, you were involved in the initial site selection and facility design planning when your building was built so you have no problem securing the perimeter, right? Well, for the other 99 percent that weren’t so fortunate and have to address physical security in a preexisting location and facility, begin by assessing what threats are most relevant and how to mitigate associated risks. Consider recommending physical security controls at the perimeter such as fencing, security guards, dogs, surveillance, and alarms, when applicable. If these controls already exist, ensure that they are adequate and assessed regularly. If physical security is not part of your responsibility, ensure that you have a good working relationship with whoever is responsible. Know who to call in an emergency (fire, police, and utilities) and don’t be a stranger - establish working relationships with these professionals before you need their help! Recommend appropriate security technologies that support physical and environmental security controls. Interior security deals with . . . the inside of your facility! Many of the same physical security threats that affect the perimeter also affect the interior, but often in very different ways. A fire can be a far more life-threatening emergency inside a facility. Water damage may come from sources other than a flash flood, such as your own fire suppression system. Again, under ideal circumstances, your employer’s interior designer consulted with a CISSP, but more often than not, you’ve got some work to do in this area as well! Consider the various aspects of the facility when recommending and supporting interior controls. These include the interior walls, ceilings, floors, doors, and storage areas. And don’t forget the lighting, electrical wiring, physical cabling, ventilation systems, and pipes. 
Various controls for interior security may include locks, restricted areas, security badges, biometric access controls, surveillance, intrusion detection, motion detectors, alarms, and fire detection and suppression systems. Operations/facility and equipment security will involve addressing many of the same threats as interior security and supporting many of the same security controls and countermeasures, but with a specific focus on how these threats may adversely affect your business and computer operations. Administrative controls, such as designating restricted areas, visitor policies, audit trails and access logs, and asset classification and control, are particularly important.