What is the difference between DRP and BCP?


Business Continuity Planning and Disaster Recovery Planning are two sides of the same coin. Each springs into action when a disaster strikes. The difference between BCP and DRP can be expressed in the following two statements:

  • BCP: Business Continuity Planning is concerned with keeping business operations running - perhaps in another location or by using different tools and processes - after a disaster has struck.

  • DRP: Disaster Recovery Planning is concerned with restoring normal business operations after the disaster takes place.

 Tip   BCP and DRP: A simple illustration

Here’s the scenario: The business in question is a delivery service with one delivery truck that delivers goods around the city.

Business Continuity Planning is concerned with keeping the delivery service running in case something happens to the truck, presumably with a backup truck, substitute drivers, maps to get around traffic jams, and other contingencies that can keep the delivery function running.

Disaster Recovery Planning, on the other hand, is concerned with fixing the original delivery truck. This might involve making repairs or even buying/leasing a new truck.

While the Business Continuity team is busy keeping business operations running via one of possibly several contingency plans, the Disaster Recovery team members are busy restoring the original facilities and equipment so that they can resume normal operations.

Here’s an analogy. Two boys kick a big anthill - a disaster for the ant colony. Some of the ants will scramble to save the eggs and the food supply; that’s ant city continuity. Other ants will work on rebuilding the anthill; that’s ant city disaster recovery. Both teams are concerned with the anthill’s survival, but each team has its own role to play.

BCP and DRP projects have these common elements:

  • Identification of critical business functions via the Business Impact Assessment and Vulnerability Assessment

  • Identification of possible disaster scenarios

  • Experts who understand the organization’s critical business processes

This is where the similarities end. The BCP project focuses on continuing business operations, whereas the DRP focuses on recovering the original business functions. While both are concerned with the long-term survival of the business, they are different activities.

Before a BCP project can begin, some basic definitions and assumptions have to be made and understood by everyone on the project team. They are

  • Senior management support: The development of a Business Continuity Plan is time consuming, with no immediate or tangible return on investment (ROI). For a BCP project to be successful, it needs the support of senior management, including adequate budget, manpower, and visible statements backing the project. Senior management needs to make explicit statements identifying the responsible parties, as well as the importance of the BCP project, budget, priorities, urgency, and timing.

  • Senior management involvement: Senior management can’t just bless the BCP project. Because senior managers and directors may be implicitly and explicitly responsible for the organization’s ability to recover from a disaster, senior management needs to have a degree of direct involvement in the BCP effort. The careers that these people save may be their own.

  • Project team membership: Which persons will be chosen to be on the BCP project team? All relevant functions and business units must be represented. Chances are that many of the team members have their usual jobs too, so the team will need to be realistic about how quickly the BCP project can make progress.

  • Who brings the donuts: Because it’s critical that BCP meetings are well attended, this is an essential success component.

A BCP project typically has four components: scope determination, the Business Impact Assessment, the Business Continuity Plan, and implementation. We discuss each of these components in the following sections.

The success and effectiveness of a Business Continuity Plan depends greatly upon whether its scope is properly defined. Business processes and technology can muddy the waters and make this task difficult. For instance, distributed systems and genuine dependence on at least some desktop systems for vital business functions expands the scope beyond core functions. Geographically dispersed companies - often the result of mergers - complicate matters as well.

Also, large companies are understandably more complex. The boundaries between where a function begins and ends are oftentimes fuzzy and sometimes poorly defined.

Political pressures can influence the scope as well. A department that thinks that it’s vital but which is outside the BCP scope may lobby to be included therein, appropriately or otherwise. Everybody wants to be important, and some just want to appear to be important.

Scope creep can become scope leap if the BCP project team is weak or inexperienced. For the success of the project, strong leaders must make rational decisions about the scope of the project. Remember that the scope of BCP projects can be changed in later iterations of the project.

The project team needs to find a balance between too narrow a scope, which will make the plan ineffective, and too wide a scope, which will make the plan too cumbersome.

The Business Impact Assessment (BIA) describes the impact that a disaster has on business operations. The impact includes quantitative and qualitative elements. The quantitative impact is generally financial, such as loss of revenue or output of production. The qualitative impact has more to do with the delivery of goods and/or services and with intangible losses such as those listed under “Qualitative losses” later in this section.

Vulnerability Assessment

Often a BIA includes a Vulnerability Assessment that’s used to get a handle on obvious and not-so-obvious weaknesses in business critical systems. Like a Risk Assessment, a Vulnerability Assessment has quantitative (financial) and qualitative (operational) sections.

 Instant Answer   The purpose of a Vulnerability Assessment is to determine the impact - both quantitative and qualitative - of the loss of a critical business function.

Quantitative losses include

  • Loss of revenue

  • Loss of operating capital

  • Loss because of personal liabilities

  • Increase in expenses

  • Penalties because of violations of business contracts

  • Violations of laws and regulations

Qualitative losses include loss of

  • Competitive advantages

  • Market share

  • Prestige and reputation

The Vulnerability Assessment identifies critical support areas, which are business functions that, if lost, would cause irreparable harm to the business by jeopardizing critical business processes or the lives and safety of personnel. Critical support areas should be studied carefully in the Vulnerability Assessment to identify the resources that they require to continue functioning.

 Instant Answer   Quantitative losses include an increase in operating expenses attributable to any higher costs associated with executing the contingency plan.

Criticality Assessment

The BCP team should inventory all high-level business functions (for example, customer support, order processing, returns, accounts receivable, and so on) and rank them in order of criticality, and also describe the impact of a disruption of each function on overall business operations.

Essential to the Criticality Assessment is an analysis of the impact of a disruption based upon its duration. You can see the vast difference in business impact of a disruption lasting one minute compared with one hour, one day, one week, or longer. Generally, the criticality of a business function depends upon the degree of impact that its impairment has on the business.

Identifying key players

Although you can consider a variety of angles when evaluating vulnerability and criticality, commonly you start with a high-level organization chart (hip people call this the org chart). In most companies, the major functions pretty much follow the structure of the organization.

Following an org chart helps the BCP project team to consider all the steps in a critical process. A walk through the org chart, stopping at each manager’s or director’s position and asking, “What does he do?” and “What does she do?” will help to jog your memory and to better see all the parts of the organization’s big picture.

 Tip   When you’re cruising an org chart to make sure all areas of the organization are covered, you may easily overlook outsourced functions that might not show up in the org chart. For instance, if accounts payable (A/P) functions are outsourced, you might miss this detail if you don’t see it on an org chart. Okay, maybe this is a bad example because the absence of all of A/P would probably be noticed. But if part of A/P - say, a group that detects and investigates A/P fraud (looking for payment patterns that would suggest the presence of phony payment requests) - were outsourced, that vital function would probably not be on the org chart.

Establishing Maximum Tolerable Downtime

An extension of the Criticality Assessment is a statement of Maximum Tolerable Downtime (MTD) for each critical business function. Maximum Tolerable Downtime is the maximum period of time that a critical business function can be inoperative before the company fails to be viable.

Here’s an illustration: Imagine your favorite online merchant - a bookseller, an auction house, or an online trading company - being down for an hour or a day or a week. At some point, you have to figure that a prolonged disruption will literally sink the ship and that the business won’t survive. This is what MTD is all about.

The Maximum Tolerable Downtime assessment should be a major factor that determines the criticality - and priority - of business functions. A function that can only withstand two hours of downtime obviously has a higher priority than another function that can withstand several days of downtime.

 Instant Answer   Maximum Tolerable Downtime is a measure of the longest period of time that a critical business function can be disrupted without threatening the survivability of the organization.

Defining Resource Requirements

The Resource Requirements portion of the BIA is a listing of the resources that are required to continue operating each critical business function. In an organization with finite resources (which is pretty much everyone), the most critical functions are going to get first pick, with the lower priority functions getting the leftovers.

A complete Business Recovery Plan consists of several components that handle not only the continuation of critical business functions but also all the functions and resources that support those critical functions.

Emergency response

Emergency response teams must be identified for every possible type of disaster. These response teams need written procedures to keep critical business functions operating.

Written procedures are vital for two reasons. First, the people who perform critical functions may not be familiar with them: They may not be the same persons who perform them under usual circumstances (during a disaster, the people who ordinarily perform the function may be unavailable). Second, the procedures and processes for performing the critical functions during a disaster will probably be different than under normal conditions.

Damage assessment

When a disaster strikes, experts need to be called in to inspect the premises and determine the extent of the damage. Typically, you need experts who can assess building damage, as well as damage to any special equipment and machinery.

Depending upon the nature of the disaster, damage assessment may be performed in stages. A first assessment may be a quick walkthrough to look for obvious damage, followed by a more time-consuming and detailed assessment to look for problems that are not so easily found.

The purpose of damage assessments is to determine whether buildings and equipment can still be used, whether they can be used after some repairs, or whether they must be abandoned altogether.

Personnel safety

In any kind of disaster, the safety of personnel is the highest priority, ahead of buildings, equipment, computers, backup tapes, and so on. This is not only because of the intrinsic value of human life, but also because people - not physical assets - make the business run.

Personnel notification

The Continuity Plan must have some provisions for notifying all affected personnel that a disaster has occurred. Multiple methods for notifying key business continuity personnel are needed in cases in which public communications infrastructures are interrupted.

Not all disasters are obvious: A fire or broken water main is a local event, not a regional one. And, in an event like a tornado or flood, the state of the business is not necessarily clear to employees who live even a few miles away. Consequently, the organization needs a plan for communicating with employees, no matter what the situation.

Throughout a disaster and its recovery, management must be given regular status reports as well as updates on crucial tactical issues so that management can align resources to support critical business operations that function on a contingency basis. For instance, a manager of a corporate facilities department can loan equipment needed by critical departments so that they can keep functioning.

Backups and off-site storage

Things go wrong with hardware and software, resulting in wrecked or unreachable data. When it’s gone, it’s gone! This is why IT departments everywhere make copies of their critical data onto tapes or removable discs.

These backups must be performed regularly, usually once per day. The backup media must also be stored off-site in the event that the facility housing those systems is damaged. Having backup tapes in the data center is of little value if they’re destroyed along with their respective systems.

For systems with large amounts of data, that data must be well understood in order to determine what kinds of backups need to be performed (full, differential, incremental) and how frequently. The factors that need to be considered are

  • The time that it takes to perform backups

  • The effort required to restore data

  • The procedures for restoring data from backups compared with other methods for re-creating the data

For example, you must consider whether restoring application software from backup tapes is faster than simply reinstalling it from release media. Also, if a large part of the database is static, does it really need to be backed up every day?
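The trade-off the three factors above describe (time spent backing up versus effort to restore) can be made concrete. The following worked example is added here and is not code from the book; it assumes a weekly full backup on Sunday with either differential or incremental backups on the other six days, and a constructed 1 TB database that changes by about 10 GB a day (with each day's changes treated as distinct data, a simplification). It computes which backup sets must be restored to recover a given day's data under each scheme, and how much data each scheme writes to media per week.

```python
# Added example (not from the book): how the choice of backup scheme trades
# backup volume against restore effort. Schedule and sizes are constructed.
from datetime import date, timedelta

FULL_BACKUP_WEEKDAY = 6  # Monday = 0 ... Sunday = 6; the weekly full runs on Sunday
SCHEMES = ("full", "differential", "incremental")


def _as_date(value) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-06-06'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def last_full_backup(target) -> date:
    """Date of the most recent full backup on or before `target`."""
    target = _as_date(target)
    days_since_full = (target.weekday() - FULL_BACKUP_WEEKDAY) % 7
    return target - timedelta(days=days_since_full)


def restore_chain(target, scheme: str) -> list[str]:
    """Backup sets that must be restored, in order, to recover data as of the
    end of `target`.

    full         - only the weekly full; changes made after it are lost
    differential - the full plus the latest differential (everything since the full)
    incremental  - the full plus every incremental since it, applied in date order
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unknown backup scheme {scheme!r}")
    target = _as_date(target)
    full = last_full_backup(target)
    chain = [f"full {full.isoformat()}"]
    if target == full or scheme == "full":
        return chain
    if scheme == "differential":
        chain.append(f"differential {target.isoformat()}")
        return chain
    day = full + timedelta(days=1)
    while day <= target:  # incremental: one set per day since the full
        chain.append(f"incremental {day.isoformat()}")
        day += timedelta(days=1)
    return chain


def weekly_backup_volume_gb(scheme: str, full_size_gb: float, daily_change_gb: float) -> float:
    """Data written to backup media over one week (one full plus six partials).

    Simplifying assumption: each day changes a fresh `daily_change_gb` of data,
    so a differential taken n days after the full holds n days of changes.
    """
    if scheme == "full":
        return 7 * full_size_gb
    if scheme == "differential":
        return full_size_gb + sum(n * daily_change_gb for n in range(1, 7))
    if scheme == "incremental":
        return full_size_gb + 6 * daily_change_gb
    raise ValueError(f"unknown backup scheme {scheme!r}")


def compare_schemes(target, full_size_gb: float, daily_change_gb: float) -> dict:
    """Side-by-side view of the two factors the BIA weighs: time spent backing
    up (weekly volume) versus effort to restore (sets in the restore chain)."""
    return {
        scheme: {
            "sets_to_restore": len(restore_chain(target, scheme)),
            "weekly_volume_gb": weekly_backup_volume_gb(scheme, full_size_gb, daily_change_gb),
        }
        for scheme in SCHEMES
    }


if __name__ == "__main__":
    # Constructed case: recover Thursday 2024-06-06 (the Sunday full ran on 2024-06-02).
    for scheme, result in compare_schemes("2024-06-06", 1000.0, 10.0).items():
        print(f"{scheme:13s} restore {result['sets_to_restore']} set(s), "
              f"{result['weekly_volume_gb']:.0f} GB written per week")
```

For the Thursday recovery the incremental scheme needs five sets restored in the right order but writes the least data each week, the differential scheme needs two sets, and the full-only scheme needs one set at seven times the media volume; which is acceptable depends on the function's recovery needs, which is exactly what the factors above ask the team to weigh.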

Off-site storage of backup media and other materials (documentation, and so on) must be chosen carefully. Factors to consider include survivability of the off-site storage facility as well as the distance from the off-site facility to the data center, airports, and alternate processing sites. The facility needs to be close enough so that media retrieval doesn’t take too long (how long depends upon the organization’s recovery needs), but not so close that the facility will be involved in the same natural disaster as the business.

 Tip   Some organizations have one or more databases that are so large that they literally cannot (or, at any rate, do not) back them up to tape. Instead, they keep one or more replicated copies of the database on other computers in other cities. BCP planners need to consider this possibility when developing continuity plans.

 Instant Answer   The purpose of off-site media storage is to make up-to-date data available in the event that the primary data center is damaged.

Software escrow agreements

Your organization should consider software escrow agreements (wherein the software vendor sends a copy of its software code to a third-party escrow organization for safekeeping) with the software vendors whose applications support critical business functions. In the event that an insurmountable disaster (this could include bankruptcy) strikes the software vendor, your organization must be able to consider all options for the continued maintenance for those critical applications, including in-house support.

External communications

The Corporate Communications, External Affairs, and (if applicable) Investor Relations departments should all have plans in place for communicating the facts about a disaster to the press, customers, and public. Contingency plans for these functions are critical if the organization is to continue communicating to the outside world. Open communication during a disaster is vital so that customers, suppliers, and investors don’t panic because they don’t know the true extent of the disaster.

 Warning   Who says External Affairs is nonessential?

Suppose the headquarters building for a large company burns to the ground. (This is very unlikely in modern buildings, but stay with us.) All personnel escape unharmed. In fact, the organization is very well off because all the information in the building was duplicated and stored in an off-site facility. Nice work! However, the External Affairs department, which was housed in that building, loses everything. It takes two days to recover the capability of communicating to the outside world. However, because of this time lag, the company loses many of its customers, who feared the worst. This is an especially unfortunate and ironic circumstance because the company was actually in pretty good shape prior to the disaster.

The emergency communications plan needs to take into account the possibility that some corporate facilities or personnel may be unavailable. So even the data and procedures related to the communications plan need to be kept safe so that they’re available in any situation.

Utilities

Data-processing facilities that support time-critical business functions must keep running in the event of a power failure. Although every situation is different, the principle is not: The BCP team must determine for what period of time the data-processing facility must be able to continue operating without utility power. A power engineer can find out the length of power outages in your area and crunch the numbers to arrive at the mean time between outages. By using that information, as well as having an inventory of the data center’s equipment and environmental equipment, you can determine whether the organization needs an uninterruptible power supply (UPS) alone, or a UPS and an electric generator.

 Instant Answer   Uninterruptible power supplies (UPSes) and emergency electric generators are used to provide electric power during prolonged power outages.

 Remember   In a really long power outage (more than a day or two), it is also essential to have a plan for the replenishment of generator fuel.
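The "crunch the numbers" step above can be written down. The following worked example is added here and is not code from the book; its outage log, battery capacity, load, inverter efficiency, usable battery fraction and diesel consumption rate are all constructed or assumed figures that a real assessment would replace with the power engineer's data and the vendor's runtime curves. It summarizes the outage history, estimates how long the UPS alone can carry the load, checks that against the longest observed outage and the runtime the BCP team requires, and sizes a fuel reserve for the generator if one is needed.

```python
# Added example (not from the book): decide between a UPS alone and a UPS plus
# generator from an outage history and the data center's load, then size the
# generator fuel reserve. Every number here is constructed or assumed.
from statistics import mean

# Constructed two-year outage log for one site: durations in minutes.
OBSERVATION_HOURS = 2 * 365 * 24
OUTAGE_MINUTES = [4, 12, 35, 150, 2, 480, 20, 8]


def summarize_outages(outage_minutes, observation_hours):
    """Mean time between outages plus the mean and longest outage durations."""
    if not outage_minutes:
        return {"mtbo_hours": float(observation_hours), "mean_minutes": 0.0, "longest_minutes": 0}
    return {
        "mtbo_hours": observation_hours / len(outage_minutes),
        "mean_minutes": mean(outage_minutes),
        "longest_minutes": max(outage_minutes),
    }


def ups_runtime_minutes(battery_wh, load_w, inverter_efficiency=0.9, usable_fraction=0.8):
    """Minutes a UPS can carry `load_w` from a battery bank of `battery_wh`.
    The efficiency and usable-capacity figures are assumptions."""
    if load_w <= 0:
        raise ValueError("load must be positive")
    return battery_wh * inverter_efficiency * usable_fraction / load_w * 60


def fraction_ridden_through(outage_minutes, runtime_minutes):
    """Share of historical outages the UPS alone would have covered."""
    if not outage_minutes:
        return 1.0
    return sum(1 for d in outage_minutes if d <= runtime_minutes) / len(outage_minutes)


def power_recommendation(outage_minutes, required_runtime_minutes, ups_minutes):
    """A generator is needed when the UPS cannot cover either the runtime the
    BCP team requires or the longest outage actually observed."""
    worst_case = max([required_runtime_minutes, *outage_minutes])
    return "UPS alone" if ups_minutes >= worst_case else "UPS plus generator"


def generator_fuel_liters(load_kw, run_hours, liters_per_kwh=0.4, reserve_factor=1.25):
    """Fuel to stock for `run_hours` of generator operation at `load_kw`, with a
    safety margin; 0.4 L/kWh is an assumed diesel consumption rate."""
    return load_kw * run_hours * liters_per_kwh * reserve_factor


if __name__ == "__main__":
    # Constructed data center: 8 kW load, 20 kWh of UPS battery, and a BCP
    # requirement to ride through 4 hours (240 minutes) without utility power.
    summary = summarize_outages(OUTAGE_MINUTES, OBSERVATION_HOURS)
    runtime = ups_runtime_minutes(battery_wh=20_000, load_w=8_000)
    print(f"mean time between outages: {summary['mtbo_hours']:.0f} h, "
          f"longest outage: {summary['longest_minutes']} min")
    print(f"UPS runtime: {runtime:.0f} min, covers "
          f"{fraction_ridden_through(OUTAGE_MINUTES, runtime):.0%} of past outages")
    decision = power_recommendation(OUTAGE_MINUTES, 240, runtime)
    print(decision)
    if decision != "UPS alone":
        # Plan fuel for a two-day outage, matching the "Remember" note above.
        print(f"stock about {generator_fuel_liters(8, 48):.0f} L of fuel for 48 h")
```

In the constructed case the UPS carries the load for roughly 108 minutes, which rides through three quarters of the recorded outages but not the 8-hour one nor the team's 4-hour requirement, so the recommendation is a UPS to bridge the gap plus a generator, with about 192 litres of fuel stocked for two days of running.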

Logistics and supplies

The BCP team needs to study every aspect of critical functions that must be made to continue in a disaster. Every resource that’s needed to sustain the critical operation must be identified and then considered against every possible disaster scenario to determine what special plans must be made. For instance, if a business operation relies upon a just-in-time shipment of materials for its operation and an earthquake has closed the region’s only highway (or airport or sea/lake port), then alternative means for acquiring those materials must be determined in advance. Or, perhaps an emergency ration of those materials needs to be stockpiled so that the business function can continue uninterrupted.

Fire and water protection

Many natural disasters disrupt public utilities, including water supplies or delivery. In the event that a disaster has interrupted water delivery, new problems arise. Your facility may not be allowed to operate without the means for fighting a fire, should one occur.

In many places, businesses could be ordered to close if they can’t prove that they can effectively fight a fire using other means, such as FM-200. Then again, if water supplies have been interrupted, you have other issues to contend with, such as drinking water and water for restrooms. Without water, you’re hosed!

Documentation

Any critical business function must be able to continue operating after a disaster strikes. An essential item for sustained operations includes all relevant documentation for every piece of equipment as well as every critical process and procedure that’s performed in a given location.

Don’t be lulled into taking for granted the emerging trend of hardware and software products not coming with any documentation. After all, many vendors deliver their documentation only over the Internet, or they charge extra for hard copy. But many types of disasters may disrupt Internet communications, thereby leaving an operation high and dry with no instructions on how to use and manage tools or applications.

At least one set of hard copy (or CD-ROM soft copy) of documentation should be stored at the same off-site storage facility that stores the organization’s backup tapes.

 Instant Answer   Continuity and recovery documentation must exist in hard copy in the event that it’s unavailable via technical means such as laptop computers.

Data processing continuity planning

Data processing facilities are so vital to businesses today that a lot of emphasis is placed on them. Generally this comes down to these variables: where and how the business will continue to sustain its data processing functions.

Because data centers are so expensive and time consuming to build, better business sense dictates having an alternate processing site available. The types of sites are

  • Cold site: A cold site is basically an empty computer room with environmental facilities (UPS; heating, ventilation, and air conditioning [HVAC]; and so on) but no equipment. This is the least costly option, but more time is required to assume a workload because computers need to be brought in from somewhere and set up, and data and applications need to be loaded. Connectivity to other locations also needs to be installed.

  • Warm site: A warm site is basically a cold site but with computers and communications links already in place. In order to take over production operations, the computers must be loaded with application software and business data.

  • Hot site: Indisputably the most expensive option, a hot site is equipped with the same computers as the production system, with application changes, operating system changes, and even patches kept in sync with the live production system counterparts. Even business data is kept up-to-date at the hot site, with some sort of mirroring or transaction replication. Because they are trained on operating the organization’s business applications (and they have documentation), the staff there knows what to do to take over data processing operations at a moment’s notice.

  • Reciprocal site: Your organization and another organization sign a reciprocal agreement that pledges to one another the availability of the other’s data center in the event of a disaster. Back in the day when data centers were rare, this was a common remedy, but it has fallen out of favor in recent years.

  • Multiple data centers: Larger organizations can consider the option of running daily operations out of two or more regional data centers that are hundreds (or more) of miles apart. The advantage of this arrangement is that the organization doesn’t have to make arrangements with outside vendors for hot/warm/cold sites, and the organization’s staff is already onsite and familiar with business and computer operations.

 Instant Answer   A hot site provides the most rapid recovery ability, but it’s also the most expensive because of the effort that it takes to maintain its readiness.

Table 10-1 compares these options side by side.

Table 10-1: Data Processing Continuity Planning Site Comparison

Feature                          Hot Site           Warm Site        Cold Site        Multiple Data Centers
Cost                             Highest            Medium           Low              No additional
Computer-equipped                Yes                Yes              No               Yes
Connectivity-equipped            Yes                Yes              No               Yes
Data-equipped                    Yes                No               No               Yes
Staffed                          Yes                No               No               Yes
Typical lead time to readiness   Minutes to hours   Hours to days    Days to weeks    Minutes to hours
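Putting Table 10-1 together with the Criticality Assessment and Maximum Tolerable Downtime figures from the BIA gives a simple selection rule: rank functions by MTD, then give each one the least costly site whose worst-case time to readiness still fits inside its MTD. The following worked example is added here and is not code from the book. Because the table gives only ranges, the hour bounds (hot site up to 4 hours, warm site up to 3 days, cold site up to 2 weeks) and the cost ranks are assumptions, and the inventory of functions and their MTDs is constructed. Multiple data centers are left out of the per-function choice because they are an organization-wide decision rather than a site brought up after a disaster; the example flags functions whose MTD is shorter than any alternate site can meet as candidates for that kind of continuous redundancy.

```python
# Added example (not from the book): rank critical functions by Maximum
# Tolerable Downtime and choose, per function, the cheapest alternate site from
# Table 10-1 whose assumed worst-case time to readiness fits inside the MTD.
# The hour bounds and cost ranks are assumptions; the table gives ranges only.

SITE_OPTIONS = [
    # (name, relative cost rank with 1 = cheapest, assumed worst-case hours to readiness)
    ("cold site", 1, 14 * 24),  # "days to weeks": assume up to two weeks
    ("warm site", 2, 3 * 24),   # "hours to days": assume up to three days
    ("hot site", 3, 4),         # "minutes to hours": assume up to four hours
]

# Constructed inventory of business functions and their MTDs in hours.
FUNCTIONS = {
    "order processing": 4,
    "customer support": 24,
    "accounts receivable": 120,
    "returns": 720,
    "payment switch": 1,
}


def rank_by_criticality(functions):
    """Most critical first: the shorter the MTD, the higher the priority."""
    return sorted(functions, key=lambda name: (functions[name], name))


def choose_site(mtd_hours, options=SITE_OPTIONS):
    """Cheapest option that can be ready within the MTD, or None if none can.

    None means no alternate site brought up after the disaster is fast enough;
    the function needs continuous redundancy such as multiple data centers."""
    eligible = [opt for opt in options if opt[2] <= mtd_hours]
    if not eligible:
        return None
    return min(eligible, key=lambda opt: opt[1])[0]


def site_plan(functions, options=SITE_OPTIONS):
    """Per-function site choice in criticality order, plus the most expensive
    site tier the organization must contract for to cover every function."""
    plan = [(name, functions[name], choose_site(functions[name], options))
            for name in rank_by_criticality(functions)]
    cost_rank = {name: rank for name, rank, _ in options}
    chosen = [choice for _, _, choice in plan if choice is not None]
    highest_tier = max(chosen, key=cost_rank.get) if chosen else None
    return plan, highest_tier


if __name__ == "__main__":
    plan, tier = site_plan(FUNCTIONS)
    for name, mtd, choice in plan:
        print(f"{name:20s} MTD {mtd:4d} h -> {choice or 'no alternate site is fast enough'}")
    print(f"site tier to contract for: {tier}")
```

With the constructed inventory the 1-hour payment switch cannot be covered by any alternate site and is flagged for redundancy, order processing and customer support need the hot site, accounts receivable can live with the warm site, and returns with the cold site; the organization as a whole must therefore contract for a hot site, and the plan lists the functions in the order they should be brought back.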
By now you’ve defined the scope of the BCP project and developed the Business Impact Assessment, Criticality Analysis and MTDs. Here’s what you know so far:

  • You know what portion of the organization is included in the plan.

  • You know, of this portion of the organization, which business functions are so critical that the business would fail were these functions to be interrupted for long (or even short) periods of time.

  • You have some idea of the degree of impact on the business when one of the critical functions fails. This idea comes from quantitative and qualitative data.

The hard part of the Business Continuity Project begins now: This is where you develop the strategy for continuing each critical business function when disasters occur. This is known as the Continuity Strategy.

Developing a Continuity Strategy is the time for looking at the excruciating details of critical business functions. This is the time for strong coffee, pizzas, buckets of Rolaids, and cool heads.

Identifying success factors

The critical success factors for this important and time-consuming phase of the project include

  • Call things as you see them: No biases. No angles. No politics. No favorites. No favors. This isn’t the time for screwing around - you’re trying to save the business before the disaster strikes.

  • Build smaller teams of experts: Each critical business function should have teams dedicated to just that function. That team’s job is to analyze just one critical business function and figure out how it can be made to continue despite a disaster of some sort. Pick the right people for each team - people who really understand the details of the business process being examined.

  • Brainstorm: Proper brainstorming considers all ideas, even silly ones (to a point). Even a silly idea can lead to a good idea.

  • Have teams share results with each other: Teams working on individual continuity strategies can learn from each other. Each team can share highlights of its work over the past week or two. Some of the things that they say will spark ideas on other teams. The entire effort will be better off for it.

  • No competition or politics in or between teams: Don’t pit teams against each other. This is not a zero-sum game: Everyone needs to do an excellent job.

  • Retain a BCP mentor/expert: If your organization doesn’t have experienced business continuity planners on staff, you need to bring in a consultant - someone who has helped to develop plans for other organizations. Even more important than that - someone who has been there when disaster struck and who saw the BCP in action.

Getting amazing things done

It is amazing what you can accomplish if you don’t care who gets the credit. Nowhere is this more true in business than in Business Continuity Planning. A BCP project is a setting where people will jostle for power, influence, and credit.

These forces must be neutralized. Business Continuity Planning should be apolitical, meaning differences and personal agendas are set aside. Only then is there a reasonable chance of success. The business, and its employees and customers, deserve nothing less.

Simplifying large or complex critical functions

Some critical business functions may be too large and complex to examine in one big chunk. Complex functions can be broken down into smaller components, perhaps like this:

  • People: The team can identify the critical people - or more appropriately, the critical subfunctions - required to keep the function running.

  • Facilities: In the event that the function’s primary facilities are unavailable, where will the function be performed?

  • Technology: What hardware, software, and other computing/network components support the critical function? If parts or all these components are unavailable, what other equipment will support the critical business functions? Will the functions be performed any differently?

  • Miscellaneous: What supplies, other equipment, and services are required to support the critical business function?

Analyzing processes is like disassembling Tinker Toy houses - you’ve got to break them down to the individual component level. You really do need to understand each step in even the largest processes in order to be able to develop good continuity plans for them.

If a team analyzing a large complex business function breaks into groups such as these listed here, these groups need to get together frequently to ensure that their respective strategies eventually become a cohesive whole. Eventually, these four (or whatever number) groups need to come back together and integrate their separate materials into one complete plan.

Documenting the strategy

Now for the part that everyone loves: documentation. The details of the continuity plans for each critical function must be described in minute detail, step by step by step.

Why? The people who develop the strategy may very well not be the people who execute it. The people who develop the strategy may change roles in the company or change jobs altogether. Or, the scope of an actual disaster may be wide enough that the critical personnel just aren’t available. Any skeptics should consider September 11 and the impact that this disaster had on a number of companies that lost practically everyone and everything.

 Remember   Why hire an expert?

Most of us don’t do Business Continuity Planning for a living. Although we may be the experts on our business processes, we’re not necessarily the right people for knowing all the angles of contingency planning.

Turn this question around for a minute: What would you think if an IT shop developed a security strategy without having a security expert’s help? Do you think that this would result in a sound, viable strategy?

The same argument fits equally well with BCP.

For the remaining skeptics, do yourself a favor: Hire a BCP expert for just a short time to help validate your framework and plan. If your expert says that your plan is great, then you can consider it money well spent to confirm your suspicions. If the consultant says that your plan needs help, ask for details on where and how. Then you decide whether to rework and improve your plan.

When disaster strikes, it’s too late to wish that you had a good business continuity plan.

Best practices for documenting Business Continuity Plans exist. Here is another reason to have that expert around. For $300 an hour, a consultant can spend a couple of weeks developing templates. But watch out - your consultant might just download templates from a BCP Web site, tweak them a little bit, and spend the rest of his time playing World of Warcraft.
It is an accomplishment indeed when the BCP documentation has been written, reviewed, edited, and placed into three-ring binders. However, the job isn’t yet done. The Business Continuity Plan needs senior management buy-in, the plan must be announced and socialized throughout the organization, and one or more persons must be dedicated to keeping the plan up-to-date. Oh yeah, and the plan needs to be tested!

Securing senior management approval

After the entire plan has been documented and reviewed by all stakeholders, it’s time for senior management to examine it and approve it. Not only must senior management approve the plan, but senior management must also publicly approve it.

 Instant Answer   Senior management approval is needed so that all affected and involved employees in the organization understand the importance of emergency planning.

Promoting organizational awareness

Everyone in the organization needs to be made aware of the existence of the plan and of his or her role in it. This may mean training for potentially large numbers of people who are expected to be there when a disaster strikes.

 Instant Answer   All employees in the organization must be made aware of the existence of the Business Continuity Plan.

Maintaining the plan

No, the plan isn’t finished. It has just begun! Now the BCP person (the project team members by this time have collected their commemorative denim shirts, mugs and mouse pads, and have moved on to other projects) needs to periodically chase The Powers That Be to make sure that they know about all significant changes to the environment.

In fact, if the BCP person has any standing left at this point in the process, he or she needs to start attending the Change Control Board (or whatever the company calls it) meetings and to note any change that may mean some detail in a BCP document needs updating.

 Tip   The Business Continuity Plan is easier to modify than it is to create out of thin air. Once or twice each year, someone knowledgeable needs to examine the detailed strategy and procedure documents in the BCP to make sure that they’ll still work.




As we describe in the earlier section “The Difference between BCP and DRP,” the planning for both Disaster Recovery and Business Continuity have common roots. Both need to assemble similar project teams; both need executive sponsorship and support; and both must identify critical business processes.

Here the similarity ends. In the remainder of this chapter, we discuss the development and implementation of the Disaster Recovery Plan.





While the BCP folks develop a plan to keep business operations rolling, the DRP people develop a plan to restore the damaged facility(ies) so that the critical business functions can operate there again.

Preparing for emergency response

Emergency response teams must be prepared for every possible scenario. Members of these teams need a variety of specialized training to deal with such things as water and smoke damage, structural damage, flooding, and hazardous materials.

All the types of response must be documented so that the response teams know what to do. The emergency response documentation consists of two major parts: how to respond to each type of incident, and up-to-date facts about the facilities and equipment that the organization uses.

In other words, you want your teams to know how to deal with water damage, smoke damage, structural damage, hazardous materials, and many other things. Your teams also need to know everything about every company facility: where things such as utility entrances, electrical equipment, HVAC, fire control, elevators, communications, data closets, and so on are located, which vendors maintain and service them, and so on. And you need experts who know about the materials and construction of the buildings themselves.

Responding to an emergency branches into two activities: salvage and recovery. Closely related is preparing financially for the costs associated with salvage and recovery.

Salvage

The salvage team is concerned with restoring full functionality to the damaged facility. This includes several activities:

  • Damage assessment: The facility must be thoroughly examined to identify the full extent and nature of damage. Frequently, this inspection is performed by outside experts such as structural engineers and the like.

  • Salvage assets: Assets, such as computer equipment, records, furniture, inventory, and so on, need to be removed from the facility.

  • Cleaning: The facility needs to be thoroughly cleaned to eliminate smoke damage, water damage, debris, and more. This job is frequently performed by outside companies that specialize in these services.

  • Restoring the facility to operational readiness: The final step to full recovery is the completion of repairs and restocking and reequipping the facility to return it to pre-disaster readiness. At this point, the facility is ready for business functions to resume there.

 Instant Answer   The salvage team is primarily concerned with the restoration of a facility to return it to operational readiness.

Recovery

Recovery comprises equipping the BCP team (yes, the BCP team - this is one of the touch points between BCP and DRP) with any logistics, supplies, or coordination in order to get alternate functional sites up and running. This activity should be heavily scripted, with lots of procedures and checklists in order to ensure that every detail is handled.

Financial readiness

The salvage and recovery operations can be very expensive. The organization must be prepared for potentially large expenses (at least several times the total monthly operating cost) to restore operations to the original facility.

Notifying personnel

The disaster recovery team needs to have communication plans prepared in advance of any disaster. The DRP team must have a way of notifying employees about facilities that are closed, bearing in mind that one or more traditional means of communication may have been knocked out by the same event that damaged the business facilities. For example, if a building has been damaged, the voice-mail system that people would normally call to check messages and get workplace status might not be working. Hmmm, what to do, what to do . . . The usual answer is a channel that doesn't depend on the damaged site: a call tree with numbers kept on paper and on personal phones, an externally hosted status line or Web page, or a mass-notification service. Whichever you choose, exercise it during plan tests rather than discovering during the disaster that nobody kept the list current.

Facilitating external communications

The corporate departments that communicate with customers, investors, government, and the media are equipped with pretty much the same information as for Business Continuity Planning. There are really no differences and no need for any significant differences in planning for external communications between DRP and BCP.

Not only response, but also prevention

On the surface, it appears that Disaster Recovery Planning is all about cleaning up and restoring business operations after a hurricane, tornado, or flood. However the DRP project can add considerable value to the organization if it also points out things that are putting the business at risk in the first place. For instance, the DRP planning team may discover a design flaw in a building that makes it more vulnerable to damage during a flood. The planning team can make a recommendation outlining the necessary repairs in order to reduce the likelihood of flood damage.

Maintaining physical security

Looting and vandalism sometimes occur after significant disastrous events. The organization must be prepared to deploy additional guards as well as erect temporary fencing and other physical barriers in order to protect its physical assets until damaged facilities are secured and law and order are restored. And we’re not just concerned with physical assets: personnel (if any are present) require protection too.

Personnel safety

Personnel safety must be addressed explicitly, because people are often working in damaged and hazardous areas right after a disaster, during damage assessment and salvage.




By the time that an organization has completed a DRP, it will probably have spent hundreds of man-hours and possibly tens or hundreds of thousands of dollars on consulting fees. You would think that after making this large of an investment, any organization would want to test its DRP to make sure that it works when a real emergency strikes.

Five methods available for testing the Disaster Recovery Plan are

  • Checklist: This amounts to a review or read-through of the disaster recovery plan documentation. By itself, this is an insufficient way to test a DRP; however, it’s a logical starting place. One of the following tests should be performed afterwards.

  • Structured walkthrough: A team of experts in the organization performs a step-by-step review of the DRP (preferably in a fancy mountain retreat, where they can think much more clearly).

  • Simulation: In a simulation, all the designated disaster recovery personnel practice going through the motions associated with a real recovery. In a simulation, the team doesn’t actually perform any recovery or alternate processing.

  • Parallel: A parallel test involves performing all the steps of a real recovery except that the real, live production computers are kept running. They run in parallel with the disaster recovery computers. This is a very time-consuming test, but it does test the accuracy of the applications because analysts compare data on the test recovery systems with production data.

  • Interruption: An interruption test is similar to a parallel test except that in an interruption test, a function’s computer systems are actually shut off or disconnected. An interruption test is the ultimate test of a disaster recovery plan because one or more of the business’s critical functions actually depends upon the availability, integrity, and accuracy of the recovery systems.

 Instant Answer   The parallel test includes the loading of data onto recovery systems without taking production systems down.
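The parallel test above hinges on analysts comparing the data on the recovery systems with production data. Here is an added example of how that comparison can be automated; it is not from the book. It assumes both systems can export the table under test as CSV with a unique `id` column (the column name and the sample rows are constructed for illustration), fingerprints each row, and reports which rows match, differ, are missing, or are extra on the recovery side, so production is never touched while the recovery copy's accuracy is still checked.

```python
"""Parallel DRP test reconciliation: compare a recovery system's data export
against production's without touching production.

Added example, not from the book. Assumptions: both systems can dump the table
under test as CSV with a unique "id" column; the dumps below are constructed
sample data, not real exports.
"""
import csv
import hashlib
import io

# Constructed sample exports. Row 1003 was restored from a stale backup and
# differs from production; row 1004 never made it to the recovery system.
PRODUCTION_CSV = """id,customer,balance
1001,Acme,100.50
1002,Globex,250.00
1003,Initech,75.25
1004,Umbrella,10.00
"""

RECOVERY_CSV = """id,customer,balance
1001,Acme,100.50
1002,Globex,250.00
1003,Initech,70.00
"""


def row_fingerprint(row, key="id"):
    """SHA-256 over the non-key fields in column-name order, so the comparison
    does not care whether the two dumps list their columns in the same order."""
    h = hashlib.sha256()
    for name in sorted(row):
        if name == key:
            continue
        value = row[name].encode("utf-8")
        # Length-prefix each field so "ab"+"c" cannot collide with "a"+"bc".
        h.update(name.encode("utf-8") + b"=" + str(len(value)).encode() + b":" + value)
    return h.hexdigest()


def load_rows(csv_text, key="id"):
    """Return {key_value: fingerprint} for one CSV export. A duplicate key is an
    integrity problem in the export itself, so fail loudly instead of silently
    keeping the last row seen."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        k = row[key]
        if k in rows:
            raise ValueError(f"duplicate key {k!r} in export")
        rows[k] = row_fingerprint(row, key)
    return rows


def dataset_digest(rows):
    """One digest for the whole table (hash of the sorted per-row fingerprints):
    a quick pass/fail before doing the per-row work."""
    h = hashlib.sha256()
    for k in sorted(rows):
        h.update(k.encode("utf-8") + b"\x00" + rows[k].encode("ascii") + b"\n")
    return h.hexdigest()


def reconcile(prod_rows, rec_rows):
    """Per-row comparison: the report the analysts in a parallel test need."""
    prod_keys, rec_keys = set(prod_rows), set(rec_rows)
    common = prod_keys & rec_keys
    return {
        "matched": sorted(k for k in common if prod_rows[k] == rec_rows[k]),
        "mismatched": sorted(k for k in common if prod_rows[k] != rec_rows[k]),
        "missing_in_recovery": sorted(prod_keys - rec_keys),
        "extra_in_recovery": sorted(rec_keys - prod_keys),
    }


def reconcile_exports(prod_csv, rec_csv, key="id"):
    return reconcile(load_rows(prod_csv, key), load_rows(rec_csv, key))


def recovery_passes(report):
    """Pass only if every production row is present and identical. An extra row
    on the recovery side is also a defect: stale data a restore should have
    removed."""
    return not (report["mismatched"] or report["missing_in_recovery"]
                or report["extra_in_recovery"])


if __name__ == "__main__":
    result = reconcile_exports(PRODUCTION_CSV, RECOVERY_CSV)
    for category, keys in result.items():
        print(f"{category}: {keys}")
    print("recovery passes:", recovery_passes(result))
```

To use it against real exports, replace the two constants with the dumps from each side. A whole-table digest mismatch tells you quickly that something differs; the per-row report tells you where to look, which is what turns a parallel test from "it came up" into evidence that the recovered data is correct.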





Barnes, James C. and Rothstein, Philip Jan. A Guide to Business Continuity Planning. John Wiley & Sons, Inc.

Fulmer, Kenneth L. Business Continuity Planning: A Step-by-Step Guide with Planning Forms on CD-ROM. Rothstein Associates.

Myers, Kenneth N. Manager’s Guide to Contingency Planning for Disasters: Protecting Vital Facilities and Critical Operations. John Wiley & Sons, Inc.

Tipton, Harold F. and Krause, Micki. Information Security Management Handbook, 4th Edition, Chapter 24. Auerbach Publications.





1. 

The longest period of time that a business can survive without a critical function is called

  1. Downtime tolerability period

  2. Greatest tolerable downtime

  3. Maximum survivable downtime

  4. Maximum tolerable downtime


2. 

Which of the following is NOT a natural disaster?

  1. Avalanche

  2. Stock market crash

  3. Fire

  4. Storage drought


3. 

The impact of a disaster on business operations is contained in

  1. Local newspapers and online media

  2. Business Impact Assessment

  3. Operations Impact Assessment

  4. Vulnerability Assessment


4. 

The decision whether to purchase an emergency generator is based upon

  1. Wholesale electric rates

  2. Retail electric rates

  3. The duration of a typical outage

  4. The income rate of affected systems


5. 

The purpose of a UPS is

  1. To provide instantaneous power cutover when utility power fails

  2. A lower cost for overnight shipping

  3. The need to steer the vehicle after it’s moving again

  4. To restore electric power within 24 hours


6. 

The Business Impact Assessment

  1. Describes the impact of disaster recovery planning on the budget

  2. Describes the impact of a disaster on business operations

  3. Is a prerequisite to the Vulnerability Assessment

  4. Is the first official statement produced after a disaster


7. 

To maximize the safety of backup media, it should be stored

  1. At a specialized off-site media storage facility

  2. At the residences of various senior managers

  3. In the operations center in a locking file cabinet

  4. Between 50° F–60° F


8. 

An alternate information processing facility with all systems, patches, and data mirrored from live production systems is known as a

  1. Warm site

  2. Hot site

  3. Recovery site

  4. Mutual Aid Center


9. 

The greatest advantage of a cold site is

  1. It can be built nearly anywhere

  2. Its high responsiveness

  3. Its low cost

  4. Its close proximity to airports


10. 

The most extensive test for a Disaster Recovery Plan

  1. Has dual failover

  2. Is a waste of paper

  3. Is known as a parallel test

  4. Is known as an interruption test


Answers

1. 

D. Maximum tolerable downtime. This is the term that describes the maximum period of time that a business function can suspend operations and the company can still survive. Review “Defining the Business Impact Assessment.”

2. 

B. Stock market crash. A stock market crash is a man-made (nonnatural) disaster. Review “Defining Disastrous Events.”

3. 

B. Business Impact Assessment. The BIA describes the impact that a disaster will have on business operations. Review “Defining the Business Impact Assessment.”

4. 

C. The duration of a typical outage. The average and worst-case duration of electrical power outages help to determine whether an emergency generator should be purchased. Review “BCP Recovery Plan Development.”

5. 

A. To provide instantaneous power cutover when utility power fails. A UPS provides continuous electric power to all equipment connected to it. Review “BCP Recovery Plan Development.”

6. 

B. Describes the impact of a disaster on business operations. A Business Impact Assessment (BIA) contains quantitative and qualitative estimates of the impact of a disaster. Review “Defining the Business Impact Assessment.”

7. 

A. At a specialized off-site media storage facility. Such a specialized facility is designed to withstand most disastrous events. Review “BCP Recovery Plan Development.”

8. 

B. Hot site. Although a hot site is the most expensive to build and maintain, it provides the shortest recovery time. Review “BCP Recovery Plan Development.”

9. 

C. Its low cost. Cold sites are inexpensive but are also the slowest to set up and get running. Review “BCP Recovery Plan Development.”

10. 

D. Is known as an interruption test. The interruption test performs an actual failover of applications from the production systems to the recovery servers. Review “Testing the Disaster Recovery Plan.”





In This Chapter

  • Understanding major categories and types of laws

  • Knowing the major categories of computer crime

  • Researching U.S. and international laws that pertain to information security

  • Handling investigations, forensics, evidence, and incident response

  • Knowing basic ethical standards

Overview

Similar to police officers, information security professionals are expected to determine when a computer crime has occurred, secure the crime scene, and collect any evidence - to protect and to serve! In order to perform these functions effectively, the CISSP candidate must know what a computer crime is, how to conduct an investigation and collect evidence, and understand what laws may have been violated. Additionally, CISSP candidates are required to adhere to the (ISC)² Code of Ethics and must be able to apply these principles to resolve ethical dilemmas.

Further, CISSP candidates are expected to be familiar with the laws and regulations that are relevant in their country and industry. This could include national laws, local laws, and any laws that pertain to the type of activity performed by the organization.





Our discussion of the major categories and types of laws consists of U.S. and international law, including many key concepts and terms that are important to understand for the CISSP exam.

U.S. common law

Under the common law system of the United States, three major categories of laws are defined at the federal and state levels: criminal, civil (or tort), and administrative (or regulatory) laws.

Criminal law

Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.

Criminal penalties

Penalties under criminal law have two main purposes:

  • Punishment: Penalties may include jail/prison sentences, probation, fines, and/or financial restitution to the victim.

  • Deterrence: Penalties must be severe enough to dissuade any further criminal activity by the offender or anyone else considering a similar crime.

Burden of proof under criminal law

To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore, the burden of proof in a criminal case rests firmly with the prosecution.

Classifications of criminal law

There are two main classifications of criminal law depending upon severity, such as type of crime/attack or total loss in dollars:

  • Felony: More serious crimes, normally resulting in jail/prison terms of more than one year.

  • Misdemeanor: Less serious crimes, normally resulting in fines or jail/ prison terms of less than one year.

Civil law

Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.

Civil penalties

Unlike criminal penalties, civil penalties don’t include jail or prison terms. Instead, civil penalties provide financial restitution to the victim as follows:

  • Compensatory damages: Actual damages to the victim including attorney/ legal fees, lost profits, investigative costs, and so on.

  • Punitive damages: Determined by a jury and intended to punish the offender.

  • Statutory damages: Mandatory damages determined by law and assessed for violating the law.

Burden of proof under civil law

Judgments under civil law are typically easier to obtain than under criminal law because the standard of proof is lower. To prevail under civil law, the plaintiff must persuade the judge or jury by a preponderance of the evidence that the defendant is liable; that is, the available evidence shows that it is more likely than not that the defendant did what is claimed.

Liability and due care

The concepts of liability and due care are germane to civil law cases but are also applicable under administrative law, which we discuss in the next section.

The standard criterion for assessing the legal requirement to implement a recommended safeguard is to compare the cost of the safeguard with the estimated loss from the corresponding threat, if realized. If the cost is less than the estimated loss and the organization doesn’t implement the safeguard, then a legal liability may exist. This is based on the principle of proximate causation, in which an action taken or not taken was part of a sequence of events that resulted in negative consequences.

Under the Federal Sentencing Guidelines, senior corporate officers may be personally liable if their organization fails to comply with applicable laws. Such individuals must follow the prudent man rule, which requires them to perform their duties:

  • In good faith,

  • In the best interests of the enterprise, and

  • With the care and diligence that ordinary, prudent persons in a like position would exercise under similar circumstances.

The concepts of due care and due diligence are related but distinctly different:

  • Due care: The steps that an organization takes to implement security best practices

  • Due diligence: The prudent management and execution of due care

 Technical Stuff   Lawyer-speak

Although the information in this sidebar is not tested on the CISSP examination, when attempting to learn the various laws and regulations in this domain, you’ll find it helpful to know the correct parlance (fancy-speak for jargon) used. For example:

18 U.S.C. § 1030 (1986) (the Computer Fraud and Abuse Act of 1986) refers to Section 1030 in Title 18 of the 1986 edition of the United States Code, not “18 University of Southern California squiggly-thingy 1030 (1986).”

Federal statutes and administrative laws are usually cited in the following format:

  • The title number (titles are grouped by subject matter)

  • The abbreviation for the code: For example, U.S.C. is United States Code; C.F.R. is Code of Federal Regulations

  • The section number (§ means “The Word Formerly Known As Section”)

  • The year of publication

Other important abbreviations to understand include:

  • Fed. Reg.: Federal Register

  • Fed. R. Evid.: Federal Rules of Evidence

  • PL: Public Law

  • §§: Sections; for example, 18 U.S.C. §§ 2701–11

  • v.: versus; such as, United States v. Moore.
    Note: The rest of the civilized world understands vs. to mean versus and v. to mean version or volume, but remember two important points here: Lawyers are not part of the civilized world, and they apparently charge by the letter (as well as by the minute).

Another important aspect of due care is the principle of culpable negligence. If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases, jury awards may be adjusted accordingly, and the organization’s insurance company may be required to pay only a portion of any loss.

Administrative law

Administrative (regulatory) laws define standards of performance and conduct for major industries (including banking, energy, and healthcare), organizations, and officials. These laws are typically enforced by various government agencies, and violations may result in financial penalties and/or imprisonment.

International law

Given the global nature of the Internet, it’s often necessary for many countries to cooperate in order to bring a computer criminal to justice. But because practically every country in the world has its own unique legal system, such cooperation is always difficult and often impossible. As a starting point, many countries disagree on exactly what justice is. Other problems include:

  • Lack of universal cooperation: We can’t answer the question, “Why can’t we all just get along?” but we can tell you that it’s highly unlikely that a 14-year-old hacker in some remote corner of the world will commit some dastardly crime that unites us all in our efforts to take him down, bringing about a lasting world peace.

  • Different interpretations of laws: What’s illegal in one country (or even in one state in the U.S.) is not necessarily illegal in another.

  • Different rules of evidence: This problem can encompass different rules for obtaining and collecting evidence and different rules for admissibility of evidence.

  • Low priority: Different nations have different views regarding the seriousness of computer crimes; and in the realm of international relations, computer crimes are usually of minimal concern.

  • Outdated laws and technology: This is related to the “low priority” problem. Technology varies greatly throughout the world, and many countries (not only third-world countries) lag far behind others. For this reason and many others, computer crime laws are often a low priority and aren’t kept current. This problem is further exacerbated by the different technical capabilities of the various law enforcement agencies that may be involved in an international case.

  • Extradition: Many countries don’t have extradition treaties and won’t extradite suspects to a country with different or controversial practices, such as capital punishment. Although capital punishment for a computer crime may sound extreme, recent events and the threat of cyber-terrorism make this a very real possibility.




Computer crime consists of any criminal activity in which computer systems or networks are used as tools. Computer crime also includes crimes in which computer systems are targeted, or in which computers are the scene of the crime committed. That’s a pretty wide spectrum.

However, the real world has difficulties in dealing with computer crimes. Several reasons why computer crimes are hard to cope with include

  • Lack of understanding: In general, legislators, judges, attorneys, law enforcement officials, and jurors don’t understand the many different technologies and issues involved in a computer crime.

  • Inadequate laws: Laws are slow to change, and fail to keep pace with rapidly evolving new technology.

  • Multiple roles of computers in crime: These include crimes committed against a computer (such as hacking into a system and stealing information) and crimes committed by using a computer (such as using a system to launch a Distributed Denial of Service attack).

Computer crimes are often difficult to prosecute for the reasons that we just listed and also because of the following issues:

  • Lack of tangible assets: Traditional rules of property often don’t apply in a computer crime case. However, property rules have been extended in many countries to include electronic information. Computing resources, bandwidth, and data (nothing more tangible than bits on a storage medium) are often the only assets at issue. These can be very difficult to quantify and assign a value to. The asset valuation process, which we discuss in Chapter 6, can provide key information in such a case.

  • Rules of evidence: Often, original documents aren’t available in a computer crime case. Most evidence in such a case is considered hearsay evidence (which we discuss later in the upcoming section “Hearsay rule”) and must meet certain requirements to be admissible in court. Often, evidence is a computer itself, or data on its hard drive.

  • Lack of evidence: Many crimes are difficult to prosecute because law enforcement agencies lack the skills or resources to even identify the perpetrator, much less gather sufficient evidence to bring charges and successfully prosecute. Frequently, skilled computer criminals use a long trail of compromised computers through different countries in order to make it as difficult as possible for even diligent law enforcement agencies to identify them.

  • Definition of loss: A loss of confidentiality or integrity of data goes far beyond the normal definition of loss in a criminal or civil case.

  • Location of perpetrators: Often, the persons who commit computer crimes against specific organizations do so from locations outside of the victim’s country. Computer criminals do this, knowing that even if they make a mistake and create discoverable evidence that identifies them, the victim’s country law enforcement agencies will have difficulty apprehending the criminal.

  • Criminal profiles: Computer criminals often aren’t hardened criminals and may include the following:

    • Juveniles: Juvenile laws in many countries aren’t taken seriously and are inadequate to deter crime. A busy prosecutor is unlikely to pursue a low-profile crime committed by a juvenile that results in a three-year probation sentence for the offender.

    • Trusted individuals: Many computer criminals are individuals that hold a position of trust within a company and have no prior criminal record. Such an individual will likely be able to afford a dream team for legal defense, and a judge may be inclined to levy a more lenient sentence for the first-time offender. However, recent corporate scandals in the U.S. have set a strong precedent for punishment at the highest levels.

Computer crimes are often classified under one of the following six major categories:

  • Terrorist attacks

  • Military and intelligence attacks

  • Financial attacks

  • Business attacks

  • Grudge attacks

  • “Fun” attacks

Terrorist attacks

Terrorism exists at many levels on the Internet. In April 2001, during a period of tense relations between China and the U.S. (resulting from the crash landing of a U.S. Navy reconnaissance plane on Hainan Island), Chinese hackers (cyberterrorists) launched a major effort to disrupt critical U.S. infrastructure, which included U.S. government and military systems.

Following the terrorist attacks against the U.S. on September 11, 2001, the general public became painfully aware of the extent of terrorism on the Internet. Terrorist organizations and cells are using online capabilities to coordinate attacks, transfer funds, harm international commerce, disrupt critical systems, disseminate propaganda, and gain useful information about developing techniques and instruments of terror, including nuclear, biological, and chemical weapons.

Military and intelligence attacks

Military and intelligence attacks are perpetrated by criminals, traitors, or foreign intelligence agents seeking classified law enforcement or military information. Such attacks may also be carried out by governments during times of war and conflict.

Financial attacks

Banks, large corporations, and e-commerce sites are the targets of financial attacks, all of which are motivated by greed. Financial attacks may seek to steal or embezzle funds, gain access to online financial information, extort individuals or businesses, or obtain the personal credit card numbers of customers.

Business attacks

Businesses are becoming the targets of more and more computer and Internet attacks. These attacks include competitive intelligence gathering, denial of service, and other computer-related attacks. Businesses are often targeted for several reasons including

  • Lack of expertise: Despite heightened security awareness, a shortage of qualified security professionals still exists, particularly in private enterprise.

  • Lack of resources: Businesses often lack the resources to prevent, or even detect, attacks against their systems.

  • Lack of reporting or prosecution: Because of public relations concerns and the inability to prosecute computer criminals due to either a lack of evidence or a lack of properly handled evidence, the majority of business attacks still go unreported.

The cost to businesses can be significant, including loss of trade secrets or proprietary information, loss of revenue, and loss of reputation.

Grudge attacks

Grudge attacks are targeted at individuals or businesses and are motivated by a desire to take revenge against a person or organization. A disgruntled employee, for example, may steal trade secrets, delete valuable data, or plant a logic bomb in a critical system or application.

Fortunately, these attacks (at least in the case of a disgruntled employee) can be easier to prevent or prosecute than many other types of attacks because:

  • The attacker is often known to the victim.

  • The attack has a visible impact that produces a viable evidence trail.

  • Most businesses (already sensitive to the possibility of wrongful termination suits) have well-established termination procedures.

  • Specific laws (such as the U.S. Economic Espionage Act of 1996, which we discuss later in this chapter) provide very severe penalties for such crimes.

“Fun” attacks

“Fun” attacks are perpetrated by thrill seekers and script kiddies who are motivated by curiosity or excitement. Although these attackers may not intend to do any harm or use any of the information that they access, they’re still dangerous and their activities are still illegal.

These attacks can also be relatively easy to detect and prosecute. Because the perpetrators are often script kiddies or otherwise inexperienced hackers, they may not know how to cover their tracks effectively.

Also, because no real harm is normally done nor intended against the system, it may be tempting (although ill advised) for a business to prosecute the individual and put a positive public relations spin on the incident. You’ve seen the film at 11: “We quickly detected the attack, prevented any harm to our network, and prosecuted the responsible individual; our security is unbreakable!” Such action, however, will likely motivate others to launch a more serious and concerted grudge attack against the business.

Many computer criminals in this category only seek notoriety. Although it’s one thing to brag to a small circle of friends about defacing a public Web site, the wily hacker who appears on CNN reaches the next level of hacker celebrity-dom. These twisted individuals want to be caught to revel in their 15 minutes of fame.

 Cross-Reference   As we discuss in Chapter 7, script kiddies are novice hackers or less experienced (not too salty) crackers. Typically, script kiddies are new to the dark side and perhaps don’t realize just how dark (and illegal) the dark side really is. Script kiddies lack true hacking or programming skills, so they must rely on freely available tools that others have created and distributed on the Internet, often without knowing or understanding how much damage they may actually do to a system or network.

Given the difficulties in defining and prosecuting computer crimes, many prosecutors seek to convict computer criminals on more traditional criminal statutes, such as theft, fraud, extortion, and embezzlement. Intellectual property rights and privacy laws, in addition to specific computer crime laws, also exist to protect the general public and assist prosecutors.

 Remember   The CISSP candidate should understand that because of the difficulty in prosecuting computer crimes, prosecutors often use more traditional criminal statutes, intellectual property rights, and privacy laws to convict criminals. In addition, you should also realize that specific computer crime laws do exist.

Intellectual property

Intellectual property is protected by U.S. law under one of four classifications, as follows:

  • Patents

  • Trademarks

  • Copyrights

  • Trade secrets

Intellectual property rights worldwide are agreed, defined, and enforced by various organizations and treaties, including the World Intellectual Property Organization (WIPO), World Customs Organization (WCO), World Trade Organization (WTO), United Nations Commission on International Trade Law (UNCITRAL), European Union (EU), and Trade-Related Aspects of Intellectual Property Rights (TRIPs).

Licensing violations are among the most prevalent examples of intellectual property rights infringement. Other examples include plagiarism, software piracy, and corporate espionage.

Patents

A patent, as defined by the U.S. Patent and Trademark Office (PTO), is “the grant of a property right to the inventor.” A patent grant confers upon the owner “the right to exclude others from making, using, offering for sale, selling, or importing the invention.” Examples of computer-related objects that may be protected by patents are computer hardware and physical devices in firmware.

A patent is granted by the U.S. PTO for an invention that has been sufficiently documented by the applicant and that has been verified as original by the PTO. A patent is generally valid for 20 years from the date of application and is effective only within the U.S., including territories and possessions. The owner of the patent may then grant a license to others for use of the invention or its design, often for a fee.

U.S. patent (and trademark) laws and rules are covered in 35 U.S.C. and 37 C.F.R., respectively. The Patent Cooperation Treaty (PCT) provides some international protection for patents. More than 130 countries worldwide have adopted the PCT.

 Remember   Patent grants were previously valid for only 17 years, but have recently been changed, for newly granted patents, to 20 years.

Trademark

A trademark, as defined by the U.S. PTO, is “any word, name, symbol, or device, or any combination, used, or intended to be used, in commerce to identify and distinguish the goods of one manufacturer or seller from goods manufactured or sold by others.” Computer-related objects that may be protected by trademarks include corporate brands and operating system logos. U.S. Public Law 105–330, the Trademark Law Treaty Implementation Act, provides some international protection for U.S. registered trademarks.

Copyright

A copyright is a form of protection granted to the authors of “original works of authorship,” both published and unpublished. A copyright protects a tangible form of expression rather than the idea or subject matter itself. Under the original Copyright Act of 1909, publication was generally the key to obtaining a federal copyright. However, the Copyright Act of 1976 changed this requirement, and copyright protection now applies to any original work of authorship immediately from the time that it’s created in a tangible form. Object code or documentation are examples of computer-related objects that may be protected by copyrights.

Copyrights can be registered through the Copyright Office of the Library of Congress, but a work doesn’t need to be registered to be protected by copyright. Copyright protection generally lasts for the lifetime of the author plus 70 years.

Trade secret

A trade secret is proprietary or business-related information that a company or individual uses and has exclusive rights to. To be considered a trade secret, the information must meet the following requirements:

  • Must be genuine and not obvious: Any unique method of accomplishing a task would constitute a trade secret, especially if it is backed up by copyrighted, patented, or proprietary software or methods that give an organization a competitive advantage.

  • Must provide the owner a competitive or economic advantage and, therefore, have value to the owner: Google’s indexing algorithms, for example, aren’t universally known; that secrecy is part of what gives them value and makes them worth protecting.

  • Must be reasonably protected from disclosure: This doesn’t mean that it must be kept absolutely and exclusively secret, but the owner must exercise due care in its protection.

Software source code or firmware code are examples of computer-related objects that may be protected by trade secrets.

Privacy laws

Privacy laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse. Privacy laws are one area in which the United States lags behind many others, particularly the European Union (EU), which has defined more restrictive privacy regulations that prohibit the transfer of personal information to countries (including the United States) that don’t equally protect such information. The EU privacy rules include the following requirements about personal data and records:

  • Must be collected fairly and lawfully.

  • Must only be used for the purposes for which it was collected and only for a reasonable period of time.

  • Must be accurate and kept up-to-date.

  • Must be accessible to individuals who request a report on personal information held about themselves.

  • Individuals must have the right to have any errors in their personal data corrected.

  • Personal data can’t be disclosed to other organizations or individuals unless authorized by law or consent of the individual.

  • Transmission of personal data to locations where equivalent privacy protection cannot be assured is prohibited.

Two important pieces of privacy legislation in the United States are the U.S. Federal Privacy Act of 1974 and the U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996.

U.S. Federal Privacy Act of 1974, 5 U.S.C. § 552A

The Federal Privacy Act of 1974 protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents. Except under certain specific conditions, no agency may disclose any record about an individual “except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act also has provisions for access and amendment of individual records by the individual, except in cases of “information compiled in reasonable anticipation of a civil action or proceeding.” The Privacy Act provides individual penalties for violation including a misdemeanor charge and fines up to $5,000.

U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996, PL 104-191

HIPAA was signed into law effective August 1996. The HIPAA legislation provided Congress three years from this date to pass comprehensive health privacy legislation. If Congress failed to pass legislation by this deadline, the Department of Health and Human Services (HHS) was given the authority to develop the privacy and security regulations for HIPAA. In October 1999, HHS released proposed HIPAA privacy and security regulations entitled “Privacy Standards for Individually Identifiable Health Information.” Organizations that must comply with HIPAA regulations are referred to as covered entities and include

  • Payers (or health plan): An individual or group health plan that provides, or pays the cost of, medical care; for example, insurers

  • Health care clearinghouses: A public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements, such as data warehouses

  • Health providers: A provider of medical or other health services, such as hospitals, HMOs, doctors, specialists, dentists, and counselors

Civil penalties for HIPAA violations include fines of $100 per incident, up to $25,000 per provision, per calendar year. Criminal penalties include fines up to $250,000 and potential imprisonment of corporate officers for up to 10 years. Additional state penalties may also apply.

U.S. Gramm-Leach-Bliley Financial Services Modernization Act, PL 106-102

Gramm-Leach-Bliley (usually known as GLBA) opened up competition among banks, insurance companies, and securities companies. GLBA also requires financial institutions to better protect their customers’ personally identifiable information (PII) with three rules:

  • Financial Privacy Rule: Requires each financial institution to provide information to each customer regarding the protection of customers’ private information.

  • Safeguards Rule: Requires each financial institution to develop a formal written security plan that describes how the institution will protect its customers’ PII.

  • Pretexting Protection: Requires each financial institution to take precautions to prevent attempts by social engineers to acquire private information about institutions’ customers.

Civil penalties for GLBA violations are up to $100,000 for each violation. Further, officers and directors of financial institutions are personally liable for civil penalties of not more than $10,000 for each violation.

Computer crime and information security laws

Important international computer crime and information security laws that the CISSP candidate should be familiar with include:

  • U.S. Computer Fraud and Abuse Act of 1986

  • U.S. Electronic Communications Privacy Act of 1986

  • U.S. Computer Security Act of 1987

  • U.S. Federal Sentencing Guidelines of 1991 (not necessarily specific to computer crime, but certainly relevant)

  • U.S. Economic Espionage Act of 1996

  • U.S. Child Pornography Prevention Act of 1996

  • USA PATRIOT Act of 2001

  • U.S. Sarbanes-Oxley Act of 2002

  • U.S. CAN-SPAM Act of 2003

  • The Council of Europe’s Convention on Cybercrime of 2001

  • The Computer Misuse Act of 1990 (U.K.)

  • Cybercrime Act of 2001 (Australia)

U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended)

In 1984, the first U.S. federal computer crime law, the U.S. Computer Fraud and Abuse Act, was passed. This intermediate act was narrowly defined and somewhat ambiguous. The law covered

  • Classified national defense or foreign relations information

  • Records of financial institutions or credit reporting agencies

  • Government computers

The U.S. Computer Fraud and Abuse Act of 1986 enhanced and strengthened the 1984 law, clarifying definitions of criminal fraud and abuse for federal computer crimes and removing obstacles to prosecution.

The act established two new felony offenses for the unauthorized access of federal interest computers and a misdemeanor for unauthorized trafficking in computer passwords.

Major provisions of the act established three new crimes (two felonies and one misdemeanor) as follows:

  • Felony: Unauthorized access, or access that exceeds authorization, of a federal interest computer to further an intended fraud, shall be punishable as a felony [Subsection (a)(4)].

  • Felony: Altering, damaging, or destroying information in a federal interest computer or preventing authorized use of the computer or information, that causes an aggregate loss of $1,000 or more during a one-year period or potentially impairs medical treatment, shall be punishable as a felony [Subsection (a)(5)]. This provision was stricken in its entirety and replaced with a more general provision, which we discuss later in this section, in the 1994 amendment.

  • Misdemeanor: Trafficking in computer passwords or similar information if it affects interstate or foreign commerce or permits unauthorized access to computers used by or for the U.S. government [Subsection (a)(6)].

 Tip   A federal interest computer (actually the term was changed to protected computer in the 1996 amendments to the act) is defined in the act as a computer:

  • “exclusively for the use of a financial institution or the United States government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States government and the conduct constituting the offense affect that use by or for the financial institution or the government;”

    or

  • “which is used in interstate or foreign commerce or communication.”

Several minor amendments to the U.S. Computer Fraud and Abuse Act were made in 1988, 1989, and 1990, and more significant amendments were made in 1994, 1996 (by the Economic Espionage Act of 1996), and 2001 (by the USA PATRIOT Act of 2001). The act, in its present form, establishes seven specific computer crimes. In addition to the three that we discuss above, these include the following five provisions [Subsection (a)(5) is reintroduced here in its current form]:

  • Unauthorized access, or access that exceeds authorization, to a computer that results in disclosure of U.S. national defense or foreign relations information [Subsection (a)(1)].

  • Unauthorized access, or access that exceeds authorization, to a protected computer to obtain any information on that computer [Subsection (a)(2)].

  • Unauthorized access to a protected computer, or access that exceeds authorization, to a protected computer that affects the use of that computer by or for the U.S. government [Subsection (a)(3)].

  • Unauthorized access to a protected computer causing damage or reckless damage, or intentionally transmitting malicious code which causes damage to a protected computer [Subsection (a)(5), as amended].

  • Transmission of interstate or foreign commerce communication threatening to cause damage to a protected computer for the purpose of extortion [Subsection (a)(7)].

We discuss major amendments to the U.S. Computer Fraud and Abuse Act of 1986 (as amended), introduced in 2001 in the upcoming “USA PATRIOT Act of 2001” section.

 Instant Answer   The U.S. Computer Fraud and Abuse Act of 1986 is the major computer crime law currently in effect. The CISSP exam will likely test your knowledge of the act in its original 1986 form, but you should also be prepared for revisions to the exam that may cover the more recent amendments to the act.

U.S. Electronic Communications Privacy Act (ECPA) of 1986

The ECPA complements the U.S. Computer Fraud and Abuse Act of 1986 and prohibits eavesdropping, interception, or unauthorized monitoring of wire, oral, and electronic communications. However, the ECPA does provide specific statutory exceptions, allowing network providers to monitor their networks for legitimate business purposes when the network users are notified of the monitoring process.

The ECPA was amended extensively by the USA PATRIOT Act of 2001. These changes are discussed in the upcoming “USA PATRIOT Act of 2001” section.

 Instant Answer   The U.S. Electronic Communications Privacy Act (ECPA) provides the legal basis for network monitoring.

U.S. Computer Security Act of 1987

The U.S. Computer Security Act of 1987 requires federal agencies to take extra security measures to prevent unauthorized access to computers holding sensitive information. In addition to identifying and developing security plans for sensitive systems, the act requires those agencies to provide security-related awareness training for their employees. The act also assigns formal government responsibility for computer security to the National Institute of Standards and Technology (NIST) for information security standards in general and to the National Security Agency (NSA) for cryptography in classified government/military systems and applications.

U.S. Federal Sentencing Guidelines of 1991

In November 1991, the United States Sentencing Commission published Chapter 8, Federal Sentencing Guidelines for Organizations, of the U.S. Federal Sentencing Guidelines. These guidelines establish written standards of conduct for organizations, provide relief in sentencing for organizations that have demonstrated due diligence, and place responsibility for due care on senior management officials with penalties for negligence including fines of up to $290 million.

U.S. Economic Espionage Act of 1996

The U.S. Economic Espionage Act (EEA) of 1996 was enacted to curtail industrial espionage, particularly when such activity benefits a foreign entity. The EEA makes it a criminal offense to take, download, receive, or possess trade secret information that has been obtained without the owner’s authorization. Penalties include fines of up to $10 million, up to 15 years in prison, and forfeiture of any property used to commit the crime. The EEA also enacted the 1996 amendments to the U.S. Computer Fraud and Abuse Act, which we discuss earlier in the section “U.S. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (as amended).”

U.S. Child Pornography Prevention Act of 1996

The U.S. Child Pornography Prevention Act (CPPA) of 1996 was enacted to combat the use of computer technology to produce and distribute pornography involving children, including adults portraying children.

 Warning   The USA PATRIOT Act of 2001, which we cover in the next section, changes many of the provisions in the computer crime laws, particularly the U.S. Computer Fraud and Abuse Act of 1986 (as amended) and the Electronic Communications Privacy Act of 1986, which we detail in the earlier section “U.S. Electronic Communications Privacy Act (ECPA) of 1986.” As a security professional, you must keep abreast of current laws and affairs to perform your job effectively.

USA PATRIOT Act of 2001

Following the terrorist attacks against the United States on September 11, 2001, the USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) was enacted in October 2001 and renewed in March 2006 (many provisions originally set to expire have since been made permanent under the renewed Act). This Act takes great strides to strengthen and amend existing computer crime laws, including the U.S. Computer Fraud and Abuse Act and the U.S. Electronic Communications Privacy Act (ECPA), as well as to empower U.S. law enforcement agencies, if only temporarily. U.S. federal courts have subsequently declared some of the Act’s provisions unconstitutional. The relevant sections of the Act are

  • Section 202 - Authority to Intercept Wire, Oral, and Electronic Communications Relating to Computer Fraud and Abuse Offenses: Under previous law, investigators couldn’t obtain a wiretap order for violations of the Computer Fraud and Abuse Act. This amendment authorizes such action for felony violations of the Computer Fraud and Abuse Act.

  • Section 209 - Seizure of Voice-Mail Messages Pursuant to Warrants: Under previous law, investigators could obtain access to e-mail under the ECPA but not voice-mail, which was covered by the more restrictive wiretap statute. This amendment authorizes access to voice-mail with a search warrant rather than a wiretap order.

  • Section 210 - Scope of Subpoenas for Records of Electronic Communications: Under previous law, subpoenas of electronic records were restricted to very limited information. This amendment expands the list of records that can be obtained and updates technology-specific terminology.

  • Section 211 - Clarification of Scope: This amendment governs privacy protection and disclosure to law enforcement of cable, telephone, and Internet service provider records that were extremely restrictive under previous law.

  • Section 212 - Emergency Disclosure of Electronic Communications to Protect Life and Limb: Prior to this amendment, no special provisions existed that allowed a communications provider to disclose customer information to law enforcement officials in emergency situations, such as an imminent crime or terrorist attack, without exposing the provider to civil liability suits from the customer.

  • Section 214 - Pen Register and Trap and Trace Authority under FISA (Foreign Intelligence Surveillance Act): This amendment clarifies law enforcement authority to trace communications on the Internet and other computer networks and authorizes the use of a pen/trap device nationwide instead of limiting it to the jurisdiction of the court.

  • Section 217 - Interception of Computer Trespasser Communications: Under previous law, it was permissible for organizations to monitor activity on their own networks but not necessarily for law enforcement to assist these organizations in monitoring, even when such help was specifically requested. This amendment allows organizations to authorize persons “acting under color of law” to monitor trespassers on their computer systems.

  • Section 220 - Nationwide Service of Search Warrants for Electronic Evidence: This removes jurisdictional issues in obtaining search warrants for e-mail. For an excellent example of this problem, read The Cuckoo’s Egg by Clifford Stoll (Doubleday).

  • Section 814 - Deterrence and Prevention of Cyberterrorism: This amendment greatly strengthens the U.S. Computer Fraud and Abuse Act, including raising the maximum prison sentence from 10 years to 20 years.

  • Section 815 - Additional Defense to Civil Actions Relating to Preserving Records in Response to Government Requests: This amendment clarifies the “statutory authorization” defense for violations of the ECPA.

  • Section 816 - Development and Support of Cybersecurity Forensic Capabilities: This statute requires the Attorney General to establish regional computer forensic laboratories, maintain existing laboratories, and provide forensic and training capabilities.

U.S. Sarbanes-Oxley Act of 2002 (SOX)

In the wake of several major corporate and accounting scandals, SOX was passed in 2002 to restore public trust in publicly held corporations and public accounting firms by establishing new standards and strengthening existing standards for these entities including auditing, governance, and financial disclosures.

SOX established the Public Company Accounting Oversight Board (PCAOB), which is a private-sector, nonprofit corporation responsible for overseeing auditors in the implementation of SOX. PCAOB’s “Accounting Standard 2” recognizes the role of information technology as it relates to a company’s internal controls and financial reporting. The Standard identifies the responsibility of Chief Information Officers for the security of information systems that process and store financial data and has many implications for information technology security and governance.

U.S. CAN-SPAM Act of 2003

The U.S. CAN-SPAM Act (Controlling the Assault of non-Solicited Pornography and Marketing Act) establishes standards for sending commercial e-mail messages, charges the U.S. Federal Trade Commission (FTC) with enforcement of the provision, and provides penalties that include fines and imprisonment for violations of the Act.

Directive 95/46/EC on the protection of personal data (1995, EU)

In 1995 the European Parliament ratified this essential legislation that protects personal information for all European citizens. The directive states that personal data should not be processed at all, except when certain conditions are met.

A legitimate concern about the disposition of European citizens’ personal data when it leaves computer systems in Europe and enters computer systems in the U.S. led to the creation of . . .

Safe Harbor (1998)

In an agreement between the European Union and the U.S. Department of Commerce in 1998, the U.S. Department of Commerce developed a certification program called Safe Harbor. This permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens.

The Council of Europe’s Convention on Cybercrime (2001)

The Convention on Cybercrime is an international treaty, currently signed by more than 40 countries (the U.S. ratified the treaty in 2006), requiring criminal laws to be established in signatory nations for computer hacking activities, child pornography, and intellectual property violations. The treaty also attempts to improve international cooperation with respect to monitoring, investigations, and prosecution.

The Computer Misuse Act 1990 (U.K.)

The Computer Misuse Act 1990 (U.K.) defines three criminal offenses related to computer crime: unauthorized access (whether successful or unsuccessful), unauthorized modification, and hindering authorized access (Denial of Service).

Cybercrime Act 2001 (Australia)

The Cybercrime Act 2001 (Australia) establishes criminal penalties, including fines and imprisonment, for persons committing computer crimes, including unauthorized access, unauthorized modification, or denial of service, with intent to commit a serious offense.

Computer forensics is the science of conducting a computer crime investigation to determine what has happened and who is responsible, and to collect legally admissible evidence for use in a computer crime case.

The purpose of an investigation is to determine what happened and who is responsible, and to collect evidence. Closely related to, but distinctly different from, investigations is incident handling (or response). Incident handling is done to determine what happened, contain and assess damage, and restore normal operations. Incident handling is discussed in detail later in this chapter.

Investigations and incident handling must often be conducted simultaneously in a well-coordinated and controlled manner to ensure that the initial actions of either activity don’t destroy evidence or cause further damage to the organization’s assets. For this reason, it’s important that Computer Incident (or Emergency) Response Teams (CIRT or CERT, respectively) be properly trained and qualified to secure a computer-related crime scene or incident while preserving evidence. Ideally, the CIRT includes individuals who will actually be conducting the investigation.

An analogy to this would be an example of a police patrolman who discovers a murder victim. It’s important that the patrolman quickly assesses the safety of the situation and secures the crime scene; but at the same time, he must be careful not to destroy any evidence. The homicide detective’s job is to gather and analyze the evidence. Ideally, but rarely, the homicide detective would be the individual who discovers the murder victim, allowing her to assess the safety of the situation, secure the crime scene, and begin collecting evidence. Think of yourself as a CSISSP!

Evidence

Evidence is information presented in a court of law to confirm or dispel a fact that’s under contention, such as the commission of a crime. A case can’t be brought to trial without sufficient evidence to support the case. Thus, properly gathering evidence is one of the most important and most difficult tasks of the investigator.

The types of evidence, rules of evidence, admissibility of evidence, chain of custody, and evidence life cycle comprise the main elements to be tested in the Investigations portion of this domain.

Types of evidence

Sources of legal evidence that can be presented in a court of law generally fall into one of four major categories:

  • Direct evidence: Oral testimony or a written statement based on information gathered through the witness’s five senses (an eyewitness account) that proves or disproves a specific fact or issue.

  • Real (or physical) evidence: Tangible objects from the actual crime, such as the tools or weapons used and any stolen or damaged property. May also include visual or audio surveillance tapes generated during or after the event. Physical evidence from a computer crime is rarely available.

  • Documentary evidence: Includes originals and copies of business records, computer-generated and computer-stored records, manuals, policies, standards, procedures, and log files. Most evidence presented in a computer crime case is documentary evidence. The hearsay rule, which we discuss in an upcoming section, is an extremely important test of documentary evidence that must be understood and applied to this type of evidence.

  • Demonstrative evidence: Used to aid the court’s understanding of a case. Opinions are considered demonstrative evidence and may be either expert (based on personal expertise and facts) or non-expert (based on facts only). Other examples include models, simulations, charts, and illustrations.

Other types of evidence that may fall into one or more of the above major categories include

  • Best evidence: Original, unaltered evidence, which is preferred by the court over secondary evidence. Read more about this in the upcoming section “Best evidence rule.”

  • Secondary evidence: A duplicate or copy of evidence, such as a tape backup, screen capture, or photograph.

  • Corroborative evidence: Supports or substantiates other evidence presented in a case.

  • Conclusive evidence: Incontrovertible and irrefutable: you know, the smoking gun.

  • Circumstantial evidence: Relevant facts that can’t be directly or conclusively connected to other events but about which a reasonable inference can be made.

Rules of evidence

Important rules of evidence for computer crime cases include the best evidence rule and hearsay evidence rule. The CISSP candidate must understand both of these rules and their applicability to evidence in computer crime cases.

Best evidence rule

The best evidence rule, defined in the Federal Rules of Evidence, states that “to prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is [ordinarily] required.”

However, an exception to this rule is also defined in the Federal Rules of Evidence, as follows:

“[i]f data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”

This means that data extracted from a computer - that is a fair and accurate representation of the original data - satisfies the best evidence rule and may normally be introduced into court proceedings as such.

Hearsay rule

Hearsay evidence is that evidence that is not based on personal, first-hand knowledge of the witness but rather was obtained through other sources. Under the Federal Rules of Evidence, hearsay evidence is normally not admissible in court. This rule exists to prevent unreliable statements by witnesses from improperly influencing the outcome of a trial.

Business records, including computer records, have traditionally, and perhaps mistakenly, been considered hearsay evidence by most courts because these records cannot be proven accurate and reliable. One of the most significant obstacles for a prosecutor to overcome in a computer crime case is seeking the admission of computer records as evidence.

A prosecutor may be able to introduce computer records as best evidence rather than hearsay evidence as we discuss in the preceding section.

Several courts have acknowledged that the hearsay rules are applicable to computer-stored records containing human statements but are not applicable to computer-generated records untouched by human hands.

Perhaps the most successful and commonly applied test of admissibility for computer records in general has been the business records exception, established in the Federal Rules of Evidence for records of regularly conducted activity that meet the following criteria:

  1. Made at or near the time of occurrence of the act

  2. Made by a person with knowledge or from information transmitted by a person with knowledge

  3. Made and relied upon during the regular conduct of business, as verified by the custodian or other witness familiar with their use

  4. Kept for motives that tend to assure their accuracy

  5. In the custody of the witness on a regular basis (as required by the chain of evidence)

Admissibility of evidence

Because computer-generated evidence can sometimes be easily manipulated, altered, or tampered with, and because it’s not easily and commonly understood, this type of evidence is usually considered suspect in a court of law. In order to be admissible, evidence must be

  • Relevant: It must tend to prove or disprove facts that are relevant and material to the case.

  • Reliable: It must be reasonably proven that what is presented as evidence is what was originally collected and that the evidence itself is reliable. This is accomplished, in part, through proper evidence handling and the chain of custody. (We discuss this in the upcoming section “Chain of custody and the evidence life cycle.”)

  • Legally permissible: It must be obtained through legal means. Evidence that’s not legally permissible may include evidence obtained through the following means:

    • Illegal search and seizure: Law enforcement personnel must obtain a prior court order; however, non-law enforcement personnel, such as a supervisor or system administrator, may be able to conduct an authorized search under some circumstances.

    • Illegal wiretaps or phone taps: Anyone conducting wiretaps or phone taps must obtain a prior court order.

    • Entrapment or enticement: Entrapment encourages someone to commit a crime that the individual may have had no intention of committing. Conversely, enticement lures someone toward certain evidence (a honey pot, if you will) after that individual has already committed a crime. Enticement is not necessarily illegal but does raise certain ethical arguments and may not be admissible in court.

    • Coercion: Coerced testimony or confessions are not legally permissible.

    • Unauthorized or improper monitoring: Active monitoring must be properly authorized and conducted in a standard manner; users must be notified that they may be subject to monitoring.

Chain of custody and the evidence life cycle

The chain of custody (or evidence) provides accountability and protection for evidence throughout its entire life cycle and includes the following information, which is normally kept in an evidence log:

  • Persons involved (Who): Identify any and all individual(s) who discovered, collected, seized, analyzed, stored, preserved, transported, or otherwise controlled the evidence. Also identify any witnesses or other individuals present during any of the above actions.

  • Description of evidence (What): Ensure that all evidence is completely and uniquely described.

  • Location of evidence (Where): Provide specific information about the evidence’s location when it is discovered, analyzed, stored, or transported.

  • Date/Time (When): Record the date and time that evidence is discovered, collected, seized, analyzed, stored, or transported. Also, record date and time information for any evidence log entries associated with the evidence.

  • Methods used (How): Provide specific information about how evidence is discovered, collected, stored, preserved, or transported.

Any time that evidence changes possession or is transferred to a different media type, it must be properly recorded in the evidence log to maintain the chain of custody.
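As an added example (not from the book), here is one way to keep such an evidence log in code and check that custody is continuous: every entry carries the Who, What, Where, When and How listed above, and the check flags any handling by someone who is not the recorded custodian, any entry whose time runs backwards, and any entry that refers to a different evidence tag. The names, evidence tag and times are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Handling actions the text says must be logged, plus the custody hand-off itself.
ACTIONS = {"discovered", "collected", "seized", "analyzed", "stored",
           "preserved", "transported", "transferred"}
INITIAL_ACTIONS = {"discovered", "collected", "seized"}


@dataclass
class LogEntry:
    """One evidence-log entry: the Who, What, Where, When and How of an action."""
    who: str                            # person who performed the action
    what: str                           # evidence tag this entry refers to
    where: str                          # location at the time of the action
    when: datetime                      # date and time of the action
    how: str                            # method used
    action: str                         # one of ACTIONS
    received_by: Optional[str] = None   # new custodian, for "transferred"
    witnesses: List[str] = field(default_factory=list)


class EvidenceLog:
    """Chain-of-custody log for a single, uniquely tagged item of evidence."""

    def __init__(self, evidence_id: str, description: str) -> None:
        self.evidence_id = evidence_id
        self.description = description
        self.entries: List[LogEntry] = []

    def record(self, entry: LogEntry) -> None:
        """Append an entry, rejecting any that omits one of the required facts."""
        for name in ("who", "what", "where", "how"):
            if not getattr(entry, name).strip():
                raise ValueError(f"entry is missing the '{name}' field")
        if entry.action not in ACTIONS:
            raise ValueError(f"unknown action {entry.action!r}")
        if entry.action == "transferred" and not entry.received_by:
            raise ValueError("a transfer must name the receiving custodian")
        self.entries.append(entry)

    def verify_chain(self) -> List[str]:
        """Return the chain-of-custody problems found; an empty list means intact."""
        if not self.entries:
            return ["no entries recorded"]
        problems: List[str] = []
        if self.entries[0].action not in INITIAL_ACTIONS:
            problems.append("entry 1: log does not begin with discovery, collection or seizure")
        holder: Optional[str] = None        # who currently has custody
        last_time: Optional[datetime] = None
        for i, e in enumerate(self.entries, start=1):
            if e.what != self.evidence_id:
                problems.append(f"entry {i}: refers to {e.what!r}, not {self.evidence_id!r}")
            if last_time is not None and e.when < last_time:
                problems.append(f"entry {i}: timestamp is earlier than the previous entry")
            last_time = e.when
            if holder is None:
                if e.action in INITIAL_ACTIONS:
                    holder = e.who
                continue
            if e.who != holder:
                # Someone handled the item without a recorded hand-off: a gap in the chain.
                problems.append(f"entry {i}: {e.who!r} handled evidence held by "
                                f"{holder!r} with no recorded transfer")
                holder = e.who                  # keep checking from the de facto holder
            if e.action == "transferred":
                holder = e.received_by
        return problems


def build_sample_log(fault: str = "") -> EvidenceLog:
    """Construct a sample log (names, tag and times are made up for this example);
    fault="no-transfer" or "out-of-order" injects the corresponding defect."""
    log = EvidenceLog("CASE-0000-EV-01",   # placeholder tag, not a real case number
                      "Laptop, black, lid scratched, serial number <placeholder>")
    tag = log.evidence_id
    day = datetime(2024, 3, 1)
    log.record(LogEntry("A. Analyst", tag, "Room 101, desk 3", day.replace(hour=9),
                        "photographed in place, powered off, bagged", "collected",
                        witnesses=["B. Manager"]))
    log.record(LogEntry("A. Analyst", tag, "Evidence locker 2", day.replace(hour=10),
                        "sealed in anti-static bag, tape initialled and dated", "stored"))
    log.record(LogEntry("A. Analyst", tag, "Evidence locker 2", day.replace(hour=11),
                        "hand-off with signed receipt, seal intact", "transferred",
                        received_by="C. Examiner"))
    examiner = "D. Intern" if fault == "no-transfer" else "C. Examiner"
    hour = 8 if fault == "out-of-order" else 13
    log.record(LogEntry(examiner, tag, "Forensic lab, bench 1", day.replace(hour=hour),
                        "imaged drive through a write blocker", "analyzed"))
    return log
```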

Law enforcement officials must strictly adhere to chain of custody requirements, and this adherence is highly recommended for anyone else involved in collecting or seizing evidence. Security professionals and incident response teams must fully understand and follow the chain of custody, no matter how minor or insignificant a security incident may initially appear.

Even properly trained law enforcement officials sometimes make crucial mistakes in evidence handling. Most attorneys won’t understand the technical aspects of the evidence that you may present in a case, but they will definitely know evidence-handling rules and will most certainly scrutinize your actions in this area. Improperly handled evidence, no matter how conclusive or damaging, will likely be inadmissible in a court of law.

The evidence life cycle describes the various phases of evidence from its initial discovery to its final disposition.

The evidence life cycle has the following five stages:

  • Collection and identification

  • Analysis

  • Storage, preservation, and transportation

  • Presentation in court

  • Return to victim (owner)

Collection and identification

Collecting evidence involves taking that evidence into custody. Unfortunately, evidence can’t always be collected and must instead be seized. Many legal issues are involved in seizing computers and other electronic evidence. The publication Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (January 2001), published by the U.S. Department of Justice (DOJ) Computer Crime and Intellectual Property Section (CCIPS) provides comprehensive guidance on this subject. Find this publication available for download at www.cybercrime.gov.

In general, law enforcement officials can search and/or seize computers and other electronic evidence under any of four circumstances:

  • Voluntary or consensual: The owner of the computer or electronic evidence can freely surrender the evidence.

  • Subpoena: A court issues a subpoena to an individual ordering that individual to deliver the evidence to the court.

  • Search warrant or Writ of Possession: A search warrant is issued to a law enforcement official by the court, allowing that official to search and seize specific evidence. A Writ of Possession is a similar order issued in civil cases.

  • Exigent circumstances: If probable cause exists and the destruction of evidence is imminent, that evidence may be searched or seized without a warrant.

When evidence is collected, it must be properly marked and identified. This ensures that it can later be properly presented in court as actual evidence gathered from the scene or incident. The collected evidence must be recorded in an evidence log with the following information:

  • A description of the particular piece of evidence including any specific information, such as make, model, serial number, physical appearance, material condition, and preexisting damage

  • The name(s) of the person(s) who discovered and collected the evidence

  • The exact date and time, specific location, and circumstances of the discovery/collection

Additionally, the evidence must be marked, using the following guidelines:

  • Mark the evidence: If possible without damaging the evidence, mark the actual piece of evidence with the collecting individual’s initials, the date, and the case number (if known). Seal the evidence in an appropriate container and again mark the container with the same information.

  • Or use an evidence tag: If the actual evidence cannot be marked, attach an evidence tag with the same information as above, seal the evidence and tag in an appropriate container, and again mark the container with the same information.

  • Seal evidence: Seal the container with evidence tape and mark the tape in a manner that will clearly indicate any tampering.

  • Protect evidence: Use extreme caution when collecting and marking evidence to ensure that it’s not damaged. If you’re using plastic bags for evidence containers, be sure that they’re static free.

Always collect and mark evidence in a consistent manner so that you can easily identify evidence and describe your collection and identification techniques to an opposing attorney in court, if necessary.

Analysis

Analysis involves examining the evidence for information pertinent to the case. Analysis should be conducted with extreme caution, by properly trained and experienced personnel only, to ensure the evidence is not altered, damaged, or destroyed.

Storage, preservation, and transportation

All evidence must be properly stored in a secure facility and preserved to prevent damage or contamination from various hazards, including intense heat or cold, extreme humidity, water, magnetic fields, and vibration. Evidence that’s not properly protected may be inadmissible in court, and the party responsible for collection and storage may be liable. Care must also be exercised during transportation to ensure that evidence is not lost, damaged, or destroyed.

Presentation in court

Evidence to be presented in court must continue to follow the chain of custody and be handled with the same care as at all other times in the evidence life cycle. This process continues throughout the trial until all testimony related to the evidence is completed and the trial is over.

Return to victim (owner)

After the conclusion of the trial or other disposition, evidence is normally returned to its proper owner. However, under some circumstances, certain evidence may be ordered destroyed, such as contraband, drugs, or paraphernalia. Any evidence obtained through a search warrant is legally under the control of the court, possibly requiring the original owner to petition the court for its return.

Conducting investigations

A computer crime investigation should begin immediately upon report of an alleged computer crime or incident. Any incident should be handled, at least initially, as a computer crime investigation until a preliminary investigation determines otherwise.

The CISSP candidate should be familiar with the general steps of the investigative process, which include the following steps:

  • Detection and containment: Early detection is critical to a successful investigation. Unfortunately, passive or reactive detection techniques (such as the review of audit trails and accidental discovery) are usually the norm in computer crimes, which often leaves a cold evidence trail. Containment is essential to minimize further loss or damage. Enter the CIRT, which we discuss in the next section.

  • Notification of management: Management must be notified of any investigations as soon as possible. Knowledge of the investigations should be limited to as few people as possible, on a need-to-know basis. Out-of-band communications methods (reporting in person) should be used to ensure that an intruder does not intercept sensitive communications about the investigation.

  • Preliminary investigation: This is necessary to determine whether a crime has actually occurred. Most incidents are actually honest mistakes rather than criminal conduct. This step includes reviewing the complaint or report, inspecting damage, interviewing witnesses, examining logs, and identifying further investigation requirements.

  • Disclosure determination: The first and most important determination is whether law requires disclosure of the crime or incident. Next, determine whether disclosure is desired. This should be coordinated with a public relations or public affairs official of the organization.

  • Conduct the investigation:

    • Identify potential suspects. This includes insiders and outsiders to the organization. One standard discriminator to help determine or eliminate potential suspects is the MOM test: Did the suspect have the Motive, Opportunity, and Means to commit the crime?

    • Identify potential witnesses. Determine who will be interviewed and who will conduct the interviews. Be careful not to alert any potential suspects to the investigation; focus on obtaining facts, not opinions, in witness statements.

    • Prepare for search and seizure. This includes identifying the types of systems and evidence to be searched or seized, designating and training the search and seizure team members (CIRT), obtaining and serving proper search warrants (if required), and determining potential risk to the system during a search and seizure effort.

  • Report findings: The results of the investigation, including evidence, should be reported to management and turned over to proper law enforcement officials or prosecutors, as appropriate.

 Instant Answer   MOM: Motive, Opportunity, and Means.

Incident handling (or response)

Incident response begins before an incident has actually occurred. Preparation is the key to a quick and successful response. A well-documented and regularly practiced incident response plan ensures effective preparation. The plan should include:

  • Response procedures: Detailed procedures that address different contingencies and situations should be included.

  • Response authority: Roles, responsibilities, and levels of authority for all members of the Computer Incident Response Team (CIRT) must be clearly defined.

  • Available resources: People, tools, and external resources (consultants and law enforcement agents) that are available to the CIRT should be identified. Training should include use of these resources, when possible.

  • Legal review: The incident response plan should be evaluated by appropriate legal counsel to determine compliance with applicable laws and to determine whether they’re enforceable and defensible.

Additional steps in incident response include:

  • Determination: Has a security incident occurred? This is similar to the detection and containment step in the investigative process, and includes defining what constitutes a security incident for your organization. Upon determination that an incident has occurred, it’s important to immediately begin detailed documentation of every action taken throughout the incident response process.

  • Notification: This step and specific procedures are identical to the notification of management step in the investigative process but also includes the disclosure determination step from the investigative process. All contact information should be documented before an incident, and all notifications and contacts during an incident should be documented in the incident log.

  • Containment: Again similar to the detection and containment step in the investigative process, the purpose of this step is to minimize further loss or damage. This may include eradicating a virus, denying access, and disabling services.

  • Assessment: This includes determining the scope and cause of damage, as well as the responsible (or liable) party.

  • Recovery: This may include rebuilding systems, repairing vulnerabilities, improving safeguards, and restoring data and services. This step should be done in accordance with a business continuity plan (BCP) with priorities for recovery properly identified.

  • Evaluation: This is the final phase of an incident response plan and includes the lessons learned. Lessons learned should include not only what went wrong but also what went right.

 Remember   Investigations and incident response have similar steps but different purposes: The distinguishing characteristic of an investigation is the gathering of evidence for possible prosecution, whereas incident response focuses on containing the damage and returning to normal operations.




Ethics (or moral values) are not easily discerned, and a fine line often hovers between ethical and unethical activity. Unethical activity doesn’t necessarily equate to illegal activity. And what may be acceptable in some organizations, cultures, or societies may be unacceptable or even illegal in others.

Ethical standards can be based on a common or national interest, individual rights, laws, tradition, culture, or religion. One helpful distinction between laws and ethics is that laws define what we must do and ethics define what we should do.

Many common fallacies abound about computers and the Internet, which contribute to this gray area:

  • The Computer Game Fallacy: Any system or network that’s not properly protected is fair game.

  • The Law-Abiding Citizen Fallacy: If no physical theft is involved, an activity really isn’t stealing.

  • The Shatterproof Fallacy: Any damage done will have a limited effect.

  • The Candy-from-a-Baby Fallacy: It’s so easy, it can’t be wrong.

  • The Hacker’s Fallacy: Computers provide a valuable means of learning that will, in turn, benefit society. The problem here lies in the distinction between hackers and crackers. Although both may have a genuine desire to learn, crackers do it at the expense of others.

  • The Free Information Fallacy: Any and all information should be free and thus can be obtained through any means.

Almost every recognized group of professionals defines a code of conduct or standards of ethical behavior by which its members must abide. For the CISSP, it is the (ISC)² Code of Ethics. The CISSP candidate must be familiar with the (ISC)² Code of Ethics and Request for Comments (RFC) 1087 for professional guidance on ethics (and the exam).

(ISC)² Code of Ethics

As a requirement for (ISC)² certification, all CISSP candidates must subscribe to and fully support the (ISC)² Code of Ethics.

The (ISC)² Code of Ethics consists of a mandatory preamble and four mandatory canons. Additional guidance is provided for each of the canons on the (ISC)² Web site at www.isc2.org.

Internet Architecture Board (IAB) - “Ethics and the Internet” (RFC 1087)

Published by the Internet Architecture Board (IAB) in January 1989, RFC 1087 characterizes as unethical and unacceptable any activity that purposely:

  1. “Seeks to gain unauthorized access to the resources of the Internet.”

  2. “Disrupts the intended use of the Internet.”

  3. “Wastes resources (people, capacity, computer) through such actions.”

  4. “Destroys the integrity of computer-based information.”

  5. “Compromises the privacy of users.”

Other important tenets of RFC 1087 include

“Access to and use of the Internet is a privilege and should be treated as such by all users of [the] system.”

“Many of the Internet resources are provided by the U.S. Government. Abuse of the system thus becomes a Federal matter above and beyond simple professional ethics.”

“Negligence in the conduct of Internet-wide experiments is both irresponsible and unacceptable.”

“In the final analysis, the health and well-being of the Internet is the responsibility of its users who must, uniformly, guard against abuses which disrupt the system and threaten its long-term viability.”







1. Penalties for conviction in a civil case can include

  A. Imprisonment

  B. Probation

  C. Fines

  D. Community service

2. Possible damages in a civil case are classified as all the following except

  A. Compensatory

  B. Punitive

  C. Statutory

  D. Financial

3. Computer attacks motivated by curiosity or excitement describes

  A. “Fun” attacks

  B. Grudge attacks

  C. Business attacks

  D. Financial attacks

4. Intellectual property includes all the following except

  A. Patents and trademarks

  B. Trade secrets

  C. Copyrights

  D. Computers

5. Under the Computer Fraud and Abuse Act of 1986 (as amended), which of the following is not considered a crime?

  A. Unauthorized access

  B. Altering, damaging, or destroying information

  C. Trafficking child pornography

  D. Trafficking computer passwords

6. Which of the following is not considered one of the four major categories of evidence?

  A. Circumstantial evidence

  B. Direct evidence

  C. Demonstrative evidence

  D. Real evidence

7. In order to be admissible in a court of law, evidence must be

  A. Conclusive

  B. Relevant

  C. Incontrovertible

  D. Immaterial

8. What term describes the evidence-gathering technique of luring an individual toward certain evidence after that individual has already committed a crime; is this considered legal or illegal?

  A. Enticement/Legal

  B. Coercion/Illegal

  C. Entrapment/Illegal

  D. Enticement/Illegal

9. In a civil case, the court may issue an order allowing a law enforcement official to seize specific evidence. This order is known as a(n)

  A. Subpoena

  B. Exigent Circumstances Doctrine

  C. Writ of Possession

  D. Search warrant

10. The IAB “Ethics and the Internet” (RFC 1087) characterizes all the following activities as unethical except

  A. Seeking to gain unauthorized access to resources

  B. Wasting resources

  C. Compromising user privacy

  D. Downloading pornography

Answers

1. C. Fines. Fines are the only penalty a jury can award in a civil case. The purpose of a fine is financial restitution to the victim. Review “Civil penalties.”

2. D. Financial. Although damages in a civil case are of a financial nature, they are classified as compensatory, punitive, and statutory. Review “Civil penalties.”

3. A. “Fun” attacks. Grudge attacks are motivated by revenge. Business attacks may be motivated by a number of factors including competitive intelligence. Financial attacks are motivated by greed. Review “Major Categories of Computer Crime.”

4. D. Computers. Patents and trademarks, trade secrets, and copyrights are all considered intellectual property and are protected by intellectual property rights. Computers are considered physical property. Review “Intellectual property.”

5. C. Trafficking child pornography. The Child Pornography Prevention Act (CPPA) of 1996 addresses child pornography. Review “U.S. Child Pornography Prevention Act of 1996.”

6. A. Circumstantial evidence. Circumstantial evidence is a type of evidence but is not considered one of the four main categories of evidence. In fact, circumstantial evidence may include circumstantial, direct, or demonstrative evidence. Review “Types of evidence.”

7. B. Relevant. The tests for admissibility of evidence include relevance, reliability, and legal permissibility. Review “Admissibility of evidence.”

8. A. Enticement/Legal. Entrapment is the act of encouraging someone to commit a crime that the individual may have had no intention of committing. Coercion involves forcing or intimidating someone to testify or confess. Enticement does raise certain ethical arguments but is not normally illegal. Review “Admissibility of evidence.”

9. C. Writ of Possession. A subpoena requires the owner to deliver evidence to the court. The exigent circumstances doctrine provides an exception to search and seizure rules for law enforcement officials in emergency or dangerous situations. A search warrant is issued in criminal cases. Review “Collection and identification.”

10. D. Downloading pornography. Although certainly unethical and even illegal in many countries, societies, communities, organizations, and situations, pornography is not universally considered unethical. Review “Internet Architecture Board (IAB) - ‘Ethics and the Internet’ (RFC 1087).”





In This Chapter

  • Threats to physical security

  • Planning your site and facility design

  • Physical access, technical, administrative, and environmental and life safety controls

  • Perimeter, interior, and operations/facility security

  • Protecting and securing equipment

Overview

If you’ve already read Chapter 4, you may recall our analogy that castles are normally built in a strategic location with towering walls. But what makes a location strategic, and how high is towering? Exactly where should the battlements and bastions be positioned? Who should guard the entrance, and what are the procedures for raising and lowering the drawbridge? And what should you do after burning and pillaging? This is the realm of the physical (environmental) security domain.

For the Physical (Environmental) Security domain of the Common Body of Knowledge (CBK), the Certified Information Systems Security Professional (CISSP) candidate must fully understand the various threats to physical security, the elements of site and facility requirements planning and design, and the various physical security controls, including access controls, technical controls, environmental and life safety controls, and administrative controls, and how to support the implementation and operation of these controls, as covered in this chapter.

 Tip   Many CISSP candidates underestimate the physical security domain. As a result, exam scores are often lowest in this domain. Although much of the information in this domain is redundant and may seem to be common sense, the CISSP exam does ask very specific questions from this domain, and many candidates lack practical experience in fighting fires!




  • Fire: Threats from fire can be potentially devastating and lethal. Proper precautions, preparation, and training not only help limit the spread of fire and damage but, more important, can also save lives. Saving human lives is the first priority in any life-threatening situation. Other hazards associated with fires include smoke, explosions, building collapse, release of toxic materials or vapors, and water damage.

    Fire requires three elements to burn: heat, oxygen, and fuel. These three elements are sometimes referred to as the fire triangle. (See Figure 13-1.) Fire suppression and extinguishing systems fight fires by removing one of these three elements or by temporarily breaking up the chemical reaction between these three elements: that is, separating the fire triangle. Fires are classified according to the fuel type, as listed in Table 13-1.


    Figure 13-1: A fire needs these three elements to burn.

    Table 13-1: Fire Classes and Suppression/Extinguishing Methods

    Class | Description (Fuel)                                   | Extinguishing Method
    ------+------------------------------------------------------+------------------------------------------------
    A     | Common combustibles, such as paper, wood, furniture, | Water or soda acid
          | and clothing                                         |
    B     | Burnable fuels, such as gasoline or oil              | CO2, soda acid, or Halon (we discuss this in the
          |                                                      | later section “Detection systems”)
    C     | Electrical fires, such as computers or electronics   | CO2 or Halon (Note: The most important step to
          |                                                      | avoid a fire in this class is to turn off the
          |                                                      | electricity first!)
    D     | Special fires, such as chemical or grease fires      | May require total immersion or other special
          |                                                      | techniques

     Instant Answer   Saving human lives is the first priority in any life-threatening situation.

    You must be able to describe Class A, B, and C fires and their primary extinguishing methods. Class D is less common and is not relevant to the CISSP exam.




    Astute organizations will involve security professionals during the design, planning, and construction of new or renovated locations and facilities. Proper site and facility requirements planning during the early stages of construction helps ensure that a new building or data center is adequate, safe, and secure - all of which can help an organization avoid costly situations later.

    Choosing a secure location

    Location, location, location! Although to a certain degree this bit of conventional business wisdom may be less important to profitability in the age of e-commerce, it’s still a critical factor in physical security. Important factors when considering a location include

    • Climatology and natural disasters: Although an organization is unlikely to choose a geographic location based on the likelihood of hurricanes or earthquakes, these factors must be considered when designing a safe and secure facility. Other related factors may include flood plain avoidance, location of evacuation routes, and adequacy of civil and emergency preparedness.

    • Local considerations: Is the location in a high crime area? Are there nearby hazards, such as hazardous materials storage, railway freight lines, or flight paths for the local airport? Is the area heavily industrialized: That is, will air and noise (including vibration) pollution affect your systems?

    • Visibility: Will your employees and facilities be targeted for crime, terrorism, or vandalism? Is the site near another high visibility organization that may attract undesired attention? Is your facility located near a government or military target? Keeping a low profile is generally better; avoid external building markings if possible.

    • Accessibility: Consider local traffic patterns, convenience to airports, proximity to emergency services (police, fire, and medical facilities), and availability of adequate housing. For example, will on-call employees have to drive for an hour to respond when needed?

    • Utilities: Where is the facility located in the power grid? Is electrical power stable and clean? Is sufficient fiber optic cable already in place to support telecommunications requirements?

    • Joint tenants: Will you have full access to all necessary environmental controls? Can (and should) boundary protection costs and responsibilities be shared between joint tenants?

    Designing a secure facility

    Many of the physical and technical controls that we discuss later in this chapter should be considered during the initial design of a secure facility. Doing so will often help reduce the costs and improve the overall effectiveness of these controls. Other building design considerations include

    • Exterior walls: Ideally, exterior walls should be able to withstand high winds (tornadoes and hurricanes/typhoons) and reduce emanations. If possible, exterior windows should be avoided throughout the building, particularly on lower levels. Metal bars over windows on lower levels may be necessary. Any windows should be fixed (cannot be opened), shatterproof, and sufficiently opaque to conceal inside activities.

    • Interior walls: Interior walls adjacent to secure or restricted areas must extend from the floor to the ceiling (through raised flooring and drop ceilings) and must comply with applicable building and fire codes. Walls adjacent to storage areas (such as closets containing janitorial supplies, paper, media, or other flammable materials) must meet minimum fire ratings, which are typically higher than for other interior walls. Ideally, Kevlar (bulletproof) walls should protect the most sensitive areas.

    • Floors: Flooring (both slab and raised) must be capable of bearing loads in accordance with local building codes (typically 150 pounds per square foot). Additionally, raised flooring must have a nonconductive surface and be properly grounded.

    • Ceilings: Weight bearing and fire ratings must be considered. Drop ceilings may temporarily conceal water leaks and intruders; conversely, drop ceilings can reveal leaks while impeding water damage.

    • Doors: Doors and locks must be of sufficient strength and design to resist forcible entry and have a fire rating equivalent to adjacent walls. Emergency exits must remain unlocked from the inside and should also be clearly marked and monitored or alarmed. Electronic lock mechanisms and other access control devices should fail open in the event of an emergency to permit emergency egress. Many doors swing out to facilitate emergency egress; thus, door hinges are located on the outside. These must be properly secured to prevent an intruder from easily lifting hinge pins and removing the door.

    • Lighting: Exterior lighting for all physical spaces and buildings in the security perimeter (including entrances and parking areas) should be sufficient to provide personnel safety as well as to discourage prowlers and casual intruders.

    • Wiring: All wiring, conduits, and cable runs must comply with building and fire codes and be properly protected. Plenum cabling must be used below raised floors and above drop ceilings because PVC cabling releases toxic chemicals when burning.

    • Electricity and HVAC: Electrical load and HVAC requirements must be carefully planned to ensure that sufficient power is available in the right locations and that proper climate ranges (temperature and humidity) are maintained. We discuss additional controls later in the section “Environmental and life safety controls.”

    • Pipes: Shutoff valves for water, steam, or gas pipes should be located and appropriately marked. Drains should have positive flow; that is, carry drainage away from the building.





    Physical (Environmental) security controls include a combination of physical access controls, technical controls, environmental and life safety controls, fire detection and suppression, and administrative controls.

    Physical access controls

    Physical access controls consist of the systems and techniques used to restrict access to a security perimeter and provide boundary protection. These include fencing, security guards, dogs, locks, storage areas, security badges, and biometric access controls.

    Fencing

    Fencing is the primary means for securing an outside perimeter or external boundary and an important element of physical security that the CISSP candidate must know for the exam. Fencing provides physical access control and includes fences, gates, turnstiles, and mantraps. The main disadvantages of fencing are cost and appearance. General fencing height requirements are listed in Table 13-3.

    Table 13-3: General Fencing Height Requirements

    Height                              General Effect
    3–4 ft (1m)                         Deters casual trespassers
    6–7 ft (2m)                         Too high to climb easily
    8 ft (2.4m) + 3-strand barbed wire  Deters more determined intruders

    Mantraps

    A mantrap is a physical access control method consisting of a double set of locked doors or turnstiles. The mantrap may be guarded or monitored, may require different levels of access to pass through both doors or in a different direction and, in more advanced systems, may have a weight-sensing floor to prevent more than one person from passing through at once.

    Security guards

    Throughout history, guards have been used to provide physical security in many different situations and environments. Although modern surveillance equipment, biometric access controls, and intrusion detection systems (IDS) may seem to diminish the role of security guards, these tools have in fact increased the need for skilled physical security personnel capable of operating advanced technology and applying discerning judgment. The major advantages of security guards include

    • Discernment: Guards can apply human judgment to different situations.

    • Visibility: Guards provide a visible deterrent, response, and control capability.

    • Dual functions: Guards can also perform reception and visitor escort functions.

    Some disadvantages include

    • Unpredictability: Preemployment screening and bonding don’t necessarily assure reliability or integrity.

    • Imperfections: Along with human judgment comes the element of human error.

    • Cost: Maintaining a full-time security force (including training) or out-sourcing these functions can be very expensive.

     Instant Answer   The main advantage of security guards is their ability to use human judgment when responding to different situations.

    Dogs

    Like human guards, dogs also provide a highly visible deterrent, response, and control capability. Additionally, dogs are typically more loyal and reliable than humans, with more acute sensory abilities (smell and hearing). However, the use of guard dogs is typically restricted to an outside security perimeter. Other considerations include

    • Limited judgment capability

    • Cost and maintenance

    • Potential liability issues

    Locks

    Doors, windows, and other access points into secure or sensitive areas need to be protected. One of the simplest ways to accomplish this is with a lock. The three basic types of locks are

    • Preset: These are basic mechanical locks that consist of latches, cylinders, and deadbolts; all require a key to open them.

    • Programmable: These can be mechanical (such as dial combination or five-key pushbutton) or electronic (cipher lock or keypad). Shoulder surfing, a social engineering technique commonly used against these types of locks, involves casually observing an authorized individual entering an access code.

    • Electronic: These locks utilize an electronic key (similar to the fancy keys found on expensive cars) that functions like a hybrid smart card (covered later in this section) and physical key.

    Storage areas

    Storage areas containing spare equipment and parts, consumables, and deliveries should be locked and controlled to help prevent theft. Additionally, you should be aware of any hazardous materials being stored in such areas and any environmental factors or restrictions that may affect the contents of the storage area.

    Security badges

    Security badges (or access cards) are used for identification and authentication of authorized personnel entering a secure facility or area.

    A photo identification card (also referred to as a dumb card) is a simple ID card with a facial photograph of the bearer. Typically, no technology is embedded in these cards for authentication purposes, so a security guard must determine whether the bearer is permitted to enter.

    Smart cards are digitally encoded cards that contain an integrated circuit (IC) chip or magnetic stripe (possibly in addition to a photo). Various types of smart cards include

    • Magnetic stripe: The most basic type of smart card. Information is encoded in a magnetic stripe. Common examples include credit cards and automatic teller machine (ATM) cards.

    • Optical-coded: Similar to, but more reliable than, a magnetic stripe card. Information is encoded in a laser-burned lattice of digital dots. These are becoming more common on U.S. state driver’s licenses.

    • Electric circuit: Contains printed electrical contacts on the card surface. These are true smart cards, commonly used for logical access control to computer systems.

    • Proximity card: Doesn’t require the bearer to physically insert the card into the reader. Instead, the reader senses the card in the general area and takes the appropriate action. The three common types of system-sensing proximity cards are

      • Passive: These devices contain no battery or power on the card. They use the electromagnetic field transmitted by the reader to transmit access information (identification) at different frequency levels.

      • Field-powered: These devices contain active electronics, an RF transmitter, and power supply on the card.

      • Transponders: Both the card and reader contain a transceiver, control logic, and battery. The reader transmits an interrogating signal (challenge) causing the card to transmit an access code (response).

    Although more common in logical access controls, smart cards can also provide two-factor authentication in physical access control systems by requiring the user to enter a personal identification number (PIN) or password, or by incorporating an authentication token or other challenge-response mechanism.

    Smart cards, and their associated access control systems, can be programmed to permit multilevel access, restrict access to certain periods (day and time), and log access information.

     Warning   In the Physical (Environmental) Security domain, smart card is used as a general term to describe any security badge or access card with built-in identification and authentication features, such as embedded technology. This may be as simple as a magnetic stripe on an ID card that’s swiped through a card reader. However, in the Access Control domain, a smart card refers to a very specific, highly specialized type of access card: A magnetic stripe doesn’t qualify.

    Biometric access controls

    Biometrics provides the only absolute method for positively identifying an individual based on some unique physiological or behavioral characteristic of that individual (something you are). We discuss biometrics extensively in Chapter 4. Although biometrics in the Physical (Environmental) Security domain refers to physical access control devices (rather than logical access control devices, as in the Access Control domain), the underlying concepts and technologies are the same. To review, the major biometric systems in use today include

    • Finger scan systems

    • Hand geometry systems

    • Retina pattern

    • Iris pattern

    • Voice recognition

    • Signature dynamics

    The accuracy of a biometric system is normally stated as a percentage, in the following terms:

    • False Reject Rate (FRR) or Type I error: Authorized users who are incorrectly denied access, stated as a percentage.

    • False Accept Rate (FAR) or Type II error: Unauthorized users who are incorrectly granted access, stated as a percentage.

    • Crossover Error Rate (CER): The point at which the FRR equals the FAR, stated as a percentage.
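    The FRR/FAR trade-off above is easiest to see on real match scores. The following is an added example (not from the book): it takes constructed similarity scores for genuine and impostor attempts, computes FRR and FAR at a given decision threshold, and sweeps the threshold to locate the crossover point where the two rates are equal (the CER).

```python
"""Biometric accuracy: FRR, FAR and the crossover point from match scores.

Constructed example, not from the book. A biometric matcher returns a
similarity score for every attempt, and the system accepts the attempt when
the score is at or above a decision threshold. Raising the threshold lowers
the False Accept Rate (Type II error) but raises the False Reject Rate
(Type I error); the threshold at which the two are equal gives the
Crossover Error Rate (CER).
"""
from typing import List, Sequence, Tuple

# Constructed sample scores (0.0 = no match, 1.0 = perfect match).
# GENUINE: authorized users matched against their own enrolled template.
# IMPOSTOR: other people matched against that same template.
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.55]
IMPOSTOR = [0.15, 0.25, 0.30, 0.40, 0.45, 0.50, 0.60, 0.72]


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """Type I error: fraction of authorized attempts scoring below the threshold."""
    rejected = sum(1 for score in genuine if score < threshold)
    return rejected / len(genuine)


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """Type II error: fraction of impostor attempts scoring at or above the threshold."""
    accepted = sum(1 for score in impostor if score >= threshold)
    return accepted / len(impostor)


def error_tradeoff(genuine: Sequence[float],
                   impostor: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for every observed score used as a threshold.

    FRR is non-decreasing and FAR non-increasing as the threshold rises,
    which is the trade-off a system designer tunes against."""
    candidates = sorted(set(genuine) | set(impostor))
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in candidates]


def crossover_error_rate(genuine: Sequence[float],
                         impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Return (threshold, FRR, FAR) at the point where FRR and FAR are closest.

    With real, continuous score distributions the curves cross exactly;
    with a finite sample we take the observed threshold with the smallest gap."""
    best = None
    for threshold, frr, far in error_tradeoff(genuine, impostor):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, frr, far)
    _, threshold, frr, far = best
    return threshold, frr, far


if __name__ == "__main__":
    for t, frr, far in error_tradeoff(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FRR {frr:6.1%}  FAR {far:6.1%}")
    t, frr, far = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER: {frr:.1%} at threshold {t:.2f}")
```

    On the constructed scores the rates meet at a threshold of 0.65, giving a CER of 12.5 percent; a lower CER means a more accurate system.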

    Technical controls

    Technical controls include monitoring and surveillance, intrusion detection systems (IDS), and alarms that alert personnel to physical security threats and allow them to respond appropriately.

    Surveillance

    Visual surveillance systems include photographic and electronic equipment that provides detective and deterrent controls. When used to monitor or record live events, they’re a detective control. The visible use of these systems also provides a deterrent control.

    Electronic systems such as closed-circuit television (CCTV) are used to extend and improve the monitoring and surveillance capability of security guards. Photographic systems, including recording equipment, are used to record events for later analysis or as evidence for disciplinary action and prosecution.

    Intrusion detection

    Intrusion detection in the physical security domain refers to systems that detect attempts to gain unauthorized physical access to a building or area. Modern intrusion detection systems (IDS) commonly use the following types of sensors:

    • Photoelectric sensors: A grid of visible or infrared light is projected over the protected area. If a beam of light within the grid is disturbed, an alarm is sounded.

    • Dry contact switches and metallic tape: These systems are inexpensive and commonly used along a perimeter or boundary on door and window frames. For example, if the circuit switch is opened or the metallic tape broken, an alarm is sounded.

    • Motion detectors: Three categories of motion detectors are

      • Wave pattern: Generates a low frequency, ultrasonic, or microwave field over a protected area up to 10,000 square feet (3,000 square meters). Any motion changes the frequency of the reflected wave pattern, causing an alarm to be sounded.

      • Capacitance: Monitors an electrical field for changes in electrical capacitance caused by motion. This type of motion detector is typically used for spot protection within a few inches of a protected object.

      • Audio: Passive system (doesn’t generate a wave pattern or electrical field) triggered by any abnormal sound. This type of device generates more false alarms and should only be used in areas with low ambient noise.

     Warning   Don’t confuse intrusion detection systems (IDS) used to detect physical intruders in the Physical (Environmental) Security domain with network-based and host-based intrusion detection systems (IDS) used to detect cyber-intruders.

    Alarms

    Alarms are activated when a certain condition is detected. Examples of systems employing alarms include fire and smoke detectors, motion sensors and intrusion detection systems (IDS), metal and explosives detectors, access control systems (physical and logical), environmental (for instance, standing water), and climate control monitoring systems.

    Alarm systems should have separate circuitry and a backup power source. Line supervision, comprising technology and processes used to detect attempts to tamper with or disable an alarm system, should also be implemented.

    The five general types of alarm systems are

    • Local systems: An audible alarm is sounded on the local premises. These systems require a local response capability; that is, someone must call the police/fire department and/or respond directly.

    • Central station systems: These systems are operated and monitored by private security organizations connected directly to the protected site via leased lines.

    • Proprietary systems: These are similar to central station systems but are operated and monitored directly on the premises.

    • Auxiliary station systems: These systems - which require prior authorization - use local municipal police or fire circuits to transmit an alarm to the appropriate police or fire headquarters. These systems are typically used in conjunction with one of the above systems (particularly central station systems) to improve response capabilities.

    • Remote station systems: These systems are similar to auxiliary station systems but don’t use police and fire circuits and also don’t necessarily send the alarm to a police or fire department. An automatic dial-up fire alarm that dials a local police or fire department and plays a prerecorded message is an example of a remote station system.

    Environmental and life safety controls

    These are the controls necessary for maintaining a safe and acceptable operating environment for computers and personnel. These include electrical power, HVAC, smoke detection, and fire detection and suppression.

    Electrical power

    General considerations for electrical power include having one or more dedicated feeders from one or more utility substations or power grids and also ensuring that adequate physical access controls are implemented for electrical distribution panels and circuit breakers. An Emergency Power Off (EPO) switch should be installed near major systems and exit doors to shut down power in case of fire or electrical shock. Additionally, a backup power source should be established, such as a diesel power generator. Backup power should only be provided for critical facilities and systems including emergency lighting, fire detection and suppression, mainframes and servers (and certain workstations), HVAC, physical access control systems, and telecommunications equipment.

    Protective controls for electrostatic discharge (ESD) include

    • Maintain proper humidity levels (40–60 percent)

    • Ensure proper grounding

    • Use anti-static flooring, anti-static carpeting, and floor mats

    Protective controls for electrical noise include

    • Install power line conditioners

    • Ensure proper grounding

    • Use shielded cabling

    Using an Uninterruptible Power Supply (UPS) is perhaps the most important protection against electrical anomalies. A UPS provides clean power to sensitive systems and a temporary power source during electrical outages (black-outs, brownouts, and sags); it’s important that this power supply is sufficient to properly shut down the protected systems. Note: A UPS should not be used as a backup power source. A UPS - even a building UPS - is designed to provide temporary power, typically for 5–30 minutes, in order to give a diesel generator time to start up or to allow a controlled and proper shutdown of protected systems.

    Surge protectors and surge suppressors provide only minimal protection for sensitive computer systems and are more commonly (and dangerously) used to overload an electrical outlet or as a daisy-chained extension cord. The protective circuitry in most of these units costs less than one dollar (compare the cost of a low-end surge protector with that of a 6-foot extension cord), and you get what you pay for - these glorified extension cords provide only minimal spike protection. True, a surge protector does provide more protection than nothing at all, but don’t be lured into complacency by these units - check them regularly for proper use and operation and don’t accept them as a viable alternative to a UPS.

    HVAC

    Heating, ventilation, and air conditioning (HVAC) systems maintain the proper environment for computers and personnel. HVAC requirements planning involves complex calculations based on numerous factors including the average BTUs (British Thermal Units) produced by the estimated computers and personnel occupying a given area, the size of the room, insulation characteristics, and ventilation systems.

    The ideal temperature range for computer equipment is between 50–80° F (10–26° C). At temperatures as low as 100° F (38° C), magnetic storage media can be damaged.

     Instant Answer   The ideal temperature range for computer equipment is between 50–80° F (10–26° C).

    The ideal humidity range for computer equipment is between 40–60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD or static electricity.

    Doors and side panels on computer equipment racks should be kept closed (and locked, for physical access control) to ensure proper airflow for cooling and ventilation.

    Heating and cooling systems should be properly maintained and air filters cleaned regularly to reduce dust contamination and fire hazards.

    Most gas discharge fire suppression systems will automatically shut down HVAC systems prior to discharging, but a separate EPO should be installed near exits to facilitate a manual emergency shutdown.

    Ideally, HVAC equipment should be dedicated, controlled, and monitored. If the systems aren’t dedicated or independently controlled, proper liaison with the building manager is necessary to ensure that escalation procedures are effective and understood. Monitoring systems should alert the appropriate personnel when operating thresholds are exceeded.

    Fire detection and suppression

    Fire detection and suppression systems are some of the most essential life safety controls for protecting facilities, equipment, and most important, human lives.

    Detection systems

    The three main types of fire detection systems are

    • Heat-sensing: These devices either sense temperatures exceeding a predetermined level (fixed-temperature detectors) or rapidly rising temperatures (rate-of-rise detectors). The former are more common and exhibit a lower false alarm rate.

    • Flame-sensing: These devices either sense the flicker (or pulsing) of flames or the infrared energy of a flame. These systems are relatively expensive but provide an extremely rapid response time.

    • Smoke-sensing: These devices detect smoke, one of the by-products of fire. There are four types of smoke detectors:

      • Photoelectric: These sense variations in light intensity.

      • Beam: Similar to photoelectric detectors; they sense when smoke interrupts a beam of light.

      • Ionization: These detect disturbances in the normal ionization current of radioactive materials.

      • Aspirating: These draw air into a sampling chamber to detect minute amounts of smoke.

     Instant Answer   The three main types of fire detection systems are heat-sensing, flame-sensing, and smoke-sensing.

    Suppression systems

    The two primary types of fire suppression systems are

    • Water sprinkler systems: Water extinguishes fire by removing the heat element from the fire triangle and is most effective against Class A fires. Water is the primary fire-extinguishing agent for all business environments. Although water can potentially damage equipment, it’s one of the most effective, inexpensive, readily available, and least harmful (to humans) extinguishing agents available. The four variations of water sprinkler systems are

      • Wet pipe (or closed head system): Most commonly used and considered the most reliable. Pipes are always charged with water and ready for activation. Typically a fusible link in the nozzle melts or ruptures, opening a gate valve that releases the water flow. Disadvantages include flooding because of nozzle or pipe failure and because of frozen pipes in cold weather.

      • Dry pipe: No standing water in the pipes. Upon activation, a clapper valve opens, air is blown out of the pipe, and water flows. This type of system is less efficient than the wet pipe system but reduces the risk of accidental flooding; the time delay provides an opportunity to shut down computer systems (or remove power), if conditions permit.

      • Deluge: Operates similarly to a dry pipe system but is designed to quickly deliver large volumes of water. Deluge systems are typically not used for computer equipment areas.

      • Preaction: Combines wet and dry pipe systems. Pipes are initially dry. When a heat-sensor is triggered, the pipes are charged with water, and an alarm is activated. Water isn’t actually discharged until a fusible link melts (like in wet pipe systems). This system is recommended for computer equipment areas because it reduces the risk of accidental discharge by permitting manual intervention.

       Instant Answer   The four main types of water sprinkler systems are wet pipe, dry pipe, deluge, and preaction.

    • Gas discharge systems: Gas discharge systems may be portable (such as a CO2 extinguisher) or fixed (beneath a raised floor). These systems are typically classified according to the extinguishing agent that’s employed. These include

      • Carbon dioxide (CO2): CO2 is a commonly used colorless, odorless gas that extinguishes fire by removing the oxygen element from the fire triangle. (Refer to Figure 13-1.) CO2 is most effective against Class B and C fires. Because it removes oxygen, its use is potentially lethal and best suited for unmanned areas or with a delay action (with manual override) in manned areas.

      CO2 is also used in portable fire extinguishers, which should be located near all exits and within 50 feet (15 meters) of any electrical equipment. All portable fire extinguishers (CO2, water, and soda acid) should be clearly marked (listing the extinguisher type and the fire classes it is to be used for) and periodically inspected. Additionally, all personnel should receive training on proper fire extinguisher use.

      • Soda acid: This includes a variety of chemical compounds that extinguish fires by removing the fuel element (suppressing the flammable components of the fuel) of the fire triangle. (Refer to Figure 13-1.) Soda acid is most effective against Class A and B fires. It is not used for Class C fires because of the highly corrosive nature of many of the chemicals used.

      • Gas discharge: Gas discharge systems suppress fire by separating the elements of the fire triangle (a chemical reaction) and are most effective against Class B and C fires. (Refer to Figure 13-1.) Inert gases don’t damage computer equipment, leave no liquid or solid residue, mix thoroughly with the air, and spread extremely fast. However, these gases in concentrations above 10 percent are harmful if inhaled, and some types degrade into toxic chemicals (hydrogen fluoride, hydrogen bromide, and bromine) when used on fires with temperatures above 900°F (482°C).

      Halon used to be the gas of choice in gas-discharge fire suppression systems. However, because of Halon’s ozone-depleting characteristics, the Montreal Protocol of 1987 prohibited the further production and installation of Halon systems beginning in 1994, instead encouraging replacement of existing systems. Acceptable replacements for Halon include FM-200 (most effective), CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

     Instant Answer   Halon is an ozone-depleting substance. Acceptable replacements include FM-200, CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

    Administrative controls

    These include the policies and procedures necessary to ensure that physical access, technical controls, and environmental and life safety controls are properly implemented and achieve an overall physical security strategy.

    Restricted areas

    Areas in which sensitive information is handled or processed should be formally designated as restricted areas with additional security controls implemented. Restricted areas should be clearly marked, and all employees should know the difference between authorized and unauthorized personnel: specifically, how to detect whether someone on the premises is authorized or not.

    Visitors

    Visitor policies and escort requirements should be clearly defined in the organizational security policy. All visitors should be required to present proper identification to a security guard or receptionist, sign a visitor log, complete a nondisclosure agreement (when appropriate), and wear a conspicuous badge that both identifies them as a visitor and clearly indicates whether an escort is required (often done with color-coded badges). If an escort is required, the assigned escort should be identified by name and held responsible for the visitor at all times while on the premises.

    Audit trails and access logs

    Audit trails and access logs are detective controls that provide a record of events. These records can be analyzed for unauthorized access attempts and patterns of abuse; they can also potentially be used as evidence. We cover audit trails in Chapter 12.
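    The kind of analysis this section describes (unauthorized access attempts and patterns of abuse) can be automated over the logs a badge access control system produces. The following is an added example, not from the book: the log format, door names, business hours and alerting thresholds are all constructed for illustration, and it flags two patterns the chapter mentions, repeated denied attempts at one door and entry to a restricted area outside permitted hours.

```python
"""Flag abuse patterns in physical access (badge reader) logs.

Added example, not from the book. The line format, door names, business
hours and thresholds are constructed assumptions; a real access control
system exports its own format and the site policy sets the thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample export from a badge access control system.
SAMPLE_LOG = """\
2024-03-04T08:02:10 badge=1042 door=LOBBY result=GRANTED
2024-03-04T08:03:15 badge=1042 door=SERVER-ROOM result=DENIED
2024-03-04T08:03:40 badge=1042 door=SERVER-ROOM result=DENIED
2024-03-04T08:04:05 badge=1042 door=SERVER-ROOM result=DENIED
2024-03-04T08:04:30 badge=1042 door=SERVER-ROOM result=DENIED
2024-03-04T12:15:00 badge=2077 door=SERVER-ROOM result=GRANTED
2024-03-04T23:41:12 badge=2077 door=SERVER-ROOM result=GRANTED
2024-03-05T03:12:44 badge=3090 door=LOBBY result=GRANTED
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) badge=(?P<badge>\d+) door=(?P<door>\S+) "
    r"result=(?P<result>GRANTED|DENIED)$"
)

# Constructed site policy: which doors are restricted areas, when access to
# them is normally permitted, and what counts as a suspicious burst of denials.
RESTRICTED_DOORS = {"SERVER-ROOM"}
BUSINESS_HOURS = (7, 19)          # access normally permitted 07:00-18:59
DENIED_THRESHOLD = 3              # this many denials ...
DENIED_WINDOW = timedelta(minutes=5)  # ... inside this window is a finding


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append({
            "ts": datetime.fromisoformat(match["ts"]),
            "badge": match["badge"],
            "door": match["door"],
            "result": match["result"],
        })
    return events


def repeated_denials(events) -> List[Tuple[str, str, int]]:
    """(badge, door, count) for badges denied at one door at least
    DENIED_THRESHOLD times within DENIED_WINDOW (an access attempt pattern)."""
    times_by_key = defaultdict(list)
    for event in events:
        if event["result"] == "DENIED":
            times_by_key[(event["badge"], event["door"])].append(event["ts"])

    findings = []
    for (badge, door), times in times_by_key.items():
        times.sort()
        for i in range(len(times) - DENIED_THRESHOLD + 1):
            # Sliding window: the Nth denial after this one is still inside the window.
            if times[i + DENIED_THRESHOLD - 1] - times[i] <= DENIED_WINDOW:
                count = sum(1 for t in times if times[i] <= t <= times[i] + DENIED_WINDOW)
                findings.append((badge, door, count))
                break  # one finding per badge/door pair is enough
    return findings


def after_hours_restricted(events) -> List[Tuple[str, str, str]]:
    """(badge, door, timestamp) for successful entries to a restricted door
    outside BUSINESS_HOURS; a granted entry at an odd hour is worth review."""
    start, end = BUSINESS_HOURS
    return [
        (e["badge"], e["door"], e["ts"].isoformat())
        for e in events
        if e["result"] == "GRANTED"
        and e["door"] in RESTRICTED_DOORS
        and not (start <= e["ts"].hour < end)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for badge, door, count in repeated_denials(evs):
        print(f"repeated denials: badge {badge} at {door} ({count} in {DENIED_WINDOW})")
    for badge, door, when in after_hours_restricted(evs):
        print(f"after-hours entry: badge {badge} at {door} on {when}")
```

    Findings like these are the raw material for the follow-up the section mentions: correlating with the visitor log, reviewing CCTV for the time window, and preserving the log entries as evidence.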

    Asset classification and control

    Asset classification and control, particularly physical inventories, are an important detective control. The proliferation of desktop PCs, notebooks, personal digital assistants (PDAs), and wireless devices has made theft a very common and difficult physical security threat to counter. An accurate inventory helps identify missing equipment and may potentially be used as evidence.

    Emergency procedures

    Emergency procedures must be clearly documented, readily accessible (often posted in appropriate areas), periodically updated, and routinely practiced (in training and drills). Additional copies may also be kept at secure off-site facilities. Emergency procedures should include emergency system shutdown procedures, evacuation plans and routes, and business continuity plan/disaster recovery plan (BCP/DRP), which we cover in Chapter 11.

    General housekeeping

    Good housekeeping practices are an important aspect of physical security controls. Implementing and enforcing a no-smoking policy helps to reduce not only potential fire hazards but also contamination of sensitive systems. Cleaning dust and ventilation systems helps maintain a cleaner computing environment and also reduces static electricity and fire hazards. Keeping work areas clean and trash emptied reduces potential fire hazards (combustibles) and also helps identify and locate sensitive information that may have been improperly or carelessly handled.

    Pre-employment and post-employment procedures

    These include procedures for background and reference checks, obtaining security clearances, granting access, and termination procedures. These procedures are covered extensively in Chapters 6 and 10.




    Now that you understand the various threats to physical security and the tools and countermeasures available, let’s consider where these controls may need to be implemented and supported.

    At the perimeter, which may include adjacent buildings or grounds, parking lots, and possibly a moat - well, that’s a stretch - physical security threats may include fire, water, vibration and movement, severe weather, sabotage and vandalism, and loss of communications or utilities.

    And, of course, you were involved in the initial site selection and facility design planning when your building was built so you have no problem securing the perimeter, right? Well, for the other 99 percent that weren’t so fortunate and have to address physical security in a preexisting location and facility, begin by assessing what threats are most relevant and how to mitigate associated risks. Consider recommending physical security controls at the perimeter such as fencing, security guards, dogs, surveillance, and alarms, when applicable. If these controls already exist, ensure that they are adequate and assessed regularly. If physical security is not part of your responsibility, ensure that you have a good working relationship with whoever is responsible. Know who to call in an emergency (fire, police, and utilities) and don’t be a stranger - establish working relationships with these professionals before you need their help! Recommend appropriate security technologies that support physical and environmental security controls.

    Interior security deals with . . . the inside of your facility! Many of the same physical security threats that affect the perimeter also affect the interior, but often in very different ways. A fire can be a far more life-threatening emergency inside a facility. Water damage may come from sources other than a flash flood, such as your own fire suppression system.

    Again, under ideal circumstances, your employer’s interior designer consulted with a CISSP, but more often than not, you’ve got some work to do in this area as well! Consider the various aspects of the facility when recommending and supporting interior controls. These include the interior walls, ceilings, floors, doors, and storage areas. And don’t forget the lighting, electrical wiring, physical cabling, ventilation systems, and pipes.

    Various controls for interior security may include locks, restricted areas, security badges, biometric access controls, surveillance, intrusion detection, motion detectors, alarms, and fire detection and suppression systems.

    Operations/facility and equipment security will involve addressing many of the same threats as interior security and supporting many of the same security controls and countermeasures, but with a specific focus on how these threats may adversely affect your business and computer operations. Administrative controls, such as designating restricted areas, visitor policies, audit trails and access logs, and asset classification and control, are particularly important.



