Slides

Compliance and operational security
Information security risk management process (ISO/IEC 27005:2008)
Context establishment
Information security risk assessment
Information security risk treatment
Information security risk acceptance
Information security risk communication
Information security risk monitoring and review
Contingency Planning Guide for Federal Information Systems (NIST SP
the summer semester of the year 2014/2015
Overview of context establishment
Input: All information about the organization relevant to the
information security risk management context establishment.
Output: The specification of basic criteria, the scope and
boundaries, and the organization for the information security
risk management process.
Remarks: It is essential to determine the purpose of the
information security risk management as this affects the
overall process and the context establishment in particular.
This purpose can be:
Supporting an Information Security Risk Management
Process,
Legal compliance and evidence of due diligence,
Preparation of a business continuity plan,
Preparation of an incident response plan,
Description of the information security requirements for
a product, a service or a mechanism.
Basic Criteria
At least:
Risk evaluation criteria,
Impact criteria,
Risk acceptance criteria,
should be addressed.
Additionally, the organization should assess whether
necessary resources are available to:
Perform risk assessment and establish a risk treatment
plan
Define and implement policies and procedures,
including implementation of the controls selected
Monitor controls
Monitor the information security risk management
process
Basic Criteria
Risk evaluation criteria
Risk evaluation criteria should consider:
The strategic value of the business information process
The criticality of the information assets involved
Legal and regulatory requirements, and contractual
obligations
Operational and business importance of availability,
confidentiality and integrity
Stakeholders' expectations and perceptions, and
negative consequences for goodwill and reputation
Additionally, risk evaluation criteria can be used to specify
priorities for risk treatment.
Basic Criteria
Impact criteria
Impact criteria should be developed and specified in terms
of the degree of damage or costs to the organization caused
by an information security event considering the following:
Level of classification of the impacted information asset
Breaches of information security (e.g., loss of
confidentiality, integrity and availability)
Impaired operations (internal or third parties)
Loss of business and financial value
Disruption of plans and deadlines
Damage to reputation
Breaches of legal, regulatory or contractual
requirements
Basic Criteria
Risk acceptance criteria
An organization should define its own scales for levels of
risk acceptance. The following should be considered during
development:
Risk acceptance criteria may include multiple
thresholds, with a desired target level of risk.
Risk acceptance criteria may be expressed as the ratio
of estimated profit to the estimated risk.
Different risk acceptance criteria may apply to different
classes of risk (e.g., risks that could result in
noncompliance with regulations or laws may not be
accepted, while acceptance of high risks may be
allowed if this is specified as a contractual
requirement.)
Risk acceptance criteria may include requirements for
future additional treatment, e.g. a risk may be accepted
if there is approval and commitment to take action to
reduce it to an acceptable level within a defined time
period.
Risk acceptance criteria may differ according to how long
the risk is expected to exist, e.g., the risk may be associated
with a temporary or short term activity. Risk acceptance
criteria should be set up considering the following:
Business criteria
Legal and regulatory aspects
Operations
Technology
Finance
Social and humanitarian factors
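The acceptance rules listed above (class-based exclusions, a contractual exception, a profit-to-risk ratio, a shorter horizon for temporary risks, and conditional acceptance tied to a treatment commitment) can be written down as one decision function so that every acceptance is reproducible and reviewable. The following is an added example, not code from the slides or from ISO/IEC 27005; the 1..5 risk scale, the class names, the thresholds and the sample register are all constructed assumptions that an organization would replace with its own criteria.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Risk levels use an assumed ordinal scale 1 (very low) .. 5 (very high).
# Scale, class names and every threshold below are constructed for this
# example; ISO/IEC 27005 leaves them to the organization's own context.


@dataclass
class Risk:
    name: str
    level: int                             # estimated risk level, 1..5
    risk_class: str                        # e.g. "operational", "compliance"
    estimated_profit: float = 0.0          # expected gain from the risky activity
    estimated_loss: float = 0.0            # expected loss if the risk materialises
    ends_on: Optional[date] = None         # set when tied to a temporary activity
    treatment_days: Optional[int] = None   # approved commitment to reduce the risk within N days
    contractually_required: bool = False   # a contract obliges the organization to carry the risk


@dataclass
class AcceptanceCriteria:
    target_level: int = 2            # desired residual level after treatment
    accept_level: int = 3            # accepted without conditions at or below this level
    conditional_level: int = 4       # accepted only with a treatment commitment
    max_treatment_days: int = 90     # longest commitment period allowed
    min_profit_ratio: float = 2.0    # required estimated profit / estimated loss
    never_accept: frozenset = frozenset({"compliance"})
    short_term_days: int = 30        # risks ending within this window get one extra level


@dataclass
class Decision:
    outcome: str                     # "accept", "accept-conditionally" or "treat"
    reason: str
    review_by: Optional[date] = None


def decide(risk: Risk, c: AcceptanceCriteria, today: date) -> Decision:
    # Class rule comes first: non-compliance risks are never accepted.
    if risk.risk_class in c.never_accept:
        return Decision("treat", f"class '{risk.risk_class}' is never accepted")
    # A contractual requirement may justify accepting even a high risk.
    if risk.contractually_required:
        return Decision("accept", "accepted as a contractual requirement",
                        review_by=risk.ends_on)
    # The threshold depends on how long the risk is expected to exist.
    threshold = c.accept_level
    if (risk.ends_on is not None and today <= risk.ends_on
            and risk.ends_on - today <= timedelta(days=c.short_term_days)):
        threshold += 1
    if risk.level <= threshold:
        # Profit-to-risk ratio, applied only when a loss estimate exists.
        if risk.estimated_loss > 0:
            ratio = risk.estimated_profit / risk.estimated_loss
            if ratio < c.min_profit_ratio:
                return Decision("treat", f"profit/risk ratio {ratio:.2f} below {c.min_profit_ratio}")
        return Decision("accept", f"level {risk.level} within threshold {threshold}",
                        review_by=risk.ends_on)
    # Conditional acceptance: approval and commitment to treat within a defined period.
    if (risk.level <= c.conditional_level and risk.treatment_days is not None
            and risk.treatment_days <= c.max_treatment_days):
        return Decision("accept-conditionally",
                        f"reduce to level {c.target_level} within {risk.treatment_days} days",
                        review_by=today + timedelta(days=risk.treatment_days))
    return Decision("treat", f"level {risk.level} exceeds the acceptance thresholds")


# Constructed sample register; names and values are illustrative only.
TODAY = date(2015, 4, 1)
SAMPLE_RISKS = [
    Risk("retention", 2, "compliance"),          # customer data kept past the legal limit
    Risk("legacy-vpn", 5, "operational", contractually_required=True),
    Risk("test-server", 4, "operational", ends_on=date(2015, 4, 15)),
    Risk("payroll-admin", 4, "operational", treatment_days=60),
    Risk("thin-margin", 3, "business", estimated_profit=10_000, estimated_loss=8_000),
    Risk("printer", 2, "operational"),
]


def run_example(today: date = TODAY) -> dict:
    """Apply the default criteria to the sample register; results keyed by risk name."""
    return {r.name: decide(r, AcceptanceCriteria(), today) for r in SAMPLE_RISKS}


if __name__ == "__main__":
    for name, d in run_example().items():
        print(f"{name:14} {d.outcome:22} {d.reason}")
```

The order of the checks is the point: the class rule is evaluated before any threshold or ratio, so a non-compliance risk can never be argued into acceptance by a good profit ratio, and every conditional acceptance carries a review date derived from the committed treatment period.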
The scope and boundaries
Study of the organization,
List of the constraints affecting the organization,
List of the legislative and regulatory references
applicable to the organization,
List of the constraints affecting the scope.
The scope and boundaries
Study of the organization
The study of the organization recalls the characteristic
elements defining the identity of an organization.
The organization’s main purpose: The main purpose
of an organization can be defined as the reason why it
exists (its field of activity, its market segment, etc.).
Its business: The organization’s business, defined by
the techniques and know-how of its employees,
enables it to accomplish its missions. It is specific to
the organization’s field of activity and often defines its
culture.
Its mission: The organization achieves its purpose by
accomplishing its mission. To identify its missions, the
services provided and/or products manufactured
should be identified in relation to the end users.
Its values: Values are major principles or a
well-defined code of conduct applied to the exercise of
a business. This may concern the personnel, relations
with outside agents (customers, etc.), the quality of
products supplied or services provided (e.g.,
punctuality and safety of delivery).
Structure of the organization:
Divisional structure: each division is placed under the
authority of a division manager responsible for the
strategic, administrative and operational decisions
concerning his unit
Functional structure: functional authority is exercised
on the procedures, the nature of the work and
sometimes the decisions or planning (e.g., production,
IT, human resources, marketing, etc.)
Organization chart: The organization’s structure is
represented schematically in an organization chart.
This representation should highlight the lines of
reporting and delegation of authority, but should also
include other relationships, which, even if they are not
based on any formal authority, are nevertheless lines of
information flow.
The organization’s strategy: This requires a formal
expression of the organization’s guiding principles.
The scope and boundaries
List of the constraints affecting the organization
The list of constraints includes but is not limited to:
Constraints of a political nature: These may concern
government administrations, public institutions or more
generally any organization that has to apply
government decisions.
Constraints of a strategic nature: Constraints can
arise from planned or possible changes to the
organization’s structures or orientation. They are
expressed in the organization’s strategic or operational
plans.
Territorial constraints: The organization’s structure
and/or purpose may introduce specific constraints such
as the distribution of sites over the entire national
territory or abroad.
Constraints arising from the economic and political
climate: An organization’s operation may be
profoundly changed by specific events such as strikes
or national and international crises.
Structural constraints: For example, an international
structure should be able to reconcile security
requirements specific to each country.
Functional constraints: For example, an organization
that operates around the clock should ensure its
resources are continuously available. Functional
constraints arise directly from the organization’s
general or specific missions.
Constraints concerning personnel: They are linked
to: level of responsibility, recruitment, qualification,
training, security awareness, motivation, availability,
etc.
For example, the entire personnel of a defence
organization should have authorisation to handle highly
confidential information.
Constraints arising from the organization’s
calendar: These constraints may result from
restructuring or setting up new national or international
policies imposing certain deadlines. For example, the
creation of a security division.
Constraints related to methods: For example, a
typical constraint of this kind is the need to incorporate
the organization’s legal obligations into the security
policy.
Constraints of a cultural nature: In some
organizations work habits or the main business have
led to a specific “culture” within the organization, one
which may be incompatible with the security controls.
Budgetary constraints: While it is not always
appropriate to base security investments on
cost-effectiveness, economic justification is generally
required by the organization’s financial department. (cf.
the rule: the total cost of security controls should not
exceed the cost of the potential consequences of the
risks).
The scope and boundaries
List of the legislative and regulatory references applicable to the
organization
The regulatory requirements applicable to the organization
should be identified. These may be laws, decrees, specific
regulations in the organization’s field or internal/external
regulations. This also concerns contracts and agreements
and more generally any obligations of a legal or regulatory
nature.
All or only the most relevant ones? Relevant for what? For
information security?
The scope and boundaries
List of the constraints affecting the scope
Constraints arising from pre-existing processes:
Application projects are not necessarily developed
simultaneously. Some depend on pre-existing
processes. Even though a process can be broken down
into sub-processes, the process is not necessarily
influenced by all the sub-processes of another process.
Technical constraints: Generally arise from installed
hardware and software, and rooms or sites housing the
processes.
Financial constraints: The implementation of security
controls is often restricted by the budget that the
organization can commit. However, the financial
constraint should still be the last to be considered, as
the budget allocation for security can be negotiated on
the basis of the security study.
Environmental constraints: Environmental
constraints arise from the geographical or economic
environment in which the processes are implemented:
country, climate, natural risks, geographical situation,
economic climate, etc.
Time constraints: The time required for implementing
security controls should be considered in relation to the
ability to upgrade the information system; if the
implementation time is very long, the risks for which the
control was designed may have changed. Time is a
determining factor for selecting solutions and priorities.
Constraints related to methods: Methods
appropriate to the organization’s know-how should be
used for project planning, specifications, development
and so on.
Organization for the information security risk
management process
The organization and responsibilities for the information
security risk management process should be set up and
maintained. This organization should be approved by the
appropriate managers of the organization.
The main roles and responsibilities of this organization are:
Development of the information security risk
management process suitable for the organization
Identification and analysis of the stakeholders
Definition of roles and responsibilities of all parties both
internal and external to the organization
Establishment of the required relationships between
the organization and stakeholders, as well as interfaces
to the organization’s high level risk management
functions (e.g., operational risk management), as well
as interfaces to other relevant projects or activities
Definition of decision escalation paths
Specification of records to be kept
Overview of the information security risk
assessment process
Input: Basic criteria, the scope and boundaries, and the
organization for the information security risk management
process being established.
Action: Risks should be identified, quantified or qualitatively
described, and prioritized against risk evaluation criteria
and objectives relevant to the organization.
Output: A list of assessed risks prioritized according to risk
evaluation criteria.
Risk assessment consists of the following activities:
Risk analysis, which comprises risk identification and risk estimation
Risk evaluation
Risk assessment is often conducted in two (or more)
iterations:
First a high level assessment is carried out to identify
potentially high risks that need further assessment.
The next iteration can involve further in-depth
investigation of potentially high risks indicated by the
previous iteration.
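The two-iteration assessment described above, together with the earlier requirement that risks be estimated and then prioritized against the risk evaluation criteria, is small enough to be carried through in code. This is an added example, not code from the slides or from ISO/IEC 27005; the 1..5 likelihood and impact scales, the product score, the "high"/"medium"/"low" thresholds, the sample scenarios and the in-depth findings are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumed ordinal scales, constructed for this example: likelihood and impact
# both run 1 (lowest) .. 5 (highest); the risk score is their product (1..25).


@dataclass(frozen=True)
class RiskScenario:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    iteration: int = 1      # 1 = high-level screen, 2 = in-depth investigation


@dataclass(frozen=True)
class EvaluationCriteria:
    high: int = 15          # score >= high   -> "high"
    medium: int = 8         # score >= medium -> "medium", otherwise "low"


@dataclass(frozen=True)
class Finding:
    """Result of the in-depth investigation of one scenario (constructed)."""
    likelihood: int
    impact: int
    note: str


def estimate(s: RiskScenario) -> int:
    return s.likelihood * s.impact


def evaluate(score: int, c: EvaluationCriteria) -> str:
    if score >= c.high:
        return "high"
    if score >= c.medium:
        return "medium"
    return "low"


def prioritize(scenarios, c: EvaluationCriteria) -> List[Tuple[str, int, str]]:
    """Rank against the evaluation criteria: score, then impact (criticality), then id."""
    ranked = sorted(scenarios, key=lambda s: (-estimate(s), -s.impact, s.rid))
    return [(s.rid, estimate(s), evaluate(estimate(s), c)) for s in ranked]


def screen(scenarios, c: EvaluationCriteria) -> List[str]:
    """Iteration 1: ids of potentially high risks that need further assessment."""
    return [rid for rid, _, level in prioritize(scenarios, c) if level == "high"]


def assess(scenarios, c: EvaluationCriteria, findings: Dict[str, Finding]):
    """Iteration 2 re-estimates only the screened scenarios, then re-prioritizes all."""
    flagged = set(screen(scenarios, c))
    refined = []
    for s in scenarios:
        if s.rid in flagged and s.rid in findings:
            f = findings[s.rid]
            s = replace(s, likelihood=f.likelihood, impact=f.impact, iteration=2)
        refined.append(s)
    return prioritize(refined, c)


# Constructed sample scenarios and in-depth findings; values are illustrative only.
SAMPLE = [
    RiskScenario("R1", "file server", "ransomware", likelihood=4, impact=5),
    RiskScenario("R2", "payroll process", "loss of key personnel", likelihood=3, impact=3),
    RiskScenario("R3", "web shop", "denial of service", likelihood=4, impact=4),
    RiskScenario("R4", "office printer", "theft", likelihood=2, impact=1),
]
FINDINGS = {
    "R1": Finding(4, 3, "tested offline backups limit the impact"),
    "R3": Finding(4, 4, "no upstream filtering in place; estimate confirmed"),
}


def run_example():
    """Return (ids flagged by the screen, final prioritized list)."""
    return screen(SAMPLE, EvaluationCriteria()), assess(SAMPLE, EvaluationCriteria(), FINDINGS)


if __name__ == "__main__":
    first, final = run_example()
    print("flagged for in-depth assessment:", first)
    for rid, score, level in final:
        print(rid, score, level)
```

The screen only decides where the second iteration spends effort; the final ranking is recomputed over every scenario so that a risk whose in-depth estimate dropped (here R1, once existing backup controls were taken into account) is re-ordered below one that was confirmed.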
Overview of the information security risk
assessment process
Risk analysis - step one: risk identification
Risk identification is conducted by the following activities:
Identification of assets,
Identification of threats,
Identification of existing controls,
Identification of vulnerabilities,
Identification of consequences.
Identification of assets:
Input: Scope and boundaries for the risk assessment
to be conducted, list of constituents with owners,
location, function, etc.
Output: A list of assets to be risk-managed, and a list
of business processes related to assets and their
relevance.
An asset is anything that has value to the organization and
which therefore requires protection. For the identification of
assets it should be remembered that an information system
consists of more than hardware and software.
Overview of the information security risk
assessment process
Risk analysis - examples of asset identification
Two kinds of assets can be distinguished:
The primary assets.
The supporting assets – on which the primary
elements of the scope rely.
The primary assets:
Business processes & activities
Information.
The supporting assets:
Software
Network
Personnel
Site
Organization’s structure
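The distinction between primary assets (processes and information) and the supporting assets they rely on is only useful in practice if the inventory records the reliance, so that an impaired supporting asset can be traced to the primary assets it affects. The following is an added example, not code from the slides or from ISO/IEC 27005; the inventory class, its validation rules and the sample assets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

PRIMARY = "primary"
SUPPORTING = "supporting"
# Supporting asset types as listed on the slides (hardware appears on the next slide).
SUPPORTING_TYPES = {"hardware", "software", "network", "personnel", "site", "organization"}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                          # PRIMARY or SUPPORTING
    category: str                      # primary: "process"/"information"; supporting: SUPPORTING_TYPES
    owner: str
    relies_on: Tuple[str, ...] = ()    # supporting assets this asset depends on


class AssetInventory:
    def __init__(self, assets: Iterable[Asset]):
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        self._validate()

    def _validate(self) -> None:
        # Reliance may only point at listed supporting assets of a known type.
        for a in self.assets.values():
            if a.kind == SUPPORTING and a.category not in SUPPORTING_TYPES:
                raise ValueError(f"{a.name}: unknown supporting asset type {a.category}")
            for dep in a.relies_on:
                target = self.assets.get(dep)
                if target is None:
                    raise ValueError(f"{a.name} relies on unlisted asset {dep}")
                if target.kind != SUPPORTING:
                    raise ValueError(f"{a.name} may only rely on supporting assets, not {dep}")

    def supporting_closure(self, name: str) -> Set[str]:
        """All supporting assets the named asset relies on, directly or transitively."""
        seen: Set[str] = set()
        stack = list(self.assets[name].relies_on)
        while stack:
            dep = stack.pop()
            if dep not in seen:          # also guards against cycles in the data
                seen.add(dep)
                stack.extend(self.assets[dep].relies_on)
        return seen

    def impaired_primary_assets(self, supporting_name: str) -> Set[str]:
        """Primary assets whose operation depends on the given supporting asset."""
        return {a.name for a in self.assets.values()
                if a.kind == PRIMARY and supporting_name in self.supporting_closure(a.name)}

    def unsupported_primary(self) -> List[str]:
        """Primary assets with no supporting assets recorded: a gap in identification."""
        return sorted(a.name for a in self.assets.values()
                      if a.kind == PRIMARY and not a.relies_on)


# Constructed sample inventory; names and owners are illustrative only.
SAMPLE_ASSETS = [
    Asset("Order processing", PRIMARY, "process", "Head of sales", ("ERP application", "Sales staff")),
    Asset("Customer records", PRIMARY, "information", "Data protection officer", ("Customer DB",)),
    Asset("Product roadmap", PRIMARY, "information", "CTO"),      # reliance not yet recorded
    Asset("ERP application", SUPPORTING, "software", "IT", ("DB server", "Office LAN")),
    Asset("Customer DB", SUPPORTING, "software", "IT", ("DB server",)),
    Asset("DB server", SUPPORTING, "hardware", "IT", ("Server room",)),
    Asset("Office LAN", SUPPORTING, "network", "IT"),
    Asset("Sales staff", SUPPORTING, "personnel", "Head of sales"),
    Asset("Server room", SUPPORTING, "site", "Facilities"),
]


def run_example() -> dict:
    inv = AssetInventory(SAMPLE_ASSETS)
    return {
        "server_room_impairs": inv.impaired_primary_assets("Server room"),
        "lan_impairs": inv.impaired_primary_assets("Office LAN"),
        "order_processing_relies_on": inv.supporting_closure("Order processing"),
        "gaps": inv.unsupported_primary(),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, sorted(value))
```

Two properties are worth keeping when adapting this: the validation refuses reliance on an asset that was never identified, which forces the asset list and the dependency list to be built together, and the list of primary assets without any recorded supporting asset is a direct check on the slide's point that an information system consists of more than hardware and software.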
The identification of primary assets is carried out by a mixed
work group representative of the process (managers,
information systems specialists and users).
The primary assets are usually the core processes and
information of the activity in the scope. Other primary
assets such as the organization’s processes can also be
considered, which will be more appropriate for drawing up
an information security policy or a business continuity plan.
Depending on the purpose, some studies will not require an
exhaustive analysis of all the elements making up the
scope.
Overview of the information security risk
assessment process
Examples of asset identification - Business processes & activities
Business processes (or sub-processes) and activities, for
example:
Processes whose loss or degradation make it
impossible to carry out the mission of the organization
Processes that contain secret processes or processes
involving proprietary technology
Processes that, if modified, can greatly affect the
accomplishment of the organization’s mission
Processes that are necessary for the organization to
comply with contractual, legal or regulatory
requirements
Overview of the information security risk
assessment process
Examples of asset identification - Information
Primary information mainly comprises:
  Vital information for the exercise of the organization's mission or business
  Personal information, as can be defined specifically in the sense of the national laws regarding privacy
  Strategic information required for achieving objectives determined by the strategic orientations
  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost
Overview of the information security risk assessment process - Examples of asset identification: supporting assets
Supporting assets have vulnerabilities that are exploitable by threats aiming to impair the primary assets of the scope (processes and information). They are of various types:
Hardware:
  Data processing equipment (active): automatic information processing equipment including the items required to operate independently.
    Transportable equipment: portable computer equipment. Examples: laptops, mobile phones and PDAs.
    Fixed equipment: computer equipment used in the organization's area. Examples: server, microcomputer used as a workstation.
    Processing peripherals: equipment connected to a computer via a communication port (serial, parallel link, etc.) for entering, conveying or transmitting data.
  Data medium (passive): media for storing data or functions.
    Electronic medium: an information medium that can be connected to a computer or computer network for data storage. These media may be of compact size and contain a large amount of data. They can be used with standard computing equipment. Examples: floppy disc, CD ROM, back-up cartridge, removable hard disc, memory key, tape.
    Other media: static, non-electronic media containing data. Examples: paper, slide, transparency, documentation, fax.
Software:
  Operating system: depending on the architecture, an operating system may be monolithic or made up of a micro-kernel and a set of system services. The main elements of the operating system are all the equipment management services (CPU, memory, disc, and network interfaces), task or process management services and user rights management services.
  Service, maintenance or administration software: software characterised by the fact that it complements the operating system services and is not directly at the service of the users or applications (even though it is usually essential or even indispensable for the global operation of the information system).
  Package software or standard software: complete products commercialised as such with medium, release and maintenance. They provide services for users and applications, but are not personalised or specific in the way that business applications are. Examples: database management software, electronic messaging software, groupware, directory software, web server software, etc.
  Business application:
    Standard business application: commercial software designed to give users direct access to the services and functions they require from their information system in their professional context. Examples: accounts software, machine tool control software, customer care software, etc.
    Specific business application: software in which various aspects (primarily support, maintenance, upgrading, etc.) have been specifically developed to give users direct access to the services and functions they require from their information system. Examples: invoice management of telecom operators' customers, real time monitoring application for rocket launching.
Network:
  Medium and supports: Ethernet, GigabitEthernet, ADSL, WiFi 802.11, FireWire, ...
  Passive or active relay: bridge, router, hub, switch, automatic exchange.
  Communication interfaces: connected to the processing units, but characterised by the media and supported protocols. Examples: General Packet Radio Service, Ethernet adaptor.
Personnel:
  Decision maker: the owners of the primary assets (information and functions) and the managers of the organization or specific project.
  Users: the personnel who handle sensitive elements in the context of their activity. They may have special access rights to the information system to carry out their everyday tasks.
  Operation/maintenance staff: they have special access rights to the information system to carry out their everyday tasks. Examples: system administrator, data administrator, back-up, Help Desk, application deployment operator, security officers.
  Developers: in charge of developing the organization's applications. They have access to part of the information system with high-level rights but do not take any action on the production data.
Site: the site type comprises all the places containing the scope or part of the scope, and the physical means required for it to operate.
  Location:
    External environment: all locations in which the organization's means of security cannot be applied (e.g., homes of the personnel, premises of another organization).
    Premises.
    Zone: obtained by creating physical barriers around the organization's information processing infrastructures (e.g., offices, reserved access zone, secure zone).
  Communication: telecommunications services and equipment provided by an operator (telephone line, internal telephone network).
  Utilities: power supply, water supply, waste disposal, etc.
Organization:
  Authorities: organizations from which the studied organization derives its authority. They impose constraints on the studied organization in terms of regulations, decisions and actions.
  Structure of the organization: the various branches of the organization (e.g., human resources management, IT management, purchasing management, business unit management, building safety service, fire service, audit management).
  Project or system organization: the organization set up for a specific project or service (e.g., new application development project, information system migration project).
Overview of the information security risk assessment process - Risk analysis, step one: risk identification
Identification of assets - asset valuation:
The next step after asset identification is to agree upon the scale to be used and the criteria for assigning a particular location on that scale to each asset, based on valuation.
Criteria: the criteria used as the basis for assigning a value to each asset should be written out in unambiguous terms. This might be difficult: values of some assets may have to be subjectively determined, and many different individuals are likely to be making the determination. Possible criteria:
  original cost
  costs of replacement or re-creation
  costs incurred due to loss of confidentiality, integrity and availability
  costs of business implications of security incidents
  abstract values, e.g., the organization's reputation.
Overview of the information security risk assessment process - risk identification: asset valuation
Assets may have several values assigned. For example, a business plan:
  may be valued based on the labour expended to develop the plan,
  might be valued on the labour to input the data,
  could be valued based on its value to a competitor.
Each of the assigned values will most likely differ considerably. The assigned value may be, e.g.:
  the maximum of all possible values,
  or the sum of some or all of the possible values.
At the end all asset values need to be reduced to a common base. Criteria that may help:
  Impairment of business performance
  Negative effect on reputation
  Breach associated with personal information
  Endangerment of personal safety
  Adverse effects on law enforcement
  Breach of public order
  Breach of confidentiality
  Financial loss
  Disruption to business activities
  Endangerment of environmental safety
More detailed criteria:
  Interruption of service (inability to provide the service)
  Loss of customer confidence:
    loss of credibility in the internal information system
    damage to reputation
  Disruption of internal operation:
    disruption in the organization itself
    additional internal cost
  Disruption of a third party's operation:
    disruption in third parties transacting with the organization
    various types of injury
More detailed exemplary list of issues to be considered (continued):
  Inability to fulfill legal obligations
  Inability to fulfill contractual obligations
  Danger to personnel / user safety
  Attack on users' private life
  Financial losses
  Financial costs for emergency or repair:
    in terms of personnel,
    in terms of equipment,
    in terms of studies, experts' reports
More detailed criteria (continued):
  Loss of goods / funds / assets
  Loss of customers, loss of suppliers
  Judicial proceedings and penalties
  Loss of a competitive advantage
  Loss of technological / technical lead
  Loss of effectiveness / trust
  Loss of technical reputation
  Weakening of negotiating capacity
  Industrial crisis (strikes), government crisis, material damage.
Overview of the information security risk assessment process - risk identification: scale of asset valuation
After establishing the criteria to be considered, the organization should agree on a scale to be used organization-wide.
The first step: decide on the number of levels to be used. There are no strict rules:
  More levels provide a greater level of granularity, but a too fine differentiation may make consistent assignments throughout the organization difficult.
  Normally, any number of levels between 3 (e.g. low, medium, and high) and 10 can be used as long as it is consistent with the approach the whole organization is using.
Levels of the scale (e.g., "low", "medium", or "high"):
  If consequences may be expressed in numerical values (e.g. for possible financial loss, they should be given in monetary values), then levels on the scale may correspond to intervals of the values.
  For considerations such as endangerment of personal safety, monetary (numerical) valuation can be complex and may not be appropriate for all organizations.
  It is entirely up to the organization to decide what is considered as being a "low" or a "high" consequence. A consequence that might be disastrous for a small organization could be low or even negligible for a very large organization.
Dependencies: the more relevant and numerous the business processes supported by an asset, the greater the value of this asset.
Thus dependencies of assets on business processes and other assets should be identified, because this might influence the values of the assets.
Examples of dependencies:
  The confidentiality of data should be kept throughout its life-cycle, at all stages, including storage and processing, i.e. the security needs of data storage and processing programmes should be directly related to the value representing the confidentiality of the data stored and processed.
  If a business process is relying on the integrity of certain data being produced by a programme, the input data of this programme should be of appropriate reliability.
  The integrity of information will be dependent on the hardware and software used for its storage and processing. Also, the hardware will be dependent on the power supply and possibly air conditioning.
Information about dependencies will assist in the identification of threats and particularly vulnerabilities.
It will help to assure that the true value of the assets (through the dependency relationships) is assigned to the assets, thereby indicating the appropriate level of protection.
If the values of the dependent assets (e.g., data) are lower than or equal to the value of the asset considered (e.g., software), its value remains the same.
If the value of the dependent asset (e.g. data) is greater, then the value of the asset considered (e.g. software) should be increased according to:
  the degree of dependency,
  the values of the other assets.
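The valuation rules above, as a worked example: several candidate values of an asset reduced to one (maximum or sum), monetary consequences mapped onto an organization-wide scale of levels, and a supporting asset raised to the value of the assets that depend on it, following the dependency chain data -> application -> server -> power supply. This is added code, not from the slides or from ISO/IEC 27005 itself; the asset names, amounts, the three-level scale and the "dependent value times degree of dependency" propagation rule are constructed assumptions.

```python
"""Asset valuation on a common scale with dependency propagation.

Added example, not part of the lecture slides or of ISO/IEC 27005.  Asset
names, amounts, scale thresholds and the propagation rule are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed organization-wide scale with 3 levels (the slides allow 3 to 10).
# Each entry: (level name, exclusive upper bound of its monetary interval;
# None marks the open-ended top level).
SCALE: List[Tuple[str, Optional[float]]] = [("low", 10_000), ("medium", 100_000), ("high", None)]

# Valuation dimensions of the final output: disclosure (C), modification (I),
# non-availability / destruction (A).
DIMENSIONS = ("C", "I", "A")


def level_for(amount: float) -> str:
    """Map a monetary consequence onto the interval-based scale."""
    for name, upper in SCALE:
        if upper is None or amount < upper:
            return name
    raise ValueError("SCALE must end with an open-ended level")


@dataclass
class Asset:
    name: str
    # Candidate values per dimension, keyed by the criterion they come from,
    # e.g. {"C": {"regulatory_fine": 250_000, "value_to_competitor": 80_000}}.
    candidates: Dict[str, Dict[str, float]]
    # Supporting assets this asset relies on, with a degree of dependency in
    # 0..1 per dimension (a constructed way of expressing "degree of dependency").
    depends_on: List[Tuple[str, Dict[str, float]]] = field(default_factory=list)

    def own_value(self, dim: str, method: str = "max") -> float:
        """Reduce the candidate values of one dimension to a single amount."""
        values = list(self.candidates.get(dim, {}).values()) or [0.0]
        return max(values) if method == "max" else sum(values)


def propagate(assets: Dict[str, Asset], method: str = "max") -> Dict[str, Dict[str, float]]:
    """Raise supporting assets to the value of the assets that depend on them.

    Rule from the slides: if a dependent asset (e.g. data) is worth more than
    the asset it relies on (e.g. software), the latter's value is increased
    according to the degree of dependency; otherwise it is unchanged.  Model
    used here (an assumption): inherited = dependent value * degree, and the
    supporting asset keeps the larger of its own and the inherited amount.
    Relaxation repeats until nothing changes, so chains are handled transitively.
    """
    value = {n: {d: a.own_value(d, method) for d in DIMENSIONS} for n, a in assets.items()}
    for _ in range(len(assets) + 1):  # enough rounds for any acyclic dependency graph
        changed = False
        for asset in assets.values():
            for supporting, degree in asset.depends_on:
                for d in DIMENSIONS:
                    inherited = value[asset.name][d] * degree.get(d, 0.0)
                    if inherited > value[supporting][d]:
                        value[supporting][d] = inherited
                        changed = True
        if not changed:
            break
    return value


def valuation_report(assets: Dict[str, Asset], method: str = "max") -> Dict[str, Dict[str, str]]:
    """Final output of the step: every asset with its level per dimension."""
    return {n: {d: level_for(v) for d, v in dims.items()}
            for n, dims in propagate(assets, method).items()}


def uniform(degree: float) -> Dict[str, float]:
    """Same degree of dependency for all dimensions."""
    return {d: degree for d in DIMENSIONS}


# Constructed sample inventory: one primary asset (customer records) and the
# chain of supporting assets it relies on.
SAMPLE: Dict[str, Asset] = {a.name: a for a in [
    Asset("customer_records",
          {"C": {"regulatory_fine": 250_000, "value_to_competitor": 80_000},
           "I": {"rework": 30_000},
           "A": {"lost_sales_per_day": 20_000}},
          depends_on=[("billing_application", uniform(1.0))]),
    Asset("billing_application",
          {d: {"licence": 5_000} for d in DIMENSIONS},
          depends_on=[("db_server", uniform(1.0))]),
    Asset("db_server",
          {d: {"replacement": 8_000} for d in DIMENSIONS},
          # Power only matters for availability; the server has a UPS (constructed).
          depends_on=[("power_supply", {"A": 0.5})]),
    Asset("power_supply", {"A": {"repair": 2_000}}),
]}

if __name__ == "__main__":
    for name, levels in valuation_report(SAMPLE).items():
        print(f"{name:20s} {levels}")
```

Running the report shows the effect the slides describe: the billing application and the database server are only worth their licence or replacement cost on their own, but inherit the "high" confidentiality and "medium" integrity and availability levels of the customer records they process, while the power supply inherits only an availability value because the dependency on it is scoped to that dimension.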
Last but not least: an organization may have some assets that are available more than once, like copies of software programmes or the same type of computer used in most of the offices:
  The greater the number of copies of the asset available in the organization, the greater the value that could be assigned (consider e.g. support by the service).
  On the other hand, asset redundancy may be used to reduce availability problems.
Overview of the information security risk assessment process - risk identification: output of the asset identification and valuation
The final output of this step is a list of assets and their values relative to:
  disclosure (preservation of confidentiality),
  modification (preservation of integrity, authenticity, non-repudiation and accountability),
  non-availability and destruction (preservation of availability and reliability), and
  replacement cost.
cf. page 7 in http://www.podpisosobisty.pl/images/Wyniki_projektu/analiza_bezpieczenstwa.pdf
Overview of the information security risk assessment process - risk identification: remark for asset valuation
We should distinguish between asset valuation and impact assessment of a security incident:
  An information security incident can impact more than one asset or only a part of an asset.
  Impact is related to the degree of success of the incident.
  Impact is considered as having either an immediate (operational) effect or a future (business) effect that includes financial and market consequences.
  Follow asset dependencies in impact analysis!
  Implemented controls may reduce the impact, but the value of the assets remains unchanged.
Overview of the information security risk assessment process - Risk analysis, step one: risk identification
Risk identification is conducted by the following activities:
  Identification of assets,
  Identification of threats,
  Identification of existing controls,
  Identification of vulnerabilities,
  Identification of consequences.
Overview of the information security risk assessment process - risk identification: identification of threats
A threat has the potential to harm assets such as information, processes and systems, and therefore organizations. Threats may be of natural or human origin, and could be accidental or deliberate.
Identification of threats:
  Input: information on threats obtained from incident reviewing, asset owners, users and other sources, including external threat catalogues.
  Action: threats and their sources should be identified.
  Output: a list of threats with the identification of threat type and source.
Type of threat (notation):
deliberate (D): used for all deliberate actions aimed at
information assets,
accidental (A): used for all human actions that can
accidentally damage information assets,
environmental (E): used for all incidents that are not
based on human actions.
Type of threat - physical damage:
Fire (A, D, E),
Water damage (A, D, E),
Pollution (A, D, E),
Major accident (A, D, E),
Destruction of equipment or media (A, D, E),
Dust, corrosion, freezing (A, D, E).
Type of threat - natural events:
Climatic phenomenon (E),
Seismic phenomenon (E),
Volcanic phenomenon (E),
Meteorological phenomenon (E),
Flood (E).
Type of threat - loss of essential services:
Failure of air-conditioning or water supply system (A, D),
Loss of power supply (A, D, E),
Failure of telecommunication equipment (A, D).
Type of threat - disturbance due to radiation:
Electromagnetic radiation (A, D, E),
Thermal radiation (A, D, E),
Electromagnetic pulses (A, D, E).
Type of threat - Compromise of information:
Interception of compromising interference signals (D),
Remote spying (D),
Eavesdropping (D),
Theft of media or documents (D),
Theft of equipment (D),
Retrieval of recycled or discarded media (D),
Disclosure (A, D),
Data from untrustworthy sources (A, D),
Tampering with hardware (D),
Tampering with software (A, D),
Position detection (D).
Type of threat - technical failures:
Equipment failure (A),
Equipment malfunction (A), e.g. an LED burning out,
Saturation of the information system (A, D), e.g. a DoS attack or heavy legitimate traffic at a scheduled peak,
Software malfunction (A),
Breach of information system maintainability (A, D).
Type of threat - unauthorised actions:
Unauthorised use of equipment (D), e.g. of a monitoring or surveillance system,
Fraudulent copying of software (D),
Use of counterfeit or copied software (A, D),
Corruption of data (D), i.e. deliberately introducing errors into data,
Illegal processing of data (D), e.g. of personal data.
Type of threat - compromise of functions:
Error in use (A),
Abuse of rights (A, D), e.g. using access rights for private purposes,
Forging of rights (D),
Denial of actions (D),
Breach of personnel availability (A, D, E).
Risk identification: identification of existing controls
Input: Documentation of controls, risk treatment implementation plans.
Action: Existing and planned controls should be identified.
Output: A list of all existing and planned controls, their implementation status and usage status.
Identification of existing controls should be made to avoid unnecessary work or cost, e.g. the duplication of controls.
It is also an opportunity to check that the controls are working correctly (using information from previous audits).
Consideration should be given to the situation where a selected control (or strategy) fails in operation and therefore complementary controls are required to address the identified risk effectively.
A way to estimate the effect of a control is to see how it reduces the threat likelihood, the ease of exploiting the vulnerability, or the impact of the incident.
Controls that are planned to be implemented should be considered in the same way as those already implemented.
An existing or planned control might be identified as ineffective, insufficient or not justified. Such a control should be checked and a recommendation made: remove it, replace it, or leave it in place where removing it is not justified for cost reasons.
For the identification of existing or planned controls the following activities should be considered:
Reviewing documents containing information about the controls (for example, risk treatment implementation plans); how useful this is depends on the quality of the ISMS documentation.
Checking with the people responsible for information security and with the users which controls are really implemented for the information process or information system under consideration.
Conducting an on-site review of the physical controls, comparing those implemented with the list of what controls should be there, and checking those implemented as to whether they are working correctly and effectively.
Reviewing the results of internal audits.
Risk identification: identification of vulnerabilities
Input: A list of known threats, lists of assets and
existing controls.
Action: Vulnerabilities that can be exploited by threats
to cause harm to assets or to the organization should
be identified
Output: A list of vulnerabilities in relation to assets,
threats and controls; a list of vulnerabilities that do not
relate to any identified threat for review.
Vulnerabilities may be identified in the following areas:
Organization,
Processes and procedures,
Management routines,
Personnel,
Physical environment,
Information system configuration,
Hardware, software or communications equipment,
Dependence on external parties.
The presence of a vulnerability does not cause harm in
itself, as there needs to be a threat present to exploit it. A
vulnerability that has no corresponding threat may not
require the implementation of a control, but should be
recognized and monitored for changes. That is why the
output has two subcomponents.
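The two-part output described above (vulnerabilities matched to identified threats, and vulnerabilities with no corresponding threat kept for review) is essentially a join over the inputs of this step: assets, threats in the A/D/E notation, existing and planned controls, and vulnerabilities. The following Python is an added illustration of that join, not part of the lecture slides; the field names, the sample asset list, the threat and control records and the vulnerability identifiers V1 to V3 are constructed assumptions. It also produces the incident scenarios (a threat exploiting a vulnerability on an asset) that the later identification-of-consequences step takes as input, together with the controls that already cover each scenario.

```python
"""Risk identification as a join over ISO/IEC 27005 inputs: assets,
identified threats (A/D/E notation), existing and planned controls, and
vulnerabilities. Produces the two output lists the standard asks for:
incident scenarios (threat exploiting a vulnerability on an asset, with any
control covering it) and vulnerabilities no identified threat can exploit,
kept on a watch list for review.

Added illustration, not part of the lecture slides. Field names and all
sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

THREAT_TYPES = frozenset({"A", "D", "E"})  # accidental, deliberate, environmental


@dataclass(frozen=True)
class Threat:
    name: str
    types: FrozenSet[str]  # subset of THREAT_TYPES
    group: str             # threat group, e.g. "Compromise of information"


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    asset: str
    area: str                       # e.g. "Physical environment"
    exploitable_by: FrozenSet[str]  # names of threats that could exploit it


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    mitigates: FrozenSet[str]  # threat names the control addresses
    status: str                # "implemented" or "planned"


@dataclass(frozen=True)
class IncidentScenario:
    asset: str
    threat: str
    vulnerability: str
    controls: Tuple[str, ...]  # existing or planned controls covering it


def check_threat_notation(threats: List[Threat]) -> None:
    """Reject threat entries whose type letters fall outside the A/D/E notation."""
    for t in threats:
        if not t.types or not t.types <= THREAT_TYPES:
            raise ValueError(f"threat {t.name!r} has invalid type set {sorted(t.types)}")


def identify(assets, threats, vulns, controls):
    """Return (incident scenarios, vulnerabilities with no identified threat)."""
    check_threat_notation(threats)
    known = {t.name for t in threats}
    scenarios: List[IncidentScenario] = []
    watch: List[Vulnerability] = []
    for v in vulns:
        if v.asset not in assets:
            raise ValueError(f"vulnerability {v.ident} refers to unknown asset {v.asset!r}")
        matching = sorted(v.exploitable_by & known)
        if not matching:
            # No identified threat exploits it: no control needed yet, but record and monitor.
            watch.append(v)
            continue
        for tname in matching:
            covering = tuple(sorted(
                c.name for c in controls if c.asset == v.asset and tname in c.mitigates))
            scenarios.append(IncidentScenario(v.asset, tname, v.ident, covering))
    return scenarios, watch


def uncontrolled(scenarios):
    """Scenarios with no existing or planned control: first candidates for treatment."""
    return [s for s in scenarios if not s.controls]


# Constructed sample data (assumptions, not taken from the slides).
ASSETS = {"HR database", "Backup tapes"}
THREATS = [
    Threat("Theft of media or documents", frozenset("D"), "Compromise of information"),
    Threat("Retrieval of recycled or discarded media", frozenset("D"), "Compromise of information"),
    Threat("Software malfunction", frozenset("A"), "Technical failures"),
    Threat("Flood", frozenset("E"), "Natural events"),
]
VULNS = [
    Vulnerability("V1", "Backup tapes", "Hardware, software or communications equipment",
                  frozenset({"Theft of media or documents",
                             "Retrieval of recycled or discarded media"})),
    Vulnerability("V2", "HR database", "Information system configuration",
                  frozenset({"Forging of rights"})),  # threat not identified this round
    Vulnerability("V3", "HR database", "Physical environment", frozenset({"Flood"})),
]
CONTROLS = [
    Control("Off-site tape storage contract", "Backup tapes",
            frozenset({"Theft of media or documents"}), "implemented"),
    Control("Degaussing before disposal", "Backup tapes",
            frozenset({"Retrieval of recycled or discarded media"}), "planned"),
]


def demo():
    return identify(ASSETS, THREATS, VULNS, CONTROLS)


if __name__ == "__main__":
    scen, watch = demo()
    for s in scen:
        print(f"{s.asset}: {s.threat} via {s.vulnerability}; controls: {s.controls or 'none'}")
    print("watch list:", [v.ident for v in watch])
```

With the sample data, V1 yields two scenarios (one covered by an implemented control, one only by a planned control), V3 yields a scenario with no control at all, and V2 lands on the watch list because "Forging of rights" was not among the identified threats; as the slide says, that is not a reason to implement a control, but a reason to re-check the vulnerability when the threat list changes.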
Proactive methods such as information system testing can be used to identify vulnerabilities, depending on the criticality of the system and the available resources (e.g. allocated funds, available technology, persons with the expertise to conduct the test).
Test methods:
Automated vulnerability scanning tool
Security testing and evaluation
Penetration testing
Code review
Automated vulnerability scanning tool:
It is used to scan a group of hosts or a network for known vulnerable services.
Some of the potential vulnerabilities identified by an automated scanning tool may not represent real vulnerabilities (false positives), so the findings have to be verified before they are recorded as vulnerabilities.
Security testing and evaluation (STE)
It includes the development and execution of a test plan
(e.g. test script, test procedures, and expected test
results).
The purpose of system security testing is to test the
effectiveness of the security controls.
The objective is to ensure that the applied controls
meet the approved security specification for the
software and hardware and implement the
organization’s security policy or meet industry
standards.
Penetration testing:
When used in the risk assessment process, it can be used to assess the system's ability to withstand intentional attempts to circumvent system security.
Penetration tools and techniques can give false results unless the vulnerability is actually exploited; to exploit a particular vulnerability reliably one needs to know the exact system, application and patch level of the tested system.
The ability to crash or restart a tested process or system, even without fully exploiting it, is a vulnerability as well (loss of availability).
Code review:
Code review is the most thorough (but also the most expensive) way of vulnerability assessment, and it is only possible where the source code is available.
Other activities in the identification of vulnerabilities:
Interviews with staff and users,
Questionnaires,
Physical inspection,
Document analysis.
Risk identification: identification of consequences
Input: A list of assets, a list of business processes, and
a list of threats and vulnerabilities, where appropriate,
related to assets and their relevance.
Action: The consequences that losses of
confidentiality, integrity and availability may have on the
assets should be identified.
Output: A list of incident scenarios with their
consequences related to assets and business
processes.
Action - implementation guidance:
Damage or consequences to the organization that
could be caused by an incident scenario should be
identified. An incident scenario is the description of a
threat exploiting a certain vulnerability or set of
vulnerabilities in an information security incident.
The impact of the incident scenarios is to be
determined considering impact criteria defined during
the context establishment activity. It may affect one or
more assets or part of an asset.
Thus assets may have assigned values both for their
financial cost and because of the business
consequences if they are damaged or compromised.
Consequences may be of a temporary nature or may
be permanent as in the case of the destruction of an
asset.
Exemplary categories of operational consequences of incident scenarios:
Investigation and repair time,
Working time lost,
Opportunity lost,
Health and safety,
Financial cost of the specific skills needed to repair the damage,
Image, reputation and goodwill.
Risk analysis and risk evaluation
Information security risk assessment consists of risk analysis and risk evaluation. Risk analysis comprises:
Risk identification,
Risk estimation.
Risk evaluation follows the analysis and compares the estimated levels of risk against the risk evaluation criteria defined during context establishment.
Risk estimation
Risk estimation:
Risk estimation methodologies,
Assessment of consequences,
Assessment of incident likelihood,
Level of risk estimation.
Risk estimation - methodologies
An estimation methodology may be qualitative or quantitative, or a combination of these, depending on the circumstances.
Qualitative estimation uses a scale of qualifying attributes to describe the magnitude of potential consequences (e.g. Low, Medium and High) and the likelihood that those consequences will occur (easy to understand, but subjective).
Quantitative estimation uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for both consequences and likelihood, using data from a variety of sources.
Qualitative estimation is often used first to obtain a general indication of the level of risk and to reveal the major risks, because it is usually less complex and less expensive to perform than quantitative analysis. Later it may be necessary to undertake more specific or quantitative analysis of the major risks.
Quantitative estimation:
The quality of the analysis depends on the accuracy
and completeness of the numerical values and the
validity of the models used.
Quantitative estimation in most cases uses historical
incident data.
A disadvantage is the lack of such data on new risks or
information security weaknesses.
If factual data are not available then quantitative
estimation creates an illusion of accuracy of the risk
assessment.
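The two methodologies, and the warning about numeric estimates built on thin data, can be made concrete in code. The Python below is an added illustration, not part of the slides: a qualitative Low/Medium/High estimate from a combination matrix, a quantitative estimate (incident frequency times mean loss per incident) from historical incident records, and a guard that withholds the numeric figure and falls back to the qualitative level when fewer incidents than a threshold are on record. The matrix, the threshold MIN_INCIDENTS, the scenario names and the loss figures are all assumptions; the triage helper follows the order the slides describe, qualitative over everything first, quantitative only for the major risks.

```python
"""Risk estimation two ways: a qualitative Low/Medium/High matrix and a
quantitative estimate (incident frequency times mean loss) from historical
incident data, which refuses to produce a number when the data is too thin,
the "illusion of accuracy" the slide warns about.

Added illustration, not part of the slides. The combination matrix, the
minimum sample size and the incident records are assumptions.
"""
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple

LEVELS = ("Low", "Medium", "High")

# Assumed qualitative matrix: (consequence, likelihood) -> level of risk.
MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",   ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",  ("High", "Medium"): "High",     ("High", "High"): "High",
}

MIN_INCIDENTS = 5  # assumed: below this, history does not support a numeric estimate


def qualitative(consequence: str, likelihood: str) -> str:
    """Level of risk from the descriptive scales."""
    for value in (consequence, likelihood):
        if value not in LEVELS:
            raise ValueError(f"{value!r} is not one of {LEVELS}")
    return MATRIX[(consequence, likelihood)]


def quantitative(losses: Sequence[float], years: float,
                 min_incidents: int = MIN_INCIDENTS) -> Optional[Dict[str, float]]:
    """losses: one recorded loss per historical incident over `years` years.
    Returns frequency, mean loss and expected annual loss, or None if too few incidents."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    if len(losses) < min_incidents:
        return None
    frequency = len(losses) / years
    avg_loss = mean(losses)
    return {"frequency_per_year": frequency, "mean_loss": avg_loss,
            "expected_annual_loss": frequency * avg_loss}


def estimate(losses, years, consequence, likelihood):
    """Quantitative where the data supports it, otherwise qualitative with a note."""
    q = quantitative(losses, years)
    if q is None:
        return {"method": "qualitative", "level": qualitative(consequence, likelihood),
                "note": f"only {len(losses)} historical incident(s); numeric estimate withheld"}
    return {"method": "quantitative", **q}


def triage(scenarios: Dict[str, Tuple[str, str]]) -> List[str]:
    """Qualitative pass over all scenarios; returns those rated High for deeper analysis."""
    return sorted(name for name, (c, l) in scenarios.items() if qualitative(c, l) == "High")


# Constructed sample data: scenario -> (consequence, likelihood).
SCENARIOS = {
    "lost backup tape": ("High", "Low"),
    "malware on workstation": ("Medium", "High"),
    "printer outage": ("Low", "Medium"),
}
WORKSTATION_LOSSES = [1200, 900, 3000, 1500, 800, 2200, 1100, 1300]  # 8 incidents in 4 years
TAPE_LOSSES = [50000]  # a single incident in the same 4 years


def demo():
    return {
        "major": triage(SCENARIOS),
        "malware on workstation": estimate(WORKSTATION_LOSSES, 4,
                                           *SCENARIOS["malware on workstation"]),
        "lost backup tape": estimate(TAPE_LOSSES, 4, *SCENARIOS["lost backup tape"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The workstation scenario has eight incidents on record and gets a numeric expected annual loss; the tape scenario has a single incident, so any frequency derived from it would be a guess dressed up as a measurement, and the function returns the qualitative level instead, with a note saying why.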
Risk estimation - assessment of consequences
Input: A list of identified relevant incident scenarios,
including identification of threats, vulnerabilities,
affected assets, consequences to assets and business
processes.
Action: The business impact upon the organization
that might result from possible or actual information
security incidents should be assessed.
Output: A list of assessed consequences of an
incident scenario expressed with respect to assets and
impact criteria.
Overview of the information security risk
assessment process
Risk estimation - assessment of consequences
Compliance
and
operational
security
Information
security risk
management
process
(ISO/IEC
27005:2008)
Context
establishment
Assessment of consequences - implementation guidance:
Values of assets should be taken into account while
assessing the consequences.
Asset valuation begins with classification of assets
according to their criticality, in terms of the importance
of assets to fulfilling the business objectives of the
organization. Valuation is then determined using two
measures:
the replacement value of the asset: the cost of recovery,
cleanup and replacing the information (if at all possible),
and
the business consequences of loss or compromise of
the asset, such as the potential adverse business
and/or legal or regulatory consequences from the
disclosure, modification, non-availability and/or
destruction.
...
Overview of the information security risk
assessment process
Risk estimation - assessment of consequences
Assessment of consequences - implementation guidance:
...
Asset valuation is a key factor in the impact
assessment of an incident scenario, because the
incident may affect more than one asset (e.g.
dependent assets), or only a part of an asset.
Consequences or business impact may be determined
by modelling the outcomes of an event or set of events,
or by extrapolation from experimental studies or past
data.
Consequences may be expressed in terms of
monetary, technical or human impact criteria, or other
criteria relevant to the organization. In some cases,
more than one numerical value is required to specify
consequences for different times, places, groups or
situations.
Overview of the information security risk
assessment process
Risk estimation - assessment of consequences
There is an important difference between the asset
value and the impact resulting from the incident: an
information security incident can impact more than one
asset or only a part of an asset.
Impact is considered as having either an immediate
(operational) effect or a future (business) effect
(financial and market consequences). Immediate
(operational) impact is either direct or indirect.
Note that the first assessment (with no controls of any
kind) will estimate an impact as very close to the
(combination of the) concerned asset value(s). For any
next iteration, the impact will be different (normally
much lower) due to the presence and the effectiveness
of the implemented controls.
Overview of the information security risk
assessment process
Risk estimation - assessment of consequences
Direct impact:
The financial replacement value of lost (part of) asset
The cost of acquisition, configuration and installation of
the new asset or back-up
The cost of suspended operations due to the incident
until the service provided by the asset(s) is restored
Impact results in an information security breach.
Overview of the information security risk
assessment process
Risk estimation - assessment of consequences
Indirect impact:
Opportunity cost (financial resources needed to replace
or repair an asset would have been used elsewhere)
The cost of interrupted operations
Potential misuse of information obtained through a
security breach
Violation of statutory or regulatory obligations
Violation of ethical codes of conduct
Overview of the information security risk
assessment process
Risk estimation - assessment of incident likelihood
Assessment of incident likelihood:
Input: A list of identified relevant incident scenarios,
including identification of threats, affected assets,
exploited vulnerabilities and consequences to assets
and business processes. Furthermore, lists of all
existing and planned controls, their effectiveness,
implementation and usage status.
Action: The likelihood of the incident scenarios should
be assessed.
Output: Likelihood of incident scenarios (quantitative
or qualitative).
Overview of the information security risk
assessment process
Risk estimation - assessment of incident likelihood
How often do the threats occur, and how easily may the
vulnerabilities be exploited? Use:
experience and applicable statistics for threat
likelihood,
for deliberate threat sources: the motivation and
capabilities, which will change over time, and resources
available to possible attackers
for accidental threat sources: geographical factors e.g.
proximity to chemical or petroleum plants, the
possibility of extreme weather conditions, and factors
that could influence human errors and equipment
malfunction
consider vulnerabilities, both individually and in
aggregation
existing controls and how effectively they reduce
vulnerabilities
Overview of the information security risk
assessment process
Risk estimation - level of risk estimation
Level of risk estimation:
Input: A list of incident scenarios with their
consequences related to assets and business
processes and their likelihood.
Action: The level of risk should be estimated for all
relevant incident scenarios.
Output: A list of risks with value levels assigned.
Overview of the information security risk
assessment process
Risk estimation - level of risk estimation
Examples given on the blackboard.
Overview of the information security risk
assessment process
Risk assessment consists of the following activities:
Risk analysis, which comprises:
Risk identification
Risk estimation
Risk evaluation
Overview of the information security risk
assessment process
Risk evaluation
Risk evaluation:
Input: A list of risks with value levels assigned and risk
evaluation criteria.
Action: The level of each risk should be compared against the
risk evaluation criteria and the risk acceptance criteria.
Output: A list of risks prioritized according to risk
evaluation criteria in relation to the incident scenarios
that lead to those risks.
Overview of the information security risk
assessment process
Risk evaluation
Risk evaluation - implementation guidance:
Risk evaluation criteria used to make decisions should
be consistent with the defined external and internal
information security risk management context and take
into account the objectives of the organization and
stakeholder views etc.
Decisions as taken in the risk evaluation activity are
mainly based on the acceptable level of risk.
Consequences, likelihood, and the degree of
confidence in the risk identification and analysis should
be considered as well.
Aggregation of multiple low or medium risks may result
in much higher overall risks and need to be addressed
accordingly.
Overview of the information security risk
assessment process
Risk evaluation
Risk evaluation - considerations should include:
Information security properties: if one criterion is not
relevant for the organization (e.g. loss of
confidentiality), then all risks impacting this criterion
may not be relevant
The importance of the business process or activity
supported by a particular asset or set of assets: if the
process is determined to be of low importance, risks
associated with it should be given a lower consideration
than risks that impact more important processes or
activities.
Contractual, legal and regulatory requirements.
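The level of risk estimation (scenarios with assessed consequence and likelihood in, risks with value levels out), the risk evaluation against acceptance criteria with the aggregation of several accepted risks on one asset, and the considerations above (an irrelevant security property, the importance of the supported business process), carried through as an added Python example that is not part of the original slides or of the standard. The five-point scales, the level bands, the acceptance rule, the aggregation threshold and the incident scenarios are constructed assumptions.

```python
"""Level of risk estimation and risk evaluation in the ISO/IEC 27005 style.

Added example: the scales, level bands, acceptance rule, aggregation rule
and incident scenarios are constructed assumptions, not values from the
standard or from the slides.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed five-point qualitative scales (the organization's basic criteria).
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Assumed risk evaluation criteria: upper score bound per level, and the
# levels the organization accepts without treatment.
LEVEL_BANDS = ((4, "low"), (9, "medium"), (14, "high"), (25, "critical"))
ACCEPTABLE_LEVELS = {"low", "medium"}
# Assumed aggregation rule: individually acceptable risks on the same asset
# whose scores add up to this value or more are treated as one high risk.
AGGREGATE_THRESHOLD = 15


@dataclass(frozen=True)
class Scenario:
    """One incident scenario from risk identification (constructed data)."""
    name: str
    asset: str
    security_property: str   # confidentiality, integrity or availability
    consequence: str         # key of CONSEQUENCE, from the assessment of consequences
    likelihood: str          # key of LIKELIHOOD, from the assessment of incident likelihood
    process_importance: int  # importance of the business process the asset supports, 1..3


def risk_score(consequence: str, likelihood: str) -> int:
    """Combine the assessed consequence and likelihood into a 1..25 score."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def risk_level(score: int) -> str:
    """Map a score to a qualitative level using the assumed bands."""
    for upper, level in LEVEL_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score {score} is outside the 1..25 range")


def estimate(scenarios, relevant_properties):
    """Level of risk estimation: scenarios in, risks with value levels out.

    A scenario that only affects a security property the organization has
    declared irrelevant (e.g. confidentiality of public data) is left out.
    """
    risks = []
    for s in scenarios:
        if s.security_property not in relevant_properties:
            continue
        score = risk_score(s.consequence, s.likelihood)
        risks.append({"name": s.name, "asset": s.asset, "importance": s.process_importance,
                      "score": score, "level": risk_level(score)})
    return risks


def evaluate(risks):
    """Risk evaluation: compare levels with the acceptance criteria, add
    aggregated risks, and return the risks to treat in priority order."""
    to_treat = [r for r in risks if r["level"] not in ACCEPTABLE_LEVELS]
    accepted_per_asset = defaultdict(list)
    for r in risks:
        if r["level"] in ACCEPTABLE_LEVELS:
            accepted_per_asset[r["asset"]].append(r)
    for asset, group in accepted_per_asset.items():
        total = sum(r["score"] for r in group)
        if len(group) > 1 and total >= AGGREGATE_THRESHOLD:
            # Several small risks on one asset add up to a much higher one.
            to_treat.append({"name": f"aggregate of {len(group)} accepted risks on {asset}",
                             "asset": asset, "importance": max(r["importance"] for r in group),
                             "score": total, "level": "high"})
    # Priority: higher score first, then the more important business process.
    to_treat.sort(key=lambda r: (r["score"], r["importance"]), reverse=True)
    return to_treat


# Constructed incident scenarios for a small organization.
SCENARIOS = [
    Scenario("ransomware encrypts the file server", "file server", "availability", "major", "possible", 3),
    Scenario("stolen laptop with unencrypted disk", "sales laptop", "confidentiality", "severe", "unlikely", 2),
    Scenario("administrator deletes a share by mistake", "file server", "integrity", "moderate", "possible", 3),
    Scenario("short power outage in the server room", "file server", "availability", "minor", "likely", 3),
    Scenario("defacement of the public website", "web server", "integrity", "minor", "possible", 1),
    Scenario("public brochure content is disclosed", "web server", "confidentiality", "negligible", "rare", 1),
]

if __name__ == "__main__":
    risks = estimate(SCENARIOS, {"confidentiality", "integrity", "availability"})
    for r in risks:
        print(f"{r['score']:>2} {r['level']:<8} {r['name']}")
    print("treatment priority:")
    for r in evaluate(risks):
        print(f"  {r['score']:>2} {r['level']:<8} {r['name']}")
```

With the sample data, the two medium risks on the file server (scores 9 and 8) are each acceptable on their own but aggregate to 17 and outrank the individually high risks in the treatment list.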
Overview of the information security risk
assessment process
Risk evaluation
Risk evaluation uses the understanding of risk obtained by
risk analysis to make decisions about future actions.
Decisions should include:
Whether an activity should be undertaken.
Priorities for risk treatment considering estimated levels
of risks.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
High-level information security risk assessment:
For various reasons, such as budget, it may not be
possible to implement all controls simultaneously – only
the most critical risks can be addressed.
Another reason to start with the high-level assessment
is to synchronize with other plans related to change
management (or business continuity) – high-level
assessment allows definition of the priorities and
chronology in the actions.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
High-level information security risk assessment:
The high-level risk assessment may address a more
global view of the organization and its information
systems. The context analysis concentrates more on
the business and operational environment than
technological elements (considering the technology
aspects as independent from the business issues).
The high-level risk assessment may address a more
limited list of threats, and vulnerabilities grouped in
defined domains.
Risks presented in a high-level risk assessment are
frequently more general risk domains than specific
identified risks. As the scenarios or the threats are
grouped in domains, the risk treatment proposes lists of
controls in this domain.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
High-level information security risk assessment advantages:
The incorporation of an initial simple approach is likely
to gain acceptance of the risk assessment program.
It should be possible to build a strategic picture of an
organizational information security program, i.e. it will
act as a good planning aid.
Resources and money can be applied where they are
most beneficial, and systems likely to be in the greatest
need of protection will be addressed first.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
High-level information security risk assessment disadvantage:
The initial risk analyses are at a high level, and potentially
less accurate – some business processes or systems may
not be identified as requiring a second, detailed risk
assessment.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
At the first decision point (see the main picture of the
information security risk management process), several
factors help to determine whether the high-level assessment is
adequate to treat risks. These factors may include:
The business objectives to be achieved by using
various information assets.
The degree to which the organization’s business
depends on each information asset, i.e. whether
functions that the organization considers critical to its
survival or the effective conduct of business are
dependent on each asset, or on the confidentiality,
integrity, availability of the information stored and
processed on this asset.
...
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
At the first decision point (see the main picture of the
information security risk management process), several
factors help to determine whether the high-level assessment is
adequate to treat risks. These factors may include:
...
The level of investment in each information asset, in
terms of developing, maintaining, or replacing the
asset.
The information assets, for which the organization
directly assigns value.
Overview of the information security risk
assessment process
Alternative approach: high-level information security risk assessment
High-level information security risk assessment:
If the objectives of an asset are extremely important to
an organization’s conduct of business, or if the assets
are at high risk, then a second iteration, the detailed
risk assessment, should be conducted for the particular
information asset (or its part).
A general rule to apply is: if the lack of information
security can result in significant adverse consequences
to an organization, its business processes or its assets,
then a second iteration of the risk assessment, at a more
detailed level, is necessary to identify potential risks.
Information security risk treatment
Outline
Information security risk treatment:
General description of risk treatment.
Risk reduction.
Risk retention (if at acceptable level - do nothing).
Risk avoidance (avoid the activity or condition that gives
rise to a particular risk).
Risk transfer (by insurance or by sub-contracting a
partner).
Information security risk treatment
Outline
Information security risk treatment - general description:
Input: A list of risks prioritized according to risk
evaluation criteria in relation to the incident scenarios
that lead to those risks.
Action: Controls to reduce, retain, avoid, or transfer
the risks should be selected and a risk treatment plan
defined.
Output: Risk treatment plan and residual risks subject
to the acceptance decision of the organization’s
managers.
Information security risk treatment
Outline
Information security risk treatment - implementation
guidance:
When large reductions in risks may be obtained with
relatively low expenditure, such options should be
implemented.
The four options for risk treatment are not mutually
exclusive. Sometimes the organization can benefit
substantially by a combination of options such as
reducing the likelihood of risks, reducing their
consequences, and transferring or retaining any
residual risks.
Some risk treatments can effectively address more
than one risk (e.g. information security training and
awareness). A risk treatment plan should define
priorities for the treatments and define timeframes.
Information security risk treatment
Outline
Information security risk treatment - implementation
guidance:
The identification of existing controls may determine
that existing controls exceed current needs, in terms of
cost comparisons, including maintenance.
On the other hand, since controls may influence each
other, removing redundant controls might reduce the
overall security in place.
In addition, it may be cheaper to leave redundant or
unnecessary controls in place than to remove them.
Information security risk treatment
Outline
Risk treatment options should be considered taking into
account:
How risk is perceived by affected parties.
The most appropriate ways to communicate to those
parties.
Information security risk treatment
Outline
Once the risk treatment plan has been defined, residual
risks need to be determined. This involves an update or
re-iteration of the risk assessment, taking into account the
expected effects of the proposed risk treatment. Should the
residual risk still not meet the organization’s risk acceptance
criteria, a further iteration of risk treatment may be
necessary before proceeding to risk acceptance.
Information security risk treatment
Risk reduction
Information security risk treatment - risk reduction:
Action: The level of risk should be reduced through the
selection of controls so that the residual risk can be
reassessed as being acceptable.
Information security risk treatment
Risk reduction
Risk reduction - implementation guidance:
In general, controls may provide one or more of the
following types of protection: correction, elimination,
prevention, impact minimization, deterrence, detection,
recovery, monitoring and awareness.
During control selection it is important to weigh the cost
of acquisition, implementation, administration,
operation, monitoring, and maintenance of the controls
against the value of the assets being protected.
The return on investment in terms of risk reduction and
potential to exploit new business opportunities afforded
by certain controls should be considered.
Consideration should be given to specialized skills that
may be needed to define and implement new controls
or modify existing ones.
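The residual-risk iteration from the general treatment guidance (define the treatment, re-assess the residual risk, iterate if it still fails the acceptance criteria) together with the weighing of control cost against risk reduction described here, as an added Python example that is not from the slides or from the standard. The scales, acceptance criteria, candidate controls, their annual costs and their effects are constructed assumptions; the example also waives the cost test for legally mandatory controls.

```python
"""Risk treatment with residual-risk re-assessment in the ISO/IEC 27005 style.

Added example: the scales, acceptance criteria, candidate controls, their
costs and their effects are constructed assumptions, not values taken from
the standard or from the slides.
"""
from dataclasses import dataclass

# Assumed level bands for a 1..25 score (consequence x likelihood).
LEVEL_BANDS = ((4, "low"), (9, "medium"), (14, "high"), (25, "critical"))


def risk_level(score: int) -> str:
    for upper, level in LEVEL_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score {score} is outside the 1..25 range")


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: int  # 1..5, from the assessment of consequences
    likelihood: int   # 1..5, from the assessment of incident likelihood
    exposure: float   # assumed annual loss expectancy in kEUR if left untreated

    @property
    def score(self) -> int:
        return self.consequence * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    option: str               # "reduce" or "transfer"; retain and avoid are decisions, not controls
    annual_cost: float        # acquisition, operation and maintenance, kEUR per year
    likelihood_cut: int = 0   # scale steps the control removes from the likelihood
    consequence_cut: int = 0  # scale steps the control removes from the consequence
    mandatory: bool = False   # required by law or regulation: the cost test is waived


def residual(risk: Risk, controls) -> Risk:
    """Re-iterate the estimation with the expected effect of the chosen controls."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_cut for c in controls))
    consequence = max(1, risk.consequence - sum(c.consequence_cut for c in controls))
    exposure = risk.exposure * (likelihood * consequence) / risk.score
    return Risk(risk.name, consequence, likelihood, round(exposure, 1))


def treat(risk: Risk, candidates, budget: float, acceptable=("low", "medium")) -> dict:
    """Select controls until the residual risk meets the acceptance criteria.

    Mandatory controls go in first. Each further round picks the candidate
    with the best exposure reduction per kEUR that fits the remaining budget
    and costs no more than the exposure it removes. If the risk is still
    unacceptable and no candidate qualifies, the decision (raise the budget
    or not) is escalated to the organization's managers.
    """
    applied = [c for c in candidates if c.mandatory]
    remaining = [c for c in candidates if not c.mandatory]
    spent = sum(c.annual_cost for c in applied)
    current = residual(risk, applied)
    while risk_level(current.score) not in acceptable:
        best = None
        for c in remaining:
            after = residual(risk, applied + [c])
            benefit = current.exposure - after.exposure
            if benefit <= 0 or spent + c.annual_cost > budget or c.annual_cost > benefit:
                continue  # useless, over budget, or dearer than the risk it addresses
            ratio = benefit / c.annual_cost if c.annual_cost else float("inf")
            if best is None or ratio > best[0]:
                best = (ratio, c, after)
        if best is None:
            return {"decision": "escalate", "controls": [c.name for c in applied],
                    "residual": current, "spent": spent}
        _, chosen, current = best
        applied.append(chosen)
        remaining.remove(chosen)
        spent += chosen.annual_cost
    options = sorted({c.option for c in applied}) or ["retain"]
    return {"decision": "accept", "options": options, "controls": [c.name for c in applied],
            "residual": current, "spent": spent}


# Constructed risk and candidate controls; all kEUR figures are assumptions.
RANSOMWARE = Risk("ransomware encrypts the file server", consequence=4, likelihood=3, exposure=120.0)
CANDIDATES = [
    Control("breach notification procedure", "reduce", 3.0, mandatory=True),
    Control("offline backups with tested restore", "reduce", 15.0, consequence_cut=2),
    Control("mail filtering and user awareness", "reduce", 12.0, likelihood_cut=1),
    Control("cyber insurance", "transfer", 25.0, consequence_cut=1),
    Control("network rebuild with segmentation", "reduce", 200.0, likelihood_cut=2, consequence_cut=1),
]

if __name__ == "__main__":
    plan = treat(RANSOMWARE, CANDIDATES, budget=40.0)
    print(plan["decision"], plan["controls"], risk_level(plan["residual"].score), plan["spent"])
```

Tightening the acceptance criteria to "low" only forces a second treatment round, and a budget of 10 leaves no qualifying control, so the decision is escalated with the risk still at its initial level.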
Information security risk treatment
Risk reduction
Various constraints should be taken into account when
selecting controls and during implementation. Typically, the
following are considered:
Time constraints
Financial constraints
Technical constraints
Operational constraints
Cultural constraints
...
Information security risk treatment
Risk reduction
Various constraints should be taken into account when
selecting controls and during implementation. Typically, the
following are considered:
...
Ethical constraints
Environmental constraints
Legal constraints
Ease of use
Personnel constraints
Constraints for integrating new and existing controls
Information security risk treatment
Risk reduction
Risk reduction - time constraints:
For example, controls should be implemented within a
time period acceptable for the organization’s managers.
Another type of time constraint is whether a control can
be implemented within the lifetime of the information or
system.
A time constraint may also be the period of time the
organization’s managers decide is an acceptable
period to be exposed to a particular risk.
Information security risk treatment
Risk reduction
Risk reduction - financial constraints:
Controls should not be more expensive to implement or
to maintain than the value of risks they are designed to
protect, except where compliance is mandatory (e.g.,
with legislation).
Effort should be made not to exceed assigned budgets
and achieve financial advantage through the use of
controls.
In some cases it may not be possible to achieve the
desired security and level of risk acceptance due to
budget constraints. It then becomes the organization’s
managers’ decision whether or not to increase the budget.
Information security risk treatment
Risk reduction
Risk reduction - technical constraints:
Technical problems, like the compatibility of
programmes or hardware, should be taken into account
during the selection of controls.
Retrospective implementation of controls to an existing
process or system is often hindered by technical
constraints.
These difficulties may move the balance of controls
towards the procedural and physical aspects of
security.
Information security risk treatment
Risk reduction
Risk reduction - operational constraints:
Operational constraints such as the need to operate
24x7 yet still perform back-ups can result in complex
and costly implementation of controls unless they are
built into the design right from the start.
Information security risk treatment
Risk reduction
Risk reduction - cultural constraints:
Not all controls can be applied in all countries. For
example, it may be possible to implement bag searches
in parts of Europe but not in parts of the Middle East.
Many controls rely on the active support of the staff. If
staff do not understand the need for the control or do
not find it culturally acceptable, the control becomes
ineffective over time.
Information security risk treatment
Risk reduction
Risk reduction - ethical constraints:
Ethical constraints can prevent implementing controls such
as email scanning in some countries.
Expectations of privacy of information also vary with the
ethics of the region or government.
These constraints may have a greater effect in some
industry sectors than in others, for example, government
and healthcare.
Information security risk treatment
Risk reduction
Risk reduction - environmental constraints:
Examples: space availability, extreme climate
conditions, surrounding natural and urban geography.
E.g., some earthquake protection may be required in
some countries but unnecessary in others.
Information security risk treatment
Risk reduction
Risk reduction - legal constraints:
Legal factors such as personal data protection could
affect the selection of controls.
Legislative and regulatory compliance can mandate
certain types of control, including data protection and
financial audit; it can also prevent the use of some
controls, e.g., where the use or export of encryption is
restricted.
Other laws and regulations such as labour relations
legislation, fire department, health and safety, and
economic sector regulations, etc., could affect control
selection as well.
Information security risk treatment
Risk reduction
Risk reduction - ease of use:
A poor human-technology interface will result in human
error and may render the control useless.
Controls should be selected to provide optimal ease of
use while achieving an acceptable level of residual risk
to the business.
Controls that are difficult to use lose effectiveness, as
users try to circumvent or ignore them wherever possible.
Complex access controls within an organization can
encourage users to find alternative, unauthorized
means of access.
Information security risk treatment
Risk reduction
Risk reduction - personnel constraints:
The availability and salary cost of specialized skills, and
the ability to move staff between locations in adverse
operating conditions, should be considered.
Expertise may not be readily available to implement
planned controls, or the expertise may be costly for the
organization.
Other aspects, such as the tendency of some staff to
discriminate against colleagues who are not security
screened, can have major implications for security
policies and practices.
The need to hire the right people for the work, and the
difficulty of finding them, may result in hiring before
security screening is completed. The normal, and safest,
practice is to require that security screening be completed
before hiring.
Information security risk treatment
Risk reduction
Risk reduction - constraints of integrating new and existing
controls:
Integration of new controls in the existing infrastructure
and the interdependencies between controls are often
overlooked.
For example, a plan to use biometric tokens for physical
access control may cause conflict with an existing
PIN-pad based system for access control.
The cost of migrating from the existing controls to the
planned controls should be added to the overall cost of
risk treatment.
Information security risk treatment
Risk retention
Risk retention:
If the level of risk meets the risk acceptance criteria, there is
no need for implementing additional controls and the risk
can be retained.
Information security risk treatment
Risk avoidance
Risk avoidance:
When the identified risks are considered too high, or the
costs of implementing other risk treatment options exceed
the benefits, a decision may be made to avoid the risk
completely, by withdrawing from a planned or existing
activity or set of activities, or changing the conditions under
which the activity is operated.
Information security risk treatment
Risk transfer
Risk transfer:
Risk transfer involves a decision to share certain risks
with external parties.
Risk transfer can create new risks or modify existing,
identified risks. Therefore, additional risk treatment
may be necessary.
Transfer can be done by
insurance that will support the consequences,
or by sub-contracting a partner whose role will be to
monitor the information system and take immediate
actions to stop an attack.
Information security risk treatment
Risk transfer
It should be noted that it may be possible to transfer the
responsibility to manage risk but it is not normally possible
to transfer the liability of an impact. Customers will usually
attribute an adverse impact as being the fault of the
organization.
Information security risk acceptance
Outline
Input: Risk treatment plan and residual risk
assessment subject to the acceptance decision of the
organization’s managers.
Action: The decision to accept the risks and
responsibilities for the decision should be made and
formally recorded.
Output: A list of accepted risks with justification for
those that do not meet the organization’s normal risk
acceptance criteria.
Information security risk acceptance
Outline
Implementation guidance (see Fig.1):
In some cases the level of residual risk may not meet
risk acceptance criteria because the criteria being
applied do not take into account prevailing
circumstances. For example, it might be argued that it
is necessary to accept risks because the benefits
accompanying the risks are very attractive, or because
the cost of risk reduction is too high.
Such circumstances indicate that risk acceptance
criteria are inadequate and should be revised if
possible.
However, it is not always possible to revise the risk
acceptance criteria in a timely manner. In such cases,
decision makers may have to accept some risks and
make a written justification for the decision to override
normal risk acceptance criteria.
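The acceptance step above turns into a small decision procedure once the basic criteria from context establishment are fixed: compute the residual risk level of each entry in the risk register, compare it with the acceptance criteria, and admit a risk that fails the criteria only when a written justification is recorded. The Python below is an added example and not part of the lecture material or of ISO/IEC 27005; the three-step likelihood and impact scales, the product used as the risk level, the acceptance threshold and the sample register entries are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed qualitative scales; ISO/IEC 27005 leaves the scales and the
# acceptance criteria to the organization's basic criteria.
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> int:
    """Residual risk level as the product of ordinal likelihood and impact (1..9)."""
    return SCALE[likelihood] * SCALE[impact]


@dataclass
class Risk:
    rid: str
    asset: str
    likelihood: str                 # residual likelihood after planned treatment
    impact: str                     # residual impact after planned treatment
    treatment: str                  # reduction / retention / avoidance / transfer
    justification: Optional[str] = None   # written reason if criteria are overridden


def acceptance_decision(register: list, acceptance_threshold: int):
    """Apply the acceptance criteria (level <= threshold) to each residual risk.

    Returns (accepted, rejected). Risks within the criteria are accepted as-is;
    a risk above the threshold is accepted only with a recorded justification
    and is flagged as an override, which is what the output list of the
    acceptance step must show. Anything else goes back to risk treatment.
    """
    accepted, rejected = [], []
    for r in register:
        level = risk_level(r.likelihood, r.impact)
        if level <= acceptance_threshold:
            accepted.append({"id": r.rid, "level": level,
                             "override": False, "justification": None})
        elif r.justification:
            accepted.append({"id": r.rid, "level": level,
                             "override": True, "justification": r.justification})
        else:
            rejected.append({"id": r.rid, "level": level,
                             "reason": "exceeds acceptance criteria and has no "
                                       "written justification; return to treatment"})
    return accepted, rejected


# Constructed sample register (hypothetical entries, not from the page).
ACCEPTANCE_THRESHOLD = 4
SAMPLE_REGISTER = [
    Risk("R1", "HR database", "low", "medium", "retention"),
    Risk("R2", "payroll batch job", "high", "high", "reduction",
         justification="Replacement system goes live next quarter; "
                       "cost of interim controls exceeds the exposure."),
    Risk("R3", "public web server", "medium", "high", "reduction"),
]

if __name__ == "__main__":
    ok, back = acceptance_decision(SAMPLE_REGISTER, ACCEPTANCE_THRESHOLD)
    for entry in ok:
        print("ACCEPTED", entry)
    for entry in back:
        print("REJECTED", entry)
```

The rejected list is the feedback path in the process: those risks return to risk treatment, or, if the same pattern keeps recurring, they are the signal that the acceptance criteria themselves need revision.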
Information security risk communication
Outline
Input: All risk information obtained from the risk
management activities.
Action: Information about risk should be exchanged
and/or shared between the decision-maker and other
stakeholders.
Output: Continual understanding of the organization’s
information security risk management process and
results.
Information security risk communication
Implementation guidance
Risk communication is an activity to achieve agreement
on how to manage risks by exchanging and/or sharing
information about risk between the decision-makers
and other stakeholders. The information includes, but is
not limited to the existence, nature, form, likelihood,
severity, treatment, and acceptability of risks.
Effective communication among stakeholders may have
a significant impact on decisions that must be made.
Those who are responsible for implementing risk
management should understand the basis on which
decisions are made and why particular actions are
required.
Perceptions of risk can vary due to differences in
assumptions, concepts and needs. Stakeholders are likely
to judge the acceptability of a risk based on their own
perception of it.
Information security risk communication
Implementation guidance
Risk communication should be carried out in order to
achieve the following:
To provide assurance of the outcome of the
organization’s risk management
To collect risk information
To share the results from the risk assessment and
present the risk treatment plan
To avoid or reduce both occurrence and consequence
of information security breaches due to the lack of
mutual understanding among decision makers and
stakeholders
...
Information security risk communication
Implementation guidance
Risk communication should be carried out in order to
achieve the following:
...
To support decision-making
To obtain new information security knowledge
To co-ordinate with other parties and plan responses to
reduce consequences of any incident
To give decision makers and stakeholders a sense of
responsibility about risks
To improve awareness
Information security risk communication
Implementation guidance
Risk communication activity should be performed
continually.
An organization should develop risk communication
plans for normal operations as well as for emergency
situations.
It is important to cooperate with the appropriate public
relations unit within the organization to coordinate all
tasks related to risk communication; this is crucial in a
communication crisis.
Information security risk monitoring and review
Outline
Monitoring and review of risk factors.
Risk management monitoring, reviewing and improving.
Information security risk monitoring and review
Monitoring and review of risk factors – outline:
Input: All risk information obtained from the risk
management activities
Action: Risks and their factors (i.e., value of assets,
impacts, threats, vulnerabilities, likelihood of
occurrence) should be monitored and reviewed to
identify any changes in the context of the organization
at an early stage, and to maintain an overview of the
complete risk picture.
Output: Continual alignment of the management of
risks with the organization’s business objectives, and
with risk acceptance criteria.
Information security risk monitoring and review
Monitoring and review of risk factors – implementation guidance: ...
Risks are not static. Threats, vulnerabilities, likelihood
or consequences may change without any indication.
Constant monitoring is necessary to detect these
changes.
Organizations should ensure that the following are
continually monitored:
New assets that have been included in the risk
management scope
Necessary modification of asset values, e.g., due to
changed business requirements
New threats that could be active both outside and inside
the organization and that have not been assessed
...
Information security risk monitoring and review
... Monitoring and review of risk factors – implementation guidance:
...
Organizations should ensure that the following are
continually monitored:
...
Possibility that new or increased vulnerabilities could
allow threats to exploit these new or changed
vulnerabilities
Identified vulnerabilities to determine those becoming
exposed to new or re-emerging threats
Increased impact or consequences of assessed
threats, vulnerabilities and risks in aggregation resulting
in an unacceptable level of risk
Information security incidents
Information security risk monitoring and review
Risk management monitoring, reviewing and improving – outline:
Input: All risk information obtained from the risk
management activities.
Action: The information security risk management
process should be continually monitored, reviewed and
improved as necessary and appropriate.
Output: Continual relevance of the information security
risk management process to the organization’s
business objectives or updating the process.
Information security risk monitoring and review
Risk management monitoring, reviewing and improving - implementation
guidance:
The organization should regularly verify that the criteria
used to measure the risk and its elements are still valid
and consistent with business objectives, strategies and
policies, and that changes to the business context are
taken into account during the information security risk
management process.
This monitoring should address at least:
Legal and environmental context
Competition context
...
Information security risk monitoring and review
Risk management monitoring, reviewing and improving - implementation
guidance:
The organization should regularly verify that . . .
This monitoring should address at least:
...
Risk assessment approach
Asset value and categories
Impact criteria
Risk evaluation criteria
Risk acceptance criteria
Total cost of ownership
Necessary resources
Information security risk monitoring and review
Risk management monitoring, reviewing and improving - implementation
guidance:
The organization should ensure that risk assessment and
risk treatment resources are continually available to
review risk,
to address new or changed threats or vulnerabilities,
and to advise management accordingly.
Information security risk monitoring and review
Risk management monitoring, reviewing and improving - implementation
guidance:
Risk management monitoring can result in modifying or
adding the approach, methodology or tools used depending
on:
Changes identified
Risk assessment iteration
Aim of the information security risk management
process (e.g., business continuity, resilience to
incidents, compliance)
Object of the information security risk management
process (e.g., organization, business unit, information
process, its technical implementation, application,
connection to the internet)
Contingency Planning Guide for Federal Information
Systems (according to NIST SP 800-34)
Contingency Planning Guide (NIST SP 800-34)
Introduction:
Contingency planning refers to interim measures to recover
information system services after a disruption. Interim
measures may include
relocation of information systems and operations to an
alternate site,
recovery of information system functions using alternate
equipment,
or performance of information system functions using
manual methods.
Contingency Planning Guide (NIST SP 800-34)
Introduction:
NIST SP 800-34 addresses specific contingency planning
recommendations for three platform types and provides
strategies and techniques common to all systems:
Client/server systems,
Telecommunications systems,
Mainframe systems.
Contingency Planning Guide (NIST SP 800-34)
Mainframe
(According to Wikipedia) Modern mainframe design is
generally less defined by single-task computational speed
and more by:
Redundant internal engineering and resulting high
reliability and security
Extensive input-output facilities
Strict backward compatibility with older software
High hardware and computational utilization rates to
support massive throughput
Their high stability and reliability enables these machines to
run uninterrupted for long periods of time.
Contingency Planning Guide (NIST SP 800-34)
.. Introduction...:
An organization must be able to sustain its mission
through environmental changes.
Changes can be gradual, such as economic or mission
changes, or sudden, as in a disaster event.
Rather than just working to identify and mitigate
threats, vulnerabilities, and risks, organizations can
work toward building a resilient infrastructure,
minimizing the impact of any disruption on mission
essential functions.
Resilience is the ability to quickly adapt and recover
from any known or unknown changes to the
environment (resiliency is not a process, but rather an
end-state for organizations).
Contingency Planning Guide (NIST SP 800-34)
.. Introduction...:
Effective contingency planning begins with the
development of an organization contingency planning
policy and subjection of each information system to a
business impact analysis (BIA).
This facilitates prioritizing the systems and processes
based on the FIPS 199 impact level and develops
priority recovery strategies for minimizing loss.
FIPS 199 provides guidelines on determining
information and information system impact to
organizational operations and assets, individuals, other
organizations and the nation through a formula that
examines three security objectives:
confidentiality,
integrity,
availability.
Contingency Planning Guide (NIST SP 800-34)
.. Introduction...:
Potential impact - see page 6 of FIPS 199
Security categorization - see page 3 (information
types), 4 (information systems) of FIPS 199
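The FIPS 199 formula referred to above is the security category SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, assigned first per information type and then lifted to the information system by taking, for each objective, the highest impact of any information type on the system (the "high water mark"). Two rules matter in practice: the value "not applicable" is permitted only for the confidentiality of public information, and it is never permitted at system level, where every objective is at least LOW. The Python below is an added example (not from the lecture slides, NIST SP 800-34 or FIPS 199 itself); the three information types and their impact values are constructed for illustration.

```python
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() gives the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_info_type(confidentiality: Optional[Impact], integrity: Impact,
                         availability: Impact) -> dict:
    """Security category of one information type:
    SC = {(confidentiality, x), (integrity, y), (availability, z)}.
    None stands for the FIPS 199 value 'not applicable', which the standard
    allows only for the confidentiality of public information; for integrity
    and availability an impact value is mandatory."""
    if integrity is None or availability is None:
        raise ValueError("N/A is permitted only for the confidentiality objective")
    return {"confidentiality": confidentiality, "integrity": integrity,
            "availability": availability}


def categorize_system(info_types: dict) -> dict:
    """High water mark: per objective, the highest impact among all information
    types resident on the system. FIPS 199 does not allow N/A at system level,
    so an objective with no applicable value is floored at LOW."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    system = {}
    for obj in OBJECTIVES:
        levels = [cat[obj] for cat in info_types.values() if cat[obj] is not None]
        system[obj] = max(levels) if levels else Impact.LOW
    return system


def overall_impact(system_category: dict) -> Impact:
    """Single impact level of the system: the highest of the three objectives.
    This is the level the BIA prioritization on the previous slides keys on."""
    return max(system_category.values())


def fips199_notation(label: str, category: dict) -> str:
    """Render a category in the notation FIPS 199 uses in its examples."""
    parts = ", ".join(
        f"({obj}, {'N/A' if category[obj] is None else category[obj].name})"
        for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample system (hypothetical information types, not from the page).
SAMPLE_SYSTEM = {
    "public web content": categorize_info_type(None, Impact.MODERATE, Impact.MODERATE),
    "payroll records": categorize_info_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "emergency notification": categorize_info_type(Impact.LOW, Impact.MODERATE, Impact.HIGH),
}

if __name__ == "__main__":
    for name, cat in SAMPLE_SYSTEM.items():
        print(fips199_notation(name, cat))
    sys_cat = categorize_system(SAMPLE_SYSTEM)
    print(fips199_notation("payroll system", sys_cat))
    print("overall impact level:", overall_impact(sys_cat).name)
```

Note the effect of the high water mark on the sample: no single information type is HIGH in more than one objective, yet the system as a whole is HIGH because the emergency notification data drives availability, and that availability level, not the confidentiality of the payroll data, is what sizes the contingency plan.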
Contingency Planning Guide (NIST SP 800-34)
Types of Plans:
Information system contingency planning fits into broader
set of activities that include:
organizational and business process continuity,
disaster recovery planning,
incident management.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans:
Continuity Planning: normally applies to the
mission/business itself; it concerns the ability to
continue critical functions and processes during and
after an emergency event.
Contingency Planning: normally applies to
information systems, and provides the steps needed to
recover the operation of all or part of designated
information systems at an existing or new location in an
emergency.
Cyber Incident Response Planning: a type of plan that
normally focuses on detection of, response to, and
recovery from a computer security incident or event.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Business Continuity Plan (BCP):
Business Continuity Plan (BCP):
The BCP focuses on sustaining an organization’s
mission/business processes during and after a
disruption.
Example of a mission/business process: organization’s
payroll process or customer service process.
A BCP may be used for long-term recovery in
conjunction with the COOP plan, allowing for additional
functions to come online as resources or time allow.
A BCP may be written for mission/business processes
within a single business unit or may address the entire
organization’s processes.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Continuity of Operations (COOP) Plan:
Continuity of Operations (COOP) Plan:
COOP focuses on restoring an organization’s mission
essential functions (MEF) at an alternate site and
performing those functions for up to 30 days before
returning to normal operations.
Additional functions, or those at a field office level, may
be addressed by a BCP.
Minor threats or disruptions that do not require
relocation to an alternate site are typically not
addressed in a COOP plan.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Continuity of Operations (COOP) Plan:
Standard elements of a COOP plan include:
Program plans and procedures.
Risk management.
Budgeting and acquisition of resources.
Essential functions.
Order of succession.
Delegation of authority.
Continuity facilities.
Continuity communications.
Vital records management.
Human capital.
Test, training, and exercise.
Devolution (see
http://www.bhs.idaho.gov/Pages/Plans/
COOP%20T%20and%20T/TT%20Devolution.pdf).
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Continuity of Operations (COOP) Plan:
Continuity of Operations (COOP) Plan:
Nongovernment organizations typically use BCPs
rather than COOP plans to address mission/business
processes.
In the USA, COOP plans are mandated for federal
organizations by HSPD-20/NSPD-51, National Continuity
Policy, and by FCD 1, Federal Executive Branch National
Continuity Program and Requirements (see
http://www.fema.gov/pdf/about/offices/fcd1.pdf).
COOP vs. ISCP (Information System Contingency
Plan) – The Basic Facts:
COOP plans address national, primary, or mission
essential functions; ISCPs address federal information
systems.
COOP functions have specific criteria; not all
government mission/business processes meet COOP
criteria.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Continuity of Operations (COOP) Plan:
Continuity of Operations (COOP) Plan:
...
...
COOP planning applies to mission essential functions
of federal government departments and agencies.
ISCPs apply to all information systems in federal
organizations.
COOP is mandated for federal organizations by
HSPD-20/NSPD-51, FCDs 1 and 2, and the National
Continuity Policy Implementation Plan (NCPIP); ISCPs
are mandated for federal organizations by FISMA.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Crisis Communications Plan:
Organizations should document standard procedures
for internal and external communications in the event of
a disruption using a crisis communications plan.
A crisis communications plan is often developed by the
organization responsible for public outreach.
The crisis communications plan typically designates
specific individuals as the only authority for answering
questions from or providing information to the public
regarding emergency response.
It may also include procedures for disseminating
reports to personnel on the status of the incident and
templates for public press releases.
The crisis communications plan procedures should be
communicated to COOP and BCP planners, so that those
plans ensure that only approved statements are released
to the public, and only by authorized officials.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Critical Infrastructure Protection (CIP) Plan:
Critical Infrastructure Protection (CIP) Plan:
Critical infrastructure and key resources (CIKR) are
those components of the national infrastructure that are
so vital that their loss would have a debilitating effect on
the safety, security, economy, and/or health of the state.
A CIP plan is a set of policies and procedures that
serve to protect and recover these national assets and
mitigate risks and vulnerabilities.
CIP plans define
the roles and responsibilities for protection,
develop partnerships and information sharing
relationships,
implement the risk management framework defined in
appropriate documents.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Cyber Incident Response Plan:
Cyber Incident Response Plan:
The cyber incident response plan establishes
procedures to address cyber attacks against an
organization’s information system(s).
These procedures are designed to enable security
personnel to identify, mitigate, and recover from
malicious computer incidents, such as unauthorized
access to a system or data, denial of service, or
unauthorized changes to system hardware, software, or
data.
This plan may be included as an appendix of the BCP.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Disaster Recovery Plan (DRP):
Disaster Recovery Plan:
The DRP applies to major, usually physical disruptions
to service that deny access to the primary facility
infrastructure for an extended period.
A DRP is an information system-focused plan designed
to restore operability of the target system, application,
or computer facility infrastructure at an alternate site
after an emergency.
The DRP may be supported by multiple information
system contingency plans to address recovery of
impacted individual systems once the alternate facility
has been established.
...
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Disaster Recovery Plan (DRP):
Disaster Recovery Plan:
...
A DRP may support a BCP or COOP plan by
recovering supporting systems for mission/business
processes or mission essential functions at an
alternate location.
The DRP only addresses information system
disruptions that require relocation.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Information System Contingency Plan (ISCP):
Information System Contingency Plan (ISCP)
An ISCP provides established procedures for the
assessment and recovery of a system following a
system disruption.
The ISCP provides key information needed for system
recovery, including roles and responsibilities, inventory
information, assessment procedures, detailed recovery
procedures, and testing of a system.
The ISCP differs from a DRP primarily in that the
information system contingency plan procedures are
developed for recovery of the system regardless of site
or location.
...
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Information System Contingency Plan (ISCP):
Information System Contingency Plan (ISCP)
...
In contrast, a DRP is primarily a site-specific plan
developed with procedures to move operations of one
or more information systems from a damaged or
uninhabitable location to a temporary alternate location.
Once the DRP has successfully transferred an
information system site to an alternate site, each
affected system would then use its respective ISCP to
restore, recover, and test systems, and put them into
operation.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans – Occupant Emergency Plan (OEP):
The OEP outlines first-response procedures for
occupants of a facility in the event of a threat or incident
to the health and safety of personnel, the environment,
or property.
Such events include a fire, bomb threat, chemical
release, domestic violence in the workplace, or a
medical emergency.
Shelter-in-place procedures for events requiring
personnel to stay inside the building rather than
evacuate are also addressed in an OEP.
OEPs are developed at the facility level, specific to the
geographic location and structural design of the
building.
The facility OEP may be appended to the COOP or
BCP, but is executed separately and as a first response
to the incident.
Contingency Planning Guide (NIST SP 800-34)
Types of Plans:
Summary – see page 11 of NIST SP 800-34.
Contingency Planning Guide (NIST SP 800-34)
Information System Contingency Planning Process
The process is common to all information systems. The
seven steps in the process are:
Develop the contingency planning policy;
Conduct the business impact analysis (BIA);
Identify preventive controls;
Create contingency strategies;
Develop an information system contingency plan;
Ensure plan testing, training, and exercises;
Ensure plan maintenance.
Contingency Planning Guide (NIST SP 800-34)
Develop the contingency planning policy
To be effective and to ensure that personnel fully
understand the organization’s contingency planning
requirements, the contingency plan must be based on
a clearly defined policy.
The contingency planning policy statement should
define the organization’s overall contingency objectives
and establish the organizational framework and
responsibilities for system contingency planning.
Key policy elements are as follows:
Roles and responsibilities;
Scope as applies to common platform types and
organization functions (i.e., telecommunications, legal,
media relations) subject to contingency planning;
Resource requirements;
Training requirements;
Exercise and testing schedules;
Plan maintenance schedule;
Minimum frequency of backups and storage of backup
media.
Contingency Planning Guide (NIST SP 800-34)
Develop the contingency planning policy
ISCPs must be written in coordination with the other plans
associated with each target system, as part of an
organization-wide resilience strategy. Such plans include:
Information system security plans,
Facility-level plans, such as the OEP and DRP,
MEF support plans, such as the COOP plan,
Organization-level plans, such as CIP plans.
Contingency Planning Guide (NIST SP 800-34)
Conduct the Business Impact Analysis
The BIA is a key step in implementing the contingency
planning (CP) family of controls from NIST SP 800-53.
The BIA enables the ISCP Coordinator to characterize
the system components, supported mission/business
processes, and interdependencies.
The BIA purpose is to correlate the system with the
critical mission/business processes and services
provided, and based on that information, characterize
the consequences of a disruption.
The ISCP Coordinator can use the BIA results to
determine contingency planning requirements and
priorities.
Contingency Planning Guide (NIST SP 800-34)
Conduct the Business Impact Analysis
Three steps are typically involved in accomplishing the BIA:
Determine mission/business processes and recovery
criticality.
Identify resource requirements.
Identify recovery priorities for system resources.
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
An information system can be very complex and often
supports multiple mission/business processes,
resulting in different perspectives on the importance of
system services or capabilities.
The ISCP Coordinator should work with management and
with internal and external points of contact (POC) to
identify and validate the mission/business processes that
depend on or support the information system.
(When identifying POCs, it is important to include
organizations that provide data to or receive data from
the system, as well as the POCs of any interconnected
systems.)
...
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
...
The identified processes’ impacts are then further
analyzed in terms of availability, integrity, confidentiality,
and the established FIPS 199 impact level for the
information system.
Further identification of additional mission/business
processes and impacts captures the unique purpose of
the system. Organizational and system uniqueness are
important considerations for contingency planning and
business impact. Adding information types to address
this uniqueness will enhance the prioritization of
system component impacts.
Unique processes and impacts can be expressed in
values or units of measurement that are meaningful to
the organization.
...
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
...
The ISCP Coordinator should next analyze the
supported mission/business processes and with the
process owners, leadership and business managers
determine the acceptable downtime if a given process
or specific system data were disrupted or otherwise
unavailable.
Downtime can be identified in several ways:
Maximum Tolerable Downtime (MTD).
Recovery Time Objective (RTO).
Recovery Point Objective (RPO).
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
Maximum Tolerable Downtime (MTD):
The MTD represents the total amount of time the
system owner/authorizing official is willing to accept for
a mission/business process outage or disruption and
includes all impact considerations.
Determining the MTD is important: without it, contingency
planners are left with imprecise direction on
the selection of an appropriate recovery method, and
the depth of detail that will be required when
developing recovery procedures, including their scope
and content.
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
Recovery Time Objective (RTO):
RTO defines the maximum amount of time that a
system resource can remain unavailable before there is
an unacceptable impact on other system resources,
supported mission/business processes, and the MTD.
Determining the information system resource RTO is
important for selecting appropriate technologies that
are best suited for meeting the MTD.
When it is not feasible to meet the RTO immediately and
the MTD is inflexible, a Plan of Action and Milestones
(POA&M) should be initiated to document the situation
and plan for its mitigation.
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
Recovery Point Objective (RPO)
The RPO represents the point in time, prior to a
disruption or system outage, to which mission/business
process data can be recovered (given the most recent
backup copy of the data) after an outage.
Unlike RTO, RPO is not considered as part of MTD.
Rather, it is a factor of how much data loss the
mission/business process can tolerate during the
recovery process.
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
Because the RTO must ensure that the MTD is not
exceeded, the RTO must normally be shorter than the
MTD. For example, a system outage may prevent a
particular process from being completed, and because
it takes time to reprocess the data, that additional
processing time must be added to the RTO to stay
within the time limit established by the MTD.
The ISCP Coordinator, working with management,
should determine the optimum point to recover the
information system while balancing the cost of system
inoperability against the cost of resources required for
restoring the system and its overall support for critical
business processes:
The longer a disruption is allowed to continue, the more
costly it becomes.
The shorter the RTO, the more expensive the recovery
solutions are to implement.
Contingency Planning Guide (NIST SP 800-34)
BIA - Determine business processes and recovery criticality
See Fig. 3-3.
Contingency Planning Guide (NIST SP 800-34)
BIA - Identify resource requirements
Realistic recovery efforts require a thorough evaluation
of the resources required to resume mission/business
processes as quickly as possible.
Working with management and internal and external
POCs associated with the system, the ISCP
Coordinator should ensure that the complete
information system resources are identified.
A simple table such as the one shown in Table 3-1 can
be used to capture relevant information system
resources.
Contingency Planning Guide (NIST SP 800-34)
BIA - Identify recovery priorities for system resources
Recovery priorities can be effectively established taking
into consideration mission/business process criticality,
outage impacts, tolerable downtime, and system
resources.
The result is an information system recovery priority
hierarchy.
The ISCP Coordinator should consider system
recovery measures and technologies to meet the
recovery priorities.
Information System Contingency Planning Process
The process is common to all information systems. The
seven steps in the process are:
Develop the contingency planning policy;
Conduct the business impact analysis (BIA);
Identify preventive controls;
Create contingency strategies;
Develop an information system contingency plan;
Ensure plan testing, training, and exercises;
Ensure plan maintenance.
Identify preventive controls
In some cases, the outage impacts identified in the BIA
may be mitigated or eliminated through preventive
measures that deter, detect, and/or reduce impacts to
the system.
Where feasible and cost-effective, preventive methods
are preferable.
Some common measures include (see NIST SP
800-53 for more details):
Appropriately sized uninterruptible power supplies
(UPS) to provide short-term backup power to all system
components (including environmental and safety
controls).
Gasoline- or diesel-powered generators to provide
long-term backup power.
Air-conditioning systems with adequate excess capacity to prevent failure of certain components, such as a compressor.
Fire suppression systems.
Fire and smoke detectors.
Water sensors in the computer room ceiling and floor.
Heat-resistant and waterproof containers for backup media and vital non-electronic records.
Emergency master system shutdown switch.
Offsite storage of backup media, non-electronic records, and system documentation.
Technical security controls, such as cryptographic key management.
Frequent scheduled backups, including where the backups are stored (onsite or offsite) and how often they are recirculated and moved to storage.
Create contingency strategies
Contingency strategies are created to cover the full range of backup, recovery, contingency planning, testing, and ongoing maintenance:
Backup and recovery.
Backup methods and offsite storage.
Alternate sites.
Equipment replacement.
Cost considerations.
Roles and responsibilities.
Contingency strategies - backup and recovery
A variety of recovery approaches may be considered,
with the appropriate choice being highly dependent
upon the incident, type of system, BIA/FIPS 199 impact
level, and the system’s operational requirements.
(Chapter 5 of NIST SP 800-34 provides detailed
discussion of recovery methods applicable to specific
types of information systems.)
Several alternative approaches should be considered
when developing and comparing strategies, including
cost, maximum downtimes, security, recovery priorities,
and integration with larger, organization-level
contingency plans.
Table 3-2 is an example that can assist in identifying
the linkage of FIPS 199 impact level for the availability
security objective, recovery priority, backup, and
recovery strategy.
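The recovery priority hierarchy from the BIA slide and the impact-level linkage of Table 3-2, as an added Python example that is not code from NIST SP 800-34 or the slide author: it orders constructed BIA records by FIPS 199 availability level, tolerable downtime and process criticality, flags a planned RTO that exceeds the MTD (a commonly applied sanity check, not stated on the slides), and attaches a per-level backup and alternate-site recommendation. The strategy table and all records are assumptions for illustration, not a reproduction of Table 3-2.

```python
"""Recovery priority hierarchy from BIA inputs.

Added example, not code from NIST SP 800-34 or the slide author. Every record
below is constructed sample data; the per-level strategy table is an assumed
illustration in the spirit of Table 3-2, not a reproduction of it.
"""
from dataclasses import dataclass

# FIPS 199 availability impact levels, highest first when sorting.
LEVEL_RANK = {"high": 3, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class BiaRecord:
    system: str
    process: str          # mission/business process the system supports
    criticality: int      # process criticality, 1 (lowest) .. 5 (highest)
    outage_impact: int    # outage impact rating from the BIA, 1 .. 5
    mtd_hours: float      # maximum tolerable downtime of the process
    rto_hours: float      # recovery time objective planned for the system
    availability: str     # FIPS 199 availability impact level


# Assumed linkage (illustrative): the slides state that moderate- and
# high-impact systems need a strategy to operate at an alternate facility and
# that a moderate availability objective requires backups that are tested.
STRATEGY_BY_LEVEL = {
    "low": {"backup": "periodic full backup, media may stay onsite",
            "site": "none required; relocate or cold site if desired"},
    "moderate": {"backup": "regular, tested backups with offsite media",
                 "site": "warm site"},
    "high": {"backup": "mirrored or replicated data",
             "site": "hot or mirrored site"},
}


def validate(record: BiaRecord) -> list:
    """Return the consistency problems found in one BIA record."""
    problems = []
    if record.availability not in LEVEL_RANK:
        problems.append(f"{record.system}: unknown availability level "
                        f"{record.availability!r}")
    if record.rto_hours > record.mtd_hours:
        # A planned recovery time longer than the tolerable downtime means the
        # strategy cannot meet the process need; a widely applied sanity check.
        problems.append(f"{record.system}: RTO {record.rto_hours}h exceeds "
                        f"MTD {record.mtd_hours}h")
    return problems


def priority_key(record: BiaRecord) -> tuple:
    """Sort key: higher availability level, then shorter tolerable downtime,
    then higher process criticality and outage impact, come first."""
    return (-LEVEL_RANK.get(record.availability, 0), record.mtd_hours,
            -record.criticality, -record.outage_impact)


def recovery_hierarchy(records) -> list:
    """Rank the systems and attach the recommended backup and site strategy."""
    hierarchy = []
    for rank, rec in enumerate(sorted(records, key=priority_key), start=1):
        strategy = STRATEGY_BY_LEVEL.get(rec.availability, STRATEGY_BY_LEVEL["low"])
        hierarchy.append({
            "rank": rank, "system": rec.system, "process": rec.process,
            "availability": rec.availability, "mtd_hours": rec.mtd_hours,
            "backup": strategy["backup"], "site": strategy["site"],
        })
    return hierarchy


# Constructed sample BIA records for a small organization.
SAMPLE = [
    BiaRecord("HR-Portal", "Payroll", 3, 3, 72, 48, "moderate"),
    BiaRecord("Intranet-Wiki", "Internal documentation", 1, 1, 168, 120, "low"),
    BiaRecord("Order-DB", "Order processing", 5, 5, 4, 2, "high"),
    BiaRecord("Mail-Gateway", "Customer communication", 4, 4, 24, 12, "moderate"),
    BiaRecord("Legacy-Reports", "Monthly reporting", 2, 2, 240, 300, "low"),
]


def sample_problems() -> list:
    """Consistency problems across the constructed sample."""
    return [p for rec in SAMPLE for p in validate(rec)]


if __name__ == "__main__":
    for problem in sample_problems():
        print("WARNING:", problem)
    for row in recovery_hierarchy(SAMPLE):
        print(f"{row['rank']}. {row['system']:<15} {row['availability']:<9} "
              f"MTD={row['mtd_hours']:>5}h  backup: {row['backup']}; "
              f"site: {row['site']}")
```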
Contingency strategies - Backup Methods and Offsite Storage
System data should be backed up regularly.
Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced.
Data backup policies should designate the location of stored data, file-naming conventions, media rotation frequency, and the method for transporting data offsite.
Contingency strategies - Backup Methods and Offsite Storage
Data may be backed up on:
magnetic disk,
tape,
or optical disks, such as compact disks (CDs).
The specific method chosen for conducting backups
should be based on system and data availability and
integrity requirements.
Contingency strategies - Backup Methods and Offsite Storage
It is good business practice to store backed-up data
offsite.
If using offsite storage, data is backed up at the organization’s facility and then labeled, packed, and transported to the storage facility.
If the data is required for recovery or testing purposes,
the organization contacts the storage facility requesting
specific data to be transported to the organization or to
an alternate facility.
Contingency strategies - Backup Methods and Offsite Storage
Backup tapes should be tested regularly to ensure that
data are being stored correctly and that the files may
be retrieved without errors or lost data.
Also, the ISCP Coordinator should test the backup
tapes at the alternate site, if applicable, to ensure that
the site supports the same backup configuration that
the organization has implemented.
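The backup policy requirements from the preceding slides (minimum frequency and scope, offsite storage, regular testing of backup media), as an added Python example that is not part of the slides or of NIST's text: it checks a constructed backup catalog against a constructed policy and verifies a restore by hashing the restored data against the digest recorded at backup time. The policy thresholds, catalog entries, payloads and dates are all assumptions.

```python
"""Backup policy conformance check and restore verification.

Added example, not code from NIST SP 800-34 or the slide author. The policy
thresholds, catalog entries and dates below are constructed sample data.
"""
import hashlib
from datetime import datetime, timedelta

# Assumed policy per data criticality: minimum backup frequency and scope,
# whether an offsite copy is required, and how recent a successful restore
# test must be.
POLICY = {
    "high": {"max_age_hours": 24, "full_every_days": 7,
             "offsite": True, "restore_test_days": 30},
    "moderate": {"max_age_hours": 168, "full_every_days": 30,
                 "offsite": True, "restore_test_days": 90},
    "low": {"max_age_hours": 720, "full_every_days": 90,
            "offsite": False, "restore_test_days": 180},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(restored: bytes, recorded_digest: str) -> bool:
    """A restore test passes only if the restored bytes hash to the digest
    recorded when the backup was written (no errors, no lost data)."""
    return sha256_hex(restored) == recorded_digest


def check_catalog(catalog, criticality_of, now) -> dict:
    """Return {data_set: [violations]} for every data set the policy covers."""
    findings = {}
    for data_set, level in criticality_of.items():
        rule = POLICY[level]
        runs = [c for c in catalog if c["data_set"] == data_set]
        if not runs:
            findings[data_set] = ["no backup recorded"]
            continue
        problems = []
        latest = max(runs, key=lambda c: c["when"])
        if now - latest["when"] > timedelta(hours=rule["max_age_hours"]):
            problems.append(f"latest backup is {(now - latest['when']).days} "
                            f"days old; policy allows {rule['max_age_hours']}h")
        fulls = [c["when"] for c in runs if c["type"] == "full"]
        if not fulls or now - max(fulls) > timedelta(days=rule["full_every_days"]):
            problems.append(f"no full backup within {rule['full_every_days']} days")
        if rule["offsite"] and not any(c["location"] == "offsite" for c in runs):
            problems.append("no offsite copy")
        tested = [c["restore_tested"] for c in runs if c["restore_tested"]]
        if not tested or now - max(tested) > timedelta(days=rule["restore_test_days"]):
            problems.append(f"no successful restore test within "
                            f"{rule['restore_test_days']} days")
        findings[data_set] = problems
    return findings


# Constructed catalog: one entry per backup run. `digest` is the SHA-256 of the
# payload at write time; `restore_tested` is when a restore last verified it.
ORDERS_FULL_PAYLOAD = b"orders-full-2015-05-25"   # stands in for the media content
SAMPLE_CATALOG = [
    {"data_set": "orders", "type": "full", "when": datetime(2015, 5, 25),
     "location": "offsite", "digest": sha256_hex(ORDERS_FULL_PAYLOAD),
     "restore_tested": datetime(2015, 5, 26)},
    {"data_set": "orders", "type": "incremental", "when": datetime(2015, 5, 31),
     "location": "onsite", "digest": sha256_hex(b"orders-incr-2015-05-31"),
     "restore_tested": None},
    {"data_set": "hr", "type": "full", "when": datetime(2015, 4, 20),
     "location": "onsite", "digest": sha256_hex(b"hr-full-2015-04-20"),
     "restore_tested": None},
]
SAMPLE_CRITICALITY = {"orders": "high", "hr": "moderate", "wiki": "low"}
SAMPLE_NOW = datetime(2015, 6, 1)   # constructed "today" for the check


def sample_findings() -> dict:
    """Policy findings for the constructed catalog."""
    return check_catalog(SAMPLE_CATALOG, SAMPLE_CRITICALITY, SAMPLE_NOW)


if __name__ == "__main__":
    for data_set, problems in sample_findings().items():
        print(data_set, "OK" if not problems else problems)
    # A restore test against the recorded digest: intact media passes,
    # a corrupted read fails.
    digest = SAMPLE_CATALOG[0]["digest"]
    print("intact restore verified:", verify_restore(ORDERS_FULL_PAYLOAD, digest))
    print("corrupt restore verified:",
          verify_restore(ORDERS_FULL_PAYLOAD + b"\x00", digest))
```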
Contingency strategies - Backup Methods and Offsite Storage
When selecting an offsite storage facility and vendor, the
following criteria should be considered:
Geographic area: distance from the organization and
the probability of the storage site being affected by the
same disaster as the organization’s primary site.
Accessibility: length of time necessary to retrieve the
data from storage and the storage facility’s operating
hours.
Security: security capabilities of the shipping method,
storage facility, and personnel; all must meet the data’s
security requirements.
Environment: structural and environmental conditions
of the storage facility (i.e., temperature, humidity, fire
prevention, and power management controls).
Cost: cost of shipping, operational fees, and disaster
response/recovery services.
Contingency strategies - Alternate Sites
Table 2-1 summarizes NIST SP 800-53 Contingency
Planning controls for information systems.
The FIPS 199 security categorization for the availability
security objective determines which controls apply to a
particular system.
E.g., an information system with a moderate-availability security objective requires system backup and testing of the backup.
For all FIPS 199 moderate- or high-impact systems, the
plan should include a strategy to recover and perform
system operations at an alternate facility for an
extended period.
Contingency strategies - Alternate Sites
The most common types of alternate sites:
Cold Sites are typically facilities with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support information system recovery activities.
Warm Sites are partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources.
Hot Sites are facilities appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel.
Summary – see Table 3-34.
Contingency strategies - Alternate Sites
Variations or hybrid mixtures of the above are possible.
Examples:
Mobile Sites are self-contained, transportable shells
custom-fitted with specific telecommunications and
system equipment necessary to meet system
requirements
Mirrored Sites are fully redundant facilities with
automated real-time information mirroring. Mirrored
sites are identical to the primary site in all technical
respects.
Contingency strategies - Alternate Sites
Alternate sites may be owned and operated by the
organization (internal recovery), or commercial sites
may be available under contract.
If contracting for the site with a commercial vendor,
adequate testing time, work space, security
requirements, hardware requirements,
telecommunications requirements, support services,
and recovery days (how long the organization can
occupy the space during the recovery period) must be
negotiated and clearly stated in the contract.
Contingency strategies - Alternate Sites
Customers should be aware that multiple organizations
may contract with a vendor for the same alternate site;
as a result, the site may be unable to accommodate all
of the customers if a disaster affects enough of those
customers simultaneously.
The vendor’s policy on how this situation should be
addressed and how priority status is determined should
be negotiated.
Contingency strategies - Alternate Sites
Two or more organizations with similar or identical
system configurations and backup technologies may
enter into a formal agreement to serve as alternate
sites for each other or enter into a joint contract for an
alternate site.
This type of site is set up via a reciprocal agreement or
memorandum of understanding (MOU).
A reciprocal agreement should be entered into carefully
because each site must be able to support the other, in
addition to its own workload, in the event of a disaster.
Contingency strategies - Alternate Sites
This type of agreement requires the recovery sequence
for the systems from both organizations to be prioritized
from a joint perspective, favorable to both parties.
Testing should be conducted at the partnering sites to
evaluate the extra processing thresholds, compatible
system and backup configurations, sufficient
telecommunications connections, compatible security
measures, and the sensitivity of data that might be
accessible by other privileged users, in addition to
functionality of the recovery strategy.
Consideration should also be given to system
interconnections and possible interconnection security
agreements (ISAs).
Contingency strategies - Alternate Sites
An MOU or an SLA for an alternate site should be developed specific to the organization’s needs and the partner organization’s capabilities. In general, the agreement should address, at a minimum, each of the following elements:
Contract/agreement duration;
Cost/fee structure for disaster declaration and
occupancy (daily usage), administration, maintenance,
testing, annual cost/fee increases, transportation
support cost (receipt and return of offsite data/supplies,
as applicable), cost/expense allocation (as applicable),
and billing and payment schedules;
Contingency strategies - Alternate Sites
Disaster declaration (i.e., circumstances constituting a
disaster, notification procedures);
Site/facility priority access and/or use;
Site availability;
Site guarantee;
Other clients subscribing to same resources and site,
and the total number of site subscribers, as applicable;
Contract/agreement change or modification process;
Contingency strategies - Alternate Sites
Contract/agreement termination conditions;
Process to negotiate extension of service;
Guarantee of compatibility;
Information system requirements (including data and
telecommunication requirements) for hardware,
software, and any special system needs (hardware and
software);
Change management and notification requirements,
including hardware, software, and infrastructure;
Contingency strategies - Alternate Sites
Security requirements, including special security
needs;
Staff support provided/not provided;
Facility services provided/not provided (use of onsite
office equipment, cafeteria, etc.);
Testing, including scheduling, availability, test time
duration, and additional testing, if required;
Records management (onsite and offsite), including
electronic media and hardcopy;
Service-level management (performance measures
and management of quality of information system
services provided);
Contingency strategies - Alternate Sites
Work space requirements (e.g., chairs, desks,
telephones, personal computers);
Supplies provided/not provided (e.g., office supplies);
Additional costs not covered elsewhere;
Other contractual issues, as applicable; and
Other technical requirements, as applicable.
Contingency strategies - Equipment replacement
If the information system is damaged or destroyed or the
primary site is unavailable, necessary hardware and
software will need to be activated or procured quickly and
delivered to the alternate location. Three basic strategies
exist to prepare for equipment replacement.
Vendor Agreements;
Equipment Inventory;
Existing Compatible Equipment.
Contingency strategies - Equipment replacement
Vendor Agreements:
As the contingency plan is being developed, SLAs with
hardware, software, and support vendors may be made
for emergency maintenance service.
The SLA should specify how quickly the vendor must
respond after being notified.
The agreement should also give the organization
priority status for the shipment of replacement
equipment over equipment being purchased for normal
operations.
Contingency strategies - Equipment replacement
Vendor Agreements:
SLAs should further discuss what priority status the
organization will receive in the event of a catastrophic
disaster involving multiple vendor clients.
In such cases, organizations with health- and
safety-dependent processes will often receive the
highest priority for shipment.
The details of these negotiations should be
documented in the SLA, which should be maintained
with the contingency plan.
Contingency strategies - Equipment replacement
Equipment Inventory:
Required equipment may be purchased in advance and
stored at a secure offsite location, such as an alternate
site where recovery operations will take place (warm or
mobile site) or at another location where they will be
stored and then shipped to the alternate site.
This solution has certain drawbacks.
An organization must commit financial resources to
purchase this equipment in advance,
and the equipment could become obsolete or
unsuitable for use over time because system
technologies and requirements change.
Contingency strategies - Equipment replacement
Existing Compatible Equipment:
Equipment currently housed and used by the contracted hot site or by another unit within the organization may be used.
Agreements made with hot sites and reciprocal internal
sites stipulate that similar and compatible equipment
will be available for contingency use by the
organization.
Contingency strategies - Equipment replacement
When evaluating the choices:
the ISCP Coordinator should consider that purchasing
equipment when needed is cost-effective but can add
significant overhead time to recovery while waiting for
shipment and setup;
conversely, storing unused equipment is costly, but
allows recovery operations to begin more quickly.
When selecting the most appropriate strategy, note that
the availability of transportation may be limited or
temporarily halted in the event of a catastrophic
disaster.
Contingency strategies - Equipment replacement
When evaluating the choices:
Based on impacts discovered through the BIA,
consideration should be given to the possibility of a
widespread disaster entailing mass equipment
replacement and transportation delays that would
extend the recovery period.
Regardless of the strategy selected, detailed lists of
equipment needs and specifications should be
maintained within the contingency plan.
Contingency strategies - Cost considerations
The ISCP Coordinator should ensure that the strategy
chosen can be implemented effectively with available
personnel and financial resources.
The cost of each type of alternate site, equipment
replacement, and storage option under consideration
should be weighed against budget limitations.
The coordinator should determine known contingency
planning expenses, such as alternate site contract fees,
the cost of implementing an agency-wide contingency
awareness program, and contractor support.
...
Contingency strategies - Cost considerations
...
The budget must be sufficient to encompass software,
hardware, travel and shipping, testing, plan training
programs, awareness programs, labor hours, other
contracted services, and any other applicable
resources (e.g., desks, telephones, fax machines,
pens, and paper).
The organization should perform a cost-benefit analysis
to identify the optimum contingency strategy.
Table 3-5 provides a template for evaluating cost
considerations.
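The cost-benefit reasoning on the last two slides, together with the equipment replacement caveats (shipment lead time, limited transportation in a widespread disaster), can be written down as a small screening model. The block below is an added example, not Table 3-5 of NIST SP 800-34 and not part of the slides; the strategies, costs, recovery hours, delay figures and the RTO are constructed sample values, and the rule "cheapest strategy that meets the RTO in every scenario considered" is this example's simplification.

```python
"""Cost-benefit screening of candidate contingency strategies against the RTO.

Added illustrative model (not NIST SP 800-34's Table 3-5 and not part of the
slides). Every strategy, cost, hour and delay value below is a constructed
sample; replace them with figures from your own BIA and vendor quotes.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Strategy:
    name: str
    one_time_cost: float        # site fit-out, equipment bought and kept in storage
    annual_cost: float          # site contract fees, storage, awareness program, labor
    recovery_hours: float       # estimated time to restore service under normal conditions
    shipping_dependent: bool    # recovery waits on equipment shipment and setup
    travel_dependent: bool      # recovery staff or backup media must travel to the site


@dataclass(frozen=True)
class Scenario:
    name: str
    shipping_delay_hours: float  # extra vendor lead time during mass equipment replacement
    travel_delay_hours: float    # extra time when transportation is limited or halted


def projected_recovery_hours(strategy: Strategy, scenario: Scenario) -> float:
    """Recovery time for a strategy once the scenario's delays are applied."""
    hours = strategy.recovery_hours
    if strategy.shipping_dependent:
        hours += scenario.shipping_delay_hours
    if strategy.travel_dependent:
        hours += scenario.travel_delay_hours
    return hours


def total_cost(strategy: Strategy, years: int) -> float:
    """Cost of owning the strategy over the planning horizon."""
    return strategy.one_time_cost + strategy.annual_cost * years


def meets_rto(strategy: Strategy, rto_hours: float, scenarios: List[Scenario]) -> bool:
    """Viable only if the strategy recovers within the RTO in every scenario considered."""
    return all(projected_recovery_hours(strategy, sc) <= rto_hours for sc in scenarios)


def select_strategy(strategies: List[Strategy], rto_hours: float,
                    scenarios: List[Scenario], years: int,
                    budget: Optional[float] = None) -> Optional[Strategy]:
    """Cheapest strategy over `years` that meets the RTO in all scenarios and fits the budget."""
    viable = [s for s in strategies if meets_rto(s, rto_hours, scenarios)]
    if budget is not None:
        viable = [s for s in viable if total_cost(s, years) <= budget]
    return min(viable, key=lambda s: total_cost(s, years), default=None)


# Constructed sample inputs: three candidate strategies and two scenarios.
STRATEGIES = [
    Strategy("cold site, buy equipment when needed", 0, 20_000, 72, True, True),
    Strategy("warm site, spare equipment kept in storage", 150_000, 60_000, 24, False, True),
    Strategy("hot site, mirrored systems", 300_000, 250_000, 2, False, False),
]
LOCALIZED = Scenario("localized outage", shipping_delay_hours=0, travel_delay_hours=0)
WIDESPREAD = Scenario("widespread disaster", shipping_delay_hours=96, travel_delay_hours=48)
RTO_HOURS = 72       # assumed to come from the BIA
HORIZON_YEARS = 3    # assumed planning horizon for comparing costs


if __name__ == "__main__":
    for scenarios in ([LOCALIZED], [LOCALIZED, WIDESPREAD]):
        chosen = select_strategy(STRATEGIES, RTO_HOURS, scenarios, HORIZON_YEARS)
        print("scenarios considered:", ", ".join(sc.name for sc in scenarios))
        print("  selected:", chosen.name if chosen else "none viable")
```

Run as a script, the model picks the cold site when only a localized outage is considered, but the warm site once the widespread-disaster scenario is included, because buying equipment on demand no longer meets the RTO once vendor lead time and transportation delays are added; with a budget cap of 200,000 over three years no strategy is viable, which is the signal to revisit either the RTO or the budget.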
Contingency strategies - Roles and responsibilities
Having selected and implemented the backup and
system recovery strategies, the ISCP Coordinator must
designate appropriate teams to implement the strategy.
Each team should be trained and ready to respond in
the event of a disruptive situation requiring plan
activation.
Recovery personnel should be assigned to one of
several specific teams that will respond to the event,
recover capabilities, and return the system to normal
operations.
To do so, recovery team members need to clearly
understand the team’s recovery effort goal, individual
procedures the team will execute, and how
interdependencies between recovery teams may affect
overall strategies.
Contingency strategies - Roles and responsibilities
The types of teams required are based on the
information system affected and could be tailored
according to FIPS 199 impact levels to reflect specific
differences in requirements and backup procedures.
The size of each team, team titles, and hierarchy
designs depend on the organization.
...
Contingency strategies - Roles and responsibilities
...
In addition to a single authoritative role for overall
decision-making responsibility, including plan
activation, a capable strategy will require some or all of
the following groups:
Management team (including the ISCP Coordinator);
Outage assessment team;
Operating system administration team;
Server recovery team (e.g., client server, Web server);
...
Contingency strategies - Roles and responsibilities
In addition to a single authoritative role for overall
decision-making responsibility, including plan
activation, a capable strategy will require some or all of
the following groups:
...
Local Area Network/Wide Area Network (LAN/WAN)
recovery team;
Database recovery team;
Network operations recovery team;
Application recovery team(s);
...
Contingency strategies - Roles and responsibilities
In addition to a single authoritative role for overall
decision-making responsibility, including plan
activation, a capable strategy will require some or all of
the following groups:
...
Telecommunications team;
Test team;
Transportation and relocation team;
Media relations team;
Legal affairs team;
Physical/personnel security team; and
Procurement team (equipment and supplies).
Contingency strategies - Roles and responsibilities
Personnel should be chosen to staff these teams based
on their skills and knowledge.
Ideally, teams are staffed with personnel responsible for
the same or similar functions under normal conditions.
For example, server recovery team members should
include the server administrators.
Team members must understand not only the
contingency plan purpose, but also the procedures
necessary for executing the recovery strategy.
...
Contingency strategies - Roles and responsibilities
...
Teams should be sufficient in size to remain viable if
some members are unavailable to respond or alternate
team members may be designated.
Similarly, team members should be familiar with the
goals and procedures of other teams to facilitate
cross-team coordination.
The ISCP Coordinator should also consider that a
disruption could render some personnel unavailable to
respond.
In this situation, executing the plan may be possible
only by using personnel from another geographic area
of the organization or by hiring contractors or vendors.
Such personnel may be coordinated and trained as an
alternate team.
Contingency strategies - Roles and responsibilities
Each team is led by a team leader who directs overall
team operations, acts as the team’s representative to
management, and liaises with other team leaders.
The team leader disseminates information to team
members and approves any decisions that must be
made within the team.
Team leaders should have a designated alternate to act
as the leader if the primary leader is unavailable.
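The staffing rules on the preceding slides (teams staffed from the same day-to-day function, viable when some members cannot respond, alternates designated, no single geographic area, an alternate for every team leader) are the kind of thing a plan review can check mechanically. The block below is an added example, not text or code from NIST SP 800-34 or the slides; the people, sites, functions and minimum team sizes are constructed sample data, and the specific checks are this example's reading of the rules above.

```python
"""Readiness checks for contingency plan recovery-team rosters.

Added illustrative check (not NIST SP 800-34's text and not part of the slides).
The people, sites and functions below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    name: str
    site: str       # geographic area of the organization the person works from
    function: str   # job function under normal conditions


@dataclass
class Team:
    name: str
    leader: Person
    alternate_leader: Optional[Person]
    members: List[Person]
    alternates: List[Person] = field(default_factory=list)  # designated alternate members
    min_viable_size: int = 2
    expected_function: Optional[str] = None  # function members ideally hold day to day


def check_team(team: Team, assumed_unavailable: int) -> List[str]:
    """Return findings for a team, assuming `assumed_unavailable` people cannot respond."""
    findings = []
    roster = [team.leader] + team.members

    # Leadership: every team leader needs a designated, distinct alternate.
    if team.alternate_leader is None:
        findings.append(f"{team.name}: no alternate team leader designated")
    elif team.alternate_leader == team.leader:
        findings.append(f"{team.name}: alternate team leader is the primary leader")

    # Size: the team must stay viable with some people missing; alternates count.
    responders = len(roster) + len(team.alternates) - assumed_unavailable
    if responders < team.min_viable_size:
        findings.append(
            f"{team.name}: only {responders} responders with {assumed_unavailable} "
            f"unavailable, below the viable minimum of {team.min_viable_size}"
        )

    # Geography: one site for everyone means one disruption can take the whole team out.
    sites = {p.site for p in roster + team.alternates}
    if len(sites) < 2:
        findings.append(f"{team.name}: all personnel are at a single site ({sites.pop()})")

    # Skills: members should do the same or similar work under normal conditions.
    if team.expected_function:
        mismatched = [p.name for p in roster if p.function != team.expected_function]
        if mismatched:
            findings.append(
                f"{team.name}: members outside the expected function "
                f"'{team.expected_function}': {', '.join(mismatched)}"
            )
    return findings


def check_plan(teams: List[Team], assumed_unavailable: int = 1) -> List[str]:
    """Findings across all teams of a plan for one assumed level of absence."""
    findings = []
    for team in teams:
        findings.extend(check_team(team, assumed_unavailable))
    return findings


# Constructed sample roster.
ANA = Person("Ana", "HQ", "server administrator")
BEN = Person("Ben", "HQ", "server administrator")
CY = Person("Cy", "HQ", "help desk")
DEE = Person("Dee", "HQ", "network engineer")
ELI = Person("Eli", "DR site", "network engineer")
FAY = Person("Fay", "DR site", "network engineer")
GUS = Person("Gus", "DR site", "network engineer")  # contractor trained as an alternate

TEAMS = [
    Team("Server recovery team", leader=ANA, alternate_leader=None, members=[BEN, CY],
         min_viable_size=3, expected_function="server administrator"),
    Team("LAN/WAN recovery team", leader=DEE, alternate_leader=ELI, members=[ELI, FAY],
         alternates=[GUS], min_viable_size=3, expected_function="network engineer"),
]

if __name__ == "__main__":
    for finding in check_plan(TEAMS) or ["no findings"]:
        print(finding)
```

On the sample roster the server recovery team produces four findings (no alternate leader, not viable with one person absent, everyone at HQ, a help-desk member on a server team), while the LAN/WAN team passes with one absence and fails only when two people are assumed unavailable; the `assumed_unavailable` parameter is how the "disruption could render some personnel unavailable" consideration is made explicit.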
Contingency strategies - Roles and responsibilities
For most systems, a management team is necessary
for providing overall guidance following a major system
disruption or emergency.
The team is responsible for activating the contingency
plan and supervising the execution of contingency
operations.
The management team also facilitates communications
among other teams and supervises information system
contingency plan tests and exercises.
Some or all of the management team may lead
specialized recovery teams.
A senior management official, such as the CIO, has the
ultimate authority to activate the plan and to make
decisions regarding spending levels, acceptable risk,
and interagency coordination. The senior management
official typically leads the management team.
Information System Contingency Planning Process
The process is common to all information systems. The
seven steps in the process are:
Develop the contingency planning policy;
Conduct the business impact analysis (BIA);
Identify preventive controls;
Create contingency strategies;
Develop an information system contingency plan;
Ensure plan testing, training, and exercises;
Ensure plan maintenance.
Ensure plan testing, training, and exercises
An ISCP should be maintained in a state of readiness.
That includes:
having personnel trained to fulfill their roles and
responsibilities within the plan,
having plans exercised to validate their content,
having systems and system components tested to
ensure their operability in the environment specified in
the ISCP.
In addition, as indicated in Step 4 (Assess Security
Controls) of the Risk Management Framework (RMF is
described in draft NIST SP 800-39, Managing Risk from
Information Systems: An Organizational Perspective)
the effectiveness of the information system controls
should be assessed by using the procedures
documented in NIST SP 800-53A (Guide for Assessing
the Security Controls in Federal Information Systems).
...
Ensure plan testing, training, and exercises
...
NIST SP 800-84, Guide to Test, Training and Exercise
Programs for Information Technology Plans and
Capabilities, provides guidelines on designing,
developing, conducting, and evaluating test, training,
and exercise (TT&E) events so that organizations can
improve their ability to prepare for, respond to, manage,
and recover from adverse events.
While the majority of TT&E activities occur during the
Operations/Maintenance phase, initial TT&E events
should be conducted during the
Implementation/Assessment phase of the SDLC
(system development life cycle) to validate ISCP
recovery procedures.
...
Ensure plan testing, training, and exercises
...
Organizations should conduct TT&E events
periodically, following organizational or system
changes, or the issuance of new TT&E guidance, or as
otherwise needed.
Execution of TT&E events assists organizations in
determining the plan’s effectiveness and in ensuring that
all personnel know what their roles are in the conduct of
each information system plan.
TT&E event schedules are often dictated in part by
organizational requirements. For example, NIST SP
800-53 includes a control (CP-4) for federal
organizations to conduct exercises or tests for their
systems’ contingency plans around an
organization-defined frequency.
Ensure plan testing, training, and exercises
...
For each TT&E activity conducted, results are
documented in an after-action report, and Lessons
Learned corrective actions are captured for updating
information in the ISCP.
While NIST SP 800-84 provides detailed information on
how to plan and conduct TT&E activities for information
systems, the following sections provide summarized
details:
Testing
Training
Exercises
TT&E Program Summary
Ensure plan testing, training, and exercises
TT&E:
Testing
Training
Exercises
TT&E Program Summary
Ensure TT&E - Testing
ISCP testing is a critical element of a viable
contingency capability.
Testing enables plan deficiencies to be identified and
addressed by validating one or more of the system
components and the operability of the plan.
Testing can take on several forms and accomplish
several objectives but should be conducted in as close
to an operating environment as possible.
Each information system component should be tested
to confirm the accuracy of individual recovery
procedures.
Ensure TT&E - Testing
The following areas should be addressed in a contingency
plan test, as applicable:
Notification procedures;
System recovery on an alternate platform from backup
media;
Internal and external connectivity;
System performance using alternate equipment;
Restoration of normal operations;
Other plan testing (where coordination is identified, i.e.,
COOP, BCP).
Ensure TT&E - Testing
To derive the most value from the test, the ISCP
Coordinator should develop a test plan designed to
examine the selected element(s) against explicit test
objectives and success criteria.
The use of test objectives and success criteria enables
the effectiveness of each system element and the
overall plan to be assessed.
The test plan should include a schedule detailing the
time frames for each test and test participants.
The test plan should also clearly delineate scope,
scenario, and logistics.
The scenario chosen may be a worst-case incident or
an incident most likely to occur. It should mimic reality
as closely as possible.
Ensure TT&E - Testing
Tests are evaluation tools that use quantifiable metrics
to validate the operability of an information system or
system component in an operational environment.
For example, an organization could test call tree lists to
determine if calling can be executed within prescribed
time limits; another test may be removing power from a
system or system component.
A test is conducted in as close to an operational
environment as possible; if feasible, an actual test of
the components or systems used to conduct daily
operations for the organization should be used
(Consideration should be given to Industrial Control
Systems, where systems have a need for real-time
response and extremely high availability, predictability,
and reliability. Thorough testing of these systems may
not be possible during a single testing event.).
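The two preceding slides describe a test plan as explicit objectives with success criteria, and tests as quantifiable metrics (the call-tree example with prescribed time limits, recovery on alternate equipment from backup media, connectivity). The block below is an added example of such an evaluation, not code or text from NIST SP 800-34 or the slides; the objectives, thresholds, timestamps and after-action results are constructed samples, and the "one corrective action per failed objective" rule is this example's choice.

```python
"""Evaluating a contingency plan test against explicit objectives and success criteria.

Added illustrative harness (not NIST SP 800-34's text and not part of the slides).
The objectives, thresholds and after-action results below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Objective:
    element: str                      # plan element under test
    criterion: str                    # success criterion in words, for the report
    metric: Callable[[Dict], float]   # derives the quantifiable metric from raw results
    threshold: float
    higher_is_better: bool = True


@dataclass(frozen=True)
class Outcome:
    element: str
    measured: float
    threshold: float
    passed: bool


def call_tree_ack_rate(results: Dict) -> float:
    """Percentage of call-tree contacts who acknowledged within 30 minutes."""
    contacts = results["call_tree"]
    acked = sum(1 for c in contacts
                if c["minutes_to_ack"] is not None and c["minutes_to_ack"] <= 30)
    return 100.0 * acked / len(contacts)


def restore_hours(results: Dict) -> float:
    """Elapsed hours from start of the restore from backup media to service available."""
    r = results["restore"]
    start = datetime.fromisoformat(r["started"])
    end = datetime.fromisoformat(r["completed"])
    return (end - start).total_seconds() / 3600


def restore_verified(results: Dict) -> float:
    """1.0 if the restored data passed integrity verification, else 0.0."""
    return 1.0 if results["restore"]["integrity_verified"] else 0.0


def connectivity_pass_rate(results: Dict) -> float:
    """Percentage of internal/external connectivity checks that succeeded."""
    checks = results["connectivity"]
    return 100.0 * sum(1 for ok in checks.values() if ok) / len(checks)


def evaluate(objectives: List[Objective], results: Dict) -> List[Outcome]:
    """Score every objective against its success criterion."""
    outcomes = []
    for obj in objectives:
        value = obj.metric(results)
        passed = value >= obj.threshold if obj.higher_is_better else value <= obj.threshold
        outcomes.append(Outcome(obj.element, value, obj.threshold, passed))
    return outcomes


def corrective_actions(objectives: List[Objective], outcomes: List[Outcome]) -> List[str]:
    """Lessons-learned items for the after-action report: one per failed objective."""
    return [
        f"{o.element}: measured {o.measured:g} against criterion '{obj.criterion}'; "
        f"update the ISCP and retest"
        for obj, o in zip(objectives, outcomes) if not o.passed
    ]


# Constructed test plan: objectives with explicit, measurable success criteria.
OBJECTIVES = [
    Objective("Notification procedures", "at least 90% of contacts acknowledge within 30 min",
              call_tree_ack_rate, 90.0),
    Objective("System recovery from backup media", "service restored within the 4 h RTO",
              restore_hours, 4.0, higher_is_better=False),
    Objective("System recovery from backup media", "restored data passes integrity checks",
              restore_verified, 1.0),
    Objective("Internal and external connectivity", "all connectivity checks succeed",
              connectivity_pass_rate, 100.0),
]

# Constructed after-action results from one test event.
RESULTS = {
    "call_tree": [
        {"name": "ops lead", "minutes_to_ack": 12},
        {"name": "DBA on call", "minutes_to_ack": 25},
        {"name": "network on call", "minutes_to_ack": None},   # never reached
        {"name": "facilities", "minutes_to_ack": 40},
        {"name": "comms officer", "minutes_to_ack": 18},
    ],
    "restore": {"started": "2024-03-02T09:00:00", "completed": "2024-03-02T12:30:00",
                "integrity_verified": True},
    "connectivity": {"LAN at alternate site": True, "WAN link": True,
                     "VPN for remote staff": False, "Internet egress": True},
}

if __name__ == "__main__":
    outcomes = evaluate(OBJECTIVES, RESULTS)
    for o in outcomes:
        print(f"{'PASS' if o.passed else 'FAIL'} {o.element}: {o.measured:g} (threshold {o.threshold:g})")
    for action in corrective_actions(OBJECTIVES, outcomes):
        print("corrective action:", action)
```

On the sample results the restore finishes in 3.5 hours and verifies cleanly, but only 60% of the call tree answered in time and one connectivity check failed, so the after-action report carries two corrective actions; defining the metric and threshold before the test, as the slides require, is what makes "pass" or "fail" a fact rather than an impression.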
Ensure TT&E - Testing
The scope of testing can range from individual system
components or systems to comprehensive tests of all
systems and components that support an ISCP.
Tests often focus on recovery and backup operations;
however, testing varies depending on the FIPS 199
impact level, the goal of the test, and its relation to a
specific ISCP.
Ensure TT&E - Training
Training for personnel with contingency plan
responsibilities should focus on familiarizing them with
ISCP roles and teaching skills necessary to accomplish
those roles.
This approach helps ensure that staff is prepared to
participate in tests and exercises as well as actual
outage events.
Training should be provided at least annually.
Personnel newly appointed to ISCP roles should
receive training shortly thereafter.
Ultimately, ISCP personnel should be trained to the
extent that they are able to execute their respective
recovery roles and responsibilities without aid of the
actual ISCP document (important: paper or electronic
versions of the plan may be unavailable for the first few
hours as a result of the disruption).
Ensure TT&E - Training
Recovery personnel should be trained on the following plan
elements:
Purpose of the plan;
Cross-team coordination and communication;
Reporting procedures;
Security requirements;
Team-specific processes (Activation and Notification,
Recovery, and Reconstitution Phases); and
Individual responsibilities (Activation and Notification,
Recovery, and Reconstitution Phases).
Ensure TT&E - Training
For the purposes of the NIST SP 800-34 publication and as
documented in NIST SP 800-84, training refers only to
informing personnel of their roles and responsibilities
within a particular information system plan and
teaching them skills related to those roles and
responsibilities, thereby preparing them for participation
in exercises, tests, and actual emergency situations
related to the ISCP.
Training personnel on their roles and responsibilities
before an exercise or test event is typically split
between a presentation on their roles and
responsibilities and activities that allow personnel to
demonstrate their understanding of the subject matter.
Ensure TT&E - Exercises
NIST SP 800-84 identifies the following types of exercises
widely used in information system TT&E programs by single
organizations:
Tabletop Exercises
Functional Exercises
Ensure TT&E - Exercises/Tabletop Exercises
Tabletop exercises are discussion-based exercises
where personnel meet in a classroom setting or in
breakout groups to discuss their roles during an
emergency and their responses to a particular
emergency situation.
A facilitator presents a scenario and asks the exercise
participants questions related to the scenario, which
initiates a discussion among the participants of roles,
responsibilities, coordination, and decision making. A
tabletop exercise is discussion-based only and does
not involve deploying equipment or other resources.
Ensure TT&E - Exercises/Functional Exercises
Functional exercises allow personnel to validate their
operational readiness for emergencies by performing
their duties in a simulated operational environment.
Functional exercises are designed to exercise the roles
and responsibilities of specific team members,
procedures, and assets involved in one or more
functional aspects of a plan (e.g., communications,
emergency notifications, system equipment setup).
...
Ensure TT&E - Exercises/Functional Exercises
...
Functional exercises vary in complexity and scope,
from validating specific aspects of a plan to full-scale
exercises that address all plan elements (Planned and
unplanned maintenance activities may also present
opportunities to execute and document a Functional
Exercise. This is often applicable to operational
systems (such as ICS) where it may be otherwise
disruptive to test certain aspects of the system or
contingency plan). Functional exercises allow staff to
execute their roles and responsibilities as they would in
an actual emergency situation, but in a simulated
manner.
Ensure TT&E - Exercises
An exercise is a simulation of an emergency designed
to validate the viability of one or more aspects of an
ISCP.
In an exercise, personnel with roles and responsibilities
in a particular ISCP meet to validate the content of a
plan through discussion of their roles and their
responses to emergency situations, execution of
responses in a simulated operational environment, or
other means of validating responses that do not involve
using the actual operational environment.
Exercises are scenario-driven, such as a power failure
in one of the organization’s data centers or a fire
causing certain systems to be damaged, with additional
situations often being presented during the course of
an exercise.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan testing, training, and exercises
TT&E:
Testing
Training
Exercises
TT&E Program Summary
Contingency Planning Guide (NIST SP 800-34)
Ensure TT&E - TT&E Program Summary
A TT&E program provides an overall framework for
determining, scheduling, and setting objectives for
TT&E activities.
Guidance on establishing an effective ISCP TT&E
program and the various methods and approaches for
conducting TT&E activities is provided in NIST SP
800-84.
The depth and rigor of ISCP TT&E activities increases
with the FIPS 199 availability security objective.
All tests and exercises should include some kind of
determination of the effects on the organization’s
operations and provide for a mechanism to update and
improve the plan as a result.
Contingency Planning Guide (NIST SP 800-34)
Ensure TT&E - TT&E Program Summary
Each of the three ISCP templates (FIPS 199 low, moderate,
and high) included as appendices to NIST SP 800-34
contains details for conducting TT&E activities appropriate to
its respective impact level (see page 30 of NIST SP
800-34).
Contingency Planning Guide (NIST SP 800-34)
Information System Contingency Planning Process
The process is common to all information systems. The
seven steps in the process are:
Develop the contingency planning policy;
Conduct the business impact analysis (BIA);
Identify preventive controls;
Create contingency strategies;
Develop an information system contingency plan;
Ensure plan testing, training, and exercises;
Ensure plan maintenance.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
To be effective, the plan must be maintained in a ready
state that accurately reflects system requirements,
procedures, organizational structure, and policies.
During the Operation/Maintenance phase of the SDLC
(System Development Life Cycle), information systems
undergo frequent changes because of shifting business
needs, technology upgrades, or new internal or
external policies.
Therefore, it is essential that the ISCP be reviewed and
updated regularly as part of the organization's change
management process.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
As identified as part of RMF (Risk Management
Framework) Step 6 (Continuous Monitoring), a
continuous monitoring process can provide
organizations with an effective tool for plan
maintenance, producing ongoing updates to security
plans, security assessment reports, and plans of action
and milestone documents.
As a general rule, the plan should be reviewed for
accuracy and completeness at an organization-defined
frequency or whenever significant changes occur to
any element of the plan.
Certain elements, such as contact lists, will require
more frequent reviews. The plans for moderate- or
high-impact systems should be reviewed more often.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
At a minimum, plan reviews should focus on the following
elements:
Operational requirements;
Security requirements;
Technical procedures;
Hardware, software, and other equipment (types,
specifications, and amount);
Names and contact information of team members;
Names and contact information of vendors, including
alternate and offsite vendor POCs;
Alternate and offsite facility requirements; and
Vital records (electronic and hardcopy).
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
Because the ISCP contains potentially sensitive
operational and personnel information, its distribution
should be marked accordingly and controlled.
Typically, copies of the plan are provided to recovery
personnel for storage.
A copy should also be stored at the alternate site and
with the backup media.
Storing a copy of the plan at the alternate site ensures
its availability and good condition in the event local plan
copies cannot be accessed because of disaster.
The ISCP Coordinator should maintain a record of
copies of the plan and to whom they were distributed.
Other information that should be stored with the plan
includes contracts with vendors (SLAs and other
contracts), software licenses, system user manuals,
security manuals, and operating procedures.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
Changes made to the plan, strategies, and policies
should be coordinated through the ISCP Coordinator,
who should communicate changes to the
representatives of associated plans or programs, as
necessary.
The ISCP Coordinator should record plan modifications
using a record of changes, which lists the page
number, change comment, and date of change.
The record of changes, depicted in Table 3-7, should
be integrated into the plan as discussed in Section 4.1
of NIST SP 800-34.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
The ISCP Coordinator should coordinate frequently
with associated internal and external organizations and
system POCs to ensure that impacts caused by
changes within any organization will be reflected in the
contingency plan.
Strict version control must be maintained by requesting
old plans or plan pages to be returned to the ISCP
Coordinator in exchange for the new plan or plan
pages.
The ISCP Coordinator also should evaluate supporting
information to ensure that the information is current and
continues to meet system requirements adequately.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
This information includes the following:
Alternate site contract, including testing times;
Offsite storage contract;
Software licenses;
MOUs or vendor SLAs;
Hardware and software requirements;
...
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
This information includes the following:
...
System interconnection agreements;
Security requirements;
Recovery strategy;
Contingency policies;
Training and awareness materials;
Testing scope; and
Other plans, e.g., COOP, BCP.
Contingency Planning Guide (NIST SP 800-34)
Ensure plan maintenance
Although some changes may be quite visible, others
will require additional analysis. When a significant
change occurs, the BIA should be updated with the
new information to identify new contingency
requirements or priorities.
As new technologies become available, preventive
controls may be enhanced and recovery strategies may
be modified.
Finally, plan maintenance should be continued as the
information system passes through the Disposal phase
of its life cycle to ensure that the plan accurately
reflects recovery priorities and concurrent processing
changes.
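As an added example (not code from NIST SP 800-34 or from these slides), the register below implements the maintenance controls described on the preceding "Ensure plan maintenance" slides: a distribution record of plan copies and their holders, strict version control using a content hash so that holders of superseded pages can be identified and asked to exchange them, a record of changes (page, comment, date), and a review schedule in which contact lists are reviewed more often than other elements and moderate/high-impact systems more often than low-impact ones. The review intervals, element names, holders and dates are assumptions chosen for illustration, not values from the guide.

```python
# Added example, not from NIST SP 800-34 or the slides: an ISCP maintenance
# register. Intervals, names and sample data are assumptions.
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review intervals (days). Contact lists are reviewed more often than
# the rest of the plan; moderate/high-impact systems more often than low.
REVIEW_INTERVAL_DAYS = {
    "low":      {"contacts": 90, "default": 365},
    "moderate": {"contacts": 30, "default": 180},
    "high":     {"contacts": 30, "default": 90},
}


@dataclass
class ChangeRecord:
    """One row of the record of changes: page, change comment, date."""
    page: str
    comment: str
    changed_on: date


@dataclass
class PlanRegistry:
    impact_level: str                      # FIPS 199 impact level: low/moderate/high
    content: str                           # current text of the plan
    record_of_changes: list = field(default_factory=list)
    holders: dict = field(default_factory=dict)        # holder -> version they hold
    last_reviewed: dict = field(default_factory=dict)  # plan element -> last review date

    def version(self) -> str:
        # A content hash names the plan version unambiguously, so a holder whose
        # recorded hash differs from the current one holds superseded pages.
        return hashlib.sha256(self.content.encode()).hexdigest()[:16]

    def distribute(self, holder: str) -> str:
        """Record that `holder` received the current version (the coordinator's list of copies)."""
        v = self.version()
        self.holders[holder] = v
        return v

    def apply_change(self, page: str, comment: str, new_content: str,
                     changed_on: date) -> str:
        """Update the plan and append a row to the record of changes."""
        self.content = new_content
        self.record_of_changes.append(ChangeRecord(page, comment, changed_on))
        return self.version()

    def stale_holders(self) -> list:
        """Holders still holding a superseded version, who must exchange old pages for new."""
        current = self.version()
        return sorted(h for h, v in self.holders.items() if v != current)

    def overdue_reviews(self, today: date) -> list:
        """Plan elements whose review interval for this impact level has elapsed."""
        intervals = REVIEW_INTERVAL_DAYS[self.impact_level]
        return sorted(
            element for element, reviewed in self.last_reviewed.items()
            if today - reviewed > timedelta(days=intervals.get(element, intervals["default"]))
        )


def demo() -> dict:
    """Constructed scenario: a moderate-impact plan, two holders, one change."""
    reg = PlanRegistry(impact_level="moderate", content="ISCP v1: contacts, procedures")
    reg.last_reviewed = {"contacts": date(2015, 1, 10), "procedures": date(2015, 1, 10)}
    v1 = reg.distribute("recovery-team-lead")
    reg.distribute("alternate-site")
    v2 = reg.apply_change("12", "Updated vendor POC", "ISCP v2: contacts, procedures",
                          date(2015, 3, 1))
    reg.distribute("recovery-team-lead")   # lead returned old pages and received v2
    return {
        "v1": v1, "v2": v2,
        "stale": reg.stale_holders(),                      # ['alternate-site']
        "overdue": reg.overdue_reviews(date(2015, 3, 1)),  # ['contacts']
        "changes": len(reg.record_of_changes),             # 1
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the alternate site still holding the superseded version after the change, and the contact list (50 days since review, against an assumed 30-day interval for a moderate-impact system) flagged as overdue while the procedures element is not.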
Contingency Planning Guide (NIST SP 800-34)
Information System Contingency Planning Process
The process is common to all information systems. The
seven steps in the process are:
Develop the contingency planning policy;
Conduct the business impact analysis (BIA);
Identify preventive controls;
Create contingency strategies;
Develop an information system contingency plan;
Ensure plan testing, training, and exercises;
Ensure plan maintenance.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
ISCP development is a critical step in the process of
implementing a comprehensive contingency planning
program.
The plan contains detailed roles, responsibilities,
teams, and procedures associated with restoring an
information system following a disruption.
The ISCP should document technical capabilities
designed to support contingency operations and should
be tailored to the organization and its requirements.
Plans need to balance detail with flexibility; usually, the
more detailed the plan, the less scalable and versatile
the approach.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Appendix A of NIST SP 800-34 provides templates that
organizations may use to develop ISCPs for their
information systems at the appropriate FIPS 199
impact level.
The information and templates provided are guides and
may be modified, customized, and/or adapted as
necessary to best meet the specific system,
operational, and organizational requirements for
contingency planning.
Appendix D discusses planning considerations
regarding personnel which should be coordinated with
the ISCP development.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Figure 4-1 of NIST SP 800-34 identifies five main
components of the contingency plan.
The supporting information and plan appendices
provide essential information to ensure a
comprehensive plan.
The Activation and Notification, Recovery, and
Reconstitution Phases address specific actions that the
organization should take following a system disruption
or emergency.
Each plan component is discussed on the subsequent
slides.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Plans should be formatted to provide quick and clear
directions in the event that personnel unfamiliar with the
plan or the systems are called on to perform recovery
operations.
Plans should be clear, concise, and easy to implement
in an emergency.
Where possible, checklists and step-by-step
procedures should be used.
A concise and well-formatted plan reduces the
likelihood of creating an overly complex or confusing
plan.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Plan components
Supporting Information.
Activation and Notification Phase.
Recovery Phase.
Reconstitution Phase.
Appendices.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
The supporting information component includes an
introduction and concept of operations section
providing essential background or contextual
information that makes the contingency plan easier to
understand, implement, and maintain.
These details aid in understanding the applicability of
the guidance, in making decisions on how to use the
plan, and in providing information on where associated
plans and information outside the scope of the plan
may be found.
The introduction section orients the reader to the type
and location of information contained in the plan.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Introduction section:
Generally, the section includes
the background
scope
assumptions
This plan format is meant to guide the contingency
plan developer. Individuals may add, delete, or modify
it as required to best fit the system's and
organization's contingency planning requirements.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Introduction section:
Background: This subsection establishes the reason
for developing the ISCP and defines the plan
objectives.
Scope: The scope identifies the FIPS 199 impact level
and associated RTOs as well as the alternate site and
data storage capabilities (as applicable).
Assumptions: This section includes the list of
assumptions that were used in developing the ISCP as
well as a list of situations that are not applicable. See
Appendix A Sample Information System Contingency
Plan Templates, for a sample of assumptions and
situations.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Concept of operations section:
The section provides additional details about the
information system:
the three phases of the contingency plan (Activation
and Notification, Recovery, and Reconstitution),
a description of the information system contingency
plan roles and responsibilities.
This section may include the following subsections:
system description, overview of three phases, roles
and responsibilities.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Concept of operations section - system description
subsection:
It is necessary to include a general description of the
information system addressed by the contingency plan.
The description should include the information system
architecture, location(s), and any other important
technical considerations.
An input/output (I/O) diagram and system architecture
diagram, including security devices (e.g., firewalls,
internal and external connections) are useful.
The content for the system description can usually be
taken from the System Security Plan (NIST SP 800-18,
Rev. 1, Guide for Developing Security Plans for Federal
Information Systems, contains details concerning
information system documentation).
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Concept of operations section - overview of three phases
subsection:
The ISCP recovery is implemented in three phases:
Activation and Notification
Recovery
Reconstitution
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Supporting Information
Concept of operations section - roles and responsibilities
subsection:
This section presents the overall structure of
contingency teams, including the hierarchy and
coordination mechanisms and requirements among the
teams.
The section also provides an overview of team member
roles and responsibilities in a contingency situation.
Teams and team members should be designated for
specific response and recovery roles during
contingency plan activation.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Plan components
Supporting Information.
Activation and Notification Phase.
Recovery Phase.
Reconstitution Phase.
Appendices.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
The phase defines initial actions taken once a system
disruption or outage has been detected or appears to
be imminent.
This phase includes activities to notify recovery
personnel, conduct an outage assessment, and
activate the plan.
At the completion of the Activation and Notification
Phase, ISCP staff will be prepared to perform recovery
measures to restore system functions.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Activation and Notification:
Activation Criteria and Procedure
Notification Procedures
Outage Assessment
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Activation Criteria and Procedure
The ISCP should be activated if one or more of the
activation criteria for that system are met.
If an activation criterion is met, the designated authority
should activate the plan. The designated authority
(typically a senior manager or CIO) has the authority to
activate the contingency plan. That authority may vary
based on the organization or system, but the individual
with this authority should be designated clearly in the
plan. Only one individual should have this authority,
and a successor should be clearly identified to assume
that responsibility if necessary.
Activation criteria for system outages or disruptions are
unique for each organization and should be stated in
the contingency planning policy.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Activation Criteria and Procedure. Criteria may be based
on:
Extent of any damage to the system (e.g., physical,
operational, or cost)
Criticality of the system to the organization’s mission
(e.g., critical infrastructure protection asset)
Expected duration of the outage lasting longer than the
RTO
The appropriate recovery teams may be notified once the
system outage or disruption has been identified and the
ISCP Coordinator has determined that activation criteria
have been met.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Activation and Notification:
Activation Criteria and Procedure
Notification Procedures
Outage Assessment
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Notification Procedures:
An outage or disruption may occur with or without prior
notice.
For example, advance notice is often given that a
hurricane is predicted to affect an area or that a
computer virus is expected on a certain date.
However, there may be no notice of equipment failure
or a criminal act.
Notification procedures should be documented in the
plan for both types of situation.
The procedures should describe the methods used to
notify recovery personnel during business and
non-business hours.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Notification Procedures:
Prompt notification is important for reducing the effects
of a disruption on the system.
In some cases, it may provide enough time to allow
system personnel to shut down the system gracefully to
avoid a hard crash.
...
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Activation and Notification Phase
Notification Procedures:
...
Following the outage or disruption, notification should
be sent to the Outage Assessment Team (The Outage
Assessment Team is a representative title. Depending
on how the organization establishes their roles and
responsibilities, other names and titles may be used) so
that it may determine the status of the situation and
appropriate next steps.
Outage assessment procedures are described in the Outage Assessment section below.
When outage assessment is complete, the appropriate
recovery and system support personnel should be
notified.
Notification Procedures:
Notifications can be accomplished through a variety of
methods, either automated or manual and include
telephone, pager, electronic mail (email), cell phone,
and messaging.
Automated notification systems follow established
protocols and criteria and can include rapid
authentication and acceptance and secure messaging.
Automated notification systems require an up-front
investment and have a learning curve, but they may be
an effective way for some organizations to ensure
prompt and accurate delivery.
Notification Procedures:
Notifications sent via email should be done with caution
because there is no way to ensure receipt and
acknowledgement.
Although email has potential as an effective method of
disseminating notifications to work or personal
accounts, there is no way to guarantee that the
message will be read.
If using an email notification method, recovery
personnel should be informed of the necessity to
frequently and regularly check their accounts.
Notifications sent during business hours should be sent
to the work address, whereas personal email
messaging may be useful in the event that the local
area network (LAN) is down.
Notification Procedures:
The notification strategy should define procedures to
be followed in the event that specific personnel cannot
be contacted.
Notification procedures should be documented clearly
in the contingency plan.
Copies of the procedures can be made and located
securely at alternate locations.
A common manual notification method is a call tree.
Notification Procedures:
The call tree technique involves assigning notification
duties to specific individuals, who in turn are
responsible for notifying other recovery personnel.
The call tree should account for primary and alternate
contact methods and should discuss procedures to be
followed if an individual cannot be contacted.
Figure 4-2 (NIST SP 800-34) presents a sample call
tree.
Notification Procedures:
Personnel to be notified should be clearly identified in
the contact lists appended to the plan.
This list should identify personnel by their team
position, name, and contact information (e.g., home,
work, cell phone, email addresses, and home
addresses).
An entry may resemble the format depicted on page 38
of NIST SP 800-34.
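As an added illustration (not part of NIST SP 800-34 or of the original slides), the following Python models the call tree and contact list described above: each contact carries a team position, a primary and an alternate contact method, and a list of people they are responsible for notifying. When someone cannot be reached by either method, the person who was trying to call them takes over their branch, so that the "individual cannot be contacted" case does not silently drop everyone further down the tree. The names, numbers and the after-hours reachability scenario are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Contact:
    """One recovery team member in the call tree (constructed sample data)."""
    name: str
    position: str
    primary: str                 # e.g. work phone
    alternate: str               # e.g. personal cell or personal email
    notifies: list = field(default_factory=list)   # Contacts this person calls next


def notify_call_tree(root, reachable, message):
    """Walk the call tree starting at `root`.

    `reachable(contact, method)` simulates one contact attempt and returns
    True when the person acknowledges the notification.  Each contact is
    tried on the primary method, then on the alternate.  If both fail, the
    caller takes over the unreachable person's notification duties, so no
    branch of the tree is lost.  Returns (notified, unreachable, log).
    """
    notified, unreachable, log = [], [], []
    pending = [(None, root)]                     # (caller, contact) pairs
    while pending:
        caller, c = pending.pop(0)
        who = caller.name if caller else "Outage Assessment Team"
        acknowledged = False
        for method in (c.primary, c.alternate):
            if reachable(c, method):
                log.append(f"{who} -> {c.name} ({c.position}) via {method}: ACK '{message}'")
                acknowledged = True
                break
            log.append(f"{who} -> {c.name} via {method}: no answer")
        if acknowledged:
            notified.append(c.name)
            pending.extend((c, child) for child in c.notifies)
        else:
            unreachable.append(c.name)
            # Fallback procedure: the caller notifies this person's branch directly.
            log.append(f"{c.name} unreachable; {who} takes over {c.name}'s branch")
            pending.extend((caller, child) for child in c.notifies)
    return notified, unreachable, log


def sample_tree():
    """Constructed contact list: ISCP Coordinator -> team lead -> two admins."""
    lead = Contact("Dana", "LAN Recovery Team lead", "work:555-0101", "cell:555-0102")
    srv = Contact("Eli", "Server administrator", "work:555-0201", "cell:555-0202")
    dba = Contact("Fay", "Database administrator", "work:555-0301", "cell:555-0302")
    lead.notifies = [srv, dba]
    coord = Contact("Ann", "ISCP Coordinator", "work:555-0001", "cell:555-0002")
    coord.notifies = [lead]
    return coord


def after_hours(contact, method):
    """Constructed scenario: nobody answers a work phone after hours,
    and Dana's cell is unreachable as well."""
    if method.startswith("work:"):
        return False
    return contact.name != "Dana"


if __name__ == "__main__":
    reached, missed, lines = notify_call_tree(sample_tree(), after_hours, "ISCP activated")
    print("\n".join(lines))
    print("notified:", reached, "unreachable:", missed)
```

Running the scenario shows Dana's two reports still being notified, by Ann rather than by Dana, which is exactly the behaviour the plan should spell out for the call tree.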
Notification Procedures:
Notifications also should be sent to points of contact
(POCs) at external organizations or interconnected
system partners that may be adversely affected if they
are unaware of the situation.
Depending on the type of outage or disruption, the
POC may have recovery responsibilities.
For each system interconnection with an external
organization, a POC should be identified.
These POCs should be listed in an appendix to the
plan.
Notification Procedures:
The type of information to be relayed to those being
notified should be documented in the plan.
The amount and detail of information relayed may
depend on the specific team being notified.
Notification Procedures:
As necessary, notification information may include the following:
Nature of the outage or disruption that has occurred or
is impending;
Any known outage estimates;
Response and recovery details;
Where and when to convene for briefing or further
response instructions;
Instructions to prepare for relocation for an estimated
time period (if applicable);
Instructions to complete notifications using the call tree
(if applicable).
Activation and Notification:
Activation Criteria and Procedure
Notification Procedures
Outage Assessment
Outage Assessment:
To determine how the ISCP will be implemented
following a system disruption or outage, it is essential
to assess the nature and extent of the disruption.
The outage assessment should be completed as
quickly as the given conditions permit, with personnel
safety remaining the highest priority.
When possible, the Outage Assessment Team is the
first team notified of the disruption.
Contingency Planning Guide (NIST SP 800-34)
ISCP - Activation and Notification Phase - Outage Assessment
Outage assessment procedures may be unique for the
particular system, but the following minimum areas should
be addressed:
Cause of the outage or disruption;
Potential for additional disruptions or damage;
Status of physical infrastructure (e.g., structural
integrity of computer room, condition of electric power,
telecommunications, and heating, ventilation and
air-conditioning [HVAC]);
Inventory and functional status of system equipment
(e.g., fully functional, partially functional, nonfunctional);
Type of damage to system equipment or data (e.g.,
water, fire and heat, physical impact, electrical surge);
Items to be replaced (e.g., hardware, software,
firmware, supporting materials);
Estimated time to restore normal services.
Outage Assessment:
Personnel with outage assessment responsibilities
should understand and be able to perform these
procedures in the event the plan is inaccessible during
the situation.
Once impact to the system has been determined, the
appropriate teams should be notified of updated
information and the planned response to the situation.
Based upon the results of the outage assessment,
ISCP notifications may be revisited and expanded
using the procedures described in the "Notification
Procedures" section.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Plan components
Supporting Information.
Activation and Notification Phase.
Recovery Phase.
Reconstitution Phase.
Appendices.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Recovery Phase
Formal recovery operations begin after the ISCP has
been activated, outage assessments have been
completed (if possible), personnel have been notified,
and appropriate teams have been mobilized.
Recovery Phase activities focus on implementing
recovery strategies to restore system capabilities,
repair damage, and resume operational capabilities at
the original or new alternate location.
At the completion of the Recovery Phase, the
information system will be functional and capable of
performing the functions identified in the plan.
Depending on the recovery strategies defined in the
plan, these functions (i.e., the functions identified in the
plan) could include temporary manual processing,
recovery and operation at an alternate system, or
relocation and recovery at an alternate site.
It is feasible that only system resources identified as
high priority in the Business Impact Analysis (BIA) will
be recovered at this stage.
The following aspects are discussed in turn:
Sequence of Recovery Activities
Recovery Procedures
Recovery Escalation and Notification
Sequence of Recovery Activities:
When recovering a complex system, such as a wide
area network (WAN) or virtual local area network
(VLAN) involving multiple independent components,
recovery procedures should reflect system priorities
identified in the BIA.
The sequence of activities should reflect the system’s
Maximum Tolerable Downtime (MTD) to avoid
significant impacts to related systems.
Procedures should be written in a stepwise, sequential
format so system components may be restored in a
logical manner.
For example, if a LAN is being recovered after a
disruption, then the most critical servers should be
recovered before other, less critical devices, such as
printers.
Similarly, to recover an application server, procedures
first should address operating system restoration and
verification before the application and its data are
recovered.
The procedures should also include escalation steps
and instructions to coordinate with other teams where
relevant when certain situations occur, such as:
An action is not completed within the expected time
frame;
A key step has been completed;
Item(s) must be procured;
Other system-specific concerns exist.
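The sequencing rules above (restore what a component depends on before the component itself, restore the highest BIA priority first among whatever is ready, and keep the whole sequence inside the MTD) can be checked mechanically before the checklist is written. The following Python is an added example, not something from NIST SP 800-34 or the original slides: the component inventory, recovery-time estimates and MTD values are constructed sample data, and the timeline assumes a single team restoring components one at a time, as a stepwise checklist would. It also flags the escalation trigger from the list above, an action that would finish later than the MTD allows.

```python
import heapq

# Constructed sample inventory for a small LAN.  priority: 1 = highest BIA
# priority; hours: estimated restoration time; mtd: Maximum Tolerable Downtime
# in hours; depends_on: components that must be restored first (e.g. the OS
# before the application, the application before its data).
COMPONENTS = {
    "core-switch":      dict(priority=1, hours=1.0, depends_on=[],                   mtd=4),
    "file-server-os":   dict(priority=1, hours=2.0, depends_on=["core-switch"],      mtd=8),
    "file-server-app":  dict(priority=1, hours=1.0, depends_on=["file-server-os"],   mtd=8),
    "file-server-data": dict(priority=1, hours=3.0, depends_on=["file-server-app"],  mtd=8),
    "print-server":     dict(priority=3, hours=1.0, depends_on=["core-switch"],      mtd=48),
    "intranet-web":     dict(priority=2, hours=1.5, depends_on=["core-switch", "file-server-data"], mtd=24),
}


def recovery_sequence(components):
    """Return a restoration order in which every dependency precedes the
    component that needs it; among components that are ready, the highest
    BIA priority (lowest number) goes first.  Raises ValueError on an
    unknown dependency or a dependency cycle, both of which are plan
    defects that must be fixed before an outage, not during one."""
    for name, c in components.items():
        for dep in c["depends_on"]:
            if dep not in components:
                raise ValueError(f"{name} depends on unknown component {dep}")
    indegree = {n: len(c["depends_on"]) for n, c in components.items()}
    dependents = {n: [] for n in components}
    for n, c in components.items():
        for dep in c["depends_on"]:
            dependents[dep].append(n)
    ready = [(components[n]["priority"], n) for n, k in indegree.items() if k == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                heapq.heappush(ready, (components[m]["priority"], m))
    if len(order) != len(components):
        stuck = [n for n in components if n not in order]
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def schedule(components):
    """Stepwise timeline (one team, one task at a time).  Returns a list of
    (component, start_hour, end_hour, within_mtd)."""
    clock = 0.0
    rows = []
    for n in recovery_sequence(components):
        start, end = clock, clock + components[n]["hours"]
        rows.append((n, start, end, end <= components[n]["mtd"]))
        clock = end
    return rows


def mtd_violations(components):
    """Components whose restoration would complete after their MTD; each is
    an escalation trigger for the Recovery Phase."""
    return [n for n, _, end, ok in schedule(components) if not ok]


if __name__ == "__main__":
    for name, start, end, ok in schedule(COMPONENTS):
        print(f"{start:5.1f}h-{end:5.1f}h  {name:18s} {'ok' if ok else 'EXCEEDS MTD'}")
    print("escalate:", mtd_violations(COMPONENTS))
```

Note that print-server becomes ready as soon as the core switch is back but is still restored last, because intranet-web has the higher BIA priority; raising the file-server-data estimate from 3 to 5 hours pushes its completion past the 8-hour MTD and the function reports it as an escalation item.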
If conditions require the system to be recovered at an
alternate site, certain materials will need to be
transferred or procured.
These items may include shipment of data backup
media from offsite storage, hardware, copies of the
recovery plan, and software programs.
Procedures should designate the appropriate team or
team members to coordinate shipment of equipment,
data, and vital records.
References to applicable appendices, such as
equipment lists or vendor contact information, should
be made in the plan where necessary.
Procedures should clearly describe requirements to
package, transport, and purchase materials required to
recover the system.
Recovery Procedures:
To facilitate Recovery Phase operations, the ISCP
should provide detailed procedures to restore the
information system or components to a known state.
Given the extensive variety of system types,
configurations, and applications, this planning guide
does not provide specific recovery procedures.
Recovery considerations are detailed for each of the
platform types in Chapter 5 of NIST SP 800-34.
Procedures should be assigned to the appropriate recovery
team and typically address the following actions:
Obtaining authorization to access damaged facilities
and/or geographic area;
Notifying internal and external business partners
associated with the system;
Obtaining necessary office supplies and work space;
Obtaining and installing necessary hardware
components;
Obtaining and loading backup media;
Restoring critical operating system and application
software;
Restoring system data to a known state;
Testing system functionality including security controls;
Connecting system to network or other external
systems; and
Operating alternate equipment successfully.
Recovery procedures should be written in a
straightforward, step-by-step style.
To prevent difficulty or confusion in an emergency, no
procedural steps should be assumed or omitted.
A checklist format is useful for documenting the
sequential recovery procedures and for troubleshooting
problems if the system cannot be recovered properly.
Figure 4-3 in NIST SP 800-34 provides a partial
example of a procedural checklist for a LAN Recovery
Team.
Recovery Escalation and Notification:
As identified in the BIA, system components,
infrastructure, and associated facilities are critical
components supporting daily mission/business
processes.
The systems, applications, and infrastructure that
connect users to these are subject to events causing
service interruptions and outages.
Including an escalation and notification component
within the Recovery Phase helps ensure that a
repeatable, structured, consistent, and measurable
recovery process is followed.
Recovery Escalation and Notification:
Effective escalation and notification procedures should
define and describe the events, thresholds, or other
types of triggers that are necessary for additional
action.
Actions would include additional notifications for more
recovery staff, messages and status updates to
leadership, and notices for additional resources.
Procedures should be included to establish a clear set
of events, actions and results, and should be
documented for teams or individuals as appropriate.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Reconstitution Phase
The Reconstitution Phase is the third and final phase of
ISCP implementation and defines the actions taken to
test and validate system capability and functionality.
During Reconstitution, recovery activities are
completed and normal system operations are resumed.
If the original facility is unrecoverable, the activities in
this phase can also be applied to preparing a new
permanent location to support system processing
requirements.
This phase consists of two major activities: validating
successful recovery and deactivation of the plan.
Validation of recovery typically includes these steps:
Concurrent Processing.
Validation Data Testing.
Validation Functionality Testing.
Concurrent processing is the process of running a system
at two separate locations concurrently until there is a level
of assurance that the recovered system is operating
correctly and securely. According to NIST SP 800-53
Contingency Plan security controls, information systems are
not required to have concurrent processing capabilities.
Validation Data Testing. Data testing is the process of
testing and validating recovered data to ensure that data
files or databases have been recovered completely and are
current to the last available backup.
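One way to make "recovered completely and current to the last available backup" testable rather than a judgement call is a hash manifest: record the SHA-256 and size of every file at backup time, store that manifest with the backup media, and compare the recovered tree against it during Reconstitution. The following Python is an added example, not a procedure from NIST SP 800-34 or the original slides; the files and the partial-restore scenario in demo() are constructed, and the approach assumes the manifest is protected from tampering (e.g. kept offsite with the media), since an attacker who can alter both data and manifest defeats the check.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: {"sha256": ..., "size": ...}} for every file
    under `root`.  Run at backup time; the result travels with the backup."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = {"sha256": digest.hexdigest(), "size": os.path.getsize(full)}
    return manifest


def validate_recovery(manifest, recovered_root):
    """Compare the recovered tree with the backup manifest.

    missing: in the backup but not recovered (incomplete restore)
    corrupt: recovered but with a different hash (truncated, altered, or
             restored from an older backup generation)
    extra:   present but not in the backup (worth a look, not a failure)
    """
    actual = build_manifest(recovered_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(p for p in set(manifest) & set(actual)
                     if manifest[p]["sha256"] != actual[p]["sha256"])
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "complete": not (missing or corrupt)}


def demo():
    """Constructed scenario: back up three files, then 'recover' them with
    one file truncated and one file left out, and validate the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "prod")
        dst = os.path.join(tmp, "recovered")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(dst, "db"))
        files = {
            ("db", "orders.dat"): b"order-1\norder-2\norder-3\n",
            ("db", "users.dat"): b"alice\nbob\n",
            ("config.ini",): b"[app]\nmode=prod\n",
        }
        for parts, data in files.items():
            with open(os.path.join(src, *parts), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)            # taken at backup time

        # Simulated restore: orders.dat came back truncated, users.dat not at all.
        with open(os.path.join(dst, "db", "orders.dat"), "wb") as fh:
            fh.write(b"order-1\n")
        with open(os.path.join(dst, "config.ini"), "wb") as fh:
            fh.write(files[("config.ini",)])
        return validate_recovery(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

The same manifest can be regenerated after the Data Backup step of plan deactivation, so the post-reconstitution backup is verified against the system that was just declared operational rather than against the pre-outage state.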
Validation Functionality Testing. Functionality testing is a
process for verifying that all system functionality has been
tested, and the system is ready to return to normal
operations.
At the successful completion of the validation testing,
ISCP personnel will be prepared to declare that
reconstitution efforts are complete and that the system
is operating normally.
This declaration may be made in a
recovery/reconstitution log or other documentation of
reconstitution activities.
The ISCP Coordinator, in coordination with the
Information System Owner, the Information System
Security Officer (ISSO) and the Senior Agency
Information Security Officer (SAISO), and with the
concurrence of the Authorizing Official, must determine
whether the system has undergone significant change
and will require reassessment and reauthorization.
Examples of significant changes that could arise in a
contingency situation and would require reassessment
and reauthorization are:
a new or upgraded hardware platform;
moving to a new facility.
The utilization of a continuous monitoring strategy/program can guide the scope of the reauthorization to focus on those environment/facility controls and any other controls which would be impacted by the reconstitution efforts.
Assessment and authorization guidance is available in NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
Deactivation of the plan is the process of returning the system to normal operations and finalizing reconstitution activities to prepare the system against another outage or disruption.
These activities include:
Notifications.
Cleanup.
Offsite Data Storage.
Data Backup.
Event Documentation.
Notifications: Upon return to normal operations, users should be notified by the ISCP Coordinator (or designee) using predefined notification procedures.
Cleanup: Cleanup is the process of cleaning up work space or dismantling any temporary recovery locations, restocking supplies, returning manuals or other documentation to their original locations, and readying the system for another contingency event.
Offsite Data Storage: If offsite data storage is used, procedures should be documented for returning retrieved backup or installation media to its offsite data storage location. According to the NIST SP 800-53 Contingency Plan security controls, a low-impact system is not required to have offsite data storage capabilities.
Data Backup: As soon as reasonable following reconstitution, the system should be fully backed up and a new copy of the current operational system stored for future recovery efforts. This full backup should be stored with other system backups and comply with applicable security controls.
Event Documentation: All recovery and reconstitution events should be well documented, including actions taken and problems encountered during the recovery and reconstitution efforts. An after-action report with lessons learned should be documented and included for updating the ISCP.
Once all activities and steps have been completed and documentation has been updated, the ISCP can be formally deactivated. An announcement with the declaration should be sent to all business and technical contacts.
Contingency Planning Guide (NIST SP 800-34)
Develop an information system contingency plan
Plan components
Supporting Information.
Activation and Notification Phase.
Recovery Phase.
Reconstitution Phase.
Appendices.
Contingency Planning Guide (NIST SP 800-34)
Develop an ISCP - Plan Appendices
Contingency plan appendices provide key details not contained in the main body of the plan. Common contingency plan appendices include the following:
Contact information for contingency planning team personnel;
Vendor contact information, including offsite storage and alternate site POCs;
BIA;
Detailed recovery procedures and checklists;
Detailed validation testing procedures and checklists;
Equipment and system requirements lists of the hardware, software, firmware, and other resources required to support system operations. Details should be provided for each entry, including model or version number, specifications, and quantity;
Alternate mission/business processing procedures that may occur while recovery efforts are being done to the system;
ISCP testing and maintenance procedures;
System interconnections (systems that directly interconnect or exchange information); and
Vendor SLAs, reciprocal agreements with other organizations, and other vital records.
Computer Security Incident Handling
Guide (according to NIST SP 800-61)
Computer Security Incident Handling Guide
(NIST SP 800-61)
Executive Summary
Computer security incident response has become an important component of information technology (IT) programs.
Security-related threats have become not only more numerous and diverse but also more damaging and disruptive.
New types of security-related incidents emerge frequently.
Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.
An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.
To that end, NIST SP 800-61 provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources.
Continually monitoring threats through intrusion detection systems (IDSs) and other mechanisms is essential.
Establishing clear procedures for assessing the current and potential business impact of incidents is critical, as is implementing effective methods of collecting, analyzing, and reporting data.
Building relationships and establishing suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement) are also vital.
NIST SP 800-61 discusses the following items:
Organizing a computer security incident response capability
Handling incidents from initial preparation through the post-incident lessons learned phase
Handling specific types of incidents.
Organizing a computer security incident response capability:
Creating an incident response policy
Developing procedures for performing incident handling and reporting, based on the incident response policy
Setting guidelines for communicating with outside parties regarding incidents
Selecting a team structure and staffing model
Establishing relationships between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
Determining what services the incident response team should provide
Staffing and training the incident response team.
Handling specific types of incidents:
Denial of Service (DoS)
Malicious Code
Unauthorized Access
Inappropriate Usage
Multiple Component
Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications:
Preventing problems is normally less costly and more effective than reacting to them after they occur.
Incident handling can be performed more effectively if organizations complement their incident response capability with adequate resources to actively maintain the security of networks, systems, and applications, freeing the incident response team to focus on handling serious incidents.
Organizations should document their guidelines for interactions with other organizations regarding incidents:
During incident handling, the organization may need to communicate with outside parties, including other incident response teams, law enforcement, the media, vendors, and external victims.
Because such communications often need to occur quickly, organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties.
If sensitive information is released inappropriately, it can lead to greater disruption and financial loss than the incident itself.
Creating and maintaining a list of internal and external POCs, along with backups for each contact, should assist in making communications among parties easier and faster.
Organizations should emphasize the importance of incident detection and analysis throughout the organization:
In an organization, thousands or millions of possible signs of incidents may occur each day, recorded mainly by logging and computer security software.
Automation is needed to perform an initial analysis of the data and select events of interest for human review.
Event correlation software and centralized logging can be of great value in automating the analysis process. However, the effectiveness of the process depends on the quality of the data that goes into it.
Organizations should establish logging standards and procedures to ensure that adequate information is collected by logs and security software and that the data is reviewed regularly.
Organizations should create written guidelines for prioritizing incidents:
Prioritizing the handling of individual incidents is a critical decision point in the incident response process.
Incidents should be prioritized based on the following:
Criticality of the affected resources (e.g., public Web server, user workstation)
Current and potential technical effect of the incident (e.g., root compromise, data destruction).
Combining the criticality of the affected resources and the current and potential technical effect of the incident determines the business impact of the incident: for example, data destruction on a user workstation might result in a minor loss of productivity, whereas root compromise of a public Web server might result in a major loss of revenue, productivity, access to services, and reputation, as well as the release of confidential data (e.g., credit card numbers, Social Security numbers).
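The automated initial analysis and the prioritization rule described above, as an added example that is not part of the slides or of NIST SP 800-61: it parses constructed auth and firewall log lines, rejects records that violate an assumed logging standard, correlates bursts of login failures per host and account into events of interest for human review, and combines the criticality of the affected resource with the technical effect into a business-impact priority and SLA deadline. Host names, thresholds, the scoring scale and the SLA times are all constructed assumptions.

```python
"""Added example (not from the slides or NIST SP 800-61): automated initial log
analysis with a logging-standard check, then business-impact prioritization."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed logging standard: every record carries timestamp, log source, host,
# event type and acting principal. Records that violate it are reported, not
# silently analysed: the analysis is only as good as the data that goes in.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<source>\S+) "
    r"host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$"
)

# Constructed sample records from an authentication server and a firewall.
SAMPLE_LOG = """\
2015-05-04T09:00:01 auth host=web01 event=login_failure user=admin
2015-05-04T09:00:03 auth host=web01 event=login_failure user=admin
2015-05-04T09:00:05 auth host=web01 event=login_failure user=admin
2015-05-04T09:00:07 auth host=web01 event=login_failure user=admin
2015-05-04T09:00:09 auth host=web01 event=login_failure user=admin
2015-05-04T09:00:12 auth host=web01 event=login_success user=admin
2015-05-04T09:05:00 firewall host=ws17 event=conn_blocked user=-
2015-05-04T09:30:00 auth host=ws17 event=login_failure user=jdoe
2015-05-04T09:31:00 auth host=ws17 event=login_success user=jdoe
2015-05-04T10:00:00 auth host=db02 event=login_failure
"""

# Criticality of affected resources (constructed ordinal levels: 3 = public Web
# server or database, 1 = user workstation) and the technical effect assumed
# for each correlation rule (3 = likely privileged-account compromise).
ASSET_CRITICALITY = {"web01": 3, "db02": 3, "ws17": 1}
RULE_EFFECT = {"brute_force_then_success": 3, "brute_force": 2}
WINDOW = timedelta(seconds=60)
FAILURE_THRESHOLD = 4
# Constructed SLA: maximum response time per priority level.
SLA_RESPONSE = {"high": timedelta(minutes=15), "medium": timedelta(hours=2),
                "low": timedelta(hours=24)}


def parse_log(text):
    """Return (records, malformed_lines); enforces the logging standard."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    return records, malformed


def correlate(records):
    """Initial automated analysis: select events of interest for human review.
    Groups auth events per (host, user) and looks for a burst of failures
    within WINDOW, optionally followed by a success (account likely compromised)."""
    by_key = defaultdict(list)
    for rec in records:
        if rec["source"] == "auth":
            by_key[(rec["host"], rec["user"])].append(rec)
    candidates = []
    for (host, user), events in by_key.items():
        events.sort(key=lambda r: r["ts"])
        failures = [e for e in events if e["event"] == "login_failure"]
        for i, first in enumerate(failures):
            window_end = first["ts"] + WINDOW
            burst = [f for f in failures[i:] if f["ts"] <= window_end]
            if len(burst) < FAILURE_THRESHOLD:
                continue
            rule = "brute_force"
            if any(e["event"] == "login_success"
                   and burst[-1]["ts"] <= e["ts"] <= window_end for e in events):
                rule = "brute_force_then_success"
            candidates.append({"rule": rule, "host": host, "user": user,
                               "first_seen": first["ts"]})
            break  # one candidate per (host, user); a human reviewer takes over
    return candidates


def prioritize(candidate):
    """Combine resource criticality with technical effect into a business-impact
    score (constructed 1..9 scale), a priority level and an SLA deadline."""
    criticality = ASSET_CRITICALITY.get(candidate["host"], 1)
    score = criticality * RULE_EFFECT[candidate["rule"]]
    priority = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {**candidate, "impact_score": score, "priority": priority,
            "respond_by": candidate["first_seen"] + SLA_RESPONSE[priority]}


def triage(text):
    """Full pipeline: parse, correlate, prioritize. Returns (incidents, malformed)."""
    records, malformed = parse_log(text)
    return [prioritize(c) for c in correlate(records)], malformed


if __name__ == "__main__":
    incidents, bad = triage(SAMPLE_LOG)
    for inc in incidents:
        print(inc["priority"].upper(), inc["rule"], inc["host"], inc["user"],
              "respond by", inc["respond_by"].strftime("%H:%M:%S"))
    for line in bad:
        print("MALFORMED (violates logging standard):", line)
```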
Incident handlers may be under great stress during incidents, so it is important to make the prioritization process clear.
Organizations should decide how the incident response team should react under various circumstances, and then create a Service Level Agreement (SLA) that documents the appropriate actions and maximum response times.
This documentation is particularly valuable for organizations that outsource components of their incident response programs.
Documenting the guidelines should facilitate faster and more consistent decision-making.
Organizations should use the lessons learned process to gain value from incidents:
After a major incident has been handled, the organization should hold a lessons learned meeting to review how effective the incident handling process was and identify necessary improvements to existing security controls and practices.
Lessons learned meetings should also be held periodically for lesser incidents.
The information accumulated from all lessons learned meetings should be used to identify systemic security weaknesses and deficiencies in policies and procedures.
Follow-up reports generated for each resolved incident can be important not only for evidentiary purposes but also for reference in handling future incidents and in training new incident response team members.
An incident database, with detailed information on each incident that occurs, can be another valuable source of information for incident handlers.
Organizations should strive to maintain situational awareness during large-scale incidents:
Organizations typically find it very challenging to maintain situational awareness for the handling of large-scale incidents because of their complexity.
Many people within the organization may play a role in the incident response, and the organization may need to communicate rapidly and efficiently with various external groups.
Collecting, organizing, and analyzing all the pieces of information, so that the right decisions can be made and executed, are not easy tasks.
The key to maintaining situational awareness is preparing to handle large-scale incidents, which should include the following:
Establishing, documenting, maintaining, and exercising on-hours and off-hours contact and notification mechanisms for various individuals and groups within the organization (e.g., chief information officer [CIO], head of information security, IT support, business continuity planning) and outside the organization (e.g., incident response organizations, counterparts at other organizations).
Planning and documenting guidelines for the prioritization of incident response actions based on business impact.
Preparing one or more individuals to act as incident leads who are responsible for gathering information from the incident handlers and other parties, and distributing relevant information to the parties that need it.
Practicing the handling of large-scale incidents through exercises and simulations on a regular basis; such incidents happen rarely, so incident response teams often lack experience in handling them effectively.
Computer Security Incident Handling Guide
(NIST SP 800-61)
Organizing A Computer Security Incident Response Capability
One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear.
The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams.
Incident response policy and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently.
Events and Incidents:
An event is any observable occurrence in a system or network.
Events include a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt.
Adverse events are events with a negative consequence, such as system crashes, network packet floods, unauthorized use of system privileges, defacement of a Web page, and execution of malicious code that destroys data.
NIST SP 800-61 addresses only adverse events that are computer security-related and excludes adverse events caused by sources such as natural disasters and power failures.
The definition of a computer security incident has evolved.
In the past, a computer security incident was thought of as a security-related adverse event in which there was a loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability.
New types of computer security incidents have emerged since then, necessitating an expanded definition of an incident.
An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
(An “imminent threat of violation” refers to a situation in which the organization has a factual basis for believing that a specific incident is about to occur. For example, the antivirus software maintainers may receive a bulletin from the software vendor, warning them of a new worm that is rapidly spreading across the Internet.)
Examples of today’s incidents are as follows:
Denial of Service
An attacker sends specially crafted packets to a Web server, causing it to crash.
An attacker directs hundreds of external compromised workstations to send as many Internet Control Message Protocol (ICMP) requests as possible to the organization’s network.
Malicious Code
A worm uses open file shares to quickly infect several hundred workstations within an organization.
An organization receives a warning from an antivirus vendor that a new virus is spreading rapidly via e-mail throughout the Internet. The virus takes advantage of a vulnerability that is present in many of the organization’s hosts. Based on previous antivirus incidents, the organization expects that the new virus will infect some of its hosts within the next three hours.
Unauthorized Access
An attacker runs an exploit tool to gain access to a server’s password file.
A perpetrator obtains unauthorized administrator-level access to a system and then threatens the victim that the details of the break-in will be released to the press if the organization does not pay a designated sum of money.
Inappropriate Usage
A user provides illegal copies of software to others through peer-to-peer file sharing services.
A person threatens another person through e-mail.
Incident response has become necessary because attacks frequently cause the compromise of personal and business data.
The following are benefits of having an incident response capability:
Responding to incidents systematically so that the appropriate steps are taken
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information, and disruption of services.
Using information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data
Dealing properly with legal issues that may arise during incidents.
Computer Security Incident Handling Guide
(NIST SP 800-61)
Incident Response Policy and Procedure Creation
Policy governing incident response is highly individualized to the organization. However, most policies include the same key elements, regardless of whether the organization’s incident response capability is indigenous or outsourced:
Statement of management commitment.
Purpose and objectives of the policy.
Scope of the policy (to whom and what it applies and under what circumstances).
Definition of computer security incidents and their consequences within the context of the organization.
Organizational structure and delineation of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, and the requirements for reporting certain types of incidents.
Prioritization or severity ratings of incidents.
Performance measures.
Reporting and contact forms.
Procedures should be based on the incident response policy.
Standard operating procedures (SOPs) are a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team. SOPs should be comprehensive and detailed to ensure that the priorities of the organization are reflected in response operations.
In addition, following standardized responses should minimize errors, particularly those that might be caused by incident handling tempo and stress.
SOPs should be tested to validate their accuracy and usefulness, then distributed to all team members.
Training should be provided for SOP users; the SOP documents can be used as an instructional tool.
Computer Security Incident Handling Guide
(NIST SP 800-61)
Sharing Information With Outside Parties
The organization may need to communicate with
outside parties regarding an incident.
This includes reporting incidents to organizations such
as the CERT Coordination Center (CERT/CC),
contacting law enforcement, and fielding inquiries from
the media.
Incident handlers may also need to discuss the incident
with other involved parties, such as the organization’s
Internet service provider (ISP), the ISP that the attacker
is using, the vendor of vulnerable software, or other
incident response teams that may be familiar with
unusual activity that the handler is trying to understand.
An organization may want to, or be required to, communicate
incident details to an outside organization for numerous
reasons.
...
The incident response team should discuss this at
length with the organization’s public affairs office, legal
department, and management before an incident
occurs to establish policies and procedures regarding
information sharing.
Otherwise, sensitive information regarding incidents
may be provided to unauthorized parties; this action
could lead to greater disruption and financial loss than
the incident itself.
The team should document all contacts and
communications with outside parties for liability and
evidentiary purposes.
Figure 2-1 shows several outside parties with which the
organization may need to communicate. The arrows
indicate the direction of the communication: for
example, the organization may initiate communications
with software vendors. Double-headed arrows indicate
that either party may initiate communications.
The Media:
Dealing with the media is an important part of incident
response.
The incident handling team should establish media
communications procedures that comply with the
organization's policies on appropriate interaction with
the media and information disclosure (for example, an
organization may want members of its public affairs
office and legal department to participate in all incident
discussions with the media).
Organizations often find it beneficial to designate a
single media point of contact (POC) and at least one
backup contact for discussing incidents with the media.
Ideally, all members of the incident response team
should be prepared to interact with the media.
Computer Security Incident Handling Guide
(NIST SP 800-61)
Sharing Information With Outside Parties
The following actions should be considered for preparing
those who may be communicating with the media:
Conduct training sessions on interacting with the media
regarding incidents, which should include:
The importance of not revealing sensitive information,
such as technical details of countermeasures (e.g.,
which protocols the firewall permits), which could assist
other would-be attackers.
The positive aspects of communicating important
information to the public fully and effectively.
Establish procedures to brief media contacts on the
issues and sensitivities regarding a particular incident
before discussing it with the media.
...
Hold mock interviews and press conferences during
incident handling exercises. The following are
examples of questions to ask the media contact:
Who attacked you?
When did it happen?
How did they do the attack?
How widespread is this incident?
Did this happen because you have poor security
practices?
...
What steps are you taking to determine what
happened?
What is the impact of this incident?
What is the estimated monetary cost of this incident?
Law Enforcement
One reason that many security-related incidents do not
result in convictions is that organizations do not
properly contact law enforcement.
The incident response team should become familiar
with its various law enforcement representatives before
an incident occurs to discuss conditions under which
incidents should be reported to them, how the reporting
should be performed, what evidence should be
collected, and how it should be collected.
Law enforcement should be contacted through
designated individuals in a manner consistent with the
requirements of the law and the organization’s
procedures.
Many organizations prefer to appoint one incident
response team member as the primary POC with law
enforcement.
...
This person should be familiar with the reporting
procedures for all relevant law enforcement agencies
and well prepared to recommend which agency, if any,
should be contacted.
...
Note that the organization typically should not contact
multiple agencies because doing so might result in
jurisdictional conflicts.
The incident response team should understand what
the potential jurisdictional issues are (e.g., physical
location—an organization based in one state has a
server located in a second state attacked from a
system in a third state, being used remotely by an
attacker in a fourth state).
Other Outside Parties:
The Organization’s ISP: During a network-based DoS
attack, an organization may need assistance from its
ISP in blocking the attack or tracing its origin.
Owners of Attacking Addresses: Incident handlers may
want to talk to the designated security contacts of the
organization that owns the attacking addresses to alert
them to the activity or to ask them to collect evidence.
Handlers should be cautious if they are unfamiliar with
the external organization, because the owner of the
address space could be the attacker or an associate of
the attacker.
...
Software Vendors:
Under some circumstances, incident handlers may want
to speak to a software vendor about suspicious activity.
This contact could include questions regarding the
significance of certain log entries or known false
positives for certain intrusion detection signatures,
where minimal information regarding the incident may
need to be revealed.
More information may need to be provided in some
cases—for example, if a server appears to have been
compromised through an unknown software
vulnerability. Incident handlers may have other
questions for vendors, such as the availability of
patches or fixes for new vulnerabilities.
...