Business Continuity Planning
Information stored in a company's operating systems or servers is one of the most important assets in the company's custody and should be safeguarded. Such information is a frequent target of attackers from both inside and outside the company, who usually act with the intent of committing fraud or disrupting the company's smooth operation. To avoid such damage, companies should invest in information security and close every loophole. In addition, every company should be prepared to respond effectively to any incident that breaks through its security defences. This business paper discusses the types of backups and auditing and explores the incident response process. In addition, the paper gives recommendations to Web Site 101 on how it can respond to the security threats facing its server.
Keywords: auditing, backups, incident, response
Types of Backups
Most systems support three backup methods: full, incremental and differential backups. A full backup is a complete and comprehensive copy of all organizational files on a server or disk. Once it completes, the organization holds a complete archive of its system at that point in time. However, a full backup can be time consuming, especially on a large system. An incremental backup copies only the files that have changed since the last incremental or last full backup. Unlike a full backup, an incremental backup takes little time and allows operations to resume faster. However, every incremental backup must be retained until the next full backup is taken, because a restore needs the whole chain. A differential backup resembles an incremental backup except that it copies all files that have changed since the last full backup. Although it is more comprehensive than an incremental backup, each successive differential backup takes longer as the set of changed files grows (Dulaney, 2011).
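The selection rule behind the three backup types, and the restore chain each one implies, is easier to see when worked through on a small file set. The following is an added illustration, not code from the paper or from Dulaney (2011); the file names, their modification days and the four-day schedule are constructed:

```python
"""Simulate full, incremental and differential backup selection and restore.

Added illustration, not from the paper or Dulaney (2011). Files are
represented as name -> day last modified (constructed logical timestamps).
"""


def files_to_copy(kind, files, history):
    """Return the sorted names of files a backup of `kind` must copy.

    files:   {name: mtime}, mtime as a day number
    history: list of (kind, day) for earlier backups, oldest first
    """
    if kind == "full":
        return sorted(files)                       # everything, always
    fulls = [day for k, day in history if k == "full"]
    if not fulls:
        # a partial backup without a prior full backup has no baseline
        raise ValueError("partial backup requested before any full backup")
    if kind == "incremental":
        # since the last backup of either kind (full or incremental)
        baseline = max(day for k, day in history if k in ("full", "incremental"))
    elif kind == "differential":
        baseline = fulls[-1]                       # since the last full only
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    return sorted(name for name, mtime in files.items() if mtime > baseline)


def restore_chain(history):
    """Backups (oldest first) that must be read to rebuild the newest state."""
    last_full = max(i for i, (k, _) in enumerate(history) if k == "full")
    after = history[last_full + 1:]
    if after and after[-1][0] == "differential":
        # the latest full plus only the newest differential is enough
        return [history[last_full], after[-1]]
    # the latest full plus every incremental since, in order
    return [history[last_full]] + [b for b in after if b[0] == "incremental"]


# Constructed file set: name -> day last modified
FILES = {"db.sql": 1, "config.yml": 1, "report.doc": 1, "notes.txt": 1}
# Constructed edits: which files change on each later day
EDITS = {2: ["db.sql"], 3: ["config.yml"], 4: ["db.sql"]}


def simulate(kind):
    """Full backup on day 1, then backups of `kind` on days 2..4.

    Returns ({day: files copied}, history) so the two strategies can be compared.
    """
    files = dict(FILES)
    history = [("full", 1)]
    copied = {1: files_to_copy("full", files, [])}
    for day in (2, 3, 4):
        for name in EDITS[day]:
            files[name] = day
        copied[day] = files_to_copy(kind, files, history)
        history.append((kind, day))
    return copied, history


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        copied, history = simulate(kind)
        print(kind, copied)
        print("  restore reads:", restore_chain(history))
```

Running it shows the trade-off the paragraph describes: the incremental run copies one file per day but needs all four backups to restore, while the differential run copies a growing set each day and restores from just two.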
Incident Response Process
The incident response process normally has five steps. The first step is incident identification, which aims to determine what has transpired in the organization. An event is often a signal triggered by an intrusion detection system (IDS) and should be verified by operations personnel. The first responder should establish whether the event is a genuine incident or a false alarm. If verification confirms an incident, escalation is needed: consulting the relevant policies and appropriate management and establishing how best to carry out the investigation (Dulaney, 2011).
Investigating the evidence forms the second step and entails searching files, logs and other data sources to determine the scope and nature of the incident. The investigation should establish whether the incident is a random event, part of a larger attack or a false positive. It might establish that the attack could not have succeeded and therefore requires no response; alternatively, it might recommend a change in policy to deal with similar threats in the future. Decisions made following an investigation should be documented (Dulaney, 2011).
The third step is repairing the damage. Once the incident has been characterized, the response team should establish how to restore access to the company resources the attack compromised. Restoration should be accompanied by re-establishing control of the operating system. Repair in place is possible for simple attacks such as a DoS attack. However, rebuilding from scratch may be necessary when the system is severely compromised, as in the case of a worm. In such cases a complete format of the disk drive is needed to ensure that nothing suspicious remains on the disk that could re-infect the system being rebuilt (Dulaney, 2011).
Documenting and reporting the incident is the fourth step. While responding to an incident, it is important to document every step taken to identify, detect and repair the compromised network. This information is valuable in dealing with future incidents and should be made available to the people who are likely to handle them. Whenever possible, the incident should be reported to legal authorities, CERT and the software or system manufacturer. Disclosing the incident also helps others take the precautions needed to avoid similar incidents (Dulaney, 2011).
Adjusting procedures is the fifth and last step. It should be carried out once the response team has successfully managed the incident. It entails revisiting organizational procedures and policies to establish what changes, if any, need to be made. The review can be conducted by answering simple questions after the response; for instance, asking whether the policy worked during the response can prompt the necessary adjustments. This review process is referred to as a postmortem (Dulaney, 2011).
Types of Auditing
Dulaney (2011) defines auditing as the process of ensuring that organizational regulations, procedures and policies are carried out in line with the organization's standards. User access and rights reviews should be audited periodically to establish whether computer usage and escalation processes are in place and functional. The auditor's role is essential in this process, as he or she acts as a consultant charged with ensuring that procedures are adhered to. Privilege audits are performed to verify that groups, roles and accounts are correctly assigned and that stakeholders adhere to policies. This audit verifies that access is granted in the right manner, that policies are effective and that security is in place. A complete review of all groups and accounts may be necessary during a privilege audit to confirm correct implementation. A usage audit, on the other hand, is normally performed to verify that software and systems are used properly and in line with organizational policies. This audit might involve verifying software configuration, physically inspecting systems and other activities aimed at proving that resources are being put to appropriate use (Dulaney, 2011).
Escalation audits are performed to establish whether procedures and communication methods function appropriately in the event of a problem. Primarily, an escalation audit focuses on whether decision makers can be reached during a crisis. The audit ensures that the organization has appropriate policies, procedures and tools to deal with problems arising from emergencies or catastrophes. By contrast, administrative auditing entails documenting the procedures followed in handling data and the details of those involved in the process. This audit should also cover change management, a structured approach aimed at securing the company's assets; it is essential for preventing unauthorized access to all IT assets. Finally, log file auditing is an essential operation that carefully monitors the size of the log files the organization uses. Audits of log entries should be performed regularly; at least once a week is recommended. The auditor should clear the file manually only once he or she is sure that there are no alarms requiring a response (Dulaney, 2011).
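A privilege audit of the kind described above, checking that groups, roles and accounts are correctly assigned, can be reduced to comparing an export of actual memberships against an approved role matrix. The following is an added example, not code from the paper or from Dulaney (2011); the role matrix, the account export and the finding labels are all constructed:

```python
"""Privilege audit: compare actual account/group assignments with policy.

Added example, not from the paper or Dulaney (2011). ROLE_GROUPS and
ACCOUNTS are constructed stand-ins for an HR role matrix and a directory
export; the finding labels are assumptions made for this illustration.
"""

# Approved groups for each job role (constructed policy).
ROLE_GROUPS = {
    "developer": {"developers", "vpn"},
    "finance":   {"finance", "vpn"},
    "sysadmin":  {"developers", "finance", "vpn", "wheel"},
}

# Constructed directory export: username -> (role, actual groups, account enabled)
ACCOUNTS = {
    "alice": ("developer",  {"developers", "vpn"}, True),            # compliant
    "bob":   ("finance",    {"finance", "vpn", "wheel"}, True),      # holds wheel
    "carol": ("sysadmin",   {"developers", "vpn", "wheel"}, True),   # subset of allowed
    "dave":  ("contractor", {"vpn"}, True),                          # role has no policy
    "erin":  ("developer",  {"developers"}, False),                  # disabled, still grouped
}


def audit_privileges(accounts, role_groups):
    """Return (user, finding, detail) tuples for every policy deviation.

    Findings produced:
      unknown-role                    role has no entry in the approved matrix
      excess-privilege                user holds groups the role does not permit
      disabled-account-retains-groups account is disabled but still in groups
    """
    findings = []
    for user, (role, groups, enabled) in sorted(accounts.items()):
        allowed = role_groups.get(role)
        if allowed is None:
            findings.append((user, "unknown-role", role))
            continue
        excess = groups - allowed
        if excess:
            findings.append((user, "excess-privilege", ",".join(sorted(excess))))
        if not enabled and groups:
            findings.append((user, "disabled-account-retains-groups",
                             ",".join(sorted(groups))))
    return findings


def compliant_users(accounts, role_groups):
    """Users with no findings at all, for the audit summary."""
    flagged = {user for user, _, _ in audit_privileges(accounts, role_groups)}
    return sorted(set(accounts) - flagged)


if __name__ == "__main__":
    for user, finding, detail in audit_privileges(ACCOUNTS, ROLE_GROUPS):
        print(f"{user:6} {finding:32} {detail}")
    print("compliant:", ", ".join(compliant_users(ACCOUNTS, ROLE_GROUPS)))
```

Holding fewer groups than the role permits (carol) is not flagged, since least privilege is the goal; holding more than the role permits (bob), having a role the policy never defined (dave), or keeping group memberships on a disabled account (erin) are the deviations a periodic review should surface.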
Recommendations to Web Site 101
Web Site 101 faces data security challenges and needs to enact certain changes to secure its data. The organization should conduct a security risk assessment in order to address the problem. Performing a risk assessment would enable Web Site 101 to identify, assess and modify its overall security posture. It would bring organizational, operations and security management, among other personnel, together to look at the whole organization from an attacker's perspective. A security risk assessment is essential because it prompts management's commitment to allocating resources for the implementation of appropriate security solutions. The enterprise risk assessment should be comprehensive enough to define the value of the data the firm generates and stores; without such a valuation it becomes cumbersome for management to prioritize and allocate funds where they are needed most. For an accurate assessment, the process should identify the data that are most valuable to the firm, the mechanisms used to store them and the vulnerabilities linked to those mechanisms (Shmittling & Munns, 2010).
The firm should institute physical access control to prevent intruders from physically reaching its stored data. Physical access to the firm's equipment, secure areas or material containing sensitive organizational data makes it easier for malicious insiders or outsiders to carry out criminal activities. Management should put perimeter security in place as a physical safeguard. Access to the entire corporate office should be monitored, and all offices should be locked and alarmed when not in use. Access to sensitive rooms within the building should be restricted. Computers should be located where their screens cannot be viewed by the public. Important files should be stored in areas that are not accessible to the public and should be accessed only by authorized employees (Data Protection Commissioner, 2014).
Apart from physical access control, the firm should limit the sites on the network that employees can reach through privilege management. This policy involves deciding what level of information is accessed, how it is accessed and which individuals are allowed to access it. Web Site 101 should ensure that it does not grant more privileges or access than individuals require to perform their duties. The organization should also introduce time and day restrictions that define the period during which accounts can access the system. Employees usually use the system on weekdays from 8:00 a.m. to 5:00 p.m., so the firm should configure its accounts to allow access from 7:00 a.m. to 6:00 p.m. This configuration reduces the window available to attackers and prevents workers from accessing the system outside the defined hours (Dulaney, 2011).
Since most employees complain that they do not understand what is expected of them from a security viewpoint, it is necessary to make them aware of their responsibilities. No matter how many technical resources the firm invests in access controls, they may not yield results if employees are unaware of their responsibilities. Employees should be sensitized to safeguarding their passwords: they should not write passwords down, nor leave them in convenient places. Employees should be careful not to open unexpected e-mail attachments unless these have been screened by anti-virus software. They should be trained effectively on the risks of data compromise, and the training should highlight the role of employees in preventing data loss and how they should respond in the event of a breach. Once employees have been informed of the security measures, data controllers should ensure that they comply with them. Employees should be made aware that they have a legal obligation to keep organizational data secure. Enforcing the security policy ensures individual and organizational accountability. Employee awareness and accountability greatly reduce the threats that arise from employee negligence (Data Protection Commissioner, 2014).
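The time and day restriction recommended above (weekday access from 7:00 a.m. to 6:00 p.m.) is both a preventive control and something an auditor can check after the fact by running logon records through the same rule. The following is an added example, not code from the paper or from Dulaney (2011); the logon records are constructed and the policy constants mirror the hours the paper recommends:

```python
"""Enforce and audit a weekday 07:00-18:00 logon window.

Added example, not from the paper or Dulaney (2011). The window constants
follow the paper's recommendation; SAMPLE_LOGONS is a constructed set of
audit records in ISO-8601 local time.
"""
from datetime import datetime, time

WORK_DAYS = range(0, 5)        # Monday (0) to Friday (4), per datetime.weekday()
WINDOW_START = time(7, 0)      # 7:00 a.m.
WINDOW_END = time(18, 0)       # 6:00 p.m. (exclusive: 18:00 itself is outside)


def logon_allowed(when, start=WINDOW_START, end=WINDOW_END, days=WORK_DAYS):
    """True if an interactive logon at `when` falls inside the permitted window."""
    return when.weekday() in days and start <= when.time() < end


# Constructed audit records: (user, timestamp). 2024-03-04 is a Monday.
SAMPLE_LOGONS = [
    ("alice", "2024-03-04T08:15:00"),   # Monday 08:15     -> allowed
    ("bob",   "2024-03-04T06:45:00"),   # Monday 06:45     -> before the window opens
    ("carol", "2024-03-06T17:59:00"),   # Wednesday 17:59  -> allowed
    ("dave",  "2024-03-06T18:00:00"),   # Wednesday 18:00  -> window already closed
    ("erin",  "2024-03-09T10:00:00"),   # Saturday         -> not a working day
]


def out_of_hours(records):
    """Return the (user, timestamp) records that violate the logon window.

    This is the audit view of the same rule: a logon that the control should
    have blocked, or that happened through a path the control does not cover,
    shows up here for review.
    """
    return [(user, ts) for user, ts in records
            if not logon_allowed(datetime.fromisoformat(ts))]


if __name__ == "__main__":
    for user, ts in out_of_hours(SAMPLE_LOGONS):
        print(f"out-of-hours logon: {user} at {ts}")
```

The half-open window (`start <= t < end`) matters: a logon at exactly 6:00 p.m. is outside the permitted period, and the same function serves both the enforcement check and the weekly log review, so the two cannot drift apart.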