Cyber Security - Cybersecurity Recovery Objectives
The primary objective of a cybersecurity disaster recovery plan is to restore and protect the organization's data and assets after a security incident has occurred.
The plan should spell out, step by step, how the organization will reconstitute its assets after an incident.
Cybersecurity recovery efforts should consider:
- Restoring information systems using various methods.
- Performing standard operating procedures in alternative ways.
- Recovering information systems in backup locations.
- Implementing contingency controls based on the business impact of the incident.
Consider:
- Layered Protection.
- Plan for the Recovery Phase.
- Continuous Improvement.
- Track Recovery Metrics.
- Document Everything.
Layered Protection
- Preventive elements including:
  - Firewalls with content inspection.
  - Intrusion Detection / Prevention Systems (IDS/IPS), such as Suricata or Snort.
  - Endpoint protection (antivirus / EDR) to block malware and exploit attempts on the host, complementing network controls that filter only by address and port.
  - Spam and malware filtering and blocking.
  - Application firewalls.
  - Strict control on changes and software uploads.
  - Strict access control, with audits of activity, to prevent compromise of data or services.
  - Timely patch management.
- Detective elements: monitoring of integrity and availability to detect issues as early as possible.
Plan for the Recovery Phase
Not all cyber attacks can be prevented, so plan for the incidents that could plausibly affect the organization, including how each would be contained and how recovery would proceed.
To set priorities, perform a business impact analysis that evaluates the potential effects of cyber events (financial, legal, regulatory, and so on).
- Define incident management roles and responsibilities.
- Develop a Cyber Incident Response Plan and a broader Business Continuity Plan with a Crisis Management Strategy.
- Make arrangements for communication channels in the event of downtime.
- Identify alternate services and/or facilities for hosting your data and systems.
- Create and work through "what-if" scenarios based on recent cyber events that have impacted similar organizations.
- Identify and fix gaps in crisis planning before an incident occurs.
- Consider additional ramifications of a breach including how personnel and stakeholders will be affected and the legal and financial implications of noncompliance.
Continuous Improvement
Any recovery planning process needs to be fluid. Update the recovery plan regularly to keep pace with the threat landscape, current best practices, and lessons learned from breaches that have affected similar businesses.
Test the recovery plan periodically, for example with tabletop exercises and restore drills, to confirm that it actually works.
Track Recovery Metrics
Track real measurements, rather than estimates, to gauge where the organization stands. Useful metrics include:
- Patch Policy Compliance.
- Mean-Time to Patch.
- Vulnerability Scan Coverage.
- Percent of Systems Without Known Severe Vulnerabilities.
- Information Security Budget as % of IT Budget.
- Mean-Time to Incident Discovery.
- Incident Rate.
- Percentage of Incidents Detected.
- Mean-Time Between Security Incidents.
- Mean-Time to Mitigate Vulnerabilities and Mean-Time to Recover.
- Number of Known Vulnerability Instances.
- Number of Applications and Percentage of Critical Applications.
- Risk Assessment Coverage.
- Security Testing Coverage.
- Percent of Changes with Security Review.
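The time-based metrics above only mean something if everyone computes them the same way: discovery time is measured from when the attacker activity started (established during forensics), not from when the ticket was opened, and "compliant with patch policy" is not the same as "not exposed". The following is an added example, not code from the original page, showing how a handful of these metrics can be derived from incident and patch records. The record formats, the patch SLA table and all sample data are constructed assumptions for illustration.

```python
"""Compute recovery metrics from incident and patch records.

Added example, not code from the original page. The record formats, the
patch SLA table and all sample data below are constructed assumptions
for illustration, not measurements from any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

HOUR = 3600.0
DAY = 86400.0


@dataclass(frozen=True)
class Incident:
    name: str
    occurred: datetime   # start of attacker activity, established during forensics
    detected: datetime   # first time the organization noticed
    recovered: datetime  # services back to normal operation


@dataclass(frozen=True)
class PatchRecord:
    host: str
    severity: str                # "critical", "high", "medium" or "low"
    published: datetime          # vendor advisory date
    patched: Optional[datetime]  # None while the host remains unpatched


# Assumed patch policy: maximum days from advisory publication to installation.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERE = {"critical", "high"}

# Constructed sample data (2024 is a leap year, so Feb 1 -> Mar 1 is 29 days).
INCIDENTS = [
    Incident("phishing", datetime(2024, 1, 1, 8), datetime(2024, 1, 1, 14), datetime(2024, 1, 2, 14)),
    Incident("ransomware", datetime(2024, 2, 1, 8), datetime(2024, 2, 1, 14), datetime(2024, 2, 4, 14)),
    Incident("credential-stuffing", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 20), datetime(2024, 3, 2, 2)),
]
PATCHES = [
    PatchRecord("web-01", "critical", datetime(2024, 3, 1), datetime(2024, 3, 5)),
    PatchRecord("web-01", "high", datetime(2024, 2, 1), datetime(2024, 3, 10)),  # 38 days: over the 30-day SLA
    PatchRecord("db-01", "critical", datetime(2024, 3, 1), None),                 # still open, SLA expired
    PatchRecord("app-01", "medium", datetime(2024, 1, 1), datetime(2024, 1, 19)),
    PatchRecord("app-01", "high", datetime(2024, 3, 25), None),                   # open, but still inside SLA
]
AS_OF = datetime(2024, 4, 1)  # date the report is produced


def mean_time_to_discovery_hours(incidents):
    """Mean-Time to Incident Discovery: occurrence to detection."""
    return mean([(i.detected - i.occurred).total_seconds() / HOUR for i in incidents])


def mean_time_to_recover_hours(incidents):
    """Mean time from detection to restored operation."""
    return mean([(i.recovered - i.detected).total_seconds() / HOUR for i in incidents])


def mean_time_between_incidents_days(incidents):
    """Mean gap between consecutive incident start times (needs two or more)."""
    starts = sorted(i.occurred for i in incidents)
    return mean([(b - a).total_seconds() / DAY for a, b in zip(starts, starts[1:])])


def _within_sla(rec, as_of):
    deadline = rec.published + timedelta(days=PATCH_SLA_DAYS[rec.severity])
    if rec.patched is not None:
        return rec.patched <= deadline
    return as_of <= deadline  # unpatched, but the policy window has not closed yet


def patch_policy_compliance(records, as_of):
    """Fraction of patch records meeting the policy deadline as of a date."""
    return sum(_within_sla(r, as_of) for r in records) / len(records)


def mean_time_to_patch_days(records):
    """Mean days from publication to installation, over patched records only."""
    return mean([(r.patched - r.published).total_seconds() / DAY
                 for r in records if r.patched is not None])


def percent_without_severe_vulns(records, as_of):
    """Percent of hosts with no unpatched critical/high item as of a date.
    An open item inside its SLA still counts as exposure here."""
    hosts = {r.host for r in records}
    exposed = {r.host for r in records if r.severity in SEVERE and r.patched is None}
    return 100.0 * len(hosts - exposed) / len(hosts)


if __name__ == "__main__":
    print(f"MTTD: {mean_time_to_discovery_hours(INCIDENTS):.1f} h")
    print(f"MTTR: {mean_time_to_recover_hours(INCIDENTS):.1f} h")
    print(f"MTBI: {mean_time_between_incidents_days(INCIDENTS):.1f} days")
    print(f"Patch policy compliance: {patch_policy_compliance(PATCHES, AS_OF):.0%}")
    print(f"Mean time to patch: {mean_time_to_patch_days(PATCHES):.1f} days")
    print(f"Systems without severe vulns: {percent_without_severe_vulns(PATCHES, AS_OF):.1f}%")
```

Note the deliberate gap between the last two metrics: app-01 is fully compliant with the assumed policy, yet it is counted as exposed because a high-severity item is still open. Reporting only compliance would hide that exposure.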
Document Everything
Procedures, roles and responsibilities, metrics tracking, and adjustments should all be documented to improve response times and recovery.
- Develop diagrams of infrastructure and equipment.
- Maintain an inventory of assets and systems, including copies of support agreements with vendors and providers.
- Document application dependencies and restoration priorities, so that the most critical applications (and the systems they depend on) are restored first.
- Record regulatory compliance information: who, when, and how to contact regulatory bodies and stakeholders in the event of a breach.
- List recovery team members and their contact information.
NOTE: The Recovery Plan should be discussed with the security, business continuity and contingency planning teams.
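"Restore the most critical applications first" is harder than it sounds once dependencies are taken into account: a payments application cannot come back before its database and directory service, however critical it is. The following is an added example, not code from the original page, that turns a documented dependency inventory and business-impact tiers into a restoration order and then checks that order against each application's recovery time objective (RTO). The application inventory, tiers, RTOs and restore durations are constructed assumptions for illustration.

```python
"""Derive a restoration order from application dependencies and criticality.

Added example, not code from the original page. The application inventory
below is constructed for illustration; tiers, RTOs and restore durations are
assumed values, not measurements from any real environment.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class App:
    tier: int                  # 1 = most critical, from the business impact analysis
    rto_hours: int             # recovery time objective agreed with the business
    restore_hours: int         # estimated time to rebuild / restore from backup
    depends_on: Sequence[str]  # apps that must be running before this one can be restored


# Constructed inventory: who depends on whom, and how critical each app is.
APPS: Dict[str, App] = {
    "core-network":     App(tier=1, rto_hours=1,  restore_hours=1, depends_on=()),
    "active-directory": App(tier=1, rto_hours=4,  restore_hours=2, depends_on=()),
    "database":         App(tier=1, rto_hours=8,  restore_hours=3, depends_on=("core-network",)),
    "payments":         App(tier=1, rto_hours=6,  restore_hours=2, depends_on=("database", "active-directory")),
    "email":            App(tier=2, rto_hours=10, restore_hours=2, depends_on=("active-directory", "core-network")),
    "crm":              App(tier=2, rto_hours=24, restore_hours=2, depends_on=("database", "active-directory")),
    "intranet-wiki":    App(tier=3, rto_hours=72, restore_hours=1, depends_on=("active-directory",)),
}


def restore_order(apps: Dict[str, App]) -> List[str]:
    """Kahn's topological sort. Among apps whose dependencies are already
    restored, pick the lowest tier first, then the tightest RTO, then by name.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    indegree = {name: 0 for name in apps}
    dependents = {name: [] for name in apps}
    for name, app in apps.items():
        for dep in app.depends_on:
            if dep not in apps:
                raise ValueError(f"{name} depends on unknown application {dep!r}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [(app.tier, app.rto_hours, name)
             for name, app in apps.items() if indegree[name] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (apps[child].tier, apps[child].rto_hours, child))
    if len(order) != len(apps):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle involving: {', '.join(stuck)}")
    return order


def schedule(apps: Dict[str, App]) -> List[Tuple[str, int, bool]]:
    """Walk the restore order assuming one team restores sequentially and
    return (name, cumulative finish hour, meets_rto) for each application."""
    clock = 0
    rows = []
    for name in restore_order(apps):
        clock += apps[name].restore_hours
        rows.append((name, clock, clock <= apps[name].rto_hours))
    return rows


def rto_breaches(apps: Dict[str, App]) -> List[str]:
    """Applications whose RTO is missed even at full priority: a signal that
    the plan needs parallel restore teams or a faster restore procedure."""
    return [name for name, _, ok in schedule(apps) if not ok]


if __name__ == "__main__":
    for name, finish, ok in schedule(APPS):
        print(f"{finish:3d}h  {name:<18} {'ok' if ok else 'MISSES RTO'}")
    print("RTO breaches:", rto_breaches(APPS))
```

With the constructed inventory, payments misses its 6-hour RTO even though it is tier 1 and nothing lower-priority is restored ahead of it: its dependency chain alone (network, directory, database) takes 6 hours under sequential restore. That is the kind of gap to surface during planning, not during an incident, and the fix is in the plan (restore independent services in parallel, or shorten the database restore), not in the ordering.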