Case Study 2
Developing the Forensics, Continuity, Incident Management, and Security Training Capacities for the Enterprise
SEC 402 Cyber Security
The Essential Body of Knowledge
Case Study 2: Developing the Forensics, Continuity, Incident Management, and Security Training Capacities for the Enterprise
In this case study I will attempt to determine how defined roles for technology, people, and processes are necessary to ensure resource allocation for business continuity. I will also explain how IT security policies and data retention policies help maintain user expectations about the level of business continuity that is achievable, and answer the question of how acceptable use policies (AUPs), remote access policies, and email policies help to minimize anti-forensic efforts. My intention is to suggest models that could be used to ensure business continuity and the integrity of corporate forensic efforts, to explain the essentials of defining a digital forensic process, and to provide a step-by-step process that could be used to develop and sustain an enterprise continuity process. Finally, I describe the role of incident response teams, how they support business continuity, and what awareness and training efforts can be adopted to counter anti-forensic efforts.
An effective Business Continuity Plan outlines the procedures and instructions an organization must follow in the face of a disaster; it covers business processes, human resources, business partners and more. The primary activities that must be carried out require a staff that is up and ready to go, so clearly defined roles and responsibilities are critical to ensure that each activity can be fully carried out (Business Continuity Maturity Model – dodcoop.com, n.d.). Organizations of all sizes experience some shortfall in the allocation of responsibilities; often one resource ends up with tasks that were not originally assigned but must still be completed.
Processes are the foundation of every organization: they transform requirements into deliverables and comprise actions, methods and operations. They are the master plan by which value is added, and they should be laser-focused on the customer and on total-quality deliverables that meet or exceed the needs and expectations of the customers.
Within IT, everything we do is a process, whether it is documented or not, and within each area or function of an organization many processes are taking place, from the analyst to quality control to customer-facing roles. Processes often intermingle with other processes throughout an organization, as the outputs of one process form the inputs to another. Resource allocation within an organization should also be done collaboratively to produce the teams necessary for recovery and disaster mitigation (Warkentin & Vaughn, 2006).
Clearly identified roles and responsibilities are absolutely essential for all components, as they eliminate the possibility of duplicated roles, duplicated effort and lost time. If roles have been clearly defined, resources are used more efficiently and not wasted. When the role of each resource is clearly defined, it is much easier to identify the core skills necessary to get all the tasks completed. On a team where each task or activity has a designated SME (subject matter expert), resources carry on with their work without worrying about whose responsibilities they might overstep.
An organization needs to determine the quality of its data before developing the computer security and data retention policies meant to help protect and manage that data. Across the organization, security policies apply to all users of the information and to the information technology department.
In developing these policies, an organization will need to consider the following:
Where will the user access and use the data?
What is the security classification of the data?
The value and importance of the data, together with the cost of defending it, determine the security level required for its transmission.
Security policies are very important in setting and promoting the user expectations needed to achieve business continuity. The do's and don'ts of how to use the network and handle critical organizational data are conveyed through the security settings and password policies that security policies provide to users. Armed with these policies, users can discern how, and to what degree, information will be safeguarded during an incident and recovered during or after a breach.
The IT department within an organization essentially defines the IT policies regarding the security and protection of the network. IT security policies let users know what the organization is doing to safeguard their information, setting an expectation of what the organization will and will not do in the event of an incident or disaster. The security policies enforced ensure accountability for data integrity, not only to the organization but also to its users. The organization's responsibilities for business continuity and its related policies are often defined within its general policies. How an organization recovers from a disaster, and how its data and information will be preserved, are critical questions to ask (Dan Shoemaker, W. A., 2012).
Anti-forensic methods create challenges for forensic auditors doing their jobs during a criminal process: they drive up cost to the point where completing a thorough investigation becomes difficult.
“Today’s technology, coupled with acceptable use policies, policies around remote access, and email policies, works to minimize any anti-forensic activity within an organization through such measures as the integration of forensic steps.” (Dahbur, K., & Mohammad, B., 2011) “If an anti-forensic perpetrator attacks one of the steps, it does not render the forensic expert so helpless that he or she cannot glean any evidence; there are still opportunities to use bread crumbs left from previous steps to gather the necessary evidence.” (Warkentin & Vaughn, 2006)
Acceptable use policies are designed to minimize anti-forensic activity through implemented system user requirements, for example: no user may introduce any foreign item into a computer system without the prior knowledge of management (Dahbur, K., & Mohammad, B., 2011). Emails are often backed up, so even when the sending user attempts to destroy an email, forensic experts can still recover it from elsewhere within the system. Organizational email servers have user policies which require users to back up anything done in the system.
When managing unforeseen and unplanned events, a business continuity model is an important tool to ensure that organizational core functions are not affected by a disaster or disrupted for an extended period, and that if they are, the core functions can be recovered in the shortest time possible. Businesses working to build and maintain a sustainable recovery model, as prescribed by their business continuity model, have online software tools available, such as the business continuity maturity model. This model provides clear and concise steps to be followed within a disaster recovery program and is designed to suit organizations of various sizes (Arduini, F., & Morabito, V., 2010).
Choosing a model to implement in an organization requires that a level be identified, such as corporate or mid-management; at this level the focus of the chosen model includes the organizational parameters of employee awareness, business continuity program structure, leadership resource commitment, metrics, and external coordination (Business Continuity Maturity Model – dodcoop.com, n.d.). When developing the business continuity program, the parameters of recovery technology, incident management, business recovery and security management become the content focus, applied to an organization according to its immediate structure (Business Continuity Maturity Model – dodcoop.com, n.d.).
The logic model tool applies logic when addressing the business recovery efforts that ensure an organization's business continuity and the integrity of its business forensics. Whether automated or not, the logic model uses a logical approach to restore order. “Digital forensics can be defined as the identification, preservation, recovery, authentication, extraction, documentation, investigation, analysis, and interpretation of electronically stored information.” (Dahbur, K., & Mohammad, B., 2011) “Digital forensics includes the planning and mapping of the entire project and the preservation of information through the collection of information.” (Dahbur, K., & Mohammad, B., 2011)
Assessment of the evidence gleaned from processing data during an investigation incorporates critical analysis, reporting and production, which results in an expert recommendation at the conclusion of the investigation. Streamlining and eliminating unnecessary process activities, aided by a recovery plan, helps establish the recovery time objective (RTO) for an organization.
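The preservation and authentication steps in the definition above are the ones that blunt anti-forensic tampering of the kind discussed earlier: if a digest of each collected item is recorded at acquisition, any later alteration or deletion of that item is detectable, and the manifest itself can be sealed so it cannot be quietly edited. The following Python example is added here to illustrate that step; it is not part of the original case study or of any cited source. The evidence item names and contents are constructed in-memory stand-ins for acquired files and mail-store exports, and the examiner identifier is a placeholder.

```python
"""Evidence preservation and authentication (added illustrative example).

At acquisition, record a SHA-256 digest for every collected item together with
acquisition metadata. Later, re-hash the items and report anything altered,
missing or unexpectedly added. The sample items below are constructed bytes,
not real evidence.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex digest of a single evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, examiner: str) -> dict:
    """Preservation step: one digest per collected item plus acquisition metadata."""
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "algorithm": "sha256",
        # sorted so the manifest is deterministic for a given evidence set
        "entries": {name: sha256_hex(data) for name, data in sorted(items.items())},
    }


def manifest_digest(manifest: dict) -> str:
    """Digest over the canonical JSON form of the manifest, so the manifest itself
    can be sealed (recorded off-system or signed) and checked for edits later."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify_items(manifest: dict, items: dict) -> dict:
    """Authentication step: compare the items held now against the sealed manifest."""
    expected = manifest["entries"]
    altered = [n for n in expected if n in items and sha256_hex(items[n]) != expected[n]]
    missing = [n for n in expected if n not in items]
    unexpected = [n for n in items if n not in expected]
    return {
        "intact": not (altered or missing or unexpected),
        "altered": altered,
        "missing": missing,
        "unexpected": unexpected,
    }


# Constructed sample evidence set (stand-ins for acquired files).
ACQUIRED = {
    "mail/user1/INBOX.mbox": b"From: a@example.test\nSubject: quarterly numbers\n\n...",
    "logs/auth.log": b"Jan 10 09:12:01 host sshd[1]: Accepted publickey for user1\n",
    "docs/plan.docx": b"PK\x03\x04constructed-docx-bytes",
}


def demo():
    """Seal the acquired set, then check an intact copy and a tampered copy."""
    manifest = build_manifest(ACQUIRED, examiner="analyst-1")  # placeholder examiner id
    seal = manifest_digest(manifest)

    # A later copy in which one item was edited and one was deleted.
    tampered = dict(ACQUIRED)
    tampered["logs/auth.log"] = b"Jan 10 09:12:01 host sshd[1]: Accepted publickey for user2\n"
    del tampered["docs/plan.docx"]

    clean_result = verify_items(manifest, ACQUIRED)
    tampered_result = verify_items(manifest, tampered)
    seal_still_valid = seal == manifest_digest(manifest)
    return clean_result, tampered_result, seal_still_valid


if __name__ == "__main__":
    clean, bad, sealed = demo()
    print("intact copy:", clean)
    print("tampered copy:", bad)
    print("manifest seal valid:", sealed)
```

Running the block reports the intact copy as intact and flags `logs/auth.log` as altered and `docs/plan.docx` as missing in the tampered copy. In practice the manifest digest would be stored with the chain-of-custody record, outside the system that holds the evidence, so that destroying or editing an item after collection leaves a detectable gap rather than erasing the trail.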
When personnel know, through planning, which activities need to be completed, when, and by which resource, overlapping and duplication of activities are eliminated.
Managing and initiating the project involves designing the project; problem identification and business continuity needs are then applied in developing and sustaining an effective business continuity plan. While an organization works to establish control measures, evaluation of the inherent risks continues.
The business response teams of an organization are essential assets and critical tools in the management kit. The business response team's role includes the detection of malware within the computer systems. Resources from across all disciplines within the organization make up the response teams, and these teams support business continuity by performing tasks that include repairing and recovering from disasters. The response team is tasked with preparing a containment strategy and mitigation measures for the anomalies it discovers; these measures are preceded by analysis, remediation and measurement.
Forensic audits conducted by forensic experts are often challenged by the anti-forensic effort itself. Because of these anti-forensic threats, the need for awareness training becomes glaringly apparent. Sensitizing employees to commonly used anti-forensic tools is a form of awareness training an organization might consider as a means to reduce these efforts. Sensitized training enables employees to understand what the threats are and to develop appropriate methods to counter them (Dahbur, K., & Mohammad, B., 2011).
Sensitized training explains how the system functions and what its purpose is, and provides a system demonstration, giving employees a better understanding of how to detect and counter anti-forensic behavior. A well-informed workforce is vital and is the first line of defense in ensuring integrity, ethical conduct and secure behavior around an organization's computer system and its data. Once employees have been made aware, through this training, of the dos and don'ts of the computer system, the probability that they engage in negligent behavior declines tremendously.
Security awareness training should become as second nature as changing one's password every 90 days, ensuring that employees are aware of the latest technological developments and practices. To sustain support and effectiveness, new employees should be introduced to security awareness training early in their employment, so that there are no gaps in performance and effectiveness once they are granted user access to the organization's systems.