BCP - Quia

IT255 Introduction to Information Systems Security
Unit 6
Role of Risk Management, Response, and Recovery for IT Systems, Applications, and Data
© ITT Educational Services, Inc. All rights reserved.
Learning Objective
Describe the principles of risk management, common response techniques, and issues related to recovery of IT systems.
IT255 Introduction to Information Systems Security
© ITT Educational Services, Inc. All rights reserved.
Page 2
Key Concepts
• Quantitative and qualitative risk assessment approaches
• Business impact analysis (BIA)
• Business continuity plan (BCP)
• Disaster recovery plan (DRP)
• Elements of an incident response plan
EXPLORE: CONCEPTS
BCP
• A plan designed to help an organization continue to operate during and after a disruption
• Covers all functions of a business: IT systems, facilities, and personnel
• Generally includes only mission-critical systems
BCP Elements
• Purpose and scope
• Assumptions and planning principles
• System description and architecture
• Responsibilities
BCP Elements (Continued)
• Notification or activation phase
• Recovery and reconstitution phases
• Plan training, testing, and exercises
• Plan maintenance
DRP
• Includes the specific steps and procedures to recover from a disaster
• Is part of a BCP
• Important terms:
    ◦ Critical business function (CBF)
    ◦ Maximum acceptable outage (MAO)
    ◦ Recovery time objective (RTO)
DRP Elements
• Purpose and scope
• Disaster or emergency declaration
• Communications
• Emergency response and activities
DRP Elements (Continued)
• Recovery steps and procedures
• Critical business operations
• Recovery operations
• Critical operations, customer service, and operations recovery
BIA
• A study that identifies the CBFs and MAOs of a DRP
    ◦ Studies include interviews, surveys, meetings, and so on.
• Identifies the impact to the business if one or more IT functions fails
• Identifies the priority of different critical systems
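The BIA output described above, turned into the two checks a DRP author needs from it: a recovery order driven by each CBF's MAO, and a list of functions whose planned RTO would miss the MAO. This is an added example, not material from the slides; the rule that an RTO must not exceed its MAO is the standard relationship and is assumed here, and the CBF register is constructed.

```python
from dataclasses import dataclass

@dataclass
class CriticalFunction:
    """A critical business function (CBF) as recorded by the BIA."""
    name: str
    mao_hours: float  # maximum acceptable outage found by the BIA
    rto_hours: float  # recovery time objective the DRP commits to

def recovery_priority(cbfs):
    """Order CBFs for the DRP: the shortest MAO must be restored first."""
    return [c.name for c in sorted(cbfs, key=lambda c: c.mao_hours)]

def rto_gaps(cbfs):
    """CBFs whose planned RTO exceeds the MAO. The DRP cannot meet the business
    need for these, so the recovery procedure (or the MAO) must be revisited.
    Assumption: RTO <= MAO is required; the slides name the terms but not the rule."""
    return [(c.name, c.rto_hours - c.mao_hours)
            for c in cbfs if c.rto_hours > c.mao_hours]

# Constructed BIA register (illustrative interview results, not real data)
CBFS = [
    CriticalFunction("order processing", mao_hours=4, rto_hours=8),
    CriticalFunction("payroll", mao_hours=72, rto_hours=24),
    CriticalFunction("customer support portal", mao_hours=12, rto_hours=12),
]

if __name__ == "__main__":
    print("recovery order:", recovery_priority(CBFS))
    print("RTO gaps (name, hours over MAO):", rto_gaps(CBFS))
```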
BIA Elements
Scope
• It is affected by the size of the organization.
• For a small organization, the scope could include the entire organization.
• For larger organizations, the scope may include only certain areas.
Objectives
Computer Incident Response Team (CIRT) Plan
• Outlines steps taken during a response effort and the roles and responsibilities of the team
• Includes the five Ws + H:
    ◦ Who launched the attack?
    ◦ What type of attack occurred?
    ◦ Where did the attack occur?
    ◦ When did the attack occur?
    ◦ Why did the attack occur?
    ◦ How did the attack occur?
EXPLORE: PROCESSES
Risk Management
• Assessment
• Avoidance
• Reduction
• Mitigation
Risk Assessment
• It is a process used to identify and evaluate risks.
• Risks are quantified based on importance or impact severity.
• Risks are prioritized.
Risk Assessment Steps
• Identify threats and vulnerabilities.
• Identify the likelihood that a risk will occur.
• Identify asset values.
• Determine the impact of a risk.
• Determine the usefulness of a safeguard or control.
Risk Assessment Approaches
• Quantitative
    ◦ Uses numbers, such as dollar values
• Qualitative
    ◦ No dollar values; determines risk level based on probability and impact of a risk
Quantitative Risk Assessment
• Single loss expectancy (SLE)
    ◦ Total loss expected from a single incident
• Annual rate of occurrence (ARO)
    ◦ Number of times an incident is expected to occur in a year
• Annual loss expectancy (ALE)
    ◦ Expected loss for a year
SLE × ARO = ALE
Qualitative Risk Assessment
• Probability
    ◦ Likelihood a threat will exploit a vulnerability
• Impact
    ◦ Negative result if a risk occurs
Risk level = Probability × Impact
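The risk assessment steps and the quantitative and qualitative approaches above, worked through on a small constructed risk register: SLE and ALE per risk, prioritization by ALE, the cost-benefit test for "usefulness of a safeguard", and the qualitative Probability × Impact level. This is an added example, not the course's own material; it assumes SLE = asset value × exposure factor (a standard quantitative input the slides do not name), and the ordinal scale, thresholds and dollar figures are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One quantified risk. SLE = asset value x exposure factor (fraction of the
    asset lost per incident); the exposure factor is an assumption, not on the slides."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float  # annual rate of occurrence

    @property
    def sle(self) -> float:  # single loss expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # annual loss expectancy = SLE x ARO
        return self.sle * self.aro

def prioritize(risks):
    """Names ordered by ALE, largest expected yearly loss first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]

def safeguard_value(risk, aro_with_control, annual_control_cost):
    """Usefulness of a control: ALE avoided minus what the control costs per year.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return risk.ale - risk.sle * aro_with_control - annual_control_cost

LEVELS = {"low": 1, "medium": 2, "high": 3}  # constructed ordinal scale

def qualitative_level(probability, impact):
    """Risk level = probability x impact on the ordinal scale; thresholds are assumed."""
    score = LEVELS[probability] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

# Constructed sample register (values are illustrative, not real data)
RISKS = [
    Risk("ransomware on file server", 200_000, 0.5, 0.5),
    Risk("web server outage", 40_000, 0.25, 4),
    Risk("laptop theft", 3_000, 1.0, 2),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: SLE={r.sle:.0f} ARO={r.aro} ALE={r.ale:.0f}")
    print("priority:", prioritize(RISKS))
    print("offline backups vs ransomware:", safeguard_value(RISKS[0], 0.1, 12_000))
    print("qualitative:", qualitative_level("high", "medium"))
```

Note that the web outage has a smaller SLE than the ransomware case but a comparable ALE because it recurs; ranking by ALE rather than SLE is what keeps frequent small losses from being overlooked.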
EXPLORE: RATIONALE
Importance of Risk Assessments
• Is part of the overall risk management process
• Helps you evaluate controls
• Supports decision making
• Can help organizations remain in compliance
Summary
• You can protect data and business functions with a BCP, DRP, BIA, and incident response plan.
• Risk assessments include quantitative and qualitative approaches.