Incidence Management and Operational Risks - Report Example

1. Communication Systems 1. Incidence Response Plan (Confidentiality, Availability, Integrity 2. Disaster Recovery Plan/Business Continuity Plan(Confidentiality, Availability, Integrity) 2. Proposed Security Policy and Plans 2.1. Security Policy 2.1.1. Definitions 2.1.2. Purpose, Goals and Intent 2.1.3. Policy Statement 2.1.3.1. Protection of Information 2.1.3.2. Use of Information and systems 2.1.3.3. Information handling 2.1.3.4. Legal and Governmental Policy Relationships 2.1.3.5. Exceptions 2.1.3.6. Non-enforcement 2.1.3.7. Violations of Law 2.1.3.8. Revocation of Privileges 2.1.3.9. Information Security Standards 2.1.4. Use of Policies and procedures 2.1.5. Enforcement, Audit and Review 2.1.6. Education, Training and Awareness 2.1.7. Security Roles and Responsibilities 2.2. Controls 2.2.1. C2 Systems 2.2.1.1. Risk 1 – unauthorized Access (Confidentiality) 2.2.1.2. Risk 2 – unauthorized Data Modification (Integrity) 2.2.1.3. Risk 3 – Denial of Access (Availability) 2.2.2. Communication 2.2.2.1. Risk 1 – Crypto Attack (Confidentiality) 2.2.2.2. Risk 2 – false Message (Integrity) 2.2.2.3. Risk 3 – denial of service (Availability) 2.3. Planned Expenditure 2.3.1. Program Activities 2.3.1.1. Program Management 2.3.1.2. Technology Assessment 2.3.1.3. Risk Assessment 2.3.1.4. Control Implementation and Vulnerability Assessment 2.3.1.5. Education and Training 2.3.1.6. Audits and Monitoring 2.3.1.7. Policy Development and review 2.3.1.8. Response Planning and Practice 2.3.2. Program Budget 2.3.3. Related Defense Plans and Projects 1. Communication Systems 1.1. Incidence Response Plan (Confidentiality, Availability, Integrity) Incidence management and operational risks require the ability to seek and manage information discreetly during any emergency incidents. Incidence response plans can be divided into pre-incident/fire planning; which is based on two categorical plans i.e. recognitions of the hazards and compilation of necessary details about the hazards that can be helpful in the implementation of the risk management process. For effective recovery, information confidentiality-accuracy; availability – can be accessed and retrieved if and when need; and integrity- authenticity, are very fundamental in the any communication. 1.2. Disaster Recovery Plan/Business Continuity Plan (Confidentiality, Availability, Integrity) Disaster recovery plans or business continuity plans are conditions set in place to ensure that pre-fire readiness strategies are set. For this the managements must stipulate how: i. The fire department is expected to adopt officially drawn plan to address all fire departments conditions and policies. ii. The plan to include administration department, training, transport facilities, protective attires and equipments, operations at recovery incidents, operations at non-disaster recovery incidents e.t.c. iii. It shall include disaster; identification, evaluation, control techniques and management monitoring. 2. Proposed Security Policy and Plans 2.1. Security Policy Critical infrastructure and Information Technology security policies have in most cases been relevant if issues that determine the nature and extent of operations and those that directly address safe conducts recommended of the operations. 2.1.1. Definitions Security policy will identify, evaluate, control and come up with corrective plans for potential security threats 2.1.2. Purpose, Goals and Intent The purpose, goals and intent of security policy will be to ensure safety on the critical Infrastructures involved in the fire fighting and internet operations protocols for the Information Technology appliances. 2.1.3. Policy Statement 2.1.3.1. Protection of Information Certain pieces of information are always very important and are kept out of access by the terrorists. Information Protection is one of the safety procedures in the event of dealing with issues that could be of attractions to cyber terrorists. For these reasons, nuclear plants are always controlled remotely through the use of PCS and PLC, controlled remotely over intranet telecommunication networks connected to input/output devises of the plants. This is discussed be Cassidy et al. (2008), Remote forensic analysis of process control systems; IFIP International Federation for Information Processing. Firewalls are remedies set in place to filter communications between the intranet and the site of operation. However, good hackers can overwhelmingly take advantage of any information leak or gain vulnerabilities residing in the commodity being deployed in the corporate intranet. An illustration of possible cyber terrorist attack as discussed above. 2.1.3.2. Use of Information and systems Data or information and the systems containing such pieces will only the used in threat free situations – in remote controls to avoid malicious attacks. Such systems will also only be available to the authorized and authenticated users for effective and secure operations. 2.1.3.3. Information handling Every information or data in this organization is very important, keeping in mind that scrutiny is done during information acquiring process. Codes of information handling and precision on the authorized users must be defined. Access to crucial workers’ details such as bank account numbers, social life, health issues e.t.c. if found by a hackers of bad intensions may use such to bring down the workforce. 2.1.3.4. Legal and Governmental Policy Relationships All policies, agreements, conducts must be within the expected regulations of the country’s’ law mandates. Any defaulter shall be held responsible without fear or favors. Therefore, rules must be obeyed. 2.1.3.5. Exceptions Depending on the situation and hand, live/property saving initiatives may be taken though not in an advanced way. No advantage of this condition will be tolerated as evidenced that called for it must be demonstrated before the authorities’ concerned 2.1.3.6. Non-enforcement For any of non-enforcement experience, which will not be allowed at all circumstances, every actions or conducts, will be guided by the rule of law. 2.1.3.7. Violations of Law Our organization is for offering fire control hazards control to the state and citizens. All the violators, which in this case may be against a civilian, staff member or State at large will be answerable to the Judge Advocate General. 2.1.3.8. Revocation of Privileges Fire fighting services are considered basic since no one can detect when such tragedies may arise. One is therefore allowed to check into our Organization’s portal for any information that may necessary. However, is this opportunity is used hazardously; such information may be barred from your use. 2.1.3.9. Information Security Standards Security threats in the internet services are due to its susceptibility to invasions by people with malicious intensions, hackers. Hacking is an unauthorized means of gaining access to unauthorized data or internet with the intension of either stripping the data of causing destruction to either information content or the hardware itself. With the rapid technological advancements, it has become so easy to leak data or information i.e. through a communication link. Therefore, for information security standards to be maintained, the Process Control System (PCS) majorly applied in larger industries automation systems and meant to oversee real-time operations should be adequately be installed. 2.1.4. Use of Policies and procedures Each and every process of seeking information from ADF is procedural and detained by you identification, authority, intensions and time needed. 2.1.5. Enforcement, Audit and Review For the chronological flow of information and functions audit, review and enforcements must be embraced and implemented. These will give the ADF management an insight on what actions should be taken for effective, secure and efficient operations. 2.1.6. Education, Training and Awareness Performance appraisals will be done regularly with objectives of increasing the level of skills, knowledge and expertise of all staff of ADF. Such services may be extended to the public for minor disaster preparedness. 2.1.7. Security Roles and Responsibilities 2.2. Controls In the event of setting up controls of the extent to which vulnerability can be subjected to the system, potentially dangerous threats have to be recognized, any emergencies prevented and effective response formulated to the identified issue. 2.2.1. C2 Systems 2.2.1.1. Risk 1 – unauthorized Access (Confidentiality) Only authorized personnel should be able to access confidential information, data, computers, or networks by activating encrypted username and protective passwords. 2.2.1.2. Risk 2 – unauthorized Data Modification (Integrity) Data integrity is only assured by the level of protective measures set to it. If data cannot be edited through addition of other information or deletion of contents, it is considered to be of paramount integrity. 2.2.1.3. Risk 3 – Denial of Access (Availability) According to Marcus J. (1997) denial of access through social engineering, impersonation, exploits, transitive trust, infrastructure, data driven and denial of service will always ensure security and protection of the infrastructure being used. 2.2.2. Communication 2.2.2.1. Risk 1 – Crypto Attack (Confidentiality) This particular type of attacks usually occur on the internet relayed chants where users are deliberately instructed by pop-ups to download a program and run it for increased advantages over others, for example. Such actions eventually leads to data lose and security credentials transfer to the attacker. 2.2.2.2. Risk 2 – false Message (Integrity) Spyware can be used by cyber terrorists to access computers in the corporate intranet if downloaded and installed. After installation, they can access those computers as zombie hosts and achieve their goals by gaining control of the PCS in the remote operating systems. 2.2.2.3. Risk 3 – denial of service (Availability) Cyber terrorists alternatively can use the above strategy, be a zombie host, to successfully instigate a type of denial of service attack called distributed denial of service attack to shut services provided by any identified critical infrastructure, (Journal of Universal Computer Science, vol. 15, no. 12 (2009)). 2.3. Planned Expenditure Every actions detailed in this write up calls for financial and human resources. Planned expenditures will herein give an approximated expenditure for ADF’s success in the 2010 – 2015 Work plan. 2.3.1. Program Activities Critical Infrastructure in Information Technology appraisal will take the following into account. 2.3.1.1. Program Management This is a very crucial section in the running of ADF. It will therefore only constitute IT technocrats who will intensify security of online connections and remote communication. 2.3.1.2. Technology Assessment All technological devices i.e. software and hardware must be scrutinized to determine how genuine, free of malicious codes, and properly developed to conform to its functions. 2.3.1.3. Risk Assessment Present and significant risks in any situation, are used in this process of risk assessment and decision making. Risk assessment evaluation requires accuracy, timeliness, reliability and complete information. There exist only two different types of information that can be considered for management process i.e. pre-incident planning and preparation and information management and application for the duration of emergencies. 2.3.1.4. Control Implementation and Vulnerability Assessment This strategy will guarantee recommendations in accordance to the ADF/ICT security policies. 2.3.1.5. Education and Training It is with a view of sensitizing and modeling the workforce into a fully skilled group for effectiveness. 2.3.1.6. Audits and Monitoring Auditing and monitoring and strategies aimed at watching if ADF conforms to its mandates in all sectors. 2.3.1.7. Policy Development and review ADF policies in the HR, ICT, Managerial and Operation departments will reviewed to check if they all gear towards the common goal of maximum security. 2.3.1.8. Response Planning and Practice Rejoinder preparedness in any malicious intrusion in the Critical Infrastructure through; codes, forcefully, or over the communication links must be set and brought to the table for all concerned personnel to take caution of. 2.3.2. Program Budget The projection given in the table below (2010 – 2015 financial years) depicts estimate project running and coordination valuation in Million dollars. Task 2010-2011 2011-2012 2012-2013 2013-2014 2014-2015 Policy Development 1.1 0.8 0.6 0.5 0.5 Program management 1.5 2.0 2.2 2.5 2.5 Sensitization 2.0 2.0 2.1 2.0 2.0 Technological Assessment 1.5 1.5 1.7 1.9 2.0 Response Practice 2.0 2.4 2.8 3.0 3.2 Audit & Monitoring 2.0 2.2 2.3 2.5 2.5 Risk Assessment 1.5 1.5 1.7 1.9 2.0 Response measures 3.0 3.0 3.2 3.2 3.5 Control Implementations 2.4 2.4 2.6 3.0 3.0 References Cassidy et al. 2008] Cassidy, R.F., Chavez, A., Trent, J., Urrea, J.: “Remote forensic analysis of process control systems”; IFIP International Federation for Information Processing, 253, critical infrastructure protection, (2008), 223-235. Read More