3.1 Compare and contrast risk related concepts - Paiet/Tech-Journal-for-Everything GitHub Wiki

3.1 Compare and contrast risk related concepts

  • Disaster recovery
    • Getting back to production after a worst-case event destroys data or systems; the plan is only as good as the last tested backup
      • Natural Disasters
        • Fire, flood, wind/storm, lightning
        • Good documentation is key to rebuilding
      • Data Destruction
        • Accidental/malicious deletion
        • Malware infection
      • Hardware failure
        • Hot spare (a powered, configured standby unit ready to take over)
        • Good service contract with vendor for quick replacement
          • e.g. a 4-hour guaranteed delivery of replacement parts
        • Avoid unique or hard to find hardware
          • Extended replacement times = productivity loss
  • Business continuity
    • This is the plan and procedures that are in place to mitigate downtime of normal business operations during a disaster event
    • This should either keep the business operating during a disaster or get the business operational after a short amount of downtime
    • Consists of 3 elements
      • Resilience
        • Functions and infrastructure designed to withstand disruptions
      • Recovery
        • The ability to quickly restore operation of a failed device or system through backups and operating procedures
      • Contingency
        • What to do in case Resilience and Recovery measures were ineffective
        • Backup plans for your backup plans
  • Battery backups/UPS
    • Critical systems shouldn't go down due to loss of power
    • A UPS carries the load through brief outages and bridges the gap until a generator is running; it is not a long-term power source
      • Battery banks
      • Generators (for extended outages; must be tested under load)
      • Local battery backup units (per-device UPS for a single server, switch, or workstation)
  • First responders
    • The first person(s) on the emergency call list
      • Network/Security specialist
      • Top tier/senior admins
      • Human Resources
  • Data breach
    • Sensitive data that is lost, stolen, sold, copied, transmitted, or viewed by someone not authorized to have it
    • Intentional or Unintentional
    • Includes sensitive data like...
      • Trade secrets
      • Intellectual Property
      • Financial information (CC numbers)
      • User or employee personal data
  • End user awareness and training
    • All the security countermeasures in the world won't help if the users are giving away the keys to the castle
    • Users need to be made aware of their role in the system security
      • Official security awareness training and practice documentation, made available on or posted to the intranet
      • Security guidelines read and signed by each user
    • Security training should be made available if possible
      • Class, either online or instructor-led
      • Completion of an exam with a passing score
      • Continuing education as technology and threats change
    • Personal security
      • Physical Security
        • Access to buildings and restricted areas
      • System Security
        • Passwords, badges, keys
          • DO NOT SHARE!!!
        • Personal work information should be saved to a secure location
      • Device Security
        • Logging off/locking devices
        • Encryption
  • Single point of failure
    • Any one component (device, link, person, or process) whose failure takes down the whole service
    • Critical nodes: a switch, router, or server that is the only path to part of the network
    • Critical assets: data, systems, or people the business cannot operate without
    • Redundancy: remove the single point by adding a second path, device, or person, then test the failover
  • Adherence to standards and policies
    • Read them, know them, follow them
      • In house
      • Legal
  • Vulnerability scanning
    • Automated scanning of the network and systems for open ports, missing patches, and known vulnerabilities
    • Identifies potential points of compromise but does not exploit them; findings still need to be verified
  • Penetration testing
    • Actively attempting to break security by hacking into your own systems, with authorization, to verify that vulnerabilities are real and exploitable
    • Use the tools and tricks of attackers to find the flaws in your security
    • White/Grey/Black Box testing
      • White box: tester has full knowledge (network diagrams, configurations, source code, credentials)
      • Grey box: tester has partial knowledge, e.g. a normal user account and a general idea of the environment
      • Black box: tester has no prior knowledge; simulates an outside attacker
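Added example for the "Single point of failure" notes above (not code from the original wiki page). It takes a constructed topology of hypothetical node names and finds the critical nodes: the ones whose failure cuts off part of the network. `fw1`, `core1`, `dist-b` and `core2` form a ring, so no single one of them is a single point of failure; `dist-a` and its access switches hang off `core1` alone.

```python
from collections import defaultdict

# Constructed sample topology: undirected links between hypothetical nodes.
SAMPLE_LINKS = [
    ("fw1", "core1"),
    ("core1", "dist-a"),
    ("core1", "dist-b"),
    ("dist-a", "access-a1"),
    ("dist-a", "access-a2"),
    ("dist-b", "access-b1"),
    ("core2", "dist-b"),
    ("core2", "fw1"),
]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def articulation_points(graph):
    """Nodes whose removal splits the graph (Hopcroft-Tarjan low-point DFS)."""
    disc, low, parent = {}, {}, {}
    critical = set()
    counter = [0]

    def dfs(u):
        disc[u] = low[u] = counter[0]
        counter[0] += 1
        children = 0
        for v in graph[u]:
            if v not in disc:
                parent[v] = u
                children += 1
                dfs(v)
                low[u] = min(low[u], low[v])
                # The DFS root is critical with more than one child; any other
                # node is critical if some subtree cannot climb back above it.
                if u not in parent and children > 1:
                    critical.add(u)
                if u in parent and low[v] >= disc[u]:
                    critical.add(u)
            elif v != parent.get(u):
                low[u] = min(low[u], disc[v])

    for node in graph:
        if node not in disc:
            dfs(node)
    return critical


def stranded_by(graph, node, anchor):
    """Nodes that lose their path to `anchor` (e.g. the internet edge) when `node` fails."""
    seen = {anchor}
    stack = [anchor]
    while stack:
        u = stack.pop()
        for v in graph[u]:
            if v != node and v not in seen:
                seen.add(v)
                stack.append(v)
    return set(graph) - seen - {node}


def spof_report(links, anchor):
    """Map each single point of failure to the nodes its failure would strand."""
    graph = build_graph(links)
    return {n: stranded_by(graph, n, anchor) for n in sorted(articulation_points(graph))}


if __name__ == "__main__":
    for node, lost in spof_report(SAMPLE_LINKS, "fw1").items():
        print(f"{node}: failure strands {sorted(lost)}")
```

The report is the list to take into the redundancy discussion: each critical node is a candidate for a second uplink or a hot spare, and the stranded set sizes the outage if nothing is done.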
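Added example for the "Vulnerability scanning" notes above (not code from the original wiki page). It shows the matching step a scanner performs after service detection: parse a constructed inventory in the shape of `nmap -sV` output, then compare each version against a constructed advisory table with hypothetical `EXAMPLE-*` identifiers. Versions are compared numerically, not as strings, so `2.4.49` sorts before `2.4.51` and `7.2p2` before `7.4`.

```python
import re

# Constructed service inventory in the shape of `nmap -sV` output.
SAMPLE_INVENTORY = """\
22/tcp   open  ssh    OpenSSH 7.2p2
80/tcp   open  http   Apache httpd 2.4.49
443/tcp  open  http   nginx 1.24.0
3306/tcp open  mysql  MySQL 5.7.20
"""

# Constructed advisory table with hypothetical IDs (not real advisories):
# a product is flagged when affected_from <= version < fixed_in.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "OpenSSH", "affected_from": "0", "fixed_in": "7.4"},
    {"id": "EXAMPLE-0002", "product": "Apache httpd", "affected_from": "2.4.49", "fixed_in": "2.4.51"},
    {"id": "EXAMPLE-0003", "product": "MySQL", "affected_from": "5.7.0", "fixed_in": "5.7.21"},
    {"id": "EXAMPLE-0004", "product": "nginx", "affected_from": "1.0", "fixed_in": "1.20.0"},
]

# port/proto, state, service name, then product (may contain spaces) and version.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+\s+(.*?)\s+(\d[\w.]*)$")


def version_key(version):
    """Numeric components only: '7.2p2' -> (7, 2, 2), '7.4' -> (7, 4).
    Letter suffixes are dropped, a simplification this example accepts."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_inventory(text):
    """Turn inventory lines into service records; lines that don't match are skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, product, version = m.groups()
            services.append({"port": int(port), "proto": proto,
                             "product": product, "version": version})
    return services


def is_affected(version, advisory):
    """True when the version falls inside the advisory's affected range."""
    v = version_key(version)
    return version_key(advisory["affected_from"]) <= v < version_key(advisory["fixed_in"])


def find_vulnerabilities(inventory_text, advisories):
    """Match every detected service against the advisory table."""
    findings = []
    for svc in parse_inventory(inventory_text):
        for adv in advisories:
            if adv["product"] == svc["product"] and is_affected(svc["version"], adv):
                findings.append({"port": svc["port"], "product": svc["product"],
                                 "version": svc["version"], "id": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerabilities(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{f['port']}/{f['product']} {f['version']}: {f['id']} (fixed in {f['fixed_in']})")
```

Banner-based matching is only a candidate list: a vendor may backport a fix without bumping the version, and a banner can be altered, which is why the penetration-testing step exists to verify what the scanner reports.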