Business Continuity Management, Part 1: The NIST SP800-34r1 Standard


A few opening remarks first, on why NIST SP800-34 deserves a post of its own:

1. From the CISSP exam's perspective: the exam covers 8 domains, and at least 3 of them raise business continuity management, from planning and operations through to specific implementation technologies and applications. Business continuity management runs through every part of the information security body of knowledge and is an important guarantee of availability in the CIA triad.

2. From the perspective of enterprise operations: information technology is now the foundation of production and operations, and business continuity is what safeguards it.

Business continuity / contingency management capability (SP800-34) / continuity management capability becomes ever more prominent as enterprises use information technology more deeply and broadly. Here is an example from the author's own experience.

At a large, traditional, state-owned manufacturing enterprise, employees' understanding of information systems went through several stages. In the first stage, when IT was only beginning to be applied, most people resisted it, especially front-line shop-floor staff, and the information systems themselves were not well built out. In the second stage, the resistance faded and information systems were applied across the board, but without enough granularity; at this point front-line workers actually hoped the system would go down. Why? Because if the system was unavailable, production had to stop, and if production stopped, nobody had to work. At this stage IT could not yet fully support the enterprise's operations. In the third stage, the enterprise integrated IT into every link of production and operations: operational planning and employee performance monitoring both lived in the information systems, so an outage meant an immediate work stoppage, employees lost recorded output and therefore wages, and the enterprise suffered heavy losses from the stoppage. IT had bound the employees' interests to the enterprise's and was finally delivering its full value. These three stages show that both building IT capability and coming to understand it are gradual processes, and only at the third stage does the importance of business continuity to IT really begin to show. As IT penetrates ever deeper into production, normal operations depend on it more and more; data assets have become the core assets of the modern enterprise, and data availability has become an important foundation of core competitiveness. How to guarantee data availability has therefore become a key topic of our time.

As for how to plan and build business continuity, most enterprises are still at the starting line. Most IT departments are probably still at the stage of pleading daily for redundant equipment and for a backup center, senior decision-makers are still weighing investment against return, and whatever exists has been cobbled together without forming a system; at this stage the IT department can only pray that the equipment keeps running. Once again, this is a plea to enterprises to start taking business continuity seriously: do not leave it to the IT department to justify, but think about it at the level of enterprise strategy. If one day a failure really does occur, or worse, data is lost, or worse still, large volumes of research and production data are lost, it will be too late for regrets.

Enough rambling; on to the main topic.
I. Contingency planning

NIST SP800-34 (hereafter "34") is the Contingency Planning Guide for Federal Information Systems.

The original text reads:

Information system contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption.

Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption. Contingency planning is unique to each system, providing preventive measures, recovery strategies, and technical considerations appropriate to the system's information confidentiality, integrity, and availability requirements and the system impact level.
 
II. The relationship between contingency planning and risk management

An organization must have the ability to withstand all hazards and sustain its mission through environmental changes. These changes can be gradual, such as economic or mission changes, or sudden, as in a disaster event. Rather than just working to identify and mitigate threats, vulnerabilities, and risks, organizations can work toward building a resilient infrastructure, minimizing the impact of any disruption on mission essential functions.

Resilience[7] is the ability to quickly adapt and recover from any known or unknown changes to the environment. Resiliency is not a process, but rather an end-state for organizations. The goal of a resilient organization is to continue mission essential functions at all times during any type of disruption. Resilient organizations continually work to adapt to changes and risks that can affect their ability to continue critical functions. Risk management, contingency, and continuity planning are individual security and emergency management activities that can also be implemented in a holistic manner across an organization as components of a resiliency program.

After all that, what exactly is the relationship between contingency planning and risk management?

Risk management comprises several activities: identifying, analyzing, controlling and monitoring system risks. As the standard puts it, risk management can run independently of contingency management or jointly with it. In the author's understanding, the two complement each other: the risk management process inevitably influences contingency management decisions, and contingency decisions in turn influence the control methods chosen in risk management. In practice, when we perform a BIA, the very first input it draws on is the result of the risk analysis.

 
II. On IT contingency planning

Information system contingency planning represents a broad scope of activities designed to sustain and recover critical system services following an emergency event. Information system contingency planning fits into a much broader security and emergency management effort that includes organizational and business process continuity, disaster recovery planning, and incident management. Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's information systems, mission/business processes, personnel, and the facility. Because there is an inherent relationship between an information system and the mission/business process it supports, there must be coordination between each plan during development and updates to ensure that recovery strategies and supporting resources neither negate each other nor duplicate efforts.

Continuity and contingency planning are critical components of emergency management and organizational resilience but are often confused in their use. Continuity planning normally applies to the mission/business itself; it concerns the ability to continue critical functions and processes during and after an emergency event. Contingency planning normally applies to information systems, and provides the steps needed to recover the operation of all or part of designated information systems at an existing or new location in an emergency. Cyber Incident Response Planning is a type of plan that normally focuses on detection, response, and recovery to a computer security incident or event.

In general, universally accepted definitions for information system contingency planning and the related planning areas have not been available. Occasionally, this leads to confusion regarding the actual scope and purpose of various types of plans. To provide a common basis of understanding regarding information system contingency planning, this section identifies several other types of plans and describes their purpose and scope relative to information system contingency planning. Because of the lack of standard definitions for these types of plans, the scope of actual plans developed by organizations may vary from the descriptions below. This guide applies the descriptions and references in sections below to security and emergency management-related plans. The plans listed are in alphabetical order, and do not imply any order of importance.

Summing up: contingency management planning involves multiple plans, with the BCP at the core and the others related to it.

Next, let's look at the definition of each plan.
1) Business Continuity Plan (BCP)

The BCP focuses on sustaining an organization's mission/business processes during and after a disruption. An example of a mission/business process may be an organization's payroll process or customer service process. A BCP may be written for mission/business processes within a single business unit or may address the entire organization's processes.

In one sentence: the plan for keeping the organization running during and after a disruption.

2) Continuity of Operations (COOP) Plan

COOP focuses on restoring an organization's mission essential functions (MEF) at an alternate site and performing those functions for up to 30 days before returning to normal operations. Additional functions, or those at a field office level, may be addressed by a BCP. Minor threats or disruptions that do not require relocation to an alternate site are typically not addressed in a COOP plan.

In one sentence: the plan for temporary recovery at a disaster recovery center. It emphasizes the organization's ability to resume operations at an alternate site; the plan does not need to cover IT operations.

3) Crisis Communications Plan

Organizations should document standard procedures for internal and external communications in the event of a disruption using a crisis communications plan. A crisis communications plan is often developed by the organization responsible for public outreach. The plan provides various formats for communications appropriate to the incident. The crisis communications plan typically designates specific individuals as the only authority for answering questions from or providing information to the public regarding emergency response. It may also include procedures for disseminating reports to personnel on the status of the incident and templates for public press releases. The crisis communication plan procedures should be communicated to the organization's COOP and BCP planners to ensure that the plans include clear direction that only approved statements are released to the public by authorized officials.

In one sentence: after an incident, internal communications (whom to contact) and external communications (whom to speak to; responding to the media).

4) Critical Infrastructure Protection (CIP) Plan

Critical infrastructure and key resources (CIKR) are those components of the national infrastructure that are deemed so vital that their loss would have a debilitating effect on the safety, security, economy, and/or health of the United States.[10] A CIP plan is a set of policies and procedures that serve to protect and recover these national assets and mitigate risks and vulnerabilities.

In one sentence: facilities that bear on the national economy and people's livelihood.

5) Cyber Incident Response Plan

The cyber incident response plan[11] establishes procedures to address cyber attacks against an organization's information system(s).[12] These procedures are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware, software, or data (e.g., malicious logic, such as a virus, worm, or Trojan horse). This plan may be included as an appendix of the BCP.

In one sentence: addresses cyber attack incidents; may be included as an appendix to the BCP.

6) Disaster Recovery Plan (DRP)

The DRP applies to major, usually physical disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. The DRP may be supported by multiple information system contingency plans to address recovery of impacted individual systems once the alternate facility has been established. A DRP may support a BCP or COOP plan by recovering supporting systems for mission/business processes or mission essential functions at an alternate location. The DRP only addresses information system disruptions that require relocation.

In one sentence: temporary recovery of urgent, important systems at an alternate facility.

7) Information System Contingency Plan (ISCP)

An ISCP provides established procedures for the assessment and recovery of a system following a system disruption. The ISCP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.

The ISCP differs from a DRP primarily in that the information system contingency plan procedures are developed for recovery of the system regardless of site or location. An ISCP can be activated at the system's current location or at an alternate site. In contrast, a DRP is primarily a site-specific plan developed with procedures to move operations of one or more information systems from a damaged or uninhabitable location to a temporary alternate location. Once the DRP has successfully transferred an information system site to an alternate site, each affected system would then use its respective ISCP to restore, recover, and test systems, and put them into operation.

In one sentence: the procedures for assessing a system after a system disruption.

8) Occupant Emergency Plan (OEP)

The OEP outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. Such events include a fire, bomb threat, chemical release, domestic violence in the workplace, or a medical emergency. Shelter-in-place procedures for events requiring personnel to stay inside the building rather than evacuate are also addressed in an OEP. OEPs are developed at the facility level, specific to the geographic location and structural design of the building.

In one sentence: concerns the safety of personnel, property and the environment.

Summary of the plans (purpose, scope and relationship to the other plans):

Plan: Business Continuity Plan (BCP)
Purpose: Provides procedures for sustaining mission/business operations while recovering from a significant disruption.
Scope: Addresses mission/business processes at a lower or expanded level from COOP MEFs.
Plan relationship: Mission/business process focused plan that may be activated in coordination with a COOP plan to sustain non-MEFs.

Plan: Continuity of Operations (COOP) Plan
Purpose: Provides procedures and guidance to sustain an organization's MEFs at an alternate site for up to 30 days.
Scope: Addresses MEFs at a facility; information systems are addressed based only on their support of the mission essential functions.
Plan relationship: MEF focused plan that may also activate several business unit-level BCPs, ISCPs, or DRPs, as appropriate.

Plan: Crisis Communications Plan
Purpose: Provides procedures for disseminating internal and external communications; means to provide critical status information and control rumors.
Scope: Addresses communications with personnel and the public; not information system-focused.
Plan relationship: Incident-based plan often activated with a COOP or BCP, but may be used alone during a public exposure event.

Plan: Critical Infrastructure Protection (CIP) Plan
Purpose: Provides policies and procedures for protection of national critical infrastructure components, as defined in the National Infrastructure Protection Plan.
Scope: Addresses critical infrastructure components that are supported or operated by an agency or organization.
Plan relationship: Risk management plan that supports COOP plans for organizations with critical infrastructure and key resource assets.

Plan: Cyber Incident Response Plan
Purpose: Provides procedures for mitigating and correcting a cyber attack, such as a virus, worm, or Trojan horse.
Scope: Addresses mitigation and isolation of affected systems, cleanup, and minimizing loss of information.
Plan relationship: Information system-focused plan that may activate an ISCP or DRP, depending on the extent of the attack.

Plan: Disaster Recovery Plan (DRP)
Purpose: Provides procedures for relocating information systems operations to an alternate location.
Scope: Activated after major system disruptions with long-term effects.
Plan relationship: Information system-focused plan that activates one or more ISCPs for recovery of individual systems.

Plan: Information System Contingency Plan (ISCP)
Purpose: Provides procedures and capabilities for recovering an information system.
Scope: Addresses single information system recovery at the current or, if appropriate, alternate location.
Plan relationship: Information system-focused plan that may be activated independently of other plans or as part of a larger recovery effort coordinated with a DRP, COOP, and/or BCP.

Plan: Occupant Emergency Plan (OEP)
Purpose: Provides coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat.
Scope: Focuses on the specific facility; not mission/business process- or information system-based.
Plan relationship: Incident-based plan that is initiated immediately after an event, preceding a COOP or DRP activation.

The figure shows the interrelationships among these plans, each of which is implemented in response to events within its respective scope.

 

III. The seven steps of IT contingency planning

This section describes the process to develop and maintain an effective information system contingency plan. The process presented is common to all information systems. The seven steps in the process are:

1. Develop the contingency planning policy;
2. Conduct the business impact analysis (BIA);
3. Identify preventive controls;
4. Create contingency strategies;
5. Develop an information system contingency plan;
6. Ensure plan testing, training, and exercises; and
7. Ensure plan maintenance.

Contingency planning process flowchart

1. Develop the contingency planning policy statement

To be effective and to ensure that personnel fully understand the organization's contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the organization's overall contingency objectives and establish the organizational framework and responsibilities for system contingency planning. To be successful, senior management, most likely the CIO, must support a contingency program and be included in the process to develop the program policy.

2. Business impact analysis (BIA)

The BIA is a key step in implementing the CP controls in NIST SP 800-53 and in the contingency planning process overall. The BIA enables the ISCP Coordinator to characterize the system components, supported mission/business processes, and interdependencies. The BIA purpose is to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption. The ISCP Coordinator can use the BIA results to determine contingency planning requirements and priorities. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's COOP, BCPs, and DRP. The BIA should be performed during the Initiation phase of the SDLC.

In one sentence: the BIA is the key step of every plan; it sorts out business relationships, disruption impacts and priorities, and is the basis for decisions.

A BIA usually takes three steps:

1. Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission.

Summary: business processes, disruption impacts, maximum tolerable time.

2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.

3. Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.

The figure below shows the BIA process and data collection activities for a representative information system with multiple components (servers); it is intended to help the ISCP Coordinator streamline and focus contingency plan development activities for a more effective plan.

2.1. Determine business processes and recovery criticality

To accomplish the BIA and better understand the impacts a system outage or disruption can have on the organization, the ISCP Coordinator should work with management and internal and external points of contact (POC) to identify and validate mission/business processes and processes that depend on or support the information system.

The identified impacts are then analyzed further in terms of availability, integrity and confidentiality and the established information system impact level.

The ISCP Coordinator should next analyze the supported mission/business processes and with the process owners, leadership and business managers determine the acceptable downtime if a given process or specific system data were disrupted or otherwise unavailable. Downtime can be determined in several ways.

Maximum Tolerable Downtime (MTD). The MTD represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption, and includes all impact considerations.

Recovery Time Objective (RTO). The RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for selecting the technologies best suited to meeting the MTD.

Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered after an outage (given the most recent backup copy of the data). Unlike the RTO, the RPO is not considered part of the MTD. Rather, it is a factor of how much data loss the mission/business process can tolerate during the recovery process.

Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. For example, a system outage may prevent a particular process from being completed, and because it takes time to reprocess the data, additional processing time must be added to the RTO to stay within the time limit established by the MTD.

The ISCP Coordinator should work with management to determine the optimum point for recovering the information system by addressing the factors above, while balancing the cost of system unavailability against the cost of the resources required to restore the system and its overall support for critical mission/business processes. This can be depicted in a simple chart, such as the example in the figure.

The longer a disruption is allowed to continue, the more costly it becomes to the organization and its operations. Conversely, the shorter the RTO, the more expensive the recovery solution is to implement.

The explanation of MTD, RPO and RTO above is rather long-winded; a single chart says it better.

To summarize: the RTO is the time from the failure until the system can be brought back up. On top of that comes the time needed to restore the data, the WRT (work recovery time); that is, the system is running but cannot yet serve users because its data has not been restored. RTO plus WRT together make up the MTD, so RTO + WRT must be less than the MTD. And what is the real bottom line for how much may be lost in recovery? That is the RPO. An example: after a system failure, the time to get the system running again is the RTO, and the time to restore the data is the WRT; if the enterprise can tolerate losing at most one day, then that one day is the RPO, the largest loss the enterprise can bear.
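The RTO/WRT/MTD/RPO relationships summarized above, expressed as a check that can be run over the figures a BIA produces for a system. This is an added example, not code from NIST SP 800-34 or from this post; the class and function names, the sample systems and all of their numbers are assumptions constructed for illustration. The backup-interval check goes one step beyond the text: because the page defines the RPO relative to the most recent backup copy, a backup taken less often than the RPO cannot meet it.

```python
"""Added example (not from NIST SP 800-34 or this post): consistency checks
on the recovery objectives a BIA produces for one system.

Rules, taken from the definitions on this page:
  - RTO + WRT must not exceed MTD: the RTO brings the system up, the WRT
    restores its data, and only then can it provide service again.
  - RPO is the data loss the process can tolerate, measured from the most
    recent backup copy, so the backup interval must not exceed the RPO.
Class and function names, the sample systems and all numbers are constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta


def hours(t: timedelta) -> float:
    """Express a timedelta in hours for readable findings."""
    return t.total_seconds() / 3600


@dataclass(frozen=True)
class RecoveryObjectives:
    system: str
    mtd: timedelta              # maximum tolerable downtime
    rto: timedelta              # recovery time objective (system back up)
    wrt: timedelta              # work recovery time (data restored, service resumes)
    rpo: timedelta              # recovery point objective (tolerable data loss)
    backup_interval: timedelta  # how often a restorable copy is actually taken


def slack(o: RecoveryObjectives) -> timedelta:
    """Time left between full recovery (RTO + WRT) and the MTD; negative means the MTD is missed."""
    return o.mtd - (o.rto + o.wrt)


def check_objectives(o: RecoveryObjectives) -> list[str]:
    """Return findings for objectives that cannot be met; an empty list means they are consistent."""
    findings = []
    if o.rto + o.wrt > o.mtd:
        findings.append(
            f"{o.system}: RTO {hours(o.rto):g}h + WRT {hours(o.wrt):g}h = "
            f"{hours(o.rto + o.wrt):g}h exceeds MTD {hours(o.mtd):g}h"
        )
    if o.backup_interval > o.rpo:
        findings.append(
            f"{o.system}: backups every {hours(o.backup_interval):g}h cannot meet "
            f"RPO {hours(o.rpo):g}h (worst-case data loss equals the backup interval)"
        )
    return findings


# Constructed sample BIA results for two hypothetical systems.
SAMPLE = {
    "payroll": RecoveryObjectives(
        "payroll", mtd=timedelta(hours=72), rto=timedelta(hours=24),
        wrt=timedelta(hours=12), rpo=timedelta(hours=24),
        backup_interval=timedelta(hours=24)),
    "order-entry": RecoveryObjectives(
        "order-entry", mtd=timedelta(hours=8), rto=timedelta(hours=4),
        wrt=timedelta(hours=6), rpo=timedelta(hours=1),
        backup_interval=timedelta(hours=24)),
}

if __name__ == "__main__":
    for o in SAMPLE.values():
        print(f"{o.system}: slack {hours(slack(o)):g}h")
        for f in check_objectives(o):
            print("  FINDING:", f)
```

Run stand-alone, the constructed "payroll" system passes with 36 hours of slack, while "order-entry" produces two findings: its RTO plus WRT overshoots the MTD by two hours, and a daily backup cannot satisfy a one-hour RPO. Either finding means the strategy chosen in step 4 (shorter restore path, more frequent backups or replication) has to change, or management has to revisit the objective.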

2.2. Determine resource requirements

Realistic recovery efforts require a thorough evaluation of the resources required for recovery.

In other words, determine which resources are needed to meet the recovery objectives, including people, funding and equipment.

2.3. Determine recovery priorities for system resources

Developing recovery priorities is the last step of the BIA process. Recovery priorities can be effectively established taking into consideration mission/business process criticality, outage impacts, tolerable downtime, and system resources. The result is an information system recovery priority hierarchy. The ISCP Coordinator should consider system recovery measures and technologies to meet the recovery priorities.
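The recovery priority hierarchy this step produces, worked through in code. This is an added example, not code from NIST SP 800-34 or from this post; the class and function names, the sample resources, their tiers, MTDs and dependencies are assumptions constructed for illustration. It goes slightly beyond the text by also flagging the case the BIA has to catch: a resource whose dependency is allowed to stay down longer than the resource itself.

```python
"""Added example (not from NIST SP 800-34 or this post): turning BIA results
into a recovery priority hierarchy.

Each resource carries the criticality tier and MTD the BIA assigned it plus
the resources it depends on. The sequence recovers every dependency before
the resources that need it and, within that constraint, orders by tier and
then by MTD. A finding is raised where a dependency's MTD is longer than a
dependent's: the dependent cannot meet its own MTD until that is resolved.
Class and function names, the sample resources and numbers are constructed
for illustration.
"""
from dataclasses import dataclass
from graphlib import TopologicalSorter  # standard library, Python 3.9+


@dataclass(frozen=True)
class Resource:
    name: str
    tier: int                         # 1 = most critical, as rated in the BIA
    mtd_hours: float                  # maximum tolerable downtime from the BIA
    depends_on: tuple[str, ...] = ()  # resources that must be recovered first


def recovery_sequence(resources: dict[str, Resource]) -> list[str]:
    """Dependency-respecting recovery order; ties broken by tier, then MTD, then name.

    Raises graphlib.CycleError if the dependency graph is circular.
    """
    sorter = TopologicalSorter({n: set(r.depends_on) for n, r in resources.items()})
    sorter.prepare()
    ready = list(sorter.get_ready())
    order = []
    while ready:
        ready.sort(key=lambda n: (resources[n].tier, resources[n].mtd_hours, n))
        nxt = ready.pop(0)          # most urgent resource whose dependencies are done
        order.append(nxt)
        sorter.done(nxt)
        ready.extend(sorter.get_ready())  # dependents unblocked by this step
    return order


def mtd_conflicts(resources: dict[str, Resource]) -> list[str]:
    """Findings where a resource depends on something allowed to stay down longer than itself."""
    findings = []
    for r in resources.values():
        for dep in r.depends_on:
            d = resources[dep]
            if d.mtd_hours > r.mtd_hours:
                findings.append(
                    f"{r.name} (MTD {r.mtd_hours:g}h) depends on {d.name} "
                    f"(MTD {d.mtd_hours:g}h): tighten {d.name}'s MTD or remove the dependency"
                )
    return findings


# Constructed sample: a small environment as a BIA might inventory it.
SAMPLE = {r.name: r for r in [
    Resource("directory-auth", tier=1, mtd_hours=4),
    Resource("storage-array", tier=1, mtd_hours=4),
    Resource("payroll-db", tier=2, mtd_hours=24, depends_on=("storage-array",)),
    Resource("payroll-app", tier=2, mtd_hours=24, depends_on=("payroll-db", "directory-auth")),
    Resource("reporting", tier=3, mtd_hours=72, depends_on=("payroll-db",)),
    Resource("customer-portal", tier=1, mtd_hours=8, depends_on=("directory-auth", "reporting")),
]}

if __name__ == "__main__":
    print("recovery sequence:", " -> ".join(recovery_sequence(SAMPLE)))
    for f in mtd_conflicts(SAMPLE):
        print("FINDING:", f)
```

In the constructed sample the tier-1 "customer-portal" ends up last in the sequence, because it depends on a tier-3 reporting system with a 72-hour MTD; `mtd_conflicts` reports exactly that, which is the kind of inconsistency the BIA should send back to the process owners before priorities are finalized.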

3. Identify preventive controls

In some cases, the outage impacts identified in the BIA may be mitigated or eliminated through preventive measures that deter, detect, and/or reduce impacts to the system. Where feasible and cost-effective, preventive methods are preferable to actions that may be necessary to recover the system after a disruption. Step 2 of the RMF includes the identification of effective contingency planning preventive controls and maintaining these controls on an ongoing basis.

These include UPS, fire suppression systems, backup media, and so on.

4. Create contingency strategies

Contingency strategies are created to mitigate the risks for the contingency planning family of controls and cover the full range of backup, recovery, contingency planning, testing, and ongoing maintenance.

4.1. Backup and recovery

Backup and recovery methods and strategies are a means to restore system operations quickly and effectively following a service disruption. The methods and strategies should address disruption impacts and allowable downtimes identified in the BIA and should be integrated into the system architecture during the Development/Acquisition phase of the SDLC. A wide variety of recovery approaches may be considered, with the appropriate choice being highly dependent upon the incident, type of system, BIA/FIPS 199 impact level, and the system's operational requirements. Specific recovery methods further described in Section 3.4.2 should be considered and may include commercial contracts with alternate site vendors, reciprocal agreements with internal or external organizations, and service-level agreements (SLAs) with equipment vendors. In addition, technologies such as redundant arrays of independent disks (RAID), automatic failover, UPS, server clustering, and mirrored systems should be considered when developing a system recovery strategy.

Several alternative approaches should be considered when developing and comparing strategies, including cost, maximum downtimes, security, recovery priorities, and integration with larger, organization-level contingency plans. The table is an example that can assist in identifying the linkage of FIPS 199 impact level for the availability security objective, recovery priority, backup, and recovery strategy.

4.2. Backup methods and offsite storage

System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data, file-naming conventions, media rotation frequency, and method for transporting data offsite. Data may be backed up on magnetic disk, tape, or optical disks, such as compact disks (CDs). The specific method chosen for conducting backups should be based on system and data availability and integrity requirements. These methods may include electronic vaulting, network storage, and tape library systems.

It is good business practice to store backed-up data offsite. Commercial data storage facilities are specially designed to archive media and protect data from threatening elements. If using offsite storage, data is backed up at the organization's facility and then labeled, packed, and transported to the storage facility. If the data is required for recovery or testing purposes, the organization contacts the storage facility requesting specific data to be transported to the organization or to an alternate facility.

Commercial storage facilities often offer media transportation and response and recovery services. When selecting an offsite storage facility and vendor, the following criteria should be considered:

4.3. Alternate sites

Types of alternate sites include:

  • Hot site
  • Warm site
  • Cold site

As stated in Section 2.1, NIST SP 800-53 identifies the CP controls for information systems. The FIPS 199 security categorization for the availability security objective determines which controls apply to a particular system. For example, an information system categorized with a low-availability security objective does not require alternate storage or a processing site (CP-6 and CP-7, respectively), and an information system with a moderate-availability security objective requires the system backup and testing the backup (CP-9 [1]).

4.4. Equipment replacement

If the information system is damaged or destroyed or the primary site is unavailable, necessary hardware and software will need to be activated or procured quickly and delivered to the alternate location. Three basic strategies exist to prepare for equipment replacement.

4.5. Cost considerations

The ISCP Coordinator should ensure that the strategy chosen can be implemented effectively with available personnel and financial resources. The cost of each type of alternate site, equipment replacement, and storage option under consideration should be weighed against budget limitations. The coordinator should determine known contingency planning expenses, such as alternate site contract fees, and those that are less obvious, such as the cost of implementing an agency-wide contingency awareness program and contractor support. The budget must be sufficient to encompass software, hardware, travel and shipping, testing, plan training programs, awareness programs, labor hours, other contracted services, and any other applicable resources (e.g., desks, telephones, fax machines, pens, and paper). The organization should perform a cost-benefit analysis to identify the optimum contingency strategy. The table provides a template for evaluating cost considerations.

4.6. Roles and responsibilities

Having selected and implemented the backup and system recovery strategies, the ISCP Coordinator must designate appropriate teams to implement the strategy. Each team should be trained and ready to respond in the event of a disruptive situation requiring plan activation. Recovery personnel should be assigned to one of several specific teams that will respond to the event, recover capabilities, and return the system to normal operations. To do so, recovery team members need to clearly understand the team's recovery effort goal, individual procedures the team will execute, and how interdependencies between recovery teams may affect overall strategies.

Develop the information system contingency plan: this step is covered in detail in section IV.

 

5. Testing, training and exercises (TT&E)

An ISCP should be maintained in a state of readiness, which includes having personnel trained to fulfill their roles and responsibilities within the plan, having plans exercised to validate their content, and having systems and system components tested to ensure their operability in the environment specified in the ISCP.

Organizations should conduct TT&E events periodically, following organizational or system changes, or the issuance of new TT&E guidance, or as otherwise needed. Execution of TT&E events assists organizations in determining the plan's effectiveness, and that all personnel know what their roles are in the conduct of each information system plan. TT&E event schedules are often dictated in part by organizational requirements.

For each TT&E event executed, the results are documented in an after-action report, and lessons learned and corrective actions are collected to update the information in the ISCP.

 

5.1. Testing

ISCP testing is a critical element of a viable contingency capability. Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan. Testing can take on several forms and accomplish several objectives but should be conducted in as close to an operating environment as possible. Each information system component should be tested to confirm the accuracy of individual recovery procedures. The following areas should be addressed in a contingency plan test, as applicable:

5.2. Training

Training for personnel with contingency plan responsibilities should focus on familiarizing them with ISCP roles and teaching skills necessary to accomplish those roles. This approach helps ensure that staff is prepared to participate in tests and exercises as well as actual outage events. Training should be provided at least annually.

5.3. Exercises

NIST SP 800-84 identifies the following types of exercises widely used in information system TT&E programs by single organizations:

5.4. Test summary

A TT&E program provides an overall framework for determining, scheduling, and setting objectives for TT&E activities. Guidance on establishing an effective ISCP TT&E program and the various methods and approaches for conducting TT&E activities is provided in NIST SP 800-84. The depth and rigor of ISCP TT&E activities increases with the FIPS 199 availability security objective. All tests and exercises should include some kind of determination of the effects on the organization's operations and provide for a mechanism to update and improve the plan as a result.

6. Plan maintenance

To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. During the Operation/Maintenance phase of the SDLC, information systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies. Therefore, it is essential that the ISCP be reviewed and updated regularly as part of the organization's change management process to ensure that new information is documented and contingency measures are revised if required. As identified as part of RMF Step 6 (Continuous Monitoring), a continuous monitoring process can provide organizations with an effective tool for plan maintenance, producing ongoing updates to security plans, security assessment reports, and plans of action and milestone documents.

As a general rule, the plan should be reviewed for accuracy and completeness at an organization-defined frequency or whenever significant changes occur to any element of the plan. Certain elements, such as contact lists, will require more frequent review. Plans for moderate- or high-impact systems should be reviewed more often.

四、應急計划

該計划包含與中斷后恢復信息系統相關的詳細角色、職責、團隊和過程。ISCP應記錄旨在支持應急行動的技術能力,並應根據組織及其要求進行調整。計划需要平衡細節和靈活性;通常,計划越詳細,可擴展性和通用性就越差。此處提供的信息旨在作為指南;然而,本文件中的計划格式可根據需要進行修改,以更好地滿足用戶的特定系統、操作和組織要求。

The plan contains detailed roles, responsibilities, teams, and procedures associated with restoring an information system following a disruption. The ISCP should document technical capabilities designed to support contingency operations and should be tailored to the organization and its requirements. Plans need to balance detail with flexibility; usually, the more detailed the plan, the less scalable and versatile the approach. The information presented here is meant to be a guide; nevertheless, the plan format in this document may be modified as needed to better meet the user's specific system, operational, and organization requirements.

This guide identifies five main components of the contingency plan.

Plans should be standardized so that they give quick and clear directions when personnel unfamiliar with the plan or the system are called on to perform recovery operations. Plans should be clear, concise, and easy to implement in an emergency. Where possible, checklists and step-by-step procedures should be used. A concise and well-formatted plan reduces the likelihood of producing an overly complex or confusing plan.

Plans should be formatted to provide quick and clear directions in the event that personnel unfamiliar with the plan or the systems are called on to perform recovery operations. Plans should be clear, concise, and easy to implement in an emergency. Where possible, checklists and step-by-step procedures should be used. A concise and well-formatted plan reduces the likelihood of creating an overly complex or confusing plan.

1. Supporting Information

The supporting information component includes an "Introduction" and a "Concept of Operations" section that provide essential background or contextual information, making the contingency plan easier to understand, implement, and maintain. These details help in understanding the applicability of the guidance, in deciding how to use the plan, and in locating associated plans and information outside the scope of this plan.

The supporting information component includes an introduction and concept of operations section providing essential background or contextual information that makes the contingency plan easier to understand, implement, and maintain. These details aid in understanding the applicability of the guidance, in making decisions on how to use the plan, and in providing information on where associated plans and information outside the scope of the plan may be found.

2. Activation and Notification Phase

The Activation and Notification Phase defines the initial actions taken once a system disruption or outage has been detected or appears imminent. This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the plan. At the end of the Activation and Notification Phase, ISCP staff will be ready to perform recovery measures to restore system functions.

The Activation and Notification Phase defines initial actions taken once a system disruption or outage has been detected or appears to be imminent. This phase includes activities to notify recovery personnel, conduct an outage assessment, and activate the plan. At the completion of the Activation and Notification Phase, ISCP staff will be prepared to perform recovery measures to restore system functions.

2.1. Activation Criteria and Procedures

The ISCP should be activated if one or more of the activation criteria for that system are met. When an activation criterion is met, the designated authority should activate the plan. Activation criteria for system outages or disruptions are unique to each organization and should be stated in the contingency planning policy.

The ISCP should be activated if one or more of the activation criteria for that system are met. If an activation criterion is met, the designated authority should activate the plan.[29] Activation criteria for system outages or disruptions are unique for each organization and should be stated in the contingency planning policy.

2.2. Notification Procedures

An outage or disruption may occur with or without prior notice. For example, advance notice is often given that a hurricane is expected to affect an area, or that a computer virus is expected on a certain date. However, there may be no notice of an equipment failure or a criminal act. Notification procedures for both types of situation should be documented in the plan. The procedures should describe the methods used to notify recovery personnel during business and non-business hours. Prompt notification is important for reducing the effects of a disruption on the system; in some cases it provides enough time for system personnel to shut the system down gracefully and avoid a hard crash. Following the outage or disruption, notification should be sent to the Outage Assessment Team so that it can determine the status of the situation and the appropriate next steps.

An outage or disruption may occur with or without prior notice. For example, advance notice is often given that a hurricane is predicted to affect an area or that a computer virus is expected on a certain date. However, there may be no notice of equipment failure or a criminal act. Notification procedures should be documented in the plan for both types of situation. The procedures should describe the methods used to notify recovery personnel during business and non business hours. Prompt notification is important for reducing the effects of a disruption on the system; in some cases, it may provide enough time to allow system personnel to shut down the system gracefully to avoid a hard crash. Following the outage or disruption, notification should be sent to the Outage Assessment Team[30] so that it may determine the status of the situation and appropriate next steps. Outage assessment procedures are described in Section 4.2.3. When outage assessment is complete, the appropriate recovery and system support personnel should be notified.

 

2.3. Outage Assessment

To determine how the ISCP will be implemented following a system disruption or outage, the nature and extent of the disruption must be assessed. The outage assessment should be completed as quickly as conditions permit, with personnel safety remaining the highest priority. Where possible, the Outage Assessment Team is the first team notified of the disruption. Outage assessment procedures may be unique to a particular system, but at a minimum the following areas should be considered:

To determine how the ISCP will be implemented following a system disruption or outage, it is essential to assess the nature and extent of the disruption. The outage assessment should be completed as quickly as the given conditions permit, with personnel safety remaining the highest priority. When possible, the Outage Assessment Team is the first team notified of the disruption. Outage assessment procedures may be unique for the particular system, but the following minimum areas should be addressed:

3. Recovery Phase

Formal recovery operations begin after the ISCP has been activated, the outage assessment has been completed (where possible), personnel have been notified, and the appropriate teams have been mobilized. Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capability at the original or a new alternate location. At the end of the Recovery Phase, the information system will be functional and capable of performing the functions identified in the plan. Depending on the recovery strategies defined in the plan, these functions may include temporary manual processing, recovery and operation on an alternate system, or relocation and recovery at an alternate site. At this stage, only the system resources identified as high priority in the BIA may be recovered.

Formal recovery operations begin after the ISCP has been activated, outage assessments have been completed (if possible), personnel have been notified, and appropriate teams have been mobilized. Recovery Phase activities focus on implementing recovery strategies to restore system capabilities, repair damage, and resume operational capabilities at the original or new alternate location. At the completion of the Recovery Phase, the information system will be functional and capable of performing the functions identified in the plan. Depending on the recovery strategies defined in the plan, these functions could include temporary manual processing, recovery and operation at an alternate system, or relocation and recovery at an alternate site. It is feasible that only system resources identified as high priority in the BIA will be recovered at this stage.

3.1. Sequence of Recovery Activities

When recovering a complex system, such as a wide area network (WAN) or a virtual local area network (VLAN) involving multiple independent components, the recovery process should reflect the system priorities identified in the BIA. The sequence of activities should reflect the system's MTD so as to avoid significant impact on related systems. Procedures should be written in a stepwise, sequential format so that system components can be restored in a logical order. For example, if a LAN is being recovered after a disruption, the most critical servers should be recovered before other, less critical devices such as printers.

When recovering a complex system, such as a wide area network (WAN) or virtual local area network (VLAN) involving multiple independent components, recovery procedures should reflect system priorities identified in the BIA. The sequence of activities should reflect the system's MTD to avoid significant impacts to related systems. Procedures should be written in a stepwise, sequential format so system components may be restored in a logical manner. For example, if a LAN is being recovered after a disruption, then the most critical servers should be recovered before other, less critical devices, such as printers. Similarly, to recover an application server, procedures first should address operating system restoration and verification before the application and its data are recovered. The procedures should also include escalation steps and instructions to coordinate with other teams where relevant when certain situations occur, such as:
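The sequencing rule above (dependencies first, then BIA priority, then MTD) can be made mechanical. The following is an added example, not code from NIST SP 800-34 or from this blog post: it orders a constructed LAN inventory with Kahn's topological sort, using a priority queue so that among everything whose prerequisites are restored the most critical component comes next, and it flags a component whose MTD is shorter than that of something it depends on. All component names, priorities and MTD values are illustrative assumptions.

```python
"""Order recovery of system components by BIA priority, MTD and dependencies.

Added example (not from NIST SP 800-34 or the blog post). The inventory below
is constructed; names, priorities and MTD values are illustrative assumptions.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    priority: int                     # BIA priority: 1 = most critical
    mtd_hours: float                  # maximum tolerable downtime from the BIA
    depends_on: Tuple[str, ...] = ()  # components that must be restored first


def recovery_sequence(components: List[Component]) -> List[str]:
    """Return the restoration order: prerequisites first, then by BIA priority,
    then by shortest MTD, then by name so the result is deterministic.
    A circular dependency means the plan itself is inconsistent, so it raises."""
    by_name: Dict[str, Component] = {c.name: c for c in components}
    for c in components:
        for dep in c.depends_on:
            if dep not in by_name:
                raise ValueError(f"{c.name} depends on unknown component {dep!r}")

    indegree = {c.name: len(c.depends_on) for c in components}
    dependents: Dict[str, List[str]] = {c.name: [] for c in components}
    for c in components:
        for dep in c.depends_on:
            dependents[dep].append(c.name)

    # Kahn's algorithm with a heap: of everything whose prerequisites are
    # already restored, pick the most critical (lowest priority number) next.
    ready = [(c.priority, c.mtd_hours, c.name)
             for c in components if indegree[c.name] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                c = by_name[child]
                heapq.heappush(ready, (c.priority, c.mtd_hours, c.name))

    if len(order) != len(components):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def mtd_conflicts(components: List[Component]) -> List[Tuple[str, str]]:
    """Flag components whose MTD is shorter than a prerequisite's MTD: they
    cannot be back within their own MTD if the prerequisite may stay down
    longer, so the BIA or the recovery strategy needs revisiting."""
    by_name = {c.name: c for c in components}
    return [(c.name, dep) for c in components for dep in c.depends_on
            if by_name[dep].mtd_hours > c.mtd_hours]


def sample_inventory() -> List[Component]:
    """Constructed LAN inventory (assumed values, not from the page)."""
    return [
        Component("core-switch", 1, 2),
        Component("dc-os", 1, 4, ("core-switch",)),        # domain controller OS
        Component("erp-os", 2, 8, ("core-switch",)),       # OS before app and data
        Component("erp-db", 2, 8, ("erp-os",)),
        Component("erp-app", 2, 8, ("erp-os", "erp-db", "dc-os")),
        Component("file-share", 3, 24, ("dc-os",)),
        Component("hr-portal", 2, 4, ("file-share",)),     # MTD shorter than prerequisite
        Component("print-server", 4, 72, ("core-switch",)),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for step, name in enumerate(recovery_sequence(inv), 1):
        print(f"{step}. restore {name}")
    for child, dep in mtd_conflicts(inv):
        print(f"WARNING: {child} depends on {dep}, which has a longer MTD")
```

The ordering is only as good as the dependency data: the check in `mtd_conflicts` is there because an inventory that assigns a 4-hour MTD to something that sits behind a 24-hour-MTD file share is a BIA inconsistency that a written procedure would silently inherit.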

3.2. Recovery Procedures

To facilitate Recovery Phase operations, the ISCP should provide detailed procedures for restoring the information system or its components to a known state.

To facilitate Recovery Phase operations, the ISCP should provide detailed procedures to restore the information system or components to a known state. Given the extensive variety of system types, configurations, and applications, this planning guide does not provide specific recovery procedures.

3.3. Recovery Escalation and Notification

As identified in the BIA, system components, infrastructure, and associated facilities are critical components supporting daily mission/business processes. The systems, applications, and infrastructure that connect users to these are subject to events that cause service interruptions and outages. Including an escalation and notification component in the Recovery Phase helps ensure that an overall recovery process is followed that is repeatable, structured, consistent, and measurable.

As identified as part of the BIA, system components, infrastructure, and associated facilities are critical components supporting daily mission/business processes. The systems, applications, and infrastructure that connect users to these are subject to events causing service interruptions and outages. Including an escalation and notification component within the Recovery Phase helps to ensure that overall, a repeatable, structured, consistent, and measurable recovery process is followed.

Effective escalation and notification procedures should define and describe the events, thresholds, or other triggers that require additional action. Actions would include further notifications to bring in more recovery staff, messages and status updates to leadership, and notices requesting additional resources. Procedures that establish a clear set of events, actions, and outcomes should be included and documented for teams or individuals as appropriate.

Effective escalation and notification procedures should define and describe the events, thresholds, or other types of triggers that are necessary for additional action. Actions would include additional notifications for more recovery staff, messages and status updates to leadership, and notices for additional resources. Procedures should be included to establish a clear set of events, actions and results, and should be documented for teams or individuals as appropriate.
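To show what "events, thresholds, or other triggers" look like once written down, here is an added example (not code from NIST SP 800-34 or from this post) of a small trigger table evaluated against a stream of recovery status updates. The thresholds (half of the MTD consumed, MTD exceeded, two failed attempts at a step, a missing resource), the actions, and the status updates are all constructed assumptions standing in for what an organization would define in its own plan.

```python
"""Escalation and notification triggers during the Recovery Phase.

Added example (not from NIST SP 800-34 or the blog post). Thresholds,
actions and the status updates are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class RecoveryStatus:
    elapsed_hours: float                       # time since the outage was declared
    failed_attempts: int                       # failed attempts at the current step
    missing_resources: Tuple[str, ...] = ()    # resources the team lacks right now


@dataclass(frozen=True)
class Trigger:
    name: str
    condition: Callable[[RecoveryStatus], bool]
    action: str          # the notification or escalation the plan prescribes
    once: bool = True    # fire a single time per recovery, not on every update


def default_triggers(mtd_hours: float) -> List[Trigger]:
    """Trigger table keyed to the system's MTD and to recovery progress (assumed policy)."""
    return [
        Trigger("half-mtd", lambda s: s.elapsed_hours >= 0.5 * mtd_hours,
                "status update to leadership: half of the MTD consumed"),
        Trigger("mtd-exceeded", lambda s: s.elapsed_hours >= mtd_hours,
                "notify leadership: MTD exceeded, re-evaluate recovery strategy"),
        Trigger("step-failed-twice", lambda s: s.failed_attempts >= 2,
                "notify additional recovery staff"),
        Trigger("resources-short", lambda s: bool(s.missing_resources),
                "notify vendor / request additional resources"),
    ]


def run_escalation(updates: Iterable[RecoveryStatus],
                   triggers: List[Trigger]) -> List[Tuple[float, str, str]]:
    """Evaluate every trigger against each status update in order and return
    the escalation log as (elapsed_hours, trigger name, action) tuples."""
    fired: Set[str] = set()
    log: List[Tuple[float, str, str]] = []
    for status in updates:
        for t in triggers:
            if t.once and t.name in fired:
                continue
            if t.condition(status):
                fired.add(t.name)
                log.append((status.elapsed_hours, t.name, t.action))
    return log


def sample_updates() -> List[RecoveryStatus]:
    """Constructed status updates from a recovery of a system with an 8-hour MTD."""
    return [
        RecoveryStatus(0.5, 0),
        RecoveryStatus(2.0, 1),
        RecoveryStatus(3.5, 2),                                 # second failure of a step
        RecoveryStatus(4.0, 2, ("spare RAID controller",)),     # half the MTD gone, part missing
        RecoveryStatus(6.0, 2),
        RecoveryStatus(8.5, 3),                                 # past the MTD
    ]


if __name__ == "__main__":
    for elapsed, name, action in run_escalation(sample_updates(), default_triggers(8.0)):
        print(f"T+{elapsed:>4}h  {name:<18} -> {action}")
```

Because each trigger fires once, the log doubles as the "measurable" record the text asks for: who was notified, of what, and how far into the MTD the recovery was at that point.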

4. Reconstitution Phase

The Reconstitution Phase is the third and final phase of ISCP implementation and defines the actions taken to test and validate system capability and functionality. During reconstitution, recovery activities are completed and normal system operations resume. If the original facility cannot be recovered, the activities of this phase can also be used to prepare a new permanent location to support system processing requirements. This phase consists of two major activities: validating successful recovery and deactivating the plan.

Validation of recovery typically includes the following steps:

  • Concurrent processing. Concurrent processing is the process of running a system at two separate locations concurrently until there is assurance that the recovered system is operating correctly and securely.
  • Validation data testing. Data testing is the process of testing and validating recovered data to ensure that data files or databases have been recovered completely and are the latest available backup.
  • Validation functional testing. Functional testing is the process of verifying that all system functionality has been tested and that the system is ready to resume normal operations.

The Reconstitution Phase is the third and final phase of ISCP implementation and defines the actions taken to test and validate system capability and functionality. During Reconstitution, recovery activities are completed and normal system operations are resumed. If the original facility is unrecoverable, the activities in this phase can also be applied to preparing a new permanent location to support system processing requirements. This phase consists of two major activities: validating successful recovery and deactivation of the plan. Validation of recovery typically includes these steps:
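The data-testing step has two separate questions in it: is every restored file complete and intact, and did the restore come from the newest backup that exists? The following added example (not code from NIST SP 800-34 or from this post) answers both by comparing a hash manifest taken at backup time against the restored files and by checking the restored backup id against a backup catalog. The file contents, backup ids and dates are constructed.

```python
"""Data testing during Reconstitution: verify that restored data is complete,
intact, and from the latest available backup.

Added example (not from NIST SP 800-34 or the blog post). File contents,
backup ids and dates below are constructed.
"""
import hashlib
from datetime import datetime
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash manifest of the form recorded when the backup was taken."""
    return {name: sha256_hex(data) for name, data in files.items()}


def validate_restored_data(restored_files: Dict[str, bytes],
                           backup_manifest: Dict[str, str],
                           restored_backup_id: str,
                           backup_catalog: Dict[str, datetime]) -> dict:
    """Compare restored files with the backup manifest and confirm the restore
    used the newest backup in the catalog. Returns a report; 'ok' is True only
    when nothing is missing or corrupted and the backup was the latest one."""
    restored = build_manifest(restored_files)
    missing = sorted(set(backup_manifest) - set(restored))
    extra = sorted(set(restored) - set(backup_manifest))
    corrupted = sorted(n for n in set(backup_manifest) & set(restored)
                       if restored[n] != backup_manifest[n])
    latest = max(backup_catalog, key=backup_catalog.get)
    report = {
        "missing": missing,
        "extra": extra,             # files not in the backup (reported, not failed)
        "corrupted": corrupted,
        "restored_backup": restored_backup_id,
        "latest_backup": latest,
        "is_latest": restored_backup_id == latest,
    }
    report["ok"] = not missing and not corrupted and report["is_latest"]
    return report


def sample_backup_files() -> Dict[str, bytes]:
    """Constructed contents of the most recent backup."""
    return {
        "erp/customers.db": b"customer rows v2",
        "erp/orders.db": b"order rows v2",
        "erp/config.ini": b"[db]\nhost=erp-db\n",
    }


def sample_catalog() -> Dict[str, datetime]:
    """Constructed backup catalog: id -> time taken."""
    return {"full-2024-05-01": datetime(2024, 5, 1), "full-2024-05-08": datetime(2024, 5, 8)}


def sample_bad_restore() -> dict:
    """A restore that used the older backup, has one stale file, one missing
    file and one stray file; all values constructed."""
    manifest = build_manifest(sample_backup_files())
    restored = {
        "erp/customers.db": b"customer rows v2",
        "erp/orders.db": b"order rows v1",     # stale copy
        "erp/tmp.lock": b"",                   # not part of the backup
    }
    return validate_restored_data(restored, manifest, "full-2024-05-01", sample_catalog())


if __name__ == "__main__":
    for key, value in sample_bad_restore().items():
        print(f"{key:>16}: {value}")
```

Checking the backup id against a catalog is what catches the quiet failure mode: a restore can be bit-for-bit faithful to the backup it used and still be wrong because a newer backup was available.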

5. Plan Appendices

Contingency plan appendices provide key details not contained in the main body of the plan. Common contingency plan appendices include the following:

Contingency plan appendices provide key details not contained in the main body of the plan.

 

  • Contact information for contingency planning team personnel;
  • Vendor contact information, including off-site storage and alternate site POCs;
  • The BIA;
  • Detailed recovery procedures and checklists;
  • Detailed validation testing procedures and checklists;
  • Equipment and system requirements: lists of the hardware, software, firmware, and other resources required to support system operations. Details should be provided for each entry, including model or version number, specifications, and quantity;
  • Alternate mission/business processing procedures that may occur while the system is being recovered;
  • ISCP testing and maintenance procedures;
  • System interconnections (systems that directly interconnect or exchange information); and
  • Vendor service level agreements, reciprocal agreements with other organizations, and other vital records.

Summary:

1. The steps of the contingency plan: 1) activation and notification; 2) the recovery phase (generally at an alternate facility); 3) the reconstitution phase (generally migrating the system from the alternate site back to the primary site).

2. Within the overall ISCP, the contingency strategy is the safeguard: preventive measures reduce the impact of a disaster to an acceptable level, while the contingency plan is the method and process for handling a disaster once it has occurred, and the basis for deciding which measures to take is the result of the BIA. Implementing these measures requires backing at the enterprise strategy level, and regular training, testing, and exercises are what keep the plan effective and workable.

3. As for how the various plans mentioned at the start relate to each other: the COOP is the concrete execution layer of the BCP, the BCP focuses on the business and the COOP on specific systems; how important, urgent systems are handled in disaster recovery is described in the DRP; and during the process there are corresponding dedicated plans for external and internal communications and for cyber incidents. Together these form the ISCP.

 
Special notes:
1. The reference links/literature for the content above have not all been listed individually; if anything infringes, please let me know and I will correct it.
2. The above is only a summary of my own learning process; there are surely many misunderstandings, and I would especially welcome having them pointed out so that I can update my knowledge and improve together with readers.
3. Most of the content above was produced with Baidu Translate combined with my own understanding; where that understanding falls short, criticism and corrections are welcome!
References:

https://baike.baidu.com/item/%E4%B8%9A%E5%8A%A1%E8%BF%9E%E7%BB%AD%E6%80%A7%E8%AE%A1%E5%88%92/12747452?fr=aladdin

NIST Special Publication 800-34 Rev. 1, https://www.nist.gov/

 
