
7CCSMSEM
Security Management
Tutorial Week 9 (Sketch of Solutions)
Recall GANT from previous tutorials:
Question 1. The officers of GANT are deciding whether they should put in place robust business continuity management or disaster recovery plans, but they are not quite sure about the difference between them. Explain the difference.
Disaster Recovery is the part of business continuity that addresses the need to recover IT services, voice services and data following a business-threatening impact. Disaster Recovery prioritises those services and that information which are critical to the business. Disaster Recovery includes planning for crisis situations and having in place the means to identify incidents, contain them and recover from them.
Question 2. After your explanations they understand they will need both. In particular, they have started drafting a disaster recovery plan. What should the document of that plan include?
A disaster recovery plan document should be structured as follows:
• Introduction:
– A summary of the objectives and scope of the plan, including IT services and locations covered, the different services, and testing and maintenance activities. Also includes a revision history to track changes.
• Roles and responsibilities:
– A list of the internal and external stakeholders involved in each DR process covered, complete with their contact details and a description of their duties.
• Incident response:
– When should the DR plan be triggered, and how and when should employees, management, partners and customers be notified?
• DR procedures:
– When the DR plan is triggered, the stakeholders can start to action a DR process for each affected IT service. Those procedures are set out step-by-step.
• Appendices:
– A collection of any other lists, forms and documents relevant to the DR plan, such as details on alternate work locations, insurance policies, and the storage and distribution of DR resources.
Question 3. GANT have heard about the “human factor” in security and are concerned about putting in place security controls that are as usable as possible. What are the three main guidelines that you would give them towards that aim?

Sketch response of the three main guidelines for usable security:
1. Make security “just work”
2. Make security understandable
3. Train the user
Now let’s talk about King’s:
Recently (true story!!), CoreHR, a new system for managing some of the HR services, has been introduced. According to the College:
“The vision for CoreHR in King’s is an internet-based suite of digital services, which can be accessed from anywhere, at any time, using multiple different types of device. Some of the functionality rolling in the next service releases such as booking annual leave, family friendly leave approval, manager requests and online payslips are designed to fit with a mobile workforce, working in a more agile manner with minimal barriers to use.
As CoreHR does not support Captcha, it is a potential target for brute force attacks, so with this in mind password length and complexity are the primary controls available for this system. The current password restrictions have been set in accordance with the recommendation of the King’s IT Cyber Security Team. They have recommended that passwords should be 15 characters long with expiry set at 180 days.”
Question 4. What do you think about this password standard? As a security consultant, what advice would you give to KCL’s IT services?
This is a very bad idea. Password complexity and expiry dates become a burden on the users, who may simply work around the system in ways that make it less secure than intended (and less secure than the complexity of the passwords would suggest), e.g., users writing passwords down in insecure places, creating very simple passwords even if they are long, reusing as much as they can from the previous password every time they renew it, resetting their password every time they try to use the system (with the extra time they need to spend doing this each time), etc. Potentially useful advice would be to ask whether other means of authentication, such as two-factor authentication or integration with the already existing single sign-on (SSO) system at King’s, would be possible; that would certainly make people’s lives easier and, in the end, potentially contribute to making the system more secure.
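The following Python snippet is an added illustration for Question 4 and is not part of the tutorial solutions or of any King’s system. It makes two of the workarounds above concrete for someone reviewing a password standard: a 15-character password built from a repeated block carries far less guessing resistance than its length suggests, and a forced renewal is often satisfied by editing one or two characters of the old password. The threshold of two edits for a "near-copy" and all sample passwords are constructed assumptions for the example.

```python
# Added example for Question 4 (not part of the tutorial solutions).
# Shows why "15 characters" is not the same as "strong": (1) a long password
# made of a repeated block has little more guessing resistance than the block,
# and (2) a rotation that changes one digit is a near-copy of the old password.
# All passwords below are constructed sample values, not real credentials.
import math
import string
from typing import List, Optional


def charset_size(pw: str) -> int:
    """Size of the alphabet a length/complexity rule implicitly assumes."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a length rule credits: every character an independent uniform pick."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def repeating_unit(pw: str) -> str:
    """Smallest block whose repetition reproduces pw ("kingskings" -> "kings")."""
    for k in range(1, len(pw) + 1):
        if len(pw) % k == 0 and pw[:k] * (len(pw) // k) == pw:
            return pw[:k]
    return pw


def effective_entropy_bits(pw: str) -> float:
    """Credit a repeated block only once: once the block is known, the rest
    of the password costs nothing to guess."""
    return naive_entropy_bits(repeating_unit(pw))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def review_password(new: str, old: Optional[str] = None,
                    min_len: int = 15, max_edits: int = 2) -> List[str]:
    """Findings a password standard should care about beyond raw length.
    min_len mirrors the 15-character rule quoted above; max_edits is an
    assumed threshold for 'near-copy of the previous password'."""
    findings = []
    if len(new) < min_len:
        findings.append("shorter than the %d-character minimum" % min_len)
    unit = repeating_unit(new)
    if unit != new:
        findings.append("repeated block %r: effective length is %d, not %d"
                        % (unit, len(unit), len(new)))
    if old is not None:
        edits = levenshtein(old, new)
        if edits <= max_edits:
            findings.append("near-copy of previous password (%d edit(s))" % edits)
    return findings


# Constructed samples: (new password, previous password or None)
SAMPLES = [
    ("kingskingskings", None),               # 15 chars, but one 5-char block
    ("Summer2024!!!!!", "Summer2023!!!!!"),  # rotation by changing one digit
    ("R7#pLq2vX!m9Tz4", None),               # 15 random-looking characters
]

if __name__ == "__main__":
    for new, old in SAMPLES:
        print("%-18s naive %.1f bits, effective %.1f bits, findings: %s"
              % (new, naive_entropy_bits(new), effective_entropy_bits(new),
                 review_password(new, old) or ["none"]))
```

Running the script shows the repeated-block password dropping from about 70 "naive" bits to about 23, and the one-digit rotation flagged as a near-copy, while the random-looking 15-character password passes both checks. The point for the consultant is that a length-and-expiry rule alone cannot see either problem; checks like these, or a move to SSO or two-factor authentication, address what the rule misses.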