Managing Security Incidents And Developing A Disaster Recovery Plan Essay.

Task 1: Security Incident Handling

Security vulnerabilities in poorly maintained websites provide access to information in the underlying databases that hackers could potentially exploit (Mo?teanu and Roxana, 2020. The exploitation of this information may create a risk in the operation of the business by disrupting the business, which leads to threats such as financial loss and damage to reputation ( Fani and Subriadi, 2019. In the event of a security incident, a business needs to have a business continuity plan to help the business recover as quickly as possible. The business continuity plan outlines the solutions and strategies for actions that the business will implement to prevent future incidences from occurring again (Suresh et al., 2020).

This refers to how TalkTalk as an organization is planning to manage the attack, and this helps them to recover quickly from the attack, mitigate the risks and control the threat ( Kato and Charoenrat, 2018). The handling of a security incident should follow a framework such as the one provided by the NIST, which is compliant with international standards, policies and regulations.

In regards to the NIST framework, the following phases are to be followed in preventing any attacks from reoccurring in the future again and minimizing the damage that has been caused:

In this phase, the right resource tools are identified, and proper training is administered to the team to respond to the incident and prevent future incidents from occurring.

The purpose is to establish the type of security incidents that should be put under investigation and formulate detailed steps for responding to common incidents.

The scope of the plan includes:

1. Compiling lists of assets that have been affected, such as endpoints, networks and servers.
2. Establishing the significance of these assets and their criticality in terms of holding sensitive information or Data
3. Establishing a baseline of activities that are normal through setting up of monitoring

This team involves a group of experts or IT security professionals that will provide TalkTalk as an organization with support and services regarding the prevention of future cyber-attacks, management, assessment and coordination of response to a security incident that has occurred (Narula et al., 2020).

The team's main purpose is to swiftly respond to security incidents efficiently and, therefore, minimize the damage and regain control.

The following members will be included as part of the team:

1. CSIRT team lead
2. Incident manager
3. Security analyst
4. Threat researchers
5. Other stakeholders such as CISO, senior management etc.
6. A third party such as the law enforcement

1. Creating and updating plans for incidence response
2. Communicating and maintaining information to both external and internal entities
3. Identifying, assessing and analyzing incidents
4. Coordinating and communicating the efforts put towards response
5. Remediating the incident
6. Incident reporting
7. Managing audits
8. Reviewing of security policies
9. Recommending changes towards prevention of future incidents

Asset type	Description	Sensitivity / criticality
Website / Web application	The website is a portal that gives clients access to company services	Contains code that gives access to web functions
Servers	These are hardware and software that are optimized for running specific services.	They host many applications that the company runs, such as web
Email	These are communication links that the company uses to communicate with stakeholders.	They may contain sensitive information that can be subject to abuse, misuse or manipulation by malicious persons.
Database	Structured tables that contain data	It contains information for clients and other company operations.

This phase involves the detection and assessment of incidents. In regards to detection, TalkTalk will be involved in collecting data from their systems, tools, or any public information that is available inside their organization and outside to identify the precursors and indicators of the incident.

Preparation Phase

In analysis, the organization will have to identify the baseline for the systems that have been affected and events that are correlated to establish how they differ from norm behaviour

The following table provides detailed information regarding the incident at TalkTalk:

Incident type	Incident Description	Attack vectors	Incident status	Assets affected	Severity/impact of the incident
SQL injection	Insertion of malicious code into the server to exploit  database	SQLi	Compromised accounts Stolen information	Underlying databases	High

The main purpose of containment is to halt the attack before it causes damage and overwhelms the resources (Ranf et al., 2021). The level or extent to which the damage has occurred will determine which strategy will be used for containment. There is a need to ensure that critical services are available to the customers and that a temporal or permanent solution is availed within a few hours or days.

Eradication and recovery follow after all the incidents have been contained successfully by eliminating all incident elements from the surrounding/environment (P?unescu et al., 2018).

After the threats have been eliminated, all systems are restored, and recovery of normal operations commences as soon as possible with measures that are taken to ensure that the attack will never occur on the same assets again.

The following table provides containment, eradication and recovery measures and their descriptions, respectively:

Containment measures and description	Eradication measures and description	Recovery measures and description
Locking accounts that have been compromised	Removing malicious code – the systems that have been affected should be isolated, and their services should be discontinued immediately.	Creating backups and restore points
Shutting down systems that have been affected		Choosing alternate sites
Changing passwords on systems that have been compromised		Application of security patches
Isolating specific segments of the network		Reconfiguration of network and firewall
Disconnecting systems that have been infected from the network		Encryption of sensitive data and information
Blocking specific services and ports		Optimization of hardware and software applications
Blocking of incoming traffic in the network		Updating of security policies and procedures

These are strategies that will help TalkTalk company to recover quickly and efficiently recover from the incident. It is developed alongside the Business Continuity Plan.

The process begins by analyzing all the business activities of TalkTalk company to determine how critical they are and the resources associated alongside the requirements for ensuring resilient operations and continuity during the disruption and afterwards. 

The analysis of the business focus on the risks that are involved, the threats that are likely to face the business and the mitigation strategies for the risks. It will also address the impact of the risks to the business functions. In business impact analysis, the scope will also focus on the solutions and strategies for the impact of the risks and threats on the business. 

TalkTalk telecommunications company and internet service provider offer critical functions and services performed on a routine basis and must continue without disruption. When these services and functions are disrupted, they create a backlog in the company's normal operations, which leads to both customer dissatisfaction and financial loss for the company (Aleksandrova et al., 2018).

Detection and Analysis Phase

The following are some of the critical services that the company offers:

1. Voice services
2. Data services
3. Networking services
4. Internet services
5. Television services

Critical business functions are sensitive to a financial or legal obligation downtime issue, and they play a very significant role in maintaining the reputation of a business (Gómez Betancourt et al., 2020).

The following are some of the critical functions of the business:

1. Maintaining the infrastructure of telecommunication and the processes associated with it, such as mobiles, radios and telephones
2. Maintaining of networks
3. Data backup
4. Purchasing of new equipment
5. Sales
6. Marketing, e.g. promotion
7. Employee management functions such as hiring, payment etc. 

The RTO of the company assets refers to the time in the future in which the business will start running again, whereas the RPO refers to the acceptable time in which the IT downtime is allowed in the event of a disaster (Zabezhailo and Trunin, 2022). The targeted time for the recovery of the business or the RTO will be 2 hours. This is because the company cannot afford to lose its customers, and at the same time, it cannot afford to suffer financial loss due to disruption of services. Since this is an online web service attack, the incident can be controlled as the problem can be isolated. Control can be regained by updating security patches and maintaining their firewall and network system. Data that has been scrambled or affected can also be recovered. Backup procedures can be implemented within the timeframe of two hours. The factors to consider are availability, the response time and the time for resolution.

Regarding response time, when a support request is initiated, the contact should be relayed back quickly so that the customers can be satisfied. This should take the shortest time possible. Regarding availability, the calling hours for support should be 24/7 for the customers. This service can also be restored within two hours. Finally, regarding the resolution time, the company should restore the services as quickly as possible, and this can also be done within a maximum duration of two hours.

Since the severity of the security incidence is not too high, the RTO can be handled internally, and it will not take longer. The time taken will be two hours as indicated as the It department can resolve such technical issues. In the cases of server crashes, the estimated time is usually one hour, but since the issue needs to be investigated, another hour will be needed to get to the bottom of the issue. During the extra hour, backups can be created. The security patches can be applied. The malware can be eliminated, and also the databases can be restored. For the RTO, it is not just the time taken for recovery but also the steps taken to mitigate the specific disaster that has occurred (Charoenthammachoke et al., 2020).

Containment, Eradication and Recovery Phase

The RPO, on the other hand, refers to the amount of lost data that TalkTalk Company can accept after the disruption of its services and functions. The RPO solutions are data backups that are essential in the event of data loss (Ostadi et al., 2020). Since not many customers were affected compared to the total number, which is 4 million, the RPO threshold can be tolerated in calculating the costs of storage and recovery. Based on the RPO metric, the factor of how frequently backups should be created is considered. TalkTalk Company can use the real-time backup to clone its data in cloud storage to minimize the RTO as the possibility of failover can occur within seconds. The classification of RPO is based on the time and technology in place. For instance, in the event of eight to twenty-four hours, the backing of data in external storage will rely on the last point of restoration regarding the production environment (Walsh, 2020). In a similar case, it can only take four hours to get continuous snapshots of data, which is much faster, providing less disruption to the business. In a better case scenario, the company can work with a near-zero RTO which utilizes real-time backup of data in cloud storage for enterprise data which can be done in multiple locations so that the failover scenarios become seamless (Nawari and Ravindran, 2019). When referring to both RTO and RPO, it is important to recognize that RTO majors bring software and hardware to be online or fully operational, whereas the RTO majors on data loss which can be accepted (Haraguchi, 2019).

The business priority functions of TalkTalk can be recovered at alternate sites, preferably offsite, by a disaster management team. Depending on the functions' importance, the one that is more important than the other one will be given the highest level of priority. Since the organization heavily relies on data functions, software, hardware, and data centres, systems recovery will be the highest priority. In this case, it involves data backup, optimization of hardware and software, application of security patches. The RTO will take the shortest time possible because the SQLi attack affected the databases and not the hardware or the servers.

Task 2: Disaster Recovery Plan

The following table outlines the critical functions that will be recovered according to the level of their priority:

Order	Function	Priority level
	Locking accounts that have been compromised	Highest
	Changing passwords on systems that have been compromised	Highest
	Isolating specific segments of the network	Highest
	Disconnecting systems that have been infected from the network	Very high
	Removal of malware	Very high
	Application of security patch	Very high
	Creation of data backups	Very high
	Blocking of services and ports	High
	Optimization of hardware and software	High

There are various risks associated with the business that TalkTalk company conducts. The risks, in this case, are technological, but other risks such as human and natural hazards can also occur. The technological risks that are involved include:

1. Loss of Data
2. Corruption of Data
3. Failure of software
4. Failure of application
5. Loss in connectivity
6. Communication failure
7. Power problems 

The risks associated with the type of business TalkTalk Company does can have devastating effects such as:

1. Damaging the reputation of the business
2. Financial loss
3. Identity theft
4. Data loss
5. Disruption of business operations
6. Dissatisfaction from customers
7. Backlog in services 

Control Actions For the Risk

The risks can be controlled depending on how it affects the business. Technological risk can be controlled through technological mechanisms. In this case scenario of SQLi attack, the risks can be controlled by:

1. Removal of malware
2. Application of security patches
3. Blocking of specific ports and services
4. Creating of backups
5. Optimization of hardware and software

TalkTalk Company can use the backup and alternate site as a recovery strategy. The type of backup the company can use is cloud storage backup, which is very efficient as they can retrieve the data stored anytime and from any location. The backup can also be done in real-time, which minimizes the chances of failover. The Data also needs to be backed up in multiple locations to reduce the chances of failure. 

There are various types of backups, such as incremental full and differential. Full backup, as the name suggests, backs up everything, whereas differential only backs up the files that were changed after the full backup and incremental backup backs up the changes made after the last backup. The best option is to go with full synthetic backup, which provides several backup solutions that are fully synthesized (Reid, 2021). This means that TalkTalk Company can have a full backup by the end of every week and incremental backup for every change from the source. Using a fully synthesized backup will ensure that none of the critical updates is missing in the backup, and it reduces the chances of failure.

The company can implement backup retention policies, which will guide the company on the maximum number of days they should retain copies of data. Since the company is dealing with telecommunications and provides internet services, it is best to retain the backup for 20 – 30 years as Data also becomes obsolete with time. According to the data protection act, data should also be retained according to the data protection act, which provides a clear guideline of how long information belonging to individuals should be retained (Mochizuki, 2020). 

Business Impact Analysis

Various types of alternative sites can be used. These are cold sites, warm sites, mobile sites and hot sites. Cold sites are cheap to set up, but they have a long recovery time. The best option for the company to go with is hot sites, as they allow very little time for recovery as compared to other options, even though the cost of setting up a hot is extremely high. The hot site will be very advantageous to the company as it is already configured to support systems hardware infrastructure and has personnel that work throughout to provide the necessary support. A hot site is very useful for the company as it comes with fully packed resources such as power options, security, back up, and most of the time, they assimilate the features available in the business's data centre.

An audit program is very important as it helps assess the effectiveness of the business continuity plan (Rezaei Soufi et al., 2019). The audit program ensures that the organization complies with the standards indicated in the ISO 22301Audit and aligns to the business continuity plan. 

The following are the key risk areas that are of concern:

Data privacy and protection – For instance, who has access to customer data?

Data security – is the data stored securely? 

Appropriate controls should be exercised for the risks to ensure that they are contained. Some of the controls that can be implemented include:

1. Separation of privileges and roles
2. Application of security measures such as encryption of Data
3. Monitoring the flow of data from source to destination to detect an anomalies
4. Updating of security policies and protocols
5. Application of security patches

The scope of the audit and the objectives are as follows:

1. To determine the effectiveness of the Business continuity plan
2. To determine reported issues and corrective measures
3. To evaluate the auditing process and the alignment to a disaster recovery plan

Clause 8 of ISO 22301 indicates some practical measures that need to be followed to ensure that the BCP functions as required. It gives the actual guideline of addressing threats and hazards that face the business. For instance, it provides risk assessment and impacts analysis guidelines in regards to operations. It also addresses strategies and solutions for business continuity. It also requires that the business continuity plan have a timeline for dealing with some of the risks that have been mapped out (Rühl, 2021). In regards to clause 8, TalkTalk's business continuity plan will entail the following control functions:

1. Protection strategies for the organization
2. Strategies for continuing with the activities that have been prioritized
3. Solutions and strategies for reducing the chances and duration for disruptions that are likely to occur
4. Solutions and strategies for limiting the impact of threats and risks to the organization
5. Solutions and strategies for ensuring that the resources for deployment are readily available
6. Plan for data and information that is needed
7. The kind of equipment that is needed
8. Immediate actions for resolving the incident at hand
9. Mitigation for impact and solutions that are effective
10. Delegation of specific responsibilities and duties
11. Adaptation to changes in external and internal factors
12. Activation for the proposed solutions and the plans and details specific for deployment
13. Monitoring of the situation and the impact gained from the ongoing responses
14. Communication with involved stakeholders or parties
15. Documentation of procedures that will act as a guide to the person acting on the solutions

The following are some of the audit questions that help in determining the effectiveness of the audit program:

1. Are all red flag situations captured and addressed?
2. Our communications with relevant stakeholders and parties in place?
3. Is there a team assigned to deal with the situation?
4. Are all hardware and software applications optimized?
5. Are the solutions rendered in terms of their priority?
6. Are all actions and procedures compliant with the ISO standards 22301?
7. Are there monitoring procedures available to address the situation?
8. Is there any delegation of duties and responsibilities to personnel for the proposed actions?
9. Are there any plans for data and information?
10. Are there solutions and strategies to ensure that the organization is protected?
11. Are there solutions and strategies to ensure that likelihood of disruption is minimized?
12. Are there solutions and strategies to ensure action and deployment of proposed solutions?
13. Are there mitigation strategies for the risks that are involved?

Scope of the Business Impact Analysis

The audit program results conform to the questions in the audit assessment. The audit questions conform to the controlling clause in the ISO 22301 control clause. The requirements are captured in the policies, and the audit addresses the key risk areas of concern. 

The absence of a business continuity plan is very dangerous for a business. In this course, I have learned that a business continuity plan helps a business continue operating in the vent of a disaster. In the case study regarding TalkTalk company, I have learned that a business continuity plan must be readily available. It must clearly state the RTO and RPO functions of a business. In my view, I recommend that a team be assigned the responsibility of carrying out the functions of a business continuity plan so that all the elements included in the BCP are executed fully and that the team is accountable for all the executions. In line with that, critical functions and services should be restored in the appropriate timeframe and regards to the level of their priorities. Functions that are highly sensitive to business operations should be restored first. A business continuity plan should also have measures to ensure that the same security incident will never happen again so that the business will continue operating as usual. The business continuity plan should also be reviewed regularly by the concerned stakeholders to ensure that all critical services and functions have been well addressed to guarantee success for business continuity (Supriadi and Sui Pheng, 2018). The review should also be documented in a report for future reference.

The business continuity plan should also include risk assessment for the business to identify the hazards and the risks associated with the business. It should also include a risk mitigation strategy that will enable the business to mitigate some of the risks associated with the business (Mónica et al., 2020). I have also learned that the risks should be calculated to estimate the RTO and RPO of assets. I have learned that a business needs to have various strategies for recovery also included in the business plan. The strategies should also indicate some of the backup methods used and the period of retention for the backup. I recommend that businesses fully calculate the costs involved when preparing a business continuity plan. When a business is aware of the costs that are involved in having a business plan, it will able able to implement a business continuity plan that is suitable for its business functions without having the challenges of finance (Putra and Wahdiniwaty, 2020). The costs included in the BCP enable the business to recover quickly as they will have the financial capabilities of purchasing the needed equipment or for sourcing necessary technologies or personnel (Namdar et al., 2021). I have also learned that a business that operates without a business continuity plan will collapse as it will not be able to recover in the event of a disaster. Therefore, all businesses must have a clear and well-detailed business plan that thoroughly covers all the strategies for the recovery of the business functions and provides information on risk assessment (Trisnawati et al., 2021).

Critical Services and Functions

Conclusion

Organizations need to have a business continuity plan that will help them recover during and after a disaster (Goromaru et al., 2021). The absence of a business plan creates a risk for the business, which may lead to great loss in terms of finance and even crippling of business operations, leading to a complete shutdown or closure of the business (Kim and Amran, 2018).  

References

Aleksandrova, S.V., Aleksandrov, M.N. and Vasiliev, V.A., 2018, September. Business continuity management system. In 2018 IEEE International Conference" Quality Management, Transport and Information Security, Information Technologies"(IT&QM&IS) (pp. 14-17).

Charoenthammachoke, K., Leelawat, N., Tang, J. and Kodaka, A., 2020, September. A Development of Family Continuity Management Training for Medical Staffs Based on Business Continuity Management Concept. Proceedings of the 2020 3rd International Conference on Big Data Technologies (pp. 141-146).

Fani, S.V. and Subriadi, A.P., 2019. Business continuity plan: examining of the multi-usable framework. Procedia Computer Science, 161, pp.275-282.

Gómez Betancourt, G., Morón Vásquez, A. and Betancourt R, J.B., 2020. Risk management model, the contribution of phi value in the business continuity plan. Revista Venezolana de Gerencia, pp.112-128.

Goromaru, H., Kokogawa, T., Ueda, Y. and Fukaya, S., 2021. Study of new normal business continuity to improve resilience against uncertain threat. Journal of Disaster Research, 16(1), pp.31-39.

Haraguchi, M., 2019. Disaster preparedness and complex adaptive systems: A government continuity plan for a self-organizing community. Google Scholar, pp.1-27.

Kato, M. and Charoenrat, T., 2018. Business continuity management of small and medium sized enterprises: Evidence from Thailand. International journal of disaster risk reduction, 27, pp.577-587.

Kim, L.L. and Amran, A., 2018. Factors leading to the adoption of business continuity management (BCM) in Malaysia. Global Business and Management Research, 10(1), pp.179-196.

Mochizuki, N., 2020. Mitigating disasters using business continuity planning. Impact, 2020(9), pp.48-50.

Mónica, R., Henry, Q., Estela, M. and Washington, F., 2020, June. Why implement continuity plans in Organizations? Approach of a prospective study based on ITIL. In 2020 International Conference on Intelligent Systems and Computer Vision (ISCV) (pp. 1-5).

Mo?teanu, D. and Roxana, N., 2020. Management of disaster and business continuity in a digital world. International Journal of Management, 11(4)

Namdar, J., Torabi, S.A., Sahebjamnia, N. and Nilkanth Pradhan, N., 2021. Business continuity-inspired resilient supply chain network design. International Journal of Production Research, 59(5), pp.1331-1367.

Narula, S., Kumar, A., Puppala, H., Dwivedy, M., Prakash, S., Singh, R. and Talwar, V., 2020. Restarting Manufacturing Industries Post Covid-19: A Mind Map-Based Empirical Investigation of the Associated Challenges in Business Continuity. International Journal of Strategic Decision Sciences (IJSDS), 11(2), pp.46-65.

Nawari, N.O. and Ravindran, S., 2019. Blockchain and building information modeling (BIM): Review and applications in post-disaster recovery. Buildings, 9(6), p.149.

Ostadi, B., Alibakhshi, M. and Sepehri, M.M., 2020. Identification and prioritization the critical activities of the emergency department using business continuity management concept. International Journal of Business Excellence, 22(1), pp.98-113.

P?unescu, C., Popescu, M.C. and Blid, L., 2018. Business impact analysis for business continuity: Evidence from Romanian enterprises on critical functions. Management & Marketing. Challenges for the Knowledge Society, 13(3), pp.1035-1050.

Putra, Y.H. and Wahdiniwaty, R., 2020, July. Study of Risk Assessment and Business Continuity Management of Analog to Digital Archiving Process in order to Guarantee Reliable System. In IOP Conference Series: Materials Science and Engineering (Vol. 879, No. 1, p. 012018).

Ranf, D.E., M?nescu, G. and Badea, D., 2021. Specific business continuity management practices during the COVID-19 pandemic crisis. Land Forces Academy Review, 26(1), pp.62-68.

Reid, M.B., 2021. Business Continuity Plan. In Encyclopedia of Security and Emergency Management (pp. 52-57).

Rezaei Soufi, H., Torabi, S.A. and Sahebjamnia, N., 2019. Developing a novel quantitative framework for business continuity planning. International Journal of Production Research, 57(3), pp.779-800.

Rühl, U., 2021. Business-Continuity-Response. In Quick Guide Erfolgreiches Business-Continuity-Management (pp. 99-110).

Supriadi, L.S.R. and Sui Pheng, L., 2018. Business continuity management (BCM). In Business Continuity Management in Construction (pp. 41-73).

Suresh, N.C., Sanders, G.L. and Braunscheidel, M.J., 2020. Business continuity management for supply chains facing catastrophic events. IEEE Engineering Management Review, 48(3), pp.129-138.

Trisnawati, N.L.D.E., Kartika, R.D. and Kasih, N.L.S., 2021. Business Continuity: Toward to the Holding Company of BUMDes in Buleleng Regency. International Journal of Social Science and Business, 5(2).

Walsh, T., 2020. Disaster Recovery and Business Continuity. In Information Security in Healthcare (pp. 171-194).

Zabezhailo, M.I. and Trunin, Y., 2022. Artificial Intelligence Technologies for Business Continuity Protection in Industry 4.0. In New Technology for Inclusive and Sustainable Growth (pp. 163-174). Springer, Singapore.