- Home
- ISC Certification
- SSCP Exam
- ISC.SSCP.v2022-06-29.q999 Dumps
Question 202
The primary purpose for using one-way hashing of user passwords within a password file is which of the following?
Correct Answer: B
The whole idea behind a one-way hash is that it should be just that - one-way. In other words, an attacker should not be able to figure out your password from the hashed version of that password in any mathematically feasible way (or within any reasonable length of time).
Password Hashing and Encryption In most situations , if an attacker sniffs your password from the network wire, she still has some work to do before she actually knows your password value because most systems hash the password with a hashing algorithm, commonly MD4 or MD5, to ensure passwords are not sent in cleartext.
Although some people think the world is run by Microsoft, other types of operating systems
are out there, such as Unix and Linux. These systems do not use registries and SAM
databases, but contain their user passwords in a file cleverly called "shadow." Now, this
shadow file does not contain passwords in cleartext; instead, your password is run through
a hashing algorithm, and the resulting value is stored in this file.
Unixtype systems zest things up by using salts in this process. Salts are random values
added to the encryption process to add more complexity and randomness. The more
randomness entered into the encryption process, the harder it is for the bad guy to decrypt
and uncover your password. The use of a salt means that the same password can be
encrypted into several thousand different formats. This makes it much more difficult for an
attacker to uncover the right format for your system.
Password Cracking tools
Note that the use of one-way hashes for passwords does not prevent password crackers
from guessing passwords. A password cracker runs a plain-text string through the same
one-way hash algorithm used by the system to generate a hash, then compares that
generated has with the one stored on the system. If they match, the password cracker has
guessed your password.
This is very much the same process used to authenticate you to a system via a password.
When you type your username and password, the system hashes the password you typed
and compares that generated hash against the one stored on the system - if they match,
you are authenticated.
Pre-Computed password tables exists today and they allow you to crack passwords on Lan
Manager (LM) within a VERY short period of time through the use of Rainbow Tables. A
Rainbow Table is a precomputed table for reversing cryptographic hash functions, usually
for cracking password hashes. Tables are usually used in recovering a plaintext password
up to a certain length consisting of a limited set of characters. It is a practical example of a
space/time trade-off also called a Time-Memory trade off, using more computer processing
time at the cost of less storage when calculating a hash on every attempt, or less
processing time and more storage when compared to a simple lookup table with one entry
per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.
You may want to review "Rainbow Tables" at the links:
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
Today's password crackers:
Meet oclHashcat. They are GPGPU-based multi-hash cracker using a brute-force attack
(implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask
attack, and rule-based attack.
This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite, both very
well-known suites at that time, but now deprecated. There also existed a now very old
oclHashcat GPU cracker that was replaced w/ plus and lite, which - as said - were then
merged into oclHashcat 1.00 again.
This cracker can crack Hashes of NTLM Version 2 up to 8 characters in less than a few
hours. It is definitively a game changer. It can try hundreds of billions of tries per seconds
on a very large cluster of GPU's. It supports up to 128 Video Cards at once.
I am stuck using Password what can I do to better protect myself?
You could look at safer alternative such as Bcrypt, PBKDF2, and Scrypt.
bcrypt is a key derivation function for passwords designed by Niels Provos and David
Mazieres, based on the Blowfish cipher, and presented at USENIX in 1999. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to
brute-force search attacks even with increasing computation power.
In cryptography, scrypt is a password-based key derivation function created by Colin
Percival, originally for the Tarsnap online backup service. The algorithm was specifically
designed to make it costly to perform large-scale custom hardware attacks by requiring
large amounts of memory. In 2012, the scrypt algorithm was published by the IETF as an
Internet Draft, intended to become an informational RFC, which has since expired. A
simplified version of scrypt is used as a proof-of-work scheme by a number of
cryptocurrencies, such as Litecoin and Dogecoin.
PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is
part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically
PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces
an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC
to the input password or passphrase along with a salt value and repeats the process many
times to produce a derived key, which can then be used as a cryptographic key in
subsequent operations. The added computational work makes password cracking much
more difficult, and is known as key stretching. When the standard was written in 2000, the
recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
The other answers are incorrect:
"It prevents an unauthorized person from trying multiple passwords in one logon attempt." is incorrect because the fact that a password has been hashed does not prevent this type of brute force password guessing attempt.
"It minimizes the amount of storage required for user passwords" is incorrect because hash algorithms always generate the same number of bits, regardless of the length of the input. Therefore, even short passwords will still result in a longer hash and not minimize storage requirements.
"It minimizes the amount of processing time used for encrypting passwords" is incorrect because the processing time to encrypt a password would be basically the same required to produce a one-way has of the same password.
Reference(s) used for this question:
http://en.wikipedia.org/wiki/PBKDF2 http://en.wikipedia.org/wiki/Scrypt http://en.wikipedia.org/wiki/Bcrypt Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 195) . McGraw-Hill. Kindle Edition.
Password Hashing and Encryption In most situations , if an attacker sniffs your password from the network wire, she still has some work to do before she actually knows your password value because most systems hash the password with a hashing algorithm, commonly MD4 or MD5, to ensure passwords are not sent in cleartext.
Although some people think the world is run by Microsoft, other types of operating systems
are out there, such as Unix and Linux. These systems do not use registries and SAM
databases, but contain their user passwords in a file cleverly called "shadow." Now, this
shadow file does not contain passwords in cleartext; instead, your password is run through
a hashing algorithm, and the resulting value is stored in this file.
Unixtype systems zest things up by using salts in this process. Salts are random values
added to the encryption process to add more complexity and randomness. The more
randomness entered into the encryption process, the harder it is for the bad guy to decrypt
and uncover your password. The use of a salt means that the same password can be
encrypted into several thousand different formats. This makes it much more difficult for an
attacker to uncover the right format for your system.
Password Cracking tools
Note that the use of one-way hashes for passwords does not prevent password crackers
from guessing passwords. A password cracker runs a plain-text string through the same
one-way hash algorithm used by the system to generate a hash, then compares that
generated has with the one stored on the system. If they match, the password cracker has
guessed your password.
This is very much the same process used to authenticate you to a system via a password.
When you type your username and password, the system hashes the password you typed
and compares that generated hash against the one stored on the system - if they match,
you are authenticated.
Pre-Computed password tables exists today and they allow you to crack passwords on Lan
Manager (LM) within a VERY short period of time through the use of Rainbow Tables. A
Rainbow Table is a precomputed table for reversing cryptographic hash functions, usually
for cracking password hashes. Tables are usually used in recovering a plaintext password
up to a certain length consisting of a limited set of characters. It is a practical example of a
space/time trade-off also called a Time-Memory trade off, using more computer processing
time at the cost of less storage when calculating a hash on every attempt, or less
processing time and more storage when compared to a simple lookup table with one entry
per hash. Use of a key derivation function that employs a salt makes this attack unfeasible.
You may want to review "Rainbow Tables" at the links:
http://en.wikipedia.org/wiki/Rainbow_table
http://www.antsight.com/zsl/rainbowcrack/
Today's password crackers:
Meet oclHashcat. They are GPGPU-based multi-hash cracker using a brute-force attack
(implemented as mask attack), combinator attack, dictionary attack, hybrid attack, mask
attack, and rule-based attack.
This GPU cracker is a fusioned version of oclHashcat-plus and oclHashcat-lite, both very
well-known suites at that time, but now deprecated. There also existed a now very old
oclHashcat GPU cracker that was replaced w/ plus and lite, which - as said - were then
merged into oclHashcat 1.00 again.
This cracker can crack Hashes of NTLM Version 2 up to 8 characters in less than a few
hours. It is definitively a game changer. It can try hundreds of billions of tries per seconds
on a very large cluster of GPU's. It supports up to 128 Video Cards at once.
I am stuck using Password what can I do to better protect myself?
You could look at safer alternative such as Bcrypt, PBKDF2, and Scrypt.
bcrypt is a key derivation function for passwords designed by Niels Provos and David
Mazieres, based on the Blowfish cipher, and presented at USENIX in 1999. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to
brute-force search attacks even with increasing computation power.
In cryptography, scrypt is a password-based key derivation function created by Colin
Percival, originally for the Tarsnap online backup service. The algorithm was specifically
designed to make it costly to perform large-scale custom hardware attacks by requiring
large amounts of memory. In 2012, the scrypt algorithm was published by the IETF as an
Internet Draft, intended to become an informational RFC, which has since expired. A
simplified version of scrypt is used as a proof-of-work scheme by a number of
cryptocurrencies, such as Litecoin and Dogecoin.
PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is
part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically
PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces
an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC
to the input password or passphrase along with a salt value and repeats the process many
times to produce a derived key, which can then be used as a cryptographic key in
subsequent operations. The added computational work makes password cracking much
more difficult, and is known as key stretching. When the standard was written in 2000, the
recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
The other answers are incorrect:
"It prevents an unauthorized person from trying multiple passwords in one logon attempt." is incorrect because the fact that a password has been hashed does not prevent this type of brute force password guessing attempt.
"It minimizes the amount of storage required for user passwords" is incorrect because hash algorithms always generate the same number of bits, regardless of the length of the input. Therefore, even short passwords will still result in a longer hash and not minimize storage requirements.
"It minimizes the amount of processing time used for encrypting passwords" is incorrect because the processing time to encrypt a password would be basically the same required to produce a one-way has of the same password.
Reference(s) used for this question:
http://en.wikipedia.org/wiki/PBKDF2 http://en.wikipedia.org/wiki/Scrypt http://en.wikipedia.org/wiki/Bcrypt Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 195) . McGraw-Hill. Kindle Edition.
Question 203
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT have which of the following characteristics?
Correct Answer: B
Explanation/Reference:
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a. protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats)
"Mapping" each protocol to the model is useful for comparing protocols.
Mnemonics: Please Do Not Throw Sausage Pizza Away (bottom to top layer) All People Seem To Need Data Processing (top to bottom layer).
Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.
The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a. protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats)
"Mapping" each protocol to the model is useful for comparing protocols.
Mnemonics: Please Do Not Throw Sausage Pizza Away (bottom to top layer) All People Seem To Need Data Processing (top to bottom layer).
Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.
Question 204
_________ is the act of a user professing an identity to a system.
Correct Answer: C
Identification is used to establish user accountability. Many times identification takes the form of a logon ID.
Question 205
Secure Shell (SSH-2) supports authentication, compression, confidentiality, and integrity, SSH is commonly used as a secure alternative to all of the following protocols below except:
Correct Answer: D
Explanation/Reference:
HTTPS is used for secure web transactions and is not commonly replaced by SSH.
Users often want to log on to a remote computer. Unfortunately, most early implementations to meet that need were designed for a trusted network. Protocols/programs, such as TELNET, RSH, and rlogin, transmit unencrypted over the network, which allows traffic to be easily intercepted. Secure shell (SSH) was designed as an alternative to the above insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. SSH's services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel. The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates.
Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.
The following were wrong answers:
telnet is an incorrect choice. SSH is commonly used as an more secure alternative to telnet. In fact Telnet should not longer be used today.
rlogin is and incorrect choice. SSH is commonly used as a more secure alternative to rlogin.
RSH is an incorrect choice. SSH is commonly used as a more secure alternative to RSH.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7077-7088). Auerbach Publications. Kindle Edition.
HTTPS is used for secure web transactions and is not commonly replaced by SSH.
Users often want to log on to a remote computer. Unfortunately, most early implementations to meet that need were designed for a trusted network. Protocols/programs, such as TELNET, RSH, and rlogin, transmit unencrypted over the network, which allows traffic to be easily intercepted. Secure shell (SSH) was designed as an alternative to the above insecure protocols and allows users to securely access resources on remote computers over an encrypted tunnel. SSH's services include remote log-on, file transfer, and command execution. It also supports port forwarding, which redirects other protocols through an encrypted SSH tunnel. Many users protect less secure traffic of protocols, such as X Windows and VNC (virtual network computing), by forwarding them through a SSH tunnel. The SSH tunnel protects the integrity of communication, preventing session hijacking and other man-in-the-middle attacks. Another advantage of SSH over its predecessors is that it supports strong authentication. There are several alternatives for SSH clients to authenticate to a SSH server, including passwords and digital certificates.
Keep in mind that authenticating with a password is still a significant improvement over the other protocols because the password is transmitted encrypted.
The following were wrong answers:
telnet is an incorrect choice. SSH is commonly used as an more secure alternative to telnet. In fact Telnet should not longer be used today.
rlogin is and incorrect choice. SSH is commonly used as a more secure alternative to rlogin.
RSH is an incorrect choice. SSH is commonly used as a more secure alternative to RSH.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7077-7088). Auerbach Publications. Kindle Edition.
Question 206
Which of the following statements pertaining to disaster recovery planning is incorrect?
Correct Answer: A
It is possible that an organization may not need a disaster recovery plan. An organization may not have any critical processing areas or system and they would be able to withstand lengthy interruptions.
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).
Remember that DRP is related to systems needed to support your most critical business functions.
The DRP plan covers actions to be taken when a disaster occur but DRP PLANNING which is the keywork in the question would also include steps that happen before you use the plan such as development of the plan, training, drills, logistics, and a lot more.
To be effective, the plan would certainly cover before, during, and after the disaster actions.
It may take you a couple years to develop a plan for a medium size company, there is a lot that has to happen before the plan would be actually used in a real disaster scenario. Plan for the worst and hope for the best.
All other statements are true.
NOTE FROM CLEMENT: Below is a great article on who legally needs a plan which is very much in line with this question. Does EVERY company needs a plan? The legal answer is NO. Some companies, industries, will be required according to laws or regulations to have a plan. A blank statement saying: All companies MUST have a plan would not be accurate. The article below is specific to the USA but similar laws will exist in many other countries.
Some companies such as utilities, power, etc... might also need plan if they have been defined as Critical Infrastructure by the government. The legal side of IT is always very
complex and varies in different countries. Always talk to your lawyer to ensure you follow
the law of the land :-)
Read the details below:
So Who, Legally, MUST Plan?
With the caveats above, let's cover a few of the common laws where there is a duty to have
a disaster recovery plan. I will try to include the basis for that requirement, where there is
an implied mandate to do so, and what the difference is between the two
Banks and Financial Institutions MUST Have a Plan
The Federal Financial Institutions Examination Council (Council) was established on March
10, 1979, pursuant to Title X of the Financial Institutions Regulatory and Interest Rate
Control Act of 1978 (FIRA), Public Law 95-630. In 1989, Title XI of the Financial Institutions
Reform, Recovery and Enforcement Act of 1989 (FIRREA) established the Examination
Council (the Council).
The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the Board
of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS); and to
make recommendations to promote uniformity in the supervision of financial institutions. In
other words, every bank, savings and loan, credit union, and other financial institution is
governed by the principles adopted by the Council.
In March of 2003, the Council released its Business Continuity Planning handbook
designed to provide guidance and examination procedures for examiners in evaluating
financial institution and service provider risk-management processes.
Stockbrokers MUST Have a Plan
The National Association of Securities Dealers (NASD) has adopted rules that require all its
members to have business continuity plans. The NASD oversees the activities of more
than 5,100 brokerage firms, approximately 130,800 branch offices and more than 658,770
registered securities representatives.
As of June 14, 2004, the rules apply to all NASD member firms. The requirements, which
are specified in Rule 3510, begin with the following:
3510. Business Continuity Plans. (a) Each member must create and maintain a written
business continuity plan identifying procedures relating to an emergency or significant
business disruption. Such procedures must be reasonably designed to enable the member
to meet its existing obligations to customers. In addition, such procedures must address the
member's existing relationships with other broker-dealers and counter-parties. The
business continuity plan must be made available promptly upon request to NASD staff.
NOTE:
The rules apply to every company that deals in securities, such as brokers, dealers, and
their representatives, it does NOT apply to the listed companies themselves.
Electric Utilities WILL Need a Plan
The disaster recovery function relating to the electric utility grid is presently undergoing a
change. Prior to 2005, the Federal Energy Regulatory Commission (FERC) could only
coordinate volunteer efforts between utilities. This has changed with the adoption of Title
XII of the Energy Policy Act of 2005 (16 U.S.C. 824o). That new law authorizes the FERC
to create an Electric Reliability Organization (ERO).
The ERO will have the capability to adopt and enforce reliability standards for "all users,
owners, and operators of the bulk power system" in the United States. At this time, FERC
is in the process of finalizing the rules for the creation of the ERO. Once the ERO is
created, it will begin the process of establishing reliability standards.
It is very safe to assume that the ERO will adopt standards for service restoration and
disaster recovery, particularly after such widespread disasters as Hurricane Katrina.
Telecommunications Utilities SHOULD Have Plans, but MIGHT NOT
Telecommunications utilities are governed on the federal level by the Federal
Communications Commission (FCC) for interstate services and by state Public Utility
Commissions (PUCs) for services within the state.
The FCC has created the Network Reliability and Interoperability Council (NRIC). The role
of the NRIC is to develop recommendations for the FCC and the telecommunications
industry to "insure [sic] optimal reliability, security, interoperability and interconnectivity of,
and accessibility to, public communications networks and the internet." The NRIC members
are senior representatives of providers and users of telecommunications services and
products, including telecommunications carriers, the satellite, cable television, wireless and
computer industries, trade associations, labor and consumer representatives,
manufacturers, research organizations, and government-related organizations.
There is no explicit provision that we could find that says telecommunications carriers must
have a Disaster Recovery Plan. As I have stated frequently in this series of articles on
disaster recovery, however, telecommunications facilities are tempting targets for terrorism. I have not changed my mind in that regard and urge caution.
You might also want to consider what the liability of a telephone company is if it does have a disaster that causes loss to your organization. In three words: It's not much. The following is the statement used in most telephone company tariffs with regard to its liability:
The Telephone Company's liability, if any, for its gross negligence or willful misconduct is not limited by this tariff. With respect to any other claim or suit, by a customer or any others, for damages arising out of mistakes, omissions, interruptions, delays or errors, or defects in transmission occurring in the course of furnishing services hereunder, the Telephone Company's liability, if any, shall not exceed an amount equivalent to the proportionate charge to the customer for the period of service during which such mistake, omission, interruption, delay, error or defect in transmission or service occurs and continues. (Source, General Exchange Tariff for major carrier)
All Health Care Providers WILL Need a Disaster Recovery Plan HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act, the Act includes a section, Title II, entitled Administrative Simplification, requiring "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
The legislation called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future.
The final Security Rule was published by HHS on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices. Companies with More than 10 Employees
The United States Department of Labor has adopted numerous rules and regulations in regard to workplace safety as part of the Occupational Safety and Health Act. For example, 29 USC 654 specifically requires:
(a)
Each employer:
(1)
shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees;
(2)
shall comply with occupational safety and health standards promulgated under this Act.
(b)
Each employee shall comply with occupational safety and health standards and all rules, regulations, and orders issued pursuant to this Act which are applicable to his own actions and conduct.
Other Considerations or Expensive Research questions for Lawyers (Sorry, Eddie!)
The Foreign Corrupt Practices Act of 1977 Internal Revenue Service (IRS) Law for Protecting Taxpayer Information Food and Drug Administration (FDA) Mandated Requirements Homeland Security and Terrorist Prevention Pandemic (Bird Flu) Prevention ISO 9000 Certification Requirements for Radio and TV Broadcasters Contract Obligations to Customers Document Protection and Retention Laws Personal Identity Theft...and MORE!
Suffice it to say you will need to check with your legal department for specific requirements in your business and industry!
I would like to thank my good friend, Eddie M. Pope, for his insightful contributions to this article, our upcoming book, and my ever-growing pool of lawyer jokes. If you want more information on the legal aspects of recovery planning, Eddie can be contacted at my company or via email at mailto:[email protected]. (Eddie cannot, of course, give you legal advice, but he can point you in the right direction.)
I hope this article helps you better understand the complex realities of the legal reasons why we plan and wish you the best of luck
See original article at: http://www.informit.com/articles/article.aspx?p=777896
See another interesting article on the subject at: http://www.informit.com/articles/article.aspx?p=677910&seqNum=1
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 281).
