identify anomalies, filtering anomalies to identify events, and filtering events to
identify incidents. Response involves the CSIRT, which may lead to a digital
forensic investigation.
Event-driven activities (i.e., trigger events) kick off forensic activity that may
range from automated real-time log filtering to post-event reconstruction; forensics is
an integral part of the IA operations cycle. Forensic analysis may include physical,
personnel, and cyber security, addressing such aspects as failed building or room
access attempts; presentation of a false identity or privilege claim; or unauthorized or
questionable network or host activity. Successful forensics requires binding unique
identification with an individual, going through a robust authentication process,
plus managing the assignment of appropriate privileges and going through a robust
authorization process. This series of rigid procedures provides the raw data and
accountability necessary for a successful forensic investigation.
8.12.7 Commentary
A seemingly simple request for transactional nonrepudiation implies the need for
identity management and authentication that strongly bind activity to individuals.
This implies the need for digital signatures and public key infrastructure (PKI) or
similar infrastructure. This also implies the need for robust application logging that
binds digital signatures with activity, plus log management, filtering, and
reporting—all under the requirements of evidentiary preservation. The architectural
considerations are extensive. The ability to draw on a formal IA²F and IA²P to
blueprint these complexities is critical to effective implementation and operations.
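An added example (not from the original text) of the logging requirement described above: each record is bound to an actor by a keyed signature and chained to the previous record's hash, so alteration, re-attribution, or deletion is detectable. The record fields, user names, and keys are constructed, and HMAC stands in for a PKI-backed digital signature so the code runs on the Python standard library; a shared key authenticates the actor but does not by itself provide nonrepudiation.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
# Constructed per-user keys (assumption). HMAC is a stand-in for an
# asymmetric signature issued under a PKI.
USER_KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
BODY_FIELDS = ("seq", "ts", "actor", "action", "prev")

def _canonical(fields):
    # Stable byte encoding so signer and verifier hash identical input.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def _sign(key, body):
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

def append(log, actor, action, ts):
    """Append a record bound to its actor and to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "prev": prev}
    record = dict(body, sig=_sign(USER_KEYS[actor], body))
    record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
    log.append(record)
    return record

def verify(log):
    """Return (ok, index of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec.get(k) for k in BODY_FIELDS}
        if body["seq"] != i or body["prev"] != prev:
            return (False, i, "chain broken")       # deletion, insertion, reorder
        key = USER_KEYS.get(body["actor"])
        if key is None:
            return (False, i, "unknown actor")
        sig = str(rec.get("sig"))
        if not hmac.compare_digest(_sign(key, body).encode(), sig.encode()):
            return (False, i, "bad signature")      # content or actor altered
        digest = hashlib.sha256(_canonical(dict(body, sig=sig))).hexdigest()
        if digest != rec.get("hash"):
            return (False, i, "bad record hash")
        prev = digest
    return (True, None, "ok")

def sample_log():
    """Constructed sample activity."""
    log = []
    append(log, "alice", "approve payment 1001", "2024-01-01T10:00:00Z")
    append(log, "bob", "release payment 1001", "2024-01-01T10:05:00Z")
    append(log, "alice", "close batch", "2024-01-01T10:09:00Z")
    return log
```

Removing records from the end of the log is not detected by the chain alone; the most recent record hash has to be preserved somewhere the log writer cannot alter.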
8.13 Business Impact Assessment
A business impact assessment (BIA) is the radar for organizational viability; it
identifies those business functions critical for organizational survivability and
the necessary recovery time objective (RTO) for the organization to survive. “A
mission impact analysis (also known as business impact analysis [BIA] for some
organizations) prioritizes the impact levels associated with the compromise of an
organization's information assets based on a qualitative or quantitative assessment
of the sensitivity and criticality of those assets.” In brief, the BIA is a methodology
to provide guidance to focus limited resources on critical business areas during a
continuity or recovery event. The four pillars of BIA are survivability, criticality,
priority, and accountability. Survivability determines the downtime tolerance (DTT)
or recovery time objective (RTO) for each business function. Criticality assigns
NIST SP 800-30, revised: A Risk Management Guide for Information Technology Systems, p. 24.