Professional Documents
Culture Documents
Topics
1. Introduction
2. Information Security, Planning, and Governance
3. Information Security Policy, Standards and Practices
4. The Information Security Blueprint
5. Security, Education, Training, and Awareness Program
6. Continuity Strategies
Learning Objectives
Content
1. Introduction
Planning Levels
When the EISP has been developed, the CISO begins forming the
security team and initiating the necessary changes to the
information security program.
✓ E-mail
✓ Use of the Internet
✓ Specific minimum configurations of computers to defend
against worms and viruses
✓ Prohibitions against hacking or testing organization
security controls
✓ Home use of company-owned computer equipment
✓ Use of personal equipment on company networks
✓ Use of telecommunications technologies (fax and phone)
✓ Use of photocopy equipment
Policy Management
Once your organization has defined the polices that will guide
its security program and selected an overall security model by
creating or adapting a security framework and a corresponding
detailed implementation blueprint, it is time to implement a
security education, training, and awareness (SETA) program.
The SETA program is the responsibility of the CISO and is a
control measure designed to reduce the incidences of
accidental security breaches by employees. Employee errors are
among the top threats to information assets, so it is well
worth expending the organization’s resources to develop
programs to combat this threat. SETA programs are designed to
supplement the general education and training programs that
many organizations use to educate staff on information
security.
Security Education
Security Training
Security Awareness
6. Continuity Strategies
Business Unit Analysis The second major task within the BIA is
the analysis and prioritization of the business functions
within the organization to determine which are most vital to
continued operations. Each organizational unit must be
evaluated to determine how important its functions are to the
organization as a whole. For example, recovery operations
would probably focus on the IT department and network
operation before addressing the personnel department and
hiring activities. Likewise, it is more urgent to reinstate a
manufacturing company’s assembly line than the maintenance
tracking system for that assembly line.
1. Planning
2. Detection
3. Reaction
4. Recovery
Warm Sites The next step down from the hot site is the warm
site. A warm site provides many of the same services and
options of the hot site. However, it typically does not
include the actual applications the company needs, or the
applications may not yet be installed and configured. A warm
site frequently includes computing equipment and peripherals
with servers but not client workstations. A warm site has many
of the advantages of a hot site, but at a lower cost. The
downside is that it requires hours, if not days, to make a
warm site fully functional.
Cold Sites The final dedicated site option is the cold site. A
cold site provides only rudimentary services and facilities.
No computer hardware or peripherals are provided. All
communications services must be installed after the site is
occupied. Basically a cold site is an empty room with heating,
air conditioning, and electricity. Everything else is an
option. Although the obvious disadvantages may preclude its
selection, a cold site is better than nothing. The main
advantage of cold sites over hot and warm sites is the cost.
Furthermore, if the warm or hot site is based on a shared
capability, not having to contend with organizations sharing
space and equipment should a widespread disaster occur may
make the cold site a more controllable option, albeit slower.
In spite of these advantages, some organizations feel it would
be easier to lease a new space on short notice than pay
maintenance fees on a cold site.
Crisis Management
The Planning Document The first document created for the IR and
DR document set is the incident reaction document. The key
players in an organization, typically the top computing
executive, systems administrators, security administrator, and a
few functional area managers, get together to develop the IR and
DR plan. The first task is to establish the responsibility for
managing the document, which typically falls to the security
administrator. A secretary is appointed to document the
activities and results of the planning session. First,
independent incident response and disaster recovery teams are
formed. For this model, the two groups include the same
individuals as the planning committee, plus additional systems
administrators. Next, the roles and responsibilities are outlined
for each team member. At this point, general responsibilities are
being addressed, not procedural activities. The alert roster is
developed as are lists of critical agencies.
These are the words that all contingency planners live by: plan
for the worst and hope for the best.
Local Law Enforcement Each county and city has its own law
enforcement agency. These agencies enforce all local and state
laws and handle suspects and secure crime scenes for state and
federal cases.
Summary
Self-Assessment Activity:
4. What are the inherent problems with ISO 17799, and why
hasn’t the United States adopted it? What are the recommended
alternatives?
13. When is the DR plan used? 14. When is the BC plan used?
How do you determine when to use the IR, DR, and BC plans?
Case Exercises:
Questions:
1. What would be the first note you would write down if you
were Charlie?
References: