Menu
Home
Log in / Register
 
Home arrow Computer Science arrow The InfoSec Handbook
< Prev   CONTENTS   Next >

Operations

Information security should not be ignored in day-to-day operations. It should be an integral part of all the activities. Operations need to be carried out strictly according to the established policies, procedures, and processes. Any violation to speed up the activities or ignorance can lead to serious consequences. Similarly, not carrying out certain activities which are essential as per the policies and procedures, can defeat the very purpose of information security. Hence, operations should be tightly controlled for effective information security. For example, backups were not taken because the system administrators were busy on another activity. This defeats the protection provided through backups. The installation of a patch without taking sufficient precautions can bring down the system itself. Not carrying out the maintenance of UPS can bring down the UPS leading to an abrupt shutdown of the systems leading to system or data corruption. All operations should be guided by appropriate processes (standard operating procedures) and carried out as per the plans. A non-maintained earth pit can be a significant issue. Not checking the backup media through periodical restoration may lead to the tape being not readable or restorable when required.

Monitoring

Monitoring is an integral part of any activity whether it is business related or information security-related activity. Any organization needs to keep monitoring the threats to it so that it can react to the threats effectively and on time.

This activity is time-consuming. For example, to find out about all the intruder activities manually through logs is a humungous activity. There are many tools available to monitor, filter, detect, and/or to correct and alert on such aspects. For example, firewalls and IDS/IPS. Even simple things like disk space monitoring and bandwidth usage monitoring, if not done on a timely basis, may lead to systems not being usable or available. In the field of information security, in order to understand the causes of the breaches and incidents, sometimes the forensic analysis (where the causes may not be obvious or straight forward) may have to be carried out. This will enable us to understand the causes clearly and put in place our defensive mechanisms so that such incidents can be avoided or reduced.

Legal Compliance and Audit

One of the biggest threats to an organization's existence is non-compliance to legal requirements. Organizations can be permanently shut down if the non-compliance is severe. Sometimes, organizations may be made to shell out huge penalties for non-compliance or negligence. Furthermore, there are a lot of laws enacted to prevent the misuse of information technology and those need to be adhered to. These may require special skills to understand the compliance in the context of information technology. Hence, periodic audits by knowledgeable independent or internal experts will help the organizations to understand the non-compliance issues and plug them out before they become severe.

Another thing to consider here is the compliance check on various policies, procedures, or processes implemented by the organizations. We all know that most of the time, these policies or processes are written wonderfully, but people who are trained on them over a period of time, these can be forgotten. Sometimes, the context changes, but these policies and processes are not modified. New employees join the organization but they are not trained on these policies and processes. Normally, in almost all of the organizations, most of the employees are always on either fighting one or other types of business fires, working on or solving one or another crucial burning issue. Consequently, the requisite attention and focus on effective implementation of these policies and processes takes a back seat or gets into a low priority mode. Hence, it is strongly suggested that every organization should have strong periodic internal audits coupled with external audits by independent experts occasionally. The non-conformances identified and

the suggestions made in these audits should be placed before the management and necessary actions have to be determined and implemented across the organization. Management should provide necessary focus on these so that even if the organization wades off a little, it is again brought back to the right path.

Crisis Management

The Crisis Management Plan, Business Continuity Plan, or Disaster Recovery Plan are interchangeably used to denote a single entity, even though there are subtle differences between them. For the purpose of discussion here, let us consider them as a single entity. Organizations can face crisis because of natural disasters, mistakes of employees, senior management, or because of the external attacks like the attacks from the hackers. Organizations cannot sit idle. They need to respond effectively and also restore their business back to normalcy after such attacks. Towards this purpose,

a well-planned business continuity and crisis management plan should be put in place by every organization. Disaster recovery and business continuity should become an integral part of the planning process of every organization. Ideally, every organization should carry out the business impact analysis to identify the critical businesses for which continuity is essential and also the tolerance time frame up to which the organization can wait before the business need to be commenced. A business continuity plan should be put in place clearly identifying the roles and responsibilities of all the concerned stakeholders. All the stakeholders need to be trained and the business continuity plan should be tested to check that it works as required when actually it has to be put into action. Crisis declaration is an important step. As every event or incident is not a crisis, a senior person should be empowered to identify a crisis when it arises, as he has the maturity and knowledge to declare a situation a crisis.

 
Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
 
Subjects
Accounting
Business & Finance
Communication
Computer Science
Economics
Education
Engineering
Environment
Geography
Health
History
Language & Literature
Law
Management
Marketing
Philosophy
Political science
Psychology
Religion
Sociology
Travel