- Securing the Organization: Equipment and Access
- Managing the Availability and Integrity of Operations
- Implementing New Software and Privacy Concerns
- Regulating Interactivity Through Information and Equipment Control
- Mobilizing the Human Element: Creating a Secure Culture
- Creating Guidelines Through the Establishment of Procedural Requirements
- Determining Rules and Defining Compliance
- Securing the Future: Business Continuity Planning
- Ensuring a Successful Security Policy Approach
- Surveying IT Management
Managing the Availability and Integrity of Operations
Maintaining availability and ensuring integrity of both physical and logical equipment are the bedrocks of operations management. The goal of operations management is to protect the organization from interruption to its regular business activities and to minimize the risk of system failure.
Safeguarding information requires that measures be in place before users begin to interact with one another or the Internet. For example, an organization could only ensure the integrity of its database if its appointed agents, typically in-house IT staff, were the sole persons responsible for loading software and performing maintenance on the system. Individual users would not be allowed to download or install software on their workstations, laptops, or local networks. IT would assume that responsibility, along with the task of deploying appropriate antivirus software throughout the network and its appliances.
IT staff would also ensure that discarded hard drives, prior to being recycled or trashed, are sanitized, a process that overwrites each block of the disk drive, filling it with 0s.
Safely managing the vast amount of information organizations typically generate requires that a consistent set of practices be instituted to ensure the following items:
- Systems are backed up regularly, preferably daily.
- Backed-up data is stored off-site, possibly using service providers who specialize in collecting and storing tapes and CDs. Whether in-house or third-party, storage facilities should be located in geographically secure areas.
- Thorough logs are maintained, enabling audit trails to be followed should an attack ever occur and forensic analysis be required.
Managing security operations should include a systematic process of checks and balances, which can reduce the probability of unauthorized modification or misuse of equipment. Policies should ensure that no individual could perform all the following functions:
- Request a service
- Approve the required funds for the service
- Interview all vendors, contractors, or product providers
- Place the purchase order for the service or product
- Approve and make payment to the vendor
- Reorder the service
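The separation-of-duties rule above is only as good as the audit trail that lets you check it. The following is an added example, not code from the original text: a small Python check that reads a purchasing audit log and reports any request in which one actor performed all six functions, plus an early warning for requests still in progress where a single actor holds every step recorded so far. The log format (request id, step name, actor), the step identifiers, and the sample records are all constructed for this illustration.

```python
"""Separation-of-duties check over a purchasing audit trail.

Added example. Assumes a constructed audit log in which each record is
(request_id, step, actor); the six step names mirror the purchasing
functions the policy says no single person may perform alone.
"""
from collections import Counter, defaultdict

# The six purchasing functions, in workflow order (constructed identifiers).
SOD_STEPS = (
    "request",            # request a service
    "approve_funds",      # approve the required funds
    "interview_vendors",  # interview vendors, contractors, providers
    "place_order",        # place the purchase order
    "approve_payment",    # approve and make payment
    "reorder",            # reorder the service
)

# Constructed sample audit trail: (request_id, step, actor).
# PR-1 is split across three people; PR-2 is handled end to end by one
# person; PR-3 is still in progress but has only one actor so far.
SAMPLE_LOG = [
    ("PR-1", "request", "alice"),
    ("PR-1", "approve_funds", "bob"),
    ("PR-1", "interview_vendors", "alice"),
    ("PR-1", "place_order", "carol"),
    ("PR-1", "approve_payment", "bob"),
    ("PR-1", "reorder", "alice"),
    ("PR-2", "request", "dave"),
    ("PR-2", "approve_funds", "dave"),
    ("PR-2", "interview_vendors", "dave"),
    ("PR-2", "place_order", "dave"),
    ("PR-2", "approve_payment", "dave"),
    ("PR-2", "reorder", "dave"),
    ("PR-3", "request", "erin"),
    ("PR-3", "approve_funds", "erin"),
    ("PR-3", "place_order", "erin"),
]


def steps_by_request(log):
    """Map request_id -> {step: actor}. Unknown step names are rejected
    rather than silently ignored, so a mislabelled record cannot hide."""
    table = defaultdict(dict)
    for request_id, step, actor in log:
        if step not in SOD_STEPS:
            raise ValueError(f"unknown step {step!r} in {request_id}")
        table[request_id][step] = actor
    return dict(table)


def step_concentration(log):
    """Map request_id -> (actor, n) for the actor who performed the most
    distinct steps of that request; n == len(SOD_STEPS) means one person
    did everything."""
    result = {}
    for request_id, steps in steps_by_request(log).items():
        counts = Counter(steps.values())
        # Deterministic tie-break: higher count first, then actor name.
        actor, n = max(counts.items(), key=lambda kv: (kv[1], kv[0]))
        result[request_id] = (actor, n)
    return result


def sod_violations(log):
    """Request ids in which a single actor performed all six functions."""
    return sorted(
        request_id
        for request_id, (_, n) in step_concentration(log).items()
        if n == len(SOD_STEPS)
    )


def sod_warnings(log, threshold=3):
    """Request ids still in progress (not all steps recorded yet) where one
    actor holds every recorded step and at least `threshold` of them:
    these are the ones to reassign before they become violations."""
    warnings = []
    for request_id, steps in steps_by_request(log).items():
        in_progress = len(steps) < len(SOD_STEPS)
        single_actor = len(set(steps.values())) == 1
        if in_progress and single_actor and len(steps) >= threshold:
            warnings.append(request_id)
    return sorted(warnings)


if __name__ == "__main__":
    print("violations:", sod_violations(SAMPLE_LOG))   # ['PR-2']
    print("warnings:", sod_warnings(SAMPLE_LOG))       # ['PR-3']
    for rid, (actor, n) in step_concentration(SAMPLE_LOG).items():
        print(f"{rid}: {actor} performed {n} of {len(SOD_STEPS)} steps")
```

Running the check over the constructed log flags PR-2 as a full violation and PR-3 as a warning, while PR-1, where the steps are spread across three people, passes. In practice the records would come from the purchasing or ticketing system's audit log, and the warning threshold would be tuned so reviewers see concentration early rather than after payment has already gone out.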
A chain of responsibility ensures that multiple individuals must give their consent before plans are put in motion. While it has the potential to become overly bureaucratic, the end justifies the means: checks and balances are the keystone of efficient operations, security or otherwise.