Sunday, April 28, 2013

Is my ISMS working?

So we now understand where our risk is from an information security perspective, we have created policies and procedures that support our organizational goals and industry best practice, and we have educated our information system user base on these standards.

Has this created the desired outcome? Are we more secure with our information?

Now the real hard work starts...

Without measures and metrics, continued diligence and ongoing redefinition, the process and its implementation will not be as successful - period. This work is very difficult, but it ultimately allows us to continually improve our system, understand where the opportunities are, and judge the effectiveness of the solutions we have implemented.

"What gets measured, gets managed" - Peter Drucker

Sunday, April 21, 2013

Security Education, Training and Awareness

Policy is only part of information security - there are two other critical aspects to a complete security program and plan: training and awareness.

Per SANS (www.sans.org):

• Policy tells the user what to do
• Training provides the skills for performing it
• Awareness changes their behavior

If users do not know what they are supposed to do, it is a policy issue. If the users do not have the skills for performing it, then it becomes a training issue.

Quite often the user does not understand why it is important and this is a behavioral issue that needs to be changed.

It is also very important to understand that security awareness is not a single event but a process, where the approach is reviewed continuously, improved, and sustained by metrics and success measures.

Source: SANS - Securing The Human

Saturday, April 13, 2013

Information Security Policy Creation

Why is information security policy so important?

"The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality"  (Special Publication SP 500-169, Executive Guide to the Protection of Information Resources)

What are information security policies and how do they support this goal?

The Information Security Policy Framework

  • Policy - High-level approach and definition of the information security direction that will be taken, set by senior management.
  • Standards - The steps that must be followed to support the policy.
  • Guidelines - Recommended steps to follow to support the standards and policy.
  • Procedures - The step-by-step, standard work used to carry out policy, incorporating best practice and required controls.

Sunday, April 7, 2013

Contingency Planning

A big part of security planning is being prepared for the inevitable: a failure that stops or hinders the operations of the business. These can come in many ways, shapes and forms, including malicious attacks, Mother Nature and just plain human mistakes.

Contingency planning has four key parts, each with its own planning and task requirements.

Business Impact Analysis (BIA) includes:

  • Threat Attack Identification and Prioritization
  • Business Unit Analysis
  • Attack Success Scenario Development
  • Potential Damage Assessment
  • Subordinate Plan Coordination

Incident Response Planning (IRP) includes:

  • Incident Planning
  • Incident Assessment
  • Incident Reaction
  • Incident Recovery

Disaster Recovery Planning (DRP) includes:

  • Plan for Disaster Recovery
  • Crisis Management
  • Recovery Operations

Business Continuity Planning (BCP) includes:

  • Establish Continuity Strategies
  • Plan for Continuity of Operations
  • Continuity Management

A total contingency plan includes all phases; each kicks in at a different time and in sequence during an identified incident or disaster:

Plan:     IRP -----------------> DRP -----------------> BCP -----------------> DRP

Timeline: Attack begins          Post-attack (hours)    Post-attack (days)     Normal operations