business continuity for the White House security staff


Create a three page policy for business continuity for the White House security staff.
The information to use as a resource for your policy is provided below (taken from SunGard Availability Services at www.sungardas.com, limited use for educational purposes) and also in your reading for the week (See Appendix 1 for policy information).
• Plan purpose: for example, to allow company personnel to quickly and effectively restore critical business operations after a disruption.
• Plan objective: for example, to identify the processes or steps involved in resuming normal business operations.
• Plan scope: for example, the work locations or departments addressed.
• Plan scenarios addressed: for example, loss of a primary work area, loss of IT services for a prolonged period of time, loss of workforce, etc.
• Plan assumptions: for example, you may want to call out the number of work locations impacted at any given time that key personnel are available for any recovery efforts, or any assumptions you may have made about vendor or utility service availability.
Use the headings and rationale below to prepare the business continuity plan for the White House security staff. Go to http://www.whitehouse.gov to obtain ideas on security concerns.
PLAN SECTION:
Recovery Strategies and Activities

After the initial introductory section, there are usually a number of paragraphs about the strategies outlined in the plan, as well as the specific personnel undertaking the recovery and the recovery activities. Examples of sections that you may want to consider for your own BC/DR plan include:
Recovery Strategy Summary: In this section, a plan will typically outline the broad strategies to be followed in each of the scenarios identified in the plan Introduction section. As an example, if “loss of work area” is identified as a possible failure scenario, a potential recovery strategy could be to relocate to a previously agreed-upon or contracted alternate work location, such as a SunGard work area recovery center.
Recovery Tasks: This section of the plan will usually provide a list of the specific recovery activities and sub-activities that will be required to support each of the strategies outlined in the previous section. For example, if the strategy is to relocate to an alternate work location, the tasks necessary to support that relocation effort could include identifying any equipment needs, providing replacement equipment, re-issuing VPN tokens, declaration of disaster, and so on.
Recovery Personnel: Typically, a BC/DR plan will also identify the specific people involved in the business continuity efforts, for example, naming a team lead and an alternate team lead, as well as the team members associated with any recovery efforts. This section of the plan will also include their contact information, including work phone, cellphone, and email addresses. Obviously, because of any potential changes in personnel, the plan will need to be a “living” document that is updated as personnel/workforce changes are made.
Plan Timeline: Many plans also include a section in the main body that lays out the steps for activating a plan (usually in the form of a flow chart). For example, a typical plan timeline might start from the incident detection, then flow into the activation of the response team, the establishment of an incident command center, notification of the recovery team, followed by a decision point around whether or not to declare a disaster. A plan timeline may also assign the recovery durations or recovery time objectives required by the business for each activity in the timeline.
Critical Vendors and their RTOs: In this section, a plan may also list the vendors critical to day-to-day operations and recovery strategies, as well as any required recovery time objectives that the vendors must meet in order for the plan to be successful.
Critical Equipment/Resource Requirements: A plan may also detail the quantity requirements for resources that must be in place within specified timeframes after plan activation. Examples of resources listed might include workstations, laptops (both with and without VPN access), phones, conference rooms, etc.
Citation for this book:
Bacik, Sandy. ( © 2008). Building an effective information security policy architecture. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=26398.

Chapter 7: Putting It Together
Overview
The manual of style has been created, the list of initial topics has been put together, and the initial documents have been drafted. Now comes the hard part: the approval process and the actual implementation of the initial information security policy architecture.
We know from previous chapters that the cornerstone of an effective information security policy architecture is the well-written policy statement. This is the source from which all other policy architecture documents are written. That initial information security policy is the executive team’s directives to create an information security program, establish its goals and measures, and target and assign responsibilities. The current task is to take these documents, decisions, common practices, or folklore and fashion them into an approved published information security policy architecture that is used as the basis for protecting information resources and guiding employee behavior.
7.1 Topics to Start With
Many times, the hardest thing is to figure out the first set of topics or priorities for the security policy architecture and the second hardest thing is to get through the reviews and approvals. Before an enterprise can determine the top security policy architecture priority, the enterprise needs to have a statement from the top endorsing the need for security or assurance of enterprise assets. If a risk assessment has been performed, then you can start with the high risk areas. That choice will depend on the organizational structure and the amount of staffing you have. The higher-level topics were talked about in a previous chapter, so if the security policy architecture is being started from the beginning, then the highest level security policy topic needs to be completed.
Another way to start the security policy architecture is for the enterprise to begin with lower-level process documents once top management has endorsed the effort. These documents are the device and software security configuration standards and the security work instructions, procedures, processes, or standard operating procedures. Documents of this type normally do not need approvals all the way up the management structure, so they can be written and implemented more easily than a policy statement or guideline. These lower-level documents give the security policy architecture a strong foothold for implementation within the organization. This option does contradict the statements in Chapter 3 and Figure 10 about building a security policy architecture from the top down; however, an enterprise knows that it needs configuration standards and standard operating procedures regardless, so the two approaches fit together in the end.
The last option for priorities is addressing problem areas that have been happening within the enterprise environment. If social engineering is an issue, then maybe user awareness takes priority. If virus and worm infections are an issue, then enhancing and developing preventative documents and training take priority. If Internet surfing and downloading are an issue, then the user awareness and additional monitoring and reporting take priority. The priorities depend upon the enterprise and the direction that management wants to take.
No matter which way the security policy architecture is going to be initiated or reviewed, the information security team needs to gather the following information to ensure an understanding of the enterprise:
• Organization charts
• Network diagrams
• Existing policies
• Application list (enterprise and departmental), including each application's function
• Management tools
• Network device list to include function, vendor, and version
• Production server list to include function, operating system, and version
• Enterprise strategic plans
• Compliance and privacy requirements
• Threat, concern, risk matrix for the most precious enterprise assets or a definition of enterprise assets
7.2 Reviews
Before getting any approvals for the documents, the documents need to be reviewed. Because electronic forums are the best way to initially review documents, start the document review process with a task to the review team. A review team consists of an author who controls the review cycle, reviewers who will make comments on the document, and an observer, a staff member outside the policy team, who will review the document, but will not have a vote to move forward with the document.
The initial review team should be no more than five subject matter experts. These subject matter experts should understand risk, the operating environment, and the business requirements. With smaller organizations, the team should be about three people. As the author, you need to ensure that the document will fit into the enterprise culture.
If the review team includes staff from other countries or areas in different time zones, the review process will need to accommodate different time zones. The size of the document also determines the estimated review time for the document. Listed below are some guidelines for estimated document review times, but this does not include estimated times if the document needs to be translated before someone can review the document:
• Initial Document Review
o 201 pages or more in length: 80 business hours of review time
o 101–200 pages in length: 60 business hours of review time
o 51–100 pages in length: 40 business hours of review time
o 0–50 pages in length: 24 business hours of review time
• Subsequent Document Review
o 201 changed pages or more: 40 business hours of review time
o 101–200 changed pages: 32 business hours of review time
o 51–100 changed pages: 16 business hours of review time
o 0–50 changed pages: 8 business hours of review time
These estimated time frames take into account that staff are working on other projects and are not full time to the review team. If the members are 100 percent dedicated to the review team, then the times can be cut by at least one third.
What is the actual document review cycle? It is simple. It is just like a project requirements review:
1. Create a central point to store the information security policy documents for review. Ensure that the review team has access to the document storage. Documents should not be emailed because the team may not remember who has the most current version.
2. Publish information security policy document(s) for review. The author places the information security policy document in the central location.
3. The author sends out a notice to the reviewers. A sample email is documented below.
Subject: Review Requested: Information Security document XXX
You have been selected to be on the review team for the XXX information security policy architecture document. The purpose of this document is XXX and is to apply to the whole enterprise. The document is located XXX. Please review the document for accuracy, content, grammar, completeness, and how it would fit into the enterprise. You have full editorial liberties when reviewing the document. If there are any questions, please do not hesitate to contact me. The review comments are due by close of business on XX/XX/XX. Thank you.
4. The reviewers will edit the appropriate documents making revisions and comments and asking questions.
5. The author sends out a reminder to complete the information security policy document(s) reviews.
6. When the reviewers have completed the document review, the author will review all of the input and comments.
7. The author will merge all of the revisions.
8. Repeat the review cycle with the review team if the author decides not enough changes have been made to the information security policy document(s). If there are only grammatical changes or items to better clarify statements, then the document may not need to be re-reviewed.
As the reviewer reviews the information security policy document, he or she needs to ask the following questions while reading the documents:
• Is there applicability and completeness for business requirements, compliance, and regulatory requirements?
• Can the requirements within the document be tested and have documented results?
• Does the document have correctness/accuracy?
• Does the document employ correct grammar?
• Does the document have technical adequacy, where applicable?
• Business requirements
o Have integrity and evidential value of information been maintained?
o Is information available to properly authorized personnel?
• Is the information security policy document long enough or too long?
• Does the roles and responsibilities section cover the enterprise?
• Is the information security policy document customized enough to meet business requirements? Has the enterprise done its due diligence?
• If we give the policy to a high school student, could the student understand it and state the meaning of the document?
• Does the information security policy document state how the enterprise feels about risk and how risk will be handled?
• Would a staff member state that the information security policy document is reasonable and realistic? Will it impact their day-to-day activities?
After the review team completes and accepts the document, the document needs to be forwarded to the management team for the formal approval sign-offs.
7.3 Project Approval
In preparation for getting signature approvals, electronic communication, namely e-mail, is one of the better methods to communicate with the executive team.
Many executive teams will give staff members no more than 15 minutes to make a presentation to get a point across, catch their attention, and get their agreement or approval to move forward. When you are dealing with an information security policy architecture, the issue is not whether security is necessary, but whether it is recognized as an urgent need. The executive team understands that the enterprise environment is characterized by more complex computer environments, multiple computer platforms, multiple levels of information users, and vast conglomerates of integrated computer networks. Some executive team members may not understand information security in detail, but they will understand information risk to the enterprise.
When an executive presentation is performed, the presenter needs to keep in mind the limited time that is available and remember to answer these four questions:
1. From a strategic point of view, is the enterprise doing the right thing by writing an information security policy architecture?
2. From an enterprise architecture point of view, is the enterprise approaching limiting asset risk in the right way?
3. From a value point of view, will the enterprise achieve benefits from the implementation of an information security policy architecture?
4. From a delivery point of view, is the implementation plan being done well for the benefit of the enterprise?
With these four questions, two slides with four balloons each can be the high-level presentation for getting approval to move forward with a project to develop or review an information security policy architecture. The first set of four balloons would cover the project goal, the project objectives, the core project team, and the project approach, which together present the business case for the information security policy architecture. Sample balloons can be found in Figures 14, 15, 16, and 17.
________________________________________
Goal
Establish an information security policy architecture that provides accountability and reliable protection to limit enterprise asset risk.
________________________________________


Figure 14: Sample project goal.
________________________________________
Objectives
• Ensure the confidentiality, integrity, accountability, and availability of enterprise assets
• Protect against anticipated enterprise asset risk
• Protect against unauthorized access or use of enterprise assets
________________________________________

Figure 15: Sample project objectives.
________________________________________
Core Project Team
• Executive Sponsor—CEO
• Project Sponsor—CSO
• Project Manager—Sandy
• Business Lead—Michael
• Reviewers—Mary, Bill, Stan, Mark, Kevin
________________________________________

Figure 16: Sample core project team.
________________________________________
Policy Architecture Approach
• Planning
o Perform risk assessment
o Identify gaps with existing policy architecture
o Document key business requirements for asset protection
• Phase I
o Identify a matrix of required topics
o Present findings to executive team
• Phase II
o Develop top level information security policy architecture
o Develop second tier information security policy architecture
________________________________________

Figure 17: Sample project approach.
The second set of four balloons would be to discuss keys to project success, project assumptions, project and policy architecture metrics, and a recommendation to move forward, which present the executive summary for moving forward with developing and implementing an information security policy architecture. Sample balloons can be found in Figures 18, 19, 20, and 21.
________________________________________
Keys to Success
• Implementation of an enterprise information security policy architecture to limit enterprise asset risk
• Standardization of device configuration, monitoring, and implementation
• Guides for acceptable use when evaluating business requirements
________________________________________

Figure 18: Sample keys to success.
________________________________________
Assumptions
• Risk assessment and gap analysis started within the next month
• Information Assurance policy approved and published by year end
• Information Security Program approved and published by year end
• Consultant budget approved by EQ02
________________________________________

Figure 19: Sample project assumptions.
________________________________________
Key Financial Metrics
• Availability—$250k annual cost avoidance relating to lost intellectual property through access control
• Productivity—$150k annual productivity increase across company (IT & Business) through better secured access control
• Control—$300k annual cost avoidance for asset loss
________________________________________

Figure 20: Sample project and policy metrics.
________________________________________
Recommendation
• Develop information security topics for policy architecture
• Use internal resources where possible
• Limit the use of external consultants to save costs
• Develop an awareness program
________________________________________

Figure 21: Sample recommendations.
These balloons provide the executive summary and business case to move forward with building an information security policy architecture.
7.4 Document Approval
To be ready for the approvals, you need to have a 60-second elevator speech prepared and be able to respond to any type of question that may be asked. Consider the following when developing a 60-second elevator speech.
• Believe in yourself and the mission. Go in thinking success. This is a given and this is a gentle reminder to yourself.
• Never give up. You do not know what you can achieve. Many times, the first answer is “no” or a conditional yes with caveats.
• Have a strategy before meeting with anyone. You know the direction you want the enterprise to take; ensure you also understand the business.
• Know the sound bites—important, high-risk, business-related. Read the trade rags to know the risk, threat, compliance, privacy, and security headlines, especially if there are ones for your industry.
• Know who, what, where, when, why, how. Being able to answer these six questions will lessen the questions and potential resistance to implementation.
• Be flexible and adaptable. There is no such thing as totally secure and zero risk. Ensure that there are options to present to the enterprise. What is the level of risk acceptance?
What approvals do you need for what levels of documents within the enterprise? First, you need to determine the information security policy architecture document levels before you can determine who needs to approve them. The levels within an enterprise for the information security policy architecture document could be as follows:
• Enterprise
• Country
o Location
o Site
• Business unit
• Technology
The level of the document will be determined by the document scope and the roles and responsibilities. As mentioned previously, the information security policy architecture document levels are policy, guideline, standard, work instruction, memos, and forms. Then the information security team needs to determine the highest position in authority for the area for approval and enforcement. With this determination, the information security policy architecture approval matrix can be developed. See Table 10 for a simple approval matrix sample for an information security policy architecture.
Table 10: Approval Matrix
Columns: Document Type[a] | Dept. Mgr.[b] | Dept. VP[b] | Highest Site Position | CIO[c] | CSO[d] | CFO[e] | COO[f] | CEO[g] | Counsel/HR | Board of Directors
Enterprise Policy X X X X X X Awareness
Enterprise Guideline X X X X X X Awareness
Enterprise Standard X X X X X X Awareness
Enterprise Work Instruction X X X X Awareness Awareness
Enterprise Memo X X X Awareness
Enterprise Form X X X X
Location Policy X X X
Location Guideline X X X
Location Standard X X X
Location Work Instruction X
Location Memo X
Location Form X
Business Unit Policy X X X X X
Business Unit Guideline X
Business Unit Standard X
Business Unit Work Instruction X
Business Unit Memo X
Business Unit Form X
Technology Policy X X X
Technology Guideline X X X
Technology Standard X X X
Technology Work Instruction X
Technology Memo X X
Technology Form X
[a]The document type approval is dependent on the topic of the document for the additional approvals.
[b]This could be the information security person, if the document is related to information security.
[c]Chief Information Officer or the highest position level that leads information technology or the technology of the enterprise.
[d]Chief Security Officer or the highest position level that leads the enterprise security.
[e]Chief Financial Officer.
[f]Chief Operating Officer or the highest position level that leads the operations portion of the business.
[g]Chief Executive Officer or highest level in the enterprise.
Match the titles within the sample approval matrix to the highest level possible within the enterprise that can promote and endorse the information security policy architecture. For example, if the highest security level position is a Director reporting to the Chief Information Officer, then the Chief Information Officer should be the initial level to sign off on the policy architecture document and then move higher up the enterprise organization chart.
After the approval matrix has been developed, the information security team can start a marketing campaign to get the signature approvals. If you have been in an enterprise for a while, you should be able to determine the best communication method for the executive team. With all the electronic communication methods available, many executive teams prefer electronic communication for review over a face-to-face meeting. You will need to ensure that the executive approval team understands that protecting enterprise assets and meeting business requirements is the fundamental reason for the information security policy architecture. As the author of the information security policy architecture documents, you need to meet face to face with each of the executives for signatures and final approval. This meeting will allow the executives to ask any last-minute questions or voice any concerns. A video conference will also work when a true face-to-face meeting cannot be set or the executives are in various locations.

7.5 Support
Let us dispel some myths about getting information security support from the enterprise.
1. Executives only care about their company. Executives and management have goals and objectives to support and expand the enterprise's market share or to produce new products. With either goal, the executives need to keep in mind protecting the enterprise assets in order to make that bottom line.
2. Stories and anecdotes waste time. When someone lectures and reads the slides, do you remember? Or do you remember better when someone tells an incident or story that relates to the topics on the slides, especially if the incident had severe consequences or wonderful outcomes?
3. Executives only want the numbers. The almighty dollar, the dashboards, and the scorecards play an important role in the progress of meeting a goal and objective. Within information security there is also an attitude and awareness toward asset protection, which cannot have a number put on it.
4. Executives hate auditors. Auditors are our friends. Auditors can bring good and bad news. It is when auditors bring news of issues and noncompliance that executives have issues with the enterprise and business unit methods and not the auditors themselves.
5. Executives want a return on investment (ROI). Within information security, this is return on security investment (ROSI). If asset protection is integrated into every process and into everyone’s daily job, the concern over ROSI goes away and the ROI across the enterprise goes up. If information security is only considered an insurance policy for the enterprise, then the message of integrating confidentiality, integrity, and availability is not being promoted to the benefit of the enterprise.
Paul Revere was the messenger of the revolution, remembered for the famous saying "the British are coming out!" That message is really not too far off from today's compliance with the copious regulations. Why was Paul Revere such a good communicator? He had a specific message that needed to be spread about the risk that was entering the environment. Community lives were in jeopardy because an external force was going to invade. He ran into British road blocks and, through various communication skills, either talked his way through the road blocks or ran them. At the one road block where he was interrogated by British officers, Paul Revere stated what his mission was by telling the British officers more than they knew about their own mission. Risky? Yes. In the end, the British talked among themselves, released the prisoners, and began a slow retreat. What limited that threat? Telling the British they were going to run into resistance in their takeover, so that the British decided the invasion was not worth the risk. Paul Revere's warning to the communities allowed them to prepare (and add controls) to limit the risk of the invasion. As information security professionals, we need to take the lead from Paul Revere in spreading the message about business risk and ways to mitigate that risk. We need to know our own strengths and weaknesses and increase our influence within the enterprise. We can increase our influence by understanding the following:
• Being a central role in the enterprise. This does not mean the center of the enterprise’s attention. This does mean active participation in projects and activities within the enterprise.
• Skill substitutability. Yes, you are an information security professional. You also have skills to perform requirements gathering and defining, facilitating meetings and projects, and understanding how information security can be integrated into the business functions.
• Dealing with unexpected situations brings influence. You are performing daily activities and a denial of service attack takes down a corporate network segment. Using your incident response skills, you can activate the incident response plan and take control of the situation, including updating management on the status. You write up the post mortem, present the document, and get back to your daily routine without the expectation of a bonus or a promotion.
• Resources, information, and expertise bring influence. You should be able to face a group and say, "I do not know, but let me get back to you with additional information" (and you actually follow up). Let the group know you are human and do not know everything. If an Oracle database issue is being discussed and you do not know Oracle security but you know what questions to ask, you then call your Oracle database reference and ask for assistance.
• Building a base of support. As we continue through our careers, we add people to our list of associates, contacts, and references that we can call on for advice and assistance.
• Associating with influential people. This does not mean to take up the sporting event of the executives or join an elite club. This means taking the time to meet with various managers to learn issues and concerns. This is the old theory of “managing by walking around.”
• Image-building. You come into an organization and the people do not know you and you do not know them. You need to build credibility without being a bull in a china shop. You need to be known for understanding and speaking in business requirements, for having active listening skills, for being dependable, for completing requests on time, for not speaking techno-babble, and for not lecturing about the missing security controls within the enterprise.
• Creating obligation to reciprocate. This is not blackmail. This is, I assisted you in enhancing your business requirements to protect our intellectual property, and this is how you can assist me in understanding your business direction.
As the information security group starts the promotion and implementation of the information security policy architecture, start the information dissemination early to let the staff voice their concerns. Sir Isaac Newton stated, “a body at rest tends to stay at rest” and enterprises that do not embrace change do not move ahead in the industry. Therefore, make sure the information security team has commitments for support from executive management for change to embrace the concept of information protection. Find a sponsor within the enterprise to ask advice and to test concepts, and become an insider to build your personal credibility. If staff are not responding, go out into the business environment to see if there is any resistance, and use active listening skills to seek out how the environment can be improved together.
After getting business unit support for an information security policy architecture, the complaints start rolling in:
• We cannot be impacted by security.
• We have project deadlines and security interferes with them.
• We do not have time to read those additional security documents or the staff to dedicate to the project.
• It’s not my job to review and keep up with the security stuff.
• Because information technology does monitoring, do we really need more information security?
• This is going to take too long to implement and we will not see any benefits.
• By whose authority do I have to follow what you say?
• We have processes to do our jobs and we do not need anyone interfering with our jobs.
The first thing to remember is, do not take the questions and issues personally. This is a theme in many organizations. This theme is changing with the myriad regulations and regulating bodies imposing compliance and requirements on the business. The key to reducing the questions and the resistance is to perform marketing about the information security policy architecture as the project task gets started. The key is knowing the enterprise, the business, and the business requirements from the executive team down to the administrative assistant level. The marketing means using the business requirements and bringing out the risks that are present every day, such as visitors walking around unescorted or permitting contractors and consultants to plug into the corporate network for access with non-standard equipment. As with the executives, the following four questions need to be promoted:
1. From a strategic point of view, is the enterprise doing the right thing by writing an information security policy architecture?
2. From an enterprise architecture point of view, is the enterprise approaching limiting asset risk in the right way?
3. From a value point of view, will the enterprise achieve benefits from the implementation of an information security policy architecture?
4. From a delivery point of view, is the implementation plan being done well for the benefit of the enterprise?
Knowing the business requirements, a set of basic answers could be as follows:
1. MYC is a global company and must comply with over 10 global regulations. Some of the global regulations, for example, privacy, state that MYC must provide a strategic plan for protecting customer and employee information. Executive management has previously stated that enterprise assets must be protected to the level of their importance to the business. We need to identify safeguards and controls to protect the enterprise assets from threats.
2. Executive management has been presented with the results of an enterprise risk assessment. The external consultants reviewed the various risk areas within the enterprise and stated that MYC needs to strengthen its policy architecture before implementing additional technology to limit the risk to the enterprise assets.
3. One of the benefits of implementing the information security policy architecture and tuning the network and technology architectures currently implemented is that MYC will be able to expand its partnerships overseas with other development companies.
4. The implementation of the information security policy architecture will be a gradual process to ensure that no business unit is shut down by the implementation of this architecture. Before implementing additional information security policy documents or technology, meetings will be held and presentations will be given to ensure that business requirements are met and the implementation impact is very limited.
Talk to the business units about their existing threats, some of which could serve as a basis for the information security policy architecture. Threats and risks to the business should be viewed from an enterprise point of view, with their potential associated costs. Business unit threats can be presented in terms of incidents that have occurred within the enterprise over the last year, such as the threats shown in Table 11.
Table 11: Risks, Threats, Costs, and Controls (columns: threat, sample situation, probability of occurrence, possible control, estimated loss, risk reduction)
• Unauthorized data modification. Sample situation: in the last year, the customer technical request database became corrupt when our Brazilian partner tried to upload over 50 product enhancements. Probability of occurrence: 30%. Possible control: strong access controls. Estimated loss: $150K. Risk reduction: 45%.
• Denial of service on corporate network. Sample situation: in testing our new product, the engineer misconfigured routing protocols, and when load testing was performed, the corporate network was impacted by a flood of network traffic. Probability of occurrence: 10%. Possible control: firewall/switch access control lists. Estimated loss: $50K. Risk reduction: 80%.
• Virus. Sample situation: the executive administrator downloaded a presentation for the CEO. The video presentation contained a worm, and because she had disabled the anti-virus software, the worm spread through the management network segment. Probability of occurrence: 20%. Possible control: Internet filtering, centralized anti-virus software, user awareness training on downloading executables. Estimated loss: $45K. Risk reduction: 80%.
• Authorized data modification by an untrained user. Sample situation: last month Eric moved to a new position in finance, transferring from manufacturing. Eric’s manufacturing access was not removed, and Eric was able to both order and receive equipment. Eric had not been instructed that he was not permitted to perform both functions. Probability of occurrence: 25%. Possible control: strong access controls, segregation of duties training. Estimated loss: $10K. Risk reduction: 75%.
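To turn the table’s figures into the enterprise-level cost view the text asks for, the following Python is an added example, not from the original chapter: it computes each threat’s annual expected loss, the residual expected loss after the proposed control, and ranks the controls by the loss they avoid. It assumes (the table does not say) that the risk reduction percentage applies to the threat’s expected loss.

```python
"""Risk register arithmetic for the four rows of Table 11.

Added example (not part of the original chapter). Assumption: the
'risk reduction' column reduces the threat's expected annual loss, i.e.
residual = probability x loss x (1 - reduction).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatRow:
    threat: str
    probability_pct: int  # probability of occurrence per year, in percent
    loss: int             # estimated loss per occurrence, in dollars
    control: str
    reduction_pct: int    # risk reduction the control is expected to give

    def expected_loss(self) -> float:
        """Annual expected loss before any control: probability x loss."""
        return self.loss * self.probability_pct / 100

    def residual_loss(self) -> float:
        """Expected loss remaining after the control is applied
        (assumption: the reduction applies to the expected loss)."""
        return self.expected_loss() * (100 - self.reduction_pct) / 100

    def loss_avoided(self) -> float:
        """Expected loss the control removes; the value of the control."""
        return self.expected_loss() - self.residual_loss()


# The four rows of Table 11, as given in the text.
TABLE_11 = [
    ThreatRow("Unauthorized data modification", 30, 150_000,
              "Strong access controls", 45),
    ThreatRow("Denial of service on corporate network", 10, 50_000,
              "Firewall/switch access control lists", 80),
    ThreatRow("Virus", 20, 45_000,
              "Internet filtering, centralized anti-virus, awareness training", 80),
    ThreatRow("Authorized data modification by an untrained user", 25, 10_000,
              "Strong access controls, segregation of duties training", 75),
]


def prioritize(rows):
    """Order rows by the expected loss their control avoids, highest first.
    This is the order in which the controls are worth arguing for."""
    return sorted(rows, key=lambda r: r.loss_avoided(), reverse=True)


def summary(rows):
    """Enterprise totals: expected loss before controls, after, and avoided."""
    before = sum(r.expected_loss() for r in rows)
    after = sum(r.residual_loss() for r in rows)
    return {"before": before, "after": after, "avoided": before - after}


if __name__ == "__main__":
    for r in prioritize(TABLE_11):
        print(f"{r.threat:<50} expected ${r.expected_loss():>9,.0f}"
              f"  residual ${r.residual_loss():>8,.0f}"
              f"  avoided ${r.loss_avoided():>8,.0f}")
    totals = summary(TABLE_11)
    print(f"Total expected loss ${totals['before']:,.0f}, residual "
          f"${totals['after']:,.0f}, avoided ${totals['avoided']:,.0f}")
```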
Explain to the business units (and management) how the information security policy architecture and the subsequent technology tweaking will reduce risks and may not even impact the current business unit processes. Speaking with business units in terms of business risk and business requirements will assist the information security policy team to receive support for the approval and implementation of the information security policy architecture. Remember that the recommended information security policy architecture must be approved by decision makers and representatives who are business unit stakeholders.
As the information security policy architecture is presented to the business units, the presentation can focus on confidentiality, integrity, availability, and accountability in business requirements.
• Confidentiality of data. Can the business unit document that customer and staff information is protected from unauthorized access, disclosure, and use?
• Integrity of data and systems. Can the business unit assure executive management that information has not been altered in an unauthorized manner and is free of unauthorized access and manipulation?
• Availability. Can the business unit ensure prompt and accurate access to information or systems to authorized users? Does the business unit know if the critical information is backed up regularly and can be recovered?
• Accountability of data. If the business unit has a compromise, missing data, or unauthorized alteration, can the business unit trace the actions back to the source?
As support presentations are made, the information security group needs to focus on the business requirements and the threats and risks to the business information, and to lessen the fear, uncertainty, and doubt about the impact of implementing an information security architecture. When using the 60-second elevator speech and speaking with business units on their requirements, the difference between great and average is how often you take risks. That is, calculated risks that temporarily force you outside your comfort zone often result in big wins. Most of us succeed because we are determined to succeed, not because of destiny.
Start with staff who understand risk and want additional guidance on protecting their information. These staff can be the group against which the information security policy architecture documents and concepts are tested for applicability and usability. This group will give honest feedback on the proposals and directions. The information security group will recognize these staff because they will be the ones who invite the information security group to their meetings, projects, and requirements sessions. They will be the ones who ask for help and who listen to and hear what the information security group is saying about risk and threats.
When the presentations start with other business units, throughout the meetings remember to
• Hear their questions
• Hear their needs
• Hear their expectations
• Hear their business requirements
• Hear their responsibilities
• Watch for hidden agendas
As the meeting proceeds, determine
• What are the information security goals and objectives and how can you assist the business unit to accomplish their goals and objectives?
• How can the goals and objectives be merged to assist the business unit?
• How do both sets of goals combine to make a stronger business?
• What is the most productive way to accomplish the goals and objectives?
• By knowing the business, you can list past accomplishments (or key failures) that can assist both groups.
• Is there a way to start small and non-impacting, for all to reach their goals? Is there a way to start incorporating some of the information security rules in daily activities and responsibilities?
• Also, be sure to remember you are promoting asset protection and you are not selling anything to the business units.
• Maintain good communication with the business unit by avoiding jargon, staying focused, and establishing your credibility.
In summary, remember to actively listen to the enterprise for business requirements and merge the information security policy architecture into those business requirements.
7.6 Publishing
The information security team has developed the information security policy architecture and received the executive team’s approval and support in writing. That was the easy part. The next piece of the architecture is to publish the information security policy architecture and ensure that the enterprise understands the document set. Publishing the information security policy architecture at an enterprise level gives the business units a framework that is easy to access and on which they can develop their business practices. Publishing the information security policy architecture to all staff is a critical component of the information security program. Initially it can be distributed at new hire orientation, but it must also be distributed to existing staff through user awareness training throughout the year. The main questions that will need to be answered before publishing your information security policy architecture are as follows:
• Who within the enterprise is responsible for publishing security policies and procedures?
• How are the information security publications reviewed and validated before publication?
• How are document updates published to everyone?
It is hoped that within the enterprise there is a communications or publications group. If such a group exists, go to that group for suggestions on enterprise publications and time frames for publishing. If not, the information security team will need to establish its own criteria for the responsibilities of publication. In this and the previous chapter, we talked about reviewing the documents for approval. It is also necessary to know who is going to validate the format for publication. Again, that would go back to the communications or publications group or to a technical writer. Someone needs to be responsible for ensuring that the current document format can be reformatted into the appropriate media for publication. As with software versioning, there needs to be an enterprise document management system for version control of documents. The author is not endorsing a third-party or a home-grown system; the author is endorsing the business requirement of document versioning. If there is no document versioning or document management system, how is the enterprise to know which is the most current and active set of documents?
When it comes down to the actual question of what options are available for publishing documents, there are two: print them in hard copy or publish them electronically.
Hard copy. Information security policies are not interesting. Volume sets are space consuming and can quickly become obsolete. By contrast, short paper documents can be carried around for easy reference and can be quickly read. So an implementation technique for reinforcing the information security policy could be summary sheets, reference cards, posters (or advertisements), buttons, or stickers. These types of media will enhance the information security awareness training programs. On the downside, there may be so many printed copies that it will be difficult to find and update every copy. The question also becomes one of finding the page or section to print and insert, rather than just reprinting the whole document, and many staff do not have the time to stick pages into a manual. If a new employee violates a policy and the printed copy is an older or incorrectly updated copy, it may be difficult to justify dismissal for wrongdoing, and the situation could become a legal nightmare.
Electronic copy. Today’s technology advancements and the work style of staff make electronic publication better suited to the enterprise environment. Electronic publication has a huge administrative advantage if it is centrally managed and a statement is made about the master source location for the information security policy architecture, with any additional copies (electronic or printed) not to be used. There are various formats of electronic publication: hypertext markup language (HTML), rich text format (RTF), proprietary word processing format, portable document format (PDF), and help file format. Depending on the enterprise, a combination of electronic publication formats may be implemented. In the electronic format, the enterprise needs to ensure that only the publishers have read-write access to the document areas and that all other staff (including contractors, consultants, visitors, vendors, and partners) have read-only access. Hypertext is the most valuable contribution to the enterprise’s electronic publications because it permits the reader to jump to sections and return easily. More importantly, hypertext within the information security policy architecture can provide definitions and acronyms without the reader needing to go to another reference location. The following are some pros and cons of the various methods.
• HTML. It is one of the most widely used formats today. A simple and quick mouse click and a person can jump to another page. This format permits a person to move freely from page to page and text to text within a page. A new window can be opened to view documents simultaneously. The main con is that you need to understand HTML coding to have an efficient HTML page. Word processing and other applications will convert documents to HTML pages, and this can make it a potential nightmare for quick tweaking of a document.
• Rich text or proprietary word processing format. Linking documents and using hypertext with word-processing files will work as long as all parties use the same word-processing software. Depending upon the word-processing software, pop-ups may display by clicking or just by mousing over. But some obscure (or old) software may display nothing, or may display only an information balloon. Would every person be able to communicate what they saw and read?
• PDF. A combination of the HTML and word-processing approaches is hypertext in PDF. Adobe Acrobat’s PDF provides the benefits of hypertext while giving the effect of a word processing document. PDF documents can be locked down from an access control point of view on the network, as well as within the PDF document itself. The PDF document can have hyperlinks to other documents, definitions, or acronym explanations.
• Help files. Help files can provide hypertext capability, but many help file utilities are not centrally managed, and updates will need to be pushed out. With help files, you will need to know the operating system that a person is using in order to customize the help file format.
Publication in a language other than the home country’s, or for a sight-impaired person, adds to the complexity of the information security policy architecture. When translating the enterprise’s information security policy architecture into another language, you need to ensure that it is translated almost word for word. The enterprise cannot afford to have the document translated into another language only to have the translator interpret what the document was trying to state and change the wording. Work with an enterprise translator who is proficient in both languages, and work with the translator to ensure that the meaning and intent have not been changed in translation. There may be proficient staff members who are sight-impaired and cannot directly read text or the words on a screen. The enterprise needs to decide how it will handle the publication of the information security policy architecture to those staff. Braille would be one way; digitally recording the information security policy architecture would be another. Whatever publication methods are used by the enterprise need to cover everyone who accesses an enterprise asset.
7.7 Updates—Effective Versioning
A central document repository or document library is a location where a collection of files is stored. There are many applications that can assist with maintaining a central repository. Document versioning—allowing the enterprise to keep multiple versions of documents—can cause complications. With document versioning, if an enterprise change needs to be reversed, the document can be reverted to the previous version and the enterprise can continue to work. An automated document management system enables an enterprise to
• Standardize on document version numbering
• Know who has checked out/in a document
• Know who made the changes
• Know when a document was initially created
• Know when the document is/was obsolete
• Know who is the owner of the document
• Automatically create a backup of the previous version when a document is checked back in
Based on business requirements, the enterprise needs to evaluate and implement a document management system to improve productivity, to free server space, and to streamline document management processes by providing a centralized location for documents, as well as methods for tracking changes from members of a work team.
7.8 Acknowledgment of Understanding
Confucius said, “What I hear, I forget. What I see, I remember. What I do, I understand.” Normally an enterprise has a new hire document that acknowledges a new staff member has received the Employee Handbook. If the Employee Handbook includes the documents from the information security policy architecture, then the new hire process may be completed for acknowledgment. Every enterprise should have a new hire process that specifically includes information assurance training and acknowledgment. This can be done the day of new hire or within a week of the start date, but it needs to be standardized and formalized.
As part of the information security architecture, the enterprise should have an annual acknowledgment of the information security policy architecture. This annual acknowledgment would be attendance at a training session, completing a computer-based training session with a set of questions at the end, or sending a notice to everyone and trusting them to review and return the acknowledgment document. The method needs to fit into the enterprise culture and each mentioned method has a pro and con. For example,
• Having everyone attend, in person, a training session would cause scheduling and logistic issues, but, by contrast, the information security team would be able to meet everyone in the enterprise.
• With computer-based training, some people will start it, not know there are questions at the end, and say they completed it; others will skip to the end and just answer the questions. But you will be able to track who performed the training, how long they were in the program, and how many questions they answered correctly.
• Using the signed or e-mail accepted acknowledgment means trusting in all of the staff to complete the review and acknowledge on their own, but again you will be able to track receipt and acknowledgment and know if they really reviewed the information security policy architecture documentation.
The enterprise needs to determine the best method for new hire acknowledgment and for the annual reacknowledgment.
The enterprise also needs to determine how far this acknowledgment goes—contractors, consultants, vendors, visitors, customers. If there is an extended need, the information security team needs to ensure the information security policy architecture documents are available to all classes of people and needs to have a documented method for acknowledgment by these people. For non-employee types, there may be a different set of policy architecture documents that include the topics such as
• Business ethics
• Intellectual property
• The overarching information security policy
• Exceeding or attempting to exceed granted access
• How to request access through business point of contacts
• How and to whom to report issues
See Appendix R, Appendix S, and Appendix T for three sample acknowledgment forms—hard copy, electronic, and nonstaff.
7.9 Exceptions to the Information Security Policy Architecture Documentation
Although it would be extremely nice, cost effective, and efficient to have every information system and every business unit in compliance with all documents within the information security policy architecture, that may be a dream. Every enterprise has situations for a specific period of time when something or someone will be noncompliant with a policy, guideline, standard, or work instruction. The information security team needs to be able to respond when those situations occur and be able to monitor and reassess the environment.
An enterprise must have an exception process for documenting an exception to compliance with the published information security policy architecture. The scope of this document will apply to all published information security policy architecture documents that are owned and maintained by the information security group. The enterprise will need to describe the circumstances for which an exception may be requested:
• Accidental noncompliance. The business unit was unaware of the published information security policy architecture. A new hire was unaware of the location of the information security policy architecture.
• Another acceptable solution is available. The business unit is recommending a solution with better information assurance controls, and the exception can be granted until the published document has been updated.
• A legacy system is being allowed to go to end of life. This would be a managed risk with a definitive end date.
• Lack of resources. A new piece of software is being implemented, there are not enough available resources for the segregation of duties, and this risk needs to be managed.
Then the process document will define what the business unit needs to do to be granted the exception. If the noncompliance is due to anything other than a better solution, the enterprise needs to document what must be in the exception request, such as
• Description of the noncompliance
• Anticipated length of noncompliance, no more than 12 months
• Risk assessment associated with noncompliance
• Plan for alternate means of risk management or compensating controls
• Method for monitoring and evaluating the risk
• Review date to evaluate progress toward compliance
If the noncompliance is a result of a superior solution, an exception will automatically be granted until the information security policy architecture document is updated with the new information.
Many times an exception cannot or will not be granted, and sometimes saying no is difficult. Saying no means that the team has set limits on the enterprise’s acceptable risk, and it also means that the team may need to assist the business unit in offering a different option or creating compensating controls for the risk. When the team says no, the whole team needs to be in agreement in both verbal and nonverbal communications. When an exception cannot be granted, as part of the exception process the team must
• Acknowledge the other person’s request by repeating it
• Explain its reason for declining it
Regardless of the decision, the information security team needs to keep a record of all exceptions, whether they were granted or not, the actions performed for each exception, and when the next review for each exception will be performed. The information security team needs to be proactive in maintaining the exceptions to the information security policy architecture and be able to report to management at any time what exceptions exist.
See Appendix U for an exception request work instruction and form.