Information Technology Reference
In-Depth Information
Emergency Response Planning
In any organization, the best possible listing of all identified risks will
likely miss a few. Generally, a risk registry might identify and address up
to 90% of the potential (known) threats to the enterprise. The other 10%
must be identified as rapidly as possible upon occurrence, through log
and service review, and addressed through mitigation practices based on a
well-designed action plan that is regularly tested, reviewed, updated, and
communicated to all parties. The time for disaster planning is not after
the emergency exists (“Okay, the data center just disappeared into a sink-
hole. . . who wants to discuss offsite backup media strategies first. . . .”). It
is important to build an effective response team with clear communication
channels and designated responsibility well ahead of an actual emergency
in order to have any chance at response, recovery, or continuity of opera-
tions, rather than simple after-action reconstruction.
Don't Forget the Little Things
The growing use of mobile, often personally owned, devices for access to
organization resources requires the creation and communication of clear
security policies for all devices used for business purposes. In addition to
on-device encryption mandates, additional policies might include man-
dates for malware defenses for remote desktops, or device update and
on-idle automatic locking requirements. Because these devices continue
to expand in variety and number, policies addressing mobile security
requirements should be reviewed at least quarterly or upon the release of
a new popular platform.
Summary
This chapter has included a review of security threats to the enterprise and
examples of solutions and policies meant to mitigate the risk they present
to organizational functions. Numerous regulatory and legal mandates may
provide a number of “must address” constraint items in the risk registry,
and should be considered first in any security prioritization efforts. Opera-
tions that depend on other functions within the organization may also
play a part in determining risk priority, requiring regular review to identify
changes in the organization, its functions, and technologies in use.
