June 6, 2008
Risk Based Security Plan – Whitepaper
This whitepaper gives a good overview of the key components of a risk-based security plan, components that have been put into practice on several occasions. It provides good direction with a decent amount of detail.
Site Requires Registration:
http://searchsecurity.bitpipe.com/detail/RES/1212429613_869.html
The document is about 12 pages and explains the steps from performing a risk assessment, to developing a security plan, to determining the security budget.
May 9, 2008
Information Security Staffing – Skills Identification and Training Budget
One of the key problems a security manager must tackle is defining the budget for security training. Many awareness program guides break it out into a method similar to the following:
- Identify security roles and responsibilities
- Conduct a needs assessment
- Identify the gaps
- Develop and implement the training plan
Skills Identification
The key step here is the identification of roles and responsibilities, which is probably one of the most important fundamental aspects of a successful security program. Although writing sample roles and responsibilities or breaking out each of the above steps is not the focus of this topic, it is important when defining the core security staff's training to build on the role definitions by creating a skills identification table. A skills identification table will work for most organizations because it provides a quick profile of each security professional. To create one, use Excel or a similar program and set up a structure similar to the one shown in the table below.
List each employee in the security program in the left column and then ask each of them to fill in their certifications and training. Columns should be added for all security certifications and training associated with employees. This information will give the security leader a view of the organization's current security capabilities, and it will make it easier to assign the appropriate personnel to security issues based on their training and certifications. For career planning you could also expand this model to include a section for desired certifications, training, or expertise.
Applying to Budget
Now that each employee has provided their information, the identification table can be used to help with the annual training budget. Ideally the security leader should set the annual training budget to cover at least one training session a year for each employee. The security leader should also take one training a year, but if cost becomes an issue, offset the security leader's training by attending conferences and conventions. If possible, training schedules and classes can be used to prepare for new corporate projects by attending training that matches specific project needs. Otherwise, training should be defined with each employee based on their career goals and the goals of the organization.
An average week of training may cost anywhere from $2,500 to $5,000 per person, depending on location and accommodations, so the total scales with the size of the core security team. To define an annual budget, take the number of staff and budget $5,000 per person annually. For example, 5 core security staff should have an annual budget of $25,000 dedicated solely to security training. Determining the actual classes beforehand will help predict the budget more accurately and possibly save on travel costs. If you are in a large organization, especially a decentralized one, the budget may increase significantly. One way to reduce the cost is to identify key security gaps, such as application security, and pay for onsite training. In this situation budgeting will have to be performed by contacting one or more vendors to obtain pricing quotes. Keep in mind there may be an issue with taking a large number of employees away from their regular work.
Overall there are several advantages to this staffing and budgeting approach. One immediate advantage of increasing security training may be reduced consulting costs. Others are improved employee morale and improved overall security.
December 19, 2007
Disaster Recovery – Alternate Site Geographical Distance
There is an article that came out earlier from DRJ (Thomas L. Weems), based on a study, that provides guidelines on the required geographical distance for alternate site locations. This is good news for those performing risk assessments where this is considered a vulnerability, because as far as I know FEMA has provided no specific guidelines.
http://www.drj.com/articles/spr03/1602-02.html (registration required to view)
Ideally, 105 miles point to point is the key number covering all the threats listed below. For those who don't have access to the article, below is a breakdown of the recommended geographical distances by threat.
NOTE: The article provides a graph, so the numbers below are based on my interpretation of the graph.
Alternate Site Distance Recommendations (miles)
Hurricane: 105
Volcano: 75
Snow/Sleet/Ice: 70
Earthquake: 60
Tsunami: 52
Flood: 48
Military Installation: 45
Forest Fire: 42
Power Grid: 36
Tornado: 35
Central Office: 29
Civilian Airport: 28
None of the Above: 21
Off Site Storage Facility Distance Recommendations (miles)
Hurricane: 85
Volcano: 64
Snow/Sleet/Ice: 56
Tsunami: 45
Earthquake: 43
Flood: 43
Military Installation: 41
Forest Fire: 38
Power Grid: 36
Central Office: 25
Tornado: 24
None of the Above: 24
Civilian Airport: 22
Also, the key here is to remember that the off site storage facility should be accessible from the alternate site facility, which is a mistake many organizations make.
Problems and Revisions
Based on some quick research there are a few problems with the distances above. For example, I took three common disasters and did a quick analysis; here are the results along with some suggested changes.
Hurricane – Katrina spanned a much larger distance than 105 miles, proving that this distance is not adequate in a very large hurricane. The article below explains that Katrina expanded over 780 miles, whereas the outer regions were probably only affected by rain. However, from my research severe damage was over about a 200 mile radius. Therefore, I would suggest doubling the current metric to 210 miles.
http://earthobservatory.nasa.gov/NaturalHazards/shownh.php3?img_id=13083
Volcanoes – Although the current figure will probably be fine in most cases, there is information to support that volcanoes can spread ash up to 100 miles, as shown in the article below. Therefore, this number should be revised to 105 miles based on the type of volcano.
http://pubs.usgs.gov/gip/volc/types.html
Earthquake – Similar to the volcano, this distance will probably be sufficient, but why take the chance when there is evidence that a 7.8 earthquake ruptured 220 miles of a fault? Therefore, this number and the definition should be clarified to be at least 60 miles from a major fault line.
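The distance checks above can be mechanized for a risk assessment. The following is an added example, not code from the DRJ article or this post: it computes the point-to-point separation of a primary site from its alternate site and off-site storage with the haversine formula and compares each against the largest applicable minimum from the tables above, optionally applying the hurricane and volcano revisions proposed here. The coordinates are constructed sample values.

```python
import math

# Alternate-site minimums (miles) as read from the DRJ graph on this page.
ALTERNATE_SITE_MILES = {
    "Hurricane": 105, "Volcano": 75, "Snow/Sleet/Ice": 70, "Earthquake": 60,
    "Tsunami": 52, "Flood": 48, "Military Installation": 45, "Forest Fire": 42,
    "Power Grid": 36, "Tornado": 35, "Central Office": 29, "Civilian Airport": 28,
    "None of the Above": 21,
}
# Off-site storage minimums (miles) from the same graph.
OFFSITE_STORAGE_MILES = {
    "Hurricane": 85, "Volcano": 64, "Snow/Sleet/Ice": 56, "Tsunami": 45,
    "Earthquake": 43, "Flood": 43, "Military Installation": 41, "Forest Fire": 38,
    "Power Grid": 36, "Central Office": 25, "Tornado": 24, "None of the Above": 24,
    "Civilian Airport": 22,
}
# Revisions proposed in this post (alternate site); the earthquake figure stays 60
# but is measured from the major fault line rather than from the primary site.
REVISED_ALTERNATE_MILES = {"Hurricane": 210, "Volcano": 105}
EARTH_RADIUS_MILES = 3958.8

def point_to_point_miles(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def required_miles(threats, table):
    """The binding minimum is the largest figure among the threats that apply."""
    return max(table[t] for t in (threats or ["None of the Above"]))

def assess_sites(primary, alternate, offsite, threats, revised=False):
    """Compare actual separations against the minimums for the given threats."""
    alt_table = {**ALTERNATE_SITE_MILES, **(REVISED_ALTERNATE_MILES if revised else {})}
    checks = {
        "alternate_site": (point_to_point_miles(primary, alternate), required_miles(threats, alt_table)),
        "offsite_storage": (point_to_point_miles(primary, offsite), required_miles(threats, OFFSITE_STORAGE_MILES)),
    }
    result = {name: {"actual": round(have, 1), "required": need, "ok": have >= need}
              for name, (have, need) in checks.items()}
    # No published minimum, but the post notes storage must be reachable from the alternate site.
    result["offsite_to_alternate_miles"] = round(point_to_point_miles(alternate, offsite), 1)
    return result

if __name__ == "__main__":
    # Constructed sample coordinates: primary in the NYC area, alternate 2 degrees north.
    print(assess_sites((40.0, -74.0), (42.0, -74.0), (40.6, -74.0), ["Hurricane", "Flood"], revised=True))
```

With the sample coordinates the alternate site passes the original 105 mile hurricane figure but fails the revised 210 mile figure, and the off-site storage is too close under either table.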
October 16, 2007
Security Spending – How Much of IT Budget
There is an article on The Register web site claiming security spending has soared to 20% of the IT budget. This is based on a poll of 1070 organizations.
http://www.theregister.co.uk/2007/10/11/comptia_security_survey/
It is a shame the article doesn't provide more detail. It would be nice to know the industries surveyed, the size of the organizations, and all of the categories assessed. Does this figure include staffing, business continuity, disaster recovery, application security, etc.?
My experience shows that most organizations can't account for the actual security dollars spent. When evaluating IT security within an organization, excluding physical security and business continuity, most organizations I review are in the 1% to 5% range of the IT budget, with the exception of the major financial firms and a few others. These numbers are also pretty much in line with the annual CSI/FBI surveys.
- What is your experience?
- Can you account for your total security budget?
- What does that budget include?
Unfortunately this area of security is still lacking in the amount of free information available to the public, and many of the assessments are limited to fewer than 1,000 respondents. I would be happy to post some links on this site if anyone has some good free resources or whitepapers.
August 3, 2007
BS 31100 Code of Practice for Risk Management
The BS 31100 Code of practice for risk management is also out in draft form, free to download and review. This document has the same review deadline as the BCM draft.
BS 25999-2 Business Continuity Management
The BS 25999-2 Specification for business continuity management is out in draft form, free to download and review. My apologies for sitting on this so long and not getting it out earlier, because the deadline for review is today. Anyway, it's still good to download while you can.
July 19, 2007
MTA NYC Explosion: Poor Business Continuity
It's amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can't seem to get it right. The link below has a summary of the disaster scenario.
Anyway, so NYC is falling apart and all the people who live in Connecticut and upstate New York need transportation out of the city. Usually the commuters take the Metro North trains. Unfortunately the explosion was located outside Grand Central Station, where the Metro North trains depart NYC, so access to trains was limited.
Problem
More than 45 minutes after the disaster occurred, MTA still did not have its continuity plan in full action. If you dialed the MTA-Info number listed on their web site you would be out of luck. Response – All lines are busy. The website did not have a service alert message for commuters.
OK, phones being out of service is expected, except that only MTA's phones were the issue. Next step: call 311 (the NYC information hotline); maybe the NYC main government information center can help figure out how to get out of the city. 311 staff didn't know the status of the MTA trains. 311 staff also couldn't contact MTA because phones were still out of service at MTA. Out on the street it was worse. The police were controlling the area, so they were the only government staff a person could ask a question. The answer the police gave was "you have to wait around".
I can't recall if it was the news or 311 that mentioned going to 125th Street, which is one of the locations the Metro North trains pass while going north. The only problem is that train stops were not modified, so it was pretty sad to say that many commuters watched trains drive right past.
Improvement
This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines. MTA needs to update their current plan to include:
- A phone hotline that is immediately updated with current crisis status and directions for customers (this should not be the normal MTA line; it should be a dedicated crisis information hotline, or the current 311 system should be used more effectively).
- Faster updates of the website for emergency situations.
- Identified key contacts to improve downstream communications to the police on the street.
- Re-evaluated train stops, by communicating with employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.
Good Practice
What did MTA do right? They finally got the information out to the news channels and onto the website, but I'm sure it was hard for people standing on the street to get that information.
More on Emergency Management and Business Continuity
FEMA has a great deal of information on emergency management.
http://www.training.fema.gov/EMICourses/EMICourse.asp
DRJ has a good deal of information on business continuity and disaster recovery.
June 20, 2007
Good HIPAA – RISK Assessment Topics
I came across a pretty good list of topics that auditors ask for in a HIPAA audit. These are usually the things looked at during a HIPAA risk assessment too. If you haven't incorporated all of these topics in your risk assessment, then now is a good time to go through the list and update your tactics.
