Executive Roles and Responsibilities - an Information Assurance Mind Set
Essay by review • December 24, 2010 • 1,800 Words (8 Pages)
Executive roles and responsibilities
"An Information Assurance Mind Set"
In any corporate setting or military installation, a need to define proper boundaries and procedures for safeguarding data can be a daunting and sometimes a seemingly impossible task. Delineating, clarifying, and communicating the responsibilities for protecting and defending information resources is the first step in creating a culture that is sensitive and responsive to information security issues.
A busy executive with a data integrity mind set has to control information from the moment it comes in, through its processing phases, until it ends up in the customer's hands as a usable product: free from any modification and as accurate as it can possibly be, if the customer gets the information at all (denial of service in mind). The information security executive needs to ensure that the organization has procedures for account management, backup, incident handling, standardized and authorized software and hardware, disaster recovery, and a Continuity of Operations Plan, or COOP. Moreover, identifying who is responsible for what plays an important role as well.
Account management procedures define when and how new users should be added and when other users should be removed from the system. Password control may be included here. I have been a part of the Navy active and Reserve components for 8 years, working as either a Cryptologic Technician Operator (Communication) or Assistant ISSO for the Operations department. One thing that has remained intact, if not for security purposes then for resource monitoring and control, was the management of accounts. The deletion and creation of accounts had a set of people, usually two, assigned to just that task. Moreover, account management is also used for punishment purposes and not just for controlling ports and times of availability. The denial of internet access or email privileges for improper usage is as important as stopping the impending hacker from penetrating your firewall.
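As an added illustration (not part of the essay), the following Python sketch shows what an account management review of the kind described above can check mechanically: that every enabled account maps to a current employee, that each account's creation was approved by two distinct administrators, and that accounts dormant beyond the policy window are flagged for removal. The roster, the account records, the two-approver rule and the 90-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: an HR roster of current staff and the system's
# account list. A real review would pull these from the directory and HR.
CURRENT_STAFF = {"asmith", "bjones", "cwu"}

@dataclass
class Account:
    user: str
    approvers: tuple      # admins who approved creation (assumed two-person rule)
    last_login: date
    enabled: bool = True

TODAY = date(2010, 12, 24)   # fixed so the example is reproducible
DORMANT_DAYS = 90            # assumed policy window for unused accounts

ACCOUNTS = [
    Account("asmith", ("adm1", "adm2"), TODAY - timedelta(days=3)),
    Account("bjones", ("adm1", "adm1"), TODAY - timedelta(days=10)),   # one admin approved twice
    Account("dlee",   ("adm1", "adm2"), TODAY - timedelta(days=5)),    # no longer on the roster
    Account("cwu",    ("adm2", "adm3"), TODAY - timedelta(days=200)),  # dormant
    Account("eold",   ("adm2", "adm3"), TODAY - timedelta(days=400), enabled=False),
]

def review_accounts(accounts, staff, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return findings keyed by category; each value is a sorted list of usernames."""
    findings = {"orphaned": [], "approval_violation": [], "dormant": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of scope
        if acct.user not in staff:
            findings["orphaned"].append(acct.user)          # candidate for removal
        if len(set(acct.approvers)) < 2:
            findings["approval_violation"].append(acct.user)  # two-person rule not met
        if (today - acct.last_login).days > dormant_days:
            findings["dormant"].append(acct.user)           # unused past policy window
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, users in review_accounts(ACCOUNTS, CURRENT_STAFF).items():
        print(f"{category}: {', '.join(users) or 'none'}")
```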
Backup procedures define the requirements for systems/server offsite backup.
Incident handling procedures define information security incidents and cover the who, what, when, and how of handling, communicating, and reporting such events. This is one of the more important items on the list of "things to do" that I can think of, for one reason only: damage control. We live in a world of backups. We have car insurance, house insurance, health insurance; we even have death insurance for the ones we leave behind. That is so asinine that we can't stop worrying even after we're dead. The point is that bad things happen and there's no getting around it. If it's not the hackers or crackers, it's the overly inquisitive and bored employee in the IT department who wants to know how much the rest of his coworkers are getting paid, then gets irate and decides you don't need certain services for a few hours. (Does not sound like much, but shut down eBay during the holiday season and watch CNN to see how many people "resigned" from their jobs.) That would make me order Rogaine to keep whatever few follicles I have left on my head.
Arbor Networks plans to release a report Tuesday confirming what many in IT security already know: denial of service is still a very popular means to disrupt networks.
"September 12, 2006 (Network World) In its second annual Worldwide Infrastructure Security Report, Arbor surveyed 55 network operators, including ISPs, network providers at universities and even some large enterprise networks. DoS attacks at 46% and bots at 31% pose the most significant operational threats, according to survey respondents. Worms, compromised infrastructure, DNS and Border Gateway Protocol route hijacking were also mentioned, but only 4% to 7% said these posed significant threats."
The ability to recover from a crisis and return to normal operations can save a company millions in revenue; recovering its standing and retaining consumer confidence is paramount. When you really think about it, we live in a pretty trusting but unforgiving society when it comes to economic confidence. Save yourself the heartache, back up your data, and minimize loss. This is a good point at which to segue to defining disaster recovery as an executive responsibility.
A Disaster Recovery Plan (DRP) identifies the plans for reconstructing an organization's computer facilities and/or other information resources in the event of a natural or man-made disaster, or a series of incidents or disasters, that destroys part or all of a business's resources, including IT equipment, data records and the physical space of an organization. The goal of a DRP is to resume normal computing capabilities in as little time as possible. A typical DRP has several stages:
- Understanding an organization's activities and how all of its resources are interconnected
- Assessing an organization's vulnerability in all areas, including operating procedures, physical space and equipment, data integrity and contingency planning
- Understanding how all levels of the organization would be affected in the event of a disaster
- Developing a short-term recovery plan
- Developing a long-term recovery plan, including how to return to normal business operations and prioritizing the order of functions that are resumed
- Testing and consistently maintaining and updating the plan as the business changes.
Standardized software and hardware procedures identify the requirements, methods, and responsibilities for determining the standard software and hardware, including any controls required for authorizing non-standard software and hardware. They also contain procedures and identify tools for reviewing, identifying, and removing unauthorized items.
Continuity of Operations Plan, or COOP, includes having secondary systems that can be put into operation in case the primary systems fail. This includes the physical facilities, power, communication lines, and computer equipment. A complete set of backups should be stored in an off-site location. The secondary systems should be kept up to date to ensure timely recovery. See the Resources section for a sample COOP.
With the consumer's personal welfare in mind, Information Assurance executives are guided by Federal laws regulating the mishandling of data. Laws such as 18 U.S.C. 1030, subsection 4, of the Fraud and Related Activity in Connection with Computers state, § 2701. Unlawful
...
...