Preface




You are probably reading the preface to see if the rest of the book merits your attention, so I am not going to disappoint you. This book presents those elements most organizations need to plan, prepare, and address critical incidents. Critical incident management requires forward thinking, shifting paradigms, and sometimes ruffling a few feathers. It involves deliberately refining business operations, not spouting business buzzwords while talking around the problem.

Basically, your organization's systems can be defined in terms of its critical assets, meaning those assets required to continue profitably. Pursuing the organization's mission while safeguarding critical assets is the responsibility of every person connected with the enterprise, from the CEO to the parking lot attendant.

The most critical assets in any organization are its people. Valuable employees are challenging to find and difficult to retain, but the dividends last longer than the organization itself. They are the company's owners, partners, executives, managers, employees, contractors, interns, and temps.

Data is the business' information, processes, customer lists, employee information, contracts, trade secrets, proprietary information, and intellectual property. In the structure of critical assets, it is ranked second.

Do not let the term physical facilities fool you into thinking only of heating and air conditioning. Ranked third, they are a significant part of profitable operations. Physical facilities include office furniture, hardware, workstations, servers, cabling, software, and tangible and intangible items. All factors considered, getting these system components to function together successfully requires a complex and well-coordinated dance.

Many organizations spend vast amounts of their resources and capital dealing with outside system attackers; yet, the greatest financial harm originates from attacks inside the company. Although you have read of spectacular and well-publicized attacker events, the most costly, critical incidents originate from inside, e.g., avoidable lawsuits and intellectual property theft.

Critical incident management is a balancing act involving an organization's risk management program, policies and procedures, auditing, critical incident response, legal and law enforcement issues, and privacy. Sometimes you feel like the circus performer who balances the spinning plates while standing on her head. In fact, critical incident management is a lot like playing basketball: the more you sweat before the game, the less you sweat during the game.

You are going to read about matters of planning, preparation, execution, and learning from mistakes. In my experience, most organizations have been reluctant to take preparatory steps toward addressing potential damage caused by harmful events. Due to internal political pressures or poorly conceived programs, organizations spend their resources protecting "junk." It is not a matter of "if"; it is only a matter of "when" harmful events will happen.

This book is written from an Information Technology (IT) perspective, and the reason is simple. We are completely and inexorably dependent on IT for everything in our lives. The concepts detailed here are not academic or theoretical. My intention is to speak plainly and clearly.

This book will mention commercial, shareware, and freeware products. These are not recommendations; they are intended to serve merely as examples. There are new and better products announced daily, so look for products that might be directed toward your specific requirements.

This is a practical book. In my experience, books requiring readers to remember small and seemingly insignificant paragraphs because important sections depend on them later confuse readers and cause them to become disinterested. I know I do. I have a redundant style of writing. I tell you what I am going to tell you, I tell you, and then I tell you what it was I told you (say that three times, quickly). This is not my invention; it was borrowed from some very good instructors I have had over the years.

Experience Note 

When I was in the United States Air Force and subsequently at the Federal Bureau of Investigation, many times I sat in meetings where the person delivering the presentation seemed to be drowning in minutiae. After a moment, the ranking person would generally interrupt the speaker with a command to "get to the point."

So that is the style in which I wrote this book: getting to the point and not wading through seas of trivia.

Please note the book contains many bulleted lists, and exhibits in the form of tables and figures, constituting items to be incorporated into reports and other documents. The text intentionally emulates presentations in which the speaker knows the audience is knowledgeable of relevant topics and is providing meaningful instruction.

Do not get confused when I constantly refer to employees. The term references anyone who has any type of regular access to an organization. Whether they are contractors, vendors, consultants, part-timers, interns, temporary employees, or unpaid family members (including your brother-in-law), they all fall under my broad category of employees.

My view of enterprise includes any type of business structure, profit, not-for-profit, nonprofitable, barely profitable, and government agencies. The size and nature of your organization are not important for most of the chapters because the concepts are intended to be adaptable.

Notice the paragraphs labeled Experience Notes. These are small but interesting paragraphs to lighten your reading.

I make reference to senior managers. They are the "C" levels of executives: CTO, CFO, CIO, CISO, CSO, Chief Legal Officers, Chief Network Administrators, Chief Auditors, and Senior Managers. This book is directed primarily to you.

I avoid giving specific names, dates, and places. It is not my intention to harm or embarrass people for something they may have done or said.

We live in a litigious world. Stockholders, employees, competitors, managers, executives, and government agencies are successfully suing organizations today. Litigation poses a serious risk, and wise managers are taking affirmative steps to close or at least minimize their exposures. One of the most viable defenses will be your ability to show due diligence in safeguarding your critical assets. This book provides steps you can implement to legally defend your actions.

Experience Note 

I once had a professor who said, "Anyone with $25 for a filing fee and a typewriter can file a lawsuit." He was right.

I am going to make references to events taking place in the courts. Court decisions can negatively affect your organization and often can be avoided by demonstrating some professionalism and common sense. If you and your staff do not have legal knowledge, seek experts. You will be glad you did. Legal decisions can be anticipated and effectively addressed, but you have to consider them as manageable and not as merely unavoidable.

Overall, the philosophy of this book is one where "an ounce of prevention is worth a pound of cure." I do not like professional surprises. I would rather deal with backed-up data than try to recover it from a devastated hard drive. I believe organizations must have proactive programs consisting of tested plans, developed and executed by trustworthy people, instead of chaotic alternatives. I am going to address these steps in each of the six chapters.

The book begins with the need for establishing a risk management program, including elements of critical asset identification, threats, vulnerabilities, information classification, disaster recovery, and restoration. It may seem like a daunting task, and it is, but it is like eating an elephant - it is done one bite at a time. Take special note of the risk management section on dealing with the press; most organizations fail when they deal with press inquiries during crises.

The second chapter deals with policies and procedures. Recently, there has been a surge of literature published about these subjects. Much of it has merit and will go a long way to improve your business' performance. More than one organization has been saved from the fires of ruin because of having well-developed policies and procedures. When reading about policies and procedures, do not get mired in definitions. Take the steps to get them drafted, vetted, approved, and implemented. Get the auditors to see to their adherence.

Auditing is the third chapter. Auditors must look at policies, procedures, standards, processes, and the way organizations safeguard their critical assets. Saving your hard-earned assets is the name of the audit game.

The fourth chapter deals with critical incident response. Identifying a critical incident, handling its investigation, reporting, and evidence collection will be covered. There are two overarching concepts in this chapter: do not perform evidence collections and examinations for which you do not have the expertise, and do not do anything that is going to alter the evidence. Here, I discuss the development of critical incident teams, including their structure, development, function, funding, and reporting requirements.

Chapter 5 deals with the matter of law enforcement, what it can do, and how to deal with it. Computer-related crimes including economic espionage, theft of intellectual property, and trade secrets are described here.

Completing the book is a chapter on privacy. Like it or not, it is the wave of the future. Depending on the activity, people are entitled to different levels of privacy; with that in mind, I am going to provide some insight into the reasonable expectations in this area.

A little about me. Many years ago I spent some time dealing with secure electronic communications as part of my U.S. Air Force experience. At that time, communication networks were considered sophisticated, and they actually were if judged by the standards of their early years. I joined the Federal Bureau of Investigation, and for the next 24 years enjoyed many experiences while assigned to Dallas, New York City, San Juan, Puerto Rico, and Salt Lake City. Regardless of some opinions, I found the support employees, Special Agents of the FBI, and police officers in the trenches of law enforcement dedicated to preserving our freedoms. God bless them.

Thanks to my family and particularly to my wife, Tina, for her infinite love and support.

I would also like to thank Rich O'Hanley and his staff for their professional abilities and attitudes.

I am certain there are mistakes in this book. Please excuse me; I have taken every effort to ensure accuracy. If you find something you want to discuss, feel free to email me at <absterneckert@yahoo.com>.






Critical Incident Management
ISBN: 084930010X
EAN: 2147483647
Year: 2004
Pages: 144
