The way organizations approach implementing homeland security initiatives in enterprise IT varies by both the size of the organization and the industry sector in which the organization operates. As a guide for managers responsible for implementation, the action checklists from each chapter have been compiled into the following three lists (see Tables 12.1-12.3):
The Enterprise Action Checklist shows those action items that are of enterprisewide concern. The IT department or function will need to participate in executing most of those action items but will work in conjunction with many other departments or corporate officers. The departments involved are indicated for each action item. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.
The IT Management Action Checklist shows those action items that are of primary concern or are the primary responsibility of the IT department. It is probable that the IT department will take the lead role in the activity, but, when appropriate, the involvement of other departments is indicated. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.
The IT Security Action Checklist shows those action items that are of primary concern or are the primary responsibility of the IT security unit. It is probable that the IT security unit will take the lead role in the activity, but, when appropriate, the involvement of other departments is indicated. When the term security is used, it means the corporate or enterprise security department, rather than the IT security function, unless they are within the same functional unit.
Table 12.1 Enterprise Action Checklist

Action Item | Chapter and Item | Departments Involved |
---|---|---|
Determine if the organization has taken a position on homeland security. | Chapter 1-1 | CEO, IT, legal counsel, business units |
Evaluate what actions the organization needs to take if the threat level is raised by the government. | Chapter 1-5 | CEO, security, IT, business units |
Determine the status of implementation of DRPs and what related training has been achieved. | Chapter 2-5 | CEO, HR, IT, disaster recovery, contingency management, business units |
Determine the status of implementation of plans for the management of data privacy and what related training has been achieved. | Chapter 2-8 | CEO, HR, business units, privacy management |
Conduct a structured threat assessment to determine if the organization is a component of the critical national infrastructure. | Chapter 3-1 | CEO, security, IT, legal counsel, business units |
Conduct a structured threat assessment to determine the level of dependency on components of the critical national infrastructure. | Chapter 3-2 | CEO, security, IT, business units |
Conduct a structured threat assessment to determine the proximity of the organization's facilities to facilities or structures that are components of the critical national infrastructure. | Chapter 3-3 | CEO, security, IT, business units |
Initiate a security improvement process. | Chapter 3-4 | CEO, HR, security, business units |
Develop procedures for reporting computer-related incidents. | Chapter 4-2 | CEO, IT, legal counsel |
Assign staff responsibilities for reporting computer-related incidents. | Chapter 4-3 | CEO, IT, legal counsel |
Evaluate security initiatives for sectors in which the organization has operations. | Chapter 5-1 | CEO, IT, security, business units |
Assess organizational plans to meet security needs. | Chapter 5-2 | CEO, IT, security, business units |
Evaluate the methods by which the organization communicates and conducts business transactions with suppliers. | Chapter 6-1 | CFO, IT, business units |
Determine the vulnerabilities in the systems used to work with suppliers and develop an action plan to improve security in those systems. | Chapter 6-2 | CFO, IT, business units, security |
Evaluate the methods by which the organization communicates and conducts business transactions with customers. | Chapter 6-3 | CFO, IT, business units |
Determine the vulnerabilities in the systems used to work with customers and develop an action plan to improve security in those systems. | Chapter 6-4 | CFO, IT, business units, security |
Evaluate the methods by which the organization communicates and conducts business transactions with service providers. | Chapter 6-5 | CFO, IT, business units |
Determine the vulnerabilities in the systems used to work with service providers and develop an action plan to improve security in those systems. | Chapter 6-6 | CFO, IT, business units, security |
Determine if the organization's view of the health of cyberspace is influenced by political, economic, or business issues that could impact IT policies and computer-incident response plans. | Chapter 7-5 | CFO, IT, business units, security |
Determine if DRPs are up-to-date and if any changes or updates need to be made to the plans. | Chapter 7-7 | IT, disaster recovery, contingency management, business units |
Determine if there are opportunities to work with local law enforcement agencies on joint training exercises. | Chapter 8-2 | CEO, PR, disaster recovery, business units |
Evaluate the physical security of computer and network facilities to determine if it meets minimum standards or customary standards for the industry sector; modify physical security procedures as necessary. | Chapter 8-9 | IT, business units, security |
Determine if the organization wants to make recommendations for priorities in cybersecurity research. | Chapter 8-10 | CEO, IT, legal counsel |
Determine if the organization can or must provide direct assistance to the federal government in assessing threats and vulnerabilities. | Chapter 10-1 | IT, business units, security, legal counsel |
If the organization can or needs to work with the federal government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-2 | IT, business units, security |
Determine if the organization needs to address the goals and objectives regarding trusted individuals using government computer systems. | Chapter 10-3 | IT, business units, security, legal counsel |
If the organization needs to work on a trusted individual's program, develop a plan to implement the program, including the use of agreements to safeguard information and warning banners on computer systems. | Chapter 10-4 | IT, business units, security, legal counsel |
Determine if the organization can or must provide direct assistance to the government in securing outsourcing or procurement operations. | Chapter 10-7 | IT, business units, security, legal counsel |
If the organization can or needs to work with the government on securing outsourcing or procurement operations, develop a plan to accomplish that work. | Chapter 10-8 | IT, business units, security |
Determine if the organization can or must provide direct or indirect assistance to the state government in assessing threats and vulnerabilities. | Chapter 10-9 | IT, business units, security, legal counsel |
If the organization can or needs to work with the state government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-10 | IT, business units, security |
Determine if the organization can or must provide direct or indirect assistance to the local government in assessing threats and vulnerabilities. | Chapter 10-11 | IT, business units, security, legal counsel |
If the organization can or needs to work with the local government on assessing threats and vulnerabilities, develop a plan to accomplish that work. | Chapter 10-12 | IT, business units, security |
Determine if the organization has operations in any country that is a signatory of the CoE Convention on Cybercrime and analyze how that may impact IT policies, procedures, and operations. | Chapter 11-4 | CEO, IT, legal counsel, business units |
Devise plans to influence countries in which the organization has operations and that are not signatories of the CoE Convention on Cybercrime to become signatories. | Chapter 11-5 | CEO, IT, legal counsel, business units |
Table 12.2 IT Management Action Checklist

Action Item | Chapter and Item | Departments Involved |
---|---|---|
Evaluate how the organization's position on homeland security impacts IT. | Chapter 1-2 | CEO, IT, legal counsel |
Assess how the USA Patriot Act impacts IT support requirements. | Chapter 1-3 | CEO, IT, legal counsel |
Assess if the formation of DHS impacts IT support requirements. | Chapter 1-4 | CEO, IT, legal counsel |
Evaluate what actions the IT department needs to take if the threat level is raised by the government. | Chapter 1-6 | CEO, IT, legal counsel, business units |
Evaluate changes in IT management practices that were made as a result of the terrorist attacks of September 11, 2001, to determine if new procedures are still adequate to address current security conditions or needs. | Chapter 2-1 | IT, business units |
Evaluate changes in IT management practices that were made as a result of the establishment of DHS to determine if new procedures are still adequate to address current security conditions or needs. | Chapter 2-2 | IT, business units |
Assess the level of training within the IT department to determine if the skill base necessary to evaluate, test, maintain, and improve policies, plans, and procedures exists. | Chapter 2-3 | IT, HR |
Evaluate IT staffing to determine if the staffing level and staffing mix are adequate to address current needs. | Chapter 2-4 | IT, HR, business units |
Assess the level of training of IT users to determine what security-related training should be implemented. | Chapter 2-9 | IT, HR, business units |
Establish an internal organization process to monitor technology development, standards for technology use, and technologies that have been tested and proven effective. | Chapter 3-5 | IT, security, business units |
Establish policies for reporting computer-related incidents. | Chapter 4-1 | CEO, IT, legal counsel |
Determine how IT security staff are trained and develop a program to improve training. | Chapter 8-1 | IT, HR |
Determine if the technology used by the organization meets the Common Criteria standards and make plans to migrate away from technologies that do not meet the standards. | Chapter 8-5 | IT, business units |
Determine if the technology acquisition process used by the organization requires that products meet Common Criteria standards and modify procedures as necessary. | Chapter 8-6 | IT, purchasing, business units |
Evaluate the configuration management processes and procedures of the organization to determine if they provide sufficient levels of control to improve security; modify procedures as necessary. | Chapter 8-7 | IT, business units |
Evaluate the process and procedures for installing patches to eliminate vulnerabilities; modify procedures as necessary. | Chapter 8-8 | IT |
Determine if the organization needs to address the goals and objectives regarding wireless communications with government computer systems. | Chapter 10-5 | CEO, IT, security, business units |
Determine if computers or networks that are owned or operated by the organization located in other countries are or have been under attack. | Chapter 11-1 | CEO, IT, security, business units |
If computers or networks that are owned or operated by the organization located in other countries are or have been under attack, develop a reporting mechanism to alert authorities in the United States of these occurrences. | Chapter 11-2 | CEO, IT, security, business units |
Table 12.3 IT Security Action Checklist

Action Item | Chapter and Item | Departments Involved |
---|---|---|
Determine the status of implementation of IS security plans and what related training has been achieved. | Chapter 2-6 | IT security, business units |
Determine the status of implementation of computer-incident response plans and what related training has been achieved. | Chapter 2-7 | IT security, business units, HR, security |
Assign staff responsibilities for participating in InfraGard or professional organizations. | Chapter 4-4 | IT security |
Evaluate IT solutions that address security needs or support new security requirements. | Chapter 5-3 | IT security, business units |
Compare IT solutions that address security needs or support new security requirements for effectiveness, usability, and return on investment. | Chapter 5-4 | IT security, business units |
Select and acquire IT products or services. | Chapter 5-5 | IT security, business units |
Deploy and test applicable IT solutions. | Chapter 5-6 | IT security, business units |
Monitor performance of IT solutions and tune, enhance, or migrate product sets. | Chapter 5-7 | IT security, business units |
Evaluate the organization's ability to participate in and benefit from a national cyber-incident response system. | Chapter 7-1 | IT security, business units, security |
Develop processes and procedures to utilize information provided by the national cyber-incident response system. | Chapter 7-2 | IT security, business units, security |
Determine if the organization is using reports, analyses, standards, and recommendations provided by researching agencies such as the NSA and the NIST to improve IS security. | Chapter 7-3 | IT security, business units |
Evaluate how security standards and procedures are set in the organization. | Chapter 7-4 | IT security, business units, security |
Evaluate the sources of cybersecurity information that the organization has, including vendors, service providers, and other organizations that can be used to maintain security during threat situations. | Chapter 7-6 | IT security, business units, security |
Determine how the organization obtains information on vulnerabilities and develop steps to obtain more timely information on vulnerabilities. | Chapter 8-3 | IT security, business units, security |
Determine if the organization actually uses information on vulnerabilities to keep security methods updated, and make changes in the approach if necessary. | Chapter 8-4 | IT security, business units |
Develop and launch a technology-focused cybersecurity training program for various types of employees, including executives, managers, supervisors, project leaders, and end users in all capacities. | Chapter 9-1 | IT security, HR, business units |
Develop and launch an information security-focused training program for different types of employees based on their levels and areas of responsibilities. | Chapter 9-2 | IT security, HR, business units |
Evaluate the need for certified computer-security professionals in the organization, and determine a course of action to increase the level of certification of in-house staff. | Chapter 9-3 | IT security, HR, business units |
If the organization needs to work on securing wireless communications, develop a security plan to implement the plan. | Chapter 10-6 | IT security, business units |
Develop a policy and procedure to assist in attack attribution and response, and modify the computer-incident response plan accordingly. | Chapter 11-3 | IT security, business units, legal counsel |