Designing an Information Assurance Strategy


Now that you are aware of the vulnerabilities and threats, and of the implications of acting or failing to act, you need to design a strategy that recognizes the firm's operational requirements and pairs them with the need to protect the assets belonging to the firm and its customers, while limiting exposure to those who wish to cause harm.

An information assurance strategy comprises several independent yet interrelated action plans: the firm's strategic plan, the continuity of operations plan, the disaster recovery plan, and the infrastructure security plan.

First, the firm's strategic plan is integral: it is the roadmap that guides the firm into the future. It should identify future initiatives and requirements, core competencies, the vision of how the firm will satisfy the demands of its customers, financial expectations, the roles that departmental structures play, and the expectations of the stakeholders together with how the firm will integrate those expectations into its performance goals.

Second, the continuity of operations plan (COOP), also called the contingency operations plan, details how the firm will operate after a change in its operational posture: a natural or man-made disaster, or a terrorist event. It specifies alternate work locations and the accompanying infrastructure design, remote telecommuting arrangements, required hardware and software inventories, procurement strategies, emergency contact rosters for key personnel, and data accessibility requirements.

Third, the disaster recovery plan identifies the critical technological resources and the approach for restoring access to the information they hold. It outlines the strategy for procuring replacement resources and the milestones that must be met to recover from the disaster. The critical resources are prioritized and a target recovery timeline (a recovery time objective) is set for each. These critical resources represent the minimum needed to continue the operations of the firm.

Care should be taken when designing the disaster recovery plan. Organizations tend to rate every resource as critical when, viewed against the firm as a whole, most are not. Identify only those resources that must be restored for operations to continue. Interdependencies between automated systems should also be captured in this plan and matched to the appropriate criticality priority: a system cannot be recovered before the systems it depends on, so a dependency's recovery target must be no later than that of anything relying on it.
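The interdependency check described above can be made mechanical. The following is an added example, not code from the book: it takes a disaster recovery inventory (system name, target recovery time in hours, and the systems it depends on; the sample entries are constructed and hypothetical), derives a recovery order in which every system comes after everything it depends on, rejects dependency cycles, and flags any system whose recovery target is shorter than that of a system it depends on, since such a target cannot be met.

```python
"""Derive a recovery order from a DR inventory and check RTO consistency.

Added example (not from the book). The inventory below is constructed:
name -> (target recovery time in hours, list of systems it depends on).
"""

# Constructed sample inventory; names and values are hypothetical.
SAMPLE_INVENTORY = {
    "identity":   (2, []),
    "network":    (1, []),
    "database":   (4, ["network"]),
    "erp":        (8, ["database", "identity"]),
    "web-portal": (2, ["erp", "identity"]),   # target shorter than erp's: unmeetable
    "reporting":  (48, ["database"]),
}


def recovery_order(inventory):
    """Return a recovery order in which every system follows all systems it
    depends on (Kahn's topological sort). Among systems that are ready at the
    same time, the one with the shortest recovery target goes first.
    Raises ValueError on an unknown dependency or a dependency cycle."""
    for name, (_, deps) in inventory.items():
        for d in deps:
            if d not in inventory:
                raise ValueError(f"{name} depends on unknown system {d}")
    indegree = {name: len(deps) for name, (_, deps) in inventory.items()}
    dependents = {name: [] for name in inventory}
    for name, (_, deps) in inventory.items():
        for d in deps:
            dependents[d].append(name)
    ready = [n for n, k in indegree.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: inventory[n][0])   # most time-critical first
        n = ready.pop(0)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(inventory):
        cyclic = sorted(n for n, k in indegree.items() if k > 0)
        raise ValueError(f"dependency cycle among: {cyclic}")
    return order


def rto_violations(inventory):
    """Return (system, dependency) pairs where the dependency's recovery target
    is longer than the dependent's, i.e. the dependent's target cannot be met."""
    bad = []
    for name, (rto, deps) in inventory.items():
        for d in deps:
            if inventory[d][0] > rto:
                bad.append((name, d))
    return sorted(bad)


def effective_rto(inventory):
    """Achievable recovery time per system: the larger of its own target and
    the effective recovery time of every system it depends on."""
    memo = {}

    def eff(n):
        if n not in memo:
            rto, deps = inventory[n]
            memo[n] = max([rto] + [eff(d) for d in deps])
        return memo[n]

    for n in recovery_order(inventory):   # also validates the graph
        eff(n)
    return memo


if __name__ == "__main__":
    print("recovery order:", recovery_order(SAMPLE_INVENTORY))
    print("unmeetable targets:", rto_violations(SAMPLE_INVENTORY))
    print("achievable recovery times:", effective_rto(SAMPLE_INVENTORY))
```

On the constructed inventory the order is network, identity, database, erp, web-portal, reporting; the web-portal's two-hour target is flagged because it depends on the ERP system with an eight-hour target, so its achievable recovery time is eight hours. This is exactly the kind of mismatch the plan should resolve before a disaster, either by raising the portal's target or by lowering the ERP system's.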

Fourth, the infrastructure security plan identifies the known vulnerabilities and threats to the existing network infrastructure. This plan, like the preceding ones, should be a living document: as new hardware and software are introduced into the network, the plan should be updated to cover the vulnerabilities and threats they bring. It details the mitigating strategies and security mechanisms in place within the firm, and includes a complete (100%) inventory of all technological assets and all telecommunication connections.

The information assurance plan incorporates all of the above plans at a minimum; depending on the unique requirements of the specific firm, additional plans should be added. Overall, it outlines a comprehensive strategy for securing the firm so that operations continue with as little interruption as possible. Key timeframes should be identified, such as the target hour for restoring partial operations and the timeline for restoring full operational capability.

This information assurance plan should be disseminated as widely as the firm's need-to-know rules allow: the plan's structure, roles, and contact procedures should reach everyone, whereas the vulnerability inventory and security mechanism details in the infrastructure security plan should be restricted to those who must act on them. Modifications to the plan should be distributed, and the plan should be reviewed at regular intervals. Typically, a moderate review should be performed annually, and a clean-slate review every three years.

The information assurance strategy should include a security audit. This audit examines the plans documented above and verifies their accuracy and continued applicability to the existing infrastructure. It may also include penetration testing performed by an independent examination body. The scope of the penetration testing varies with the needs of the firm. Results should be held in strict confidence, and the test should be unannounced to employees, with the exception of the senior executives, including the information security officer. Advance disclosure of a penetration test skews its results, because staff behave differently when they know they are being tested.

Findings from the security audit and penetration testing should be examined, and remediation should be initiated for the identified vulnerabilities, starting with those that represent critical failures.




Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113
