Your organization's information security department or function protects you and your fellow employees from unauthorized access into your networks, applications, systems and data. A key part of this is protecting your organization's electronic perimeter using various techniques, such as firewalls, virus detection, and intrusion detection systems. But their activities are even more complex than that. In this article we'll examine the "infosec" activity and how information security policies interface with disaster recovery (DR) and business continuity (BC) professionals.
Information security often involves devices that analyze incoming and outgoing data packets, and devices that monitor overall systems and network performance and how they could be impacted by a security breach.
Information security departments typically have a set of policies and procedures that govern their daily activities. Audit controls, such as those specified in ISO/IEC 27001:2005, the global infosec standard, should also be in place. Compliance with ISO/IEC 27001 is increasingly important for organizations of all sizes and helps to ensure that the methods used to protect the firm's infrastructure are consistent.
Additional information security activities include:
- 24/7 monitoring of all elements of the firm's internal and external networks, firewalls and access points for information ingress and egress.
- Testing for network porosity to identify potential vulnerabilities.
- Providing training for staff in good security practices.
- Assisting users in configuring the security provisions on their desktop and/or laptop computers.
- Receiving, processing, resolving and closing out security inquiries and possible breaches.
- Investigating and evaluating new information security equipment.
- Installing and testing hardware and software and changing security profiles for users.
- Setting security parameters of hardware and communications devices.
- Reviewing audit data and documenting information security policies and procedures.
- Conducting forensic tests of security breaches.
- Reporting on information security issues to management.
As a disaster recovery professional, your input to and unique perspective on security activities could be valuable to your infosec colleagues, and can increase your value to the company. Your involvement can also help you increase your knowledge of this important risk-related activity, and it should be a strategic element in your long-term professional growth.
Relationship to business continuity and disaster recovery professionals
By regularly exchanging information about threats, vulnerabilities and how they can be addressed, information security and disaster recovery professionals can provide added value to the organization. By sitting on each other's planning committees, as well as on the firm's risk organization, they can bring the benefits of each discipline to the firm. Furthermore, if information security and disaster recovery professionals share their expertise with each other, both groups can stay aligned with each other's strategic and operational goals.
While the two functions overlap somewhat from planning and operational perspectives, infosec deals with ongoing and immediate threats, while BC/DR prepares for potentially serious business interruptions. Cross-training and rotating positions between the two organizations are two good ways to share experiences and to establish a backup staff in case of an emergency.
Both BC/DR and information security are responsible for protecting the company's ability to stay in business. Therefore, it's a good idea to identify opportunities for joint projects, such as operational assessments of the firm's external and internal risks or a supply chain assessment using each group's unique perspectives. By strategically combining the results of such an assessment, management will have a more precise view of the firm's current risk position, and will be better able to precisely target investments that will preserve and protect the organization. Furthermore, regular joint meetings of all risk-related departments can provide broader insight into the company's risk health than if those units operated independently of each other.
This independent, or "silo," mentality is the norm rather than the exception for many businesses. Because it is so entrenched, it's probably the most difficult situation to overcome in a business setting. It takes real leadership -- both from senior management and department leaders -- to break down the barriers to collaboration. By doing this, each of these specialized units -- as well as the company -- can benefit.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.