Experts in continuity-of-operations planning suggest these six ways you can harden your COOP.
1. Replicate at each backup facility all security policies, intrusion-detection and intrusion-prevention systems, and firewalls used to protect primary facilities.
2. Test the reliability of cipher locks, biometric readers, video monitors and, where necessary, plans for stationing guards to safeguard the physical security of shuttered primary sites and backup locations.
3. Use network access controllers to scan mobile devices for viruses and to check for missing security patches before allowing users to log on to networks.
4. Implement two-factor user authentication with the help of smart cards, biometric readers and passwords.
5. Encrypt data when it is stored on mobile devices and whenever it is transferred between data centers and remote locations.
6. Check to see that auditing capabilities in operating systems, databases and information technology appliances are set to log the activities of everyone who signs on to the network and accesses data during emergencies.
Alan Joch
Editor's note: This is the second of a two-part series on continuity-of-operations planning. Read the first part of the COOP series.
In the past, continuity-of-operations planners had a primary objective: Re-establish government operations as quickly as possible after a natural or man-made disaster. But now, as COOP planners become more aware of the information security vulnerabilities that can open up when primary information systems go down, some of them are taking a more cautious approach to recovery.
“Today there’s more emphasis on ‘How do I get up and running securely?’ ” said William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination (OCSCIC).
Pelgrin said agency managers must evaluate the circumstances before deciding whether to recover quickly or recover as securely as possible. “If there is an immediate threat to life, safety or health, then you do whatever you have to do to make sure that you can address that situation,” he said. Some emergency situations might dictate physically transporting a hard drive with unencrypted data if getting the information to first responders will reduce casualties.
“But absent that, you need to ask ‘How do I make sure that I’m moving forward with the recovery effort while also making sure that I don’t add to the disaster?’ ” by inadvertently allowing an information security breach to occur, he said.
COOP experts say the answer lies in combining policies and information technologies that maintain security continuity throughout a period in which a government office is closed and workers regroup at secondary sites, telework centers and home offices. Coming up with that combination requires that security considerations be part of continuity planning from the start.
“When security gets bolted on at the end [of COOP development], that’s the worst scenario,” said Jim Kennedy, business continuity/disaster recovery practice lead at telecommunications vendor Alcatel-Lucent. “That means there hasn’t been the necessary continuum of thought required to make sure that you’ve considered all the little nuances that go along with security, whether it’s physical, administrative, or technical security.”