StrategizerSM Newsletter Vol. 1 No. 1
There Is No Strength In Reaction Mode

We live in unusual times and, unfortunately, these bring new security problems at an ever-increasing pace.

It is all too easy to let events get ahead of us, and pretty soon we struggle like a fighter on the ropes.

Rather than let that happen, let us help you anticipate and prepare for the security challenges which are coming.

You can reach us at
(772) 781-7300 or email tianuzzi@infosecurityconsult.com --Tom Ianuzzi

Hurricane Season Is Almost Upon Us, Will You Be Ready?

Kenneth Worster, MBA

In August of 1983, Category 3 Hurricane Alicia made her way up the Ship Channel from the Gulf of Mexico and slammed downtown Houston - hard. She was a Category 3, causing an estimated $4.3 billion in damages. This hurricane was notable for shattering thousands of windows in downtown Houston with loose gravel from the roofs of new skyscrapers and with other debris picked up by the wind and hurled into the unprotected glass. Experts had known for many years that small airborne debris was a major cause of glass failure in all types of buildings, but Alicia proved that tiny pieces of gravel could take out windows forty stories up and above. Officials vowed to strengthen building codes and did. New codes, however, only apply to new construction, and there wasn't going to be much of that in downtown Houston - it was already built. Meanwhile, buildings tall and small that lost windows could not operate. Offices were gutted and papers, files, computers, work stations, cubicles, desks, chairs, etc. were scrambled about by hurricane winds and rain. All companies affected suffered catastrophic losses, and many simply became fatalities of Alicia.

Architects, engineers, code officials, risk managers, and yes, politicians too, assured everyone that weaknesses would be identified and fixes put in place.

Problem solved. Never again. Even if all the others can't be trusted, politicians always can, right?


Fast forward 25 years to September 2008. Category 2 Hurricane Ike is taking aim at Houston. Nothing to worry about except power outages and such, because Alicia had told her story, and everyone had listened, learned, and fixed everything that needed fixing.

(Continued below)

Six Essentials For Any Security Program
Thomas Ianuzzi, CPP, CISSP, CFE, CCE

This is the second in a series of articles written for experienced security managers who have recently been tasked with responsibilities in information security. The security landscape is changing; attacks on computer systems roughly doubled last year. With a tough economy and growing desperation, every type of security problem is on the rise. This is catching many managers flat-footed. The physical security manager may see the IT security problem as overwhelming, but in fact the same approach which is used to design a physical security program will produce an effective information security plan.

1. Make sure you have management's full support
Failing to get management's full support is an extremely common cause for the failure of all security programs. Although management may be enthusiastic about the program at its inception, often because they need to comply with some external requirement, they may lack the resolve to follow through. This is usually due to an unwillingness to expend the necessary time and money when the perceived crisis has passed. Discuss these issues upfront. There is little point in preparing a plan which at best sits on the shelf and gathers dust and at worst sets the organization up for catastrophic failure.

2. Do a thorough risk assessment
This is a basic requirement, but it is amazing how often it is neglected. Failing to do a proper risk assessment results in planning based on past understandings of the security issues. This often leads to critical gaps in the final program. Today, we have a large and creative criminal element dedicated to exploiting those gaps.

3. Design your program around established frameworks and standards
Choose the necessary frameworks and standards which best meet the company's needs. In some cases, this seems easy because it appears that the program can be driven by the external requirements. Be careful in these cases because these requirements may fall short of accomplishing the necessary level of security. It may require careful research and consultation with your technical advisers to select the best standards to meet the security needs, not just the legal requirements.

4. Produce a written plan
This one should be obvious, but it's amazing how many "plans" are never reduced to writing. That is, the responsible parties believe they have a plan which evolved from their daily experience, but in reality all they have is a haphazard assortment of practices which have never been documented. Unfortunately, the security efforts of most companies fit into this category. Generally, these "programs" suffer from significant gaps.

5. Train personnel

Everyone understands the necessity for employee training, but somehow when many companies establish plans they never get around to it. Effective training may be sidestepped by distributing a new manual and requesting that the employees read it. Unfortunately, without some means to document that the necessary training has actually been accomplished, it generally isn't done.

6. Make provision for updating the plan
Again, this is one of those obvious and simple things that often gets overlooked in the day-to-day activities of running a business. Unless you schedule the update activity when you adopt the plan, it will probably fall by the wayside.

As you can see, there is nothing really different about IT security plans. If you keep your mind on the basic management principles and surround yourself with a team which can provide strong technical guidance, there is no reason you can't be successful in this role.

(Hurricane Season Continued)

Well, maybe not. Once again, thousands of windows are shattered, adding to the $31.5 billion in Ike's damages. Once again, the hub of America's petroleum industry is closed for business, this time during a very fragile time in our nation's economy. Once again, many businesses will be closed - permanently. What happened, and who is to blame?

What happened is simple: We did not learn from our mistake(s). Who is to blame: We all are. Certainly Mother Nature deserves some of the blame. She delivers about 2 major hurricanes every 3 years somewhere along the U.S. Gulf or Atlantic coast. She also churns out about 6 hurricanes per Atlantic hurricane season, and 95% of those which make coastal landfall do so somewhere between Texas and Florida. In 2008 dollars, the top 25 landfalling storms have caused over $350 billion in damages. But we are also to blame because we don't believe it can happen to us and we don't prepare our buildings with the one tool they all need to weather the storm: glass protection. Shutters, impact glass, plywood, and protective window films have all proven effective. If you have glass windows or doors, and live or work in the danger zone, get protected or get damaged - your choice.

So, we know how damaging they are, and we know where (and when) they are likely to strike. We also know that the architects, engineers, code officials, risk managers, and politicians can't protect us from damaging weather. The reality is that we must take responsibility for this task ourselves as managers, owners, landlords, tenants, and homeowners.


The good news is that hurricane protection is affordable, can be retro-fitted to almost any structure, and products such as protective window film will also pay for themselves with lower cooling costs and lower electric bills.

No problem Houston, just prepare properly. And as for the rest of us - learn the lesson or pay the price.