Similarities between Security & Continuity
Post on 11-Apr-2017
SIMILARITIES BETWEEN ICT SECURITY & ICT CONTINUITY
BERT HILBERINK (BERT.HILBERINK@GMAIL.COM)
Contents
Similarities = Gap between Theory and Practice
Gap: Causes
Gap: Effects
Gap: Solution Approach
Gap between Theory and Practice (1)
Standards, policies, and guidelines for Security and Continuity in Datacentres, Infrastructure and IT Applications, however necessary and sound, are in practice often watered down to an alarming degree.
This is caused by a lack of attention and effort at several levels.
The causes and effects are quite similar for Security and Continuity, as is the solution for closing this gap.
Gap between Theory and Practice (2)
Distance between Security/Continuity Departments and Innovation/Operations
Human awareness (or plain ignorance)
(Perceived) priority issues -> “Innovation and Operational problems always have precedence”
Budget cuts -> “We don’t have money, people, and time”
Hardware or Software misconfigurations
Failure to stay up to date
Incomplete or incorrect asset administration
…
Gap: Causes
| DEFICIENCY IN … | SECURITY: CAUSED BY … | CONTINUITY: CAUSED BY … |
|---|---|---|
| DESIGN | Insufficient security built-in | Insufficient redundancy built-in |
| IMPLEMENTATION | Design not properly implemented | Design not properly implemented |
| MAINTENANCE | Insufficient Regular Patch Management. Insufficient Security Patch Management. Insufficient Vulnerability Management | Insufficient Technical Management. Insufficient Application Management. Insufficient Life Cycle Management |
| REDUNDANCY & BACKUPS | (N/A) | Failovers not production-like or not up to date. Backups not usable |
| CMDB* | CMDB not complete & correct | CMDB not complete & correct. Redundancy not explicitly mentioned |
| TESTS & EXERCISES | Insufficient Vulnerability Management; if present, only after incidents | Infrequent tests; if present, only low-level. Hardly ever ‘live’ exercises |
| RECOVERY PLANS | Not present; or if present, unusable or not up to date | Not present; or if present, unusable or not up to date |
| 3RD PARTIES | Security chapter in contract missing or substandard. 3rd Party not up to the task | Continuity chapter in contract missing or substandard. 3rd Party not up to the task |
| CALAMITY TEAM | (N/A: security incidents normally tackled by other department) | Insufficient tools and documentation. Insufficient awareness and training |

*: Configuration Management Database
Gap: Effects
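[Table: DEFICIENCY IN … / EFFECT … on SECURITY and on CONTINUITY, with rows DESIGN, IMPLEMENTATION, MAINTENANCE, REDUNDANCY & BACKUPS, CMDB, TESTS & EXERCISES, RECOVERY PLANS, 3RD PARTIES, CALAMITY TEAM. Legend runs from “Hardly any effect” to “Large effect”; the graphical ratings are not reproduced in this transcript.]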
Gap: Solution Approach
For Continuity, there is a proven method of closing the gap; see the presentation ‘Improvements in ICT Continuity’.
For Security, this method can easily be adapted.
Thanks for your Attention!