We will go into more depth, discussing two very important documents, each of which will be organisation-specific. Your challenge is to get it right for your environment and for how you want to protect your information.
Firstly we will look at those areas that are generally within your control and understanding. Then we will take a brief look at those things that are unknown to most people but make you vulnerable to a major hack.
Start with the corner pieces
Like doing a jigsaw, it might appear overwhelming at the outset but if you get your foundations right, like putting the corner pieces in place first, the way forward becomes clearer.
By producing the following documents, a lot of subsequent actions will become apparent. Firstly, a word of warning. The natural tendency is to give this project to the “IT guys” to look after. Whilst they will need to be involved, they might not be the best people to oversee this process. This one might be a little “too close to home” for them.
Information Security Policy
Start by defining what you are trying to achieve. There will always be areas of risk and you need to determine what levels of risk you are willing to accept.
Your policy will be a relatively short statement along the lines of, “to ensure our business continuity and to minimise the risk of damage and intrusion into our IT infrastructure.” It is a far-reaching statement and you might include a few bullet points such as:
protecting information against unauthorised access
maintaining the integrity of information
the importance of client confidentiality
educating staff in related disciplines.
Responsibility for the policy and its implementation resides with your CEO or equivalent.
Business Continuity Plan (BCP)
Producing a BCP will help you to identify both your readiness to meet your stated Information Security Policy and your vulnerabilities. Your BCP is not just about preventing unwanted intrusions into your IT systems. It is about how you keep your business operating when the unlikely happens. The following structure may help you to develop your BCP.
1. Business Impact Analysis: What are the feasible events that could impact your business continuity and what is their likelihood? These might include physical damage such as fire, loss of power or a meltdown of your IT infrastructure.
2. Prevention strategy: What strategies do you employ to ensure that the likelihood of a disabling event is minimised? If one does occur, what processes are in place to ensure your business continuity and service provision can be re-established in the shortest possible time? In terms of your IT infrastructure you might consider:
Physical access to servers and other key, central infrastructure
Application of anti-virus and mail protection services
Hardware redundancy including: physical server redundancy and virtualisation
Pro-active preventative maintenance
Backup and recovery capability including off-site backups. You should include a testing regime to ensure that if restores are required, they will work.
3. Event readiness: Consider the applicability of all insurance policies and maintenance contracts.
4. Implementation strategy: For each of the events that could impact your business continuity, document what steps would be taken to recommence full operations. Are they feasible and implementable?
5. Recovery timelines: Consider the feasible timelines to recovery should a major event occur. Are they acceptable or are additional infrastructure and services required to meet your required timelines?
Remember, your BCP will be designed for your processes and your level of acceptable risk. Constantly ask yourself, “Does this meet the requirements of our Information Security Policy and our required downtime/recovery criteria?”
Not knowing what you don’t know
You might now be satisfied that your systems are bulletproof and that you meet all the requirements of your Information Security Policy. However, up until now you have only covered the areas that you can think of, such as hardware failure and even a major fire. But, as we know, determined malicious intruders are increasingly technically capable, and they often endeavour to infiltrate without being discovered, in ways that most people would not imagine or understand.
Ethical hackers and pen tests
Everybody knows about hackers; those stereotypical bad guys who wear hoodies and sit in dark rooms full of computer screens. There is however another type of hacker. The “ethical hacker” works only with the express permission of your organisation and, in many cases, might be certified by CREST, Australia’s representative organisation for professionals in the technical information security marketplace. The ethical hacker’s task is to attempt to bypass system security and find points of weakness that could be exploited by malicious hackers.
These professionals use penetration testing, or a pen test, to evaluate the security of your IT infrastructure by safely attempting to exploit vulnerabilities. The list of areas that can be evaluated using advanced pen testing is extensive and, of course, very technical. In many cases they will use an array of high-end tools and techniques, similar to those used by attackers on the internet.
They will provide a full business report on their findings and make a list of recommendations for your consideration including procedural and strategic changes. The amount of “unknowns” is massive. At the end of this exercise you should have a much better understanding of your risk exposure.