234 7.19 Training Staff for the Business Recovery Process
are running on the same host. It makes no assumptions about specific services being tied to specific hosts.

Test cooperation. The security tests performed by Nessus are designed to cooperate with services detected on the host so that useless information is not reported. For example, if an FTP server does not allow anonymous logins, then Nessus is intelligent enough to determine that any anonymous-related security checks need not be performed.

Complete, exportable reports. Nessus will not only tell you what’s wrong on your network, but will, most of the time, tell you how to prevent crackers from exploiting the security holes found, and will give you the risk level of each problem found (risk levels are categorized from Low to Very High). The UNIX version of the Nessus client can export Nessus reports in ASCII text, LaTeX, HTML, “spiffy” HTML (with pies and graphs), and an easy-to-parse delimited file format.

Full SSL support. Nessus has the ability to test SSL-type services such as https, smtps, imaps, and more. You can even supply Nessus with a certificate so that it can be integrated into a PKI-like environment.
As you can see, the features available in Nessus allow the auditor many capabilities to perform audit checks. By varying configurations, the auditor can vary the depth of the checks to meet the specific needs of the organization. It is not uncommon for an auditor to maintain a suite of plug-in modules that test most common vulnerabilities. Usually, these tools have been refined by auditors over numerous audits and provide excellent information. As a security manager, it is a good idea to start the use of such a process in your organization so the auditors can perform their tasks in a more automated fashion and do their work in shorter and shorter time frames. For more information on Nessus, the reader is encouraged to visit their Web site, http://www.nessus.org.
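As an added example (not from the book and not Nessus code), the following script shows the kind of automation the text recommends: it parses a constructed pipe-delimited report in the spirit of the "easy-to-parse delimited file format" described above, tallies findings by risk level, and flags hosts and recurring issues. The column layout, the intermediate risk levels (Medium, High) and the sample findings are assumptions.

```python
from collections import Counter

# Constructed sample report (not real Nessus output). Column layout is an assumption:
# host|port|plugin_id|risk|description
SAMPLE_REPORT = """\
host|port|plugin_id|risk|description
10.0.0.5|21/tcp|P-001|Low|FTP banner discloses server version
10.0.0.5|443/tcp|P-002|Medium|SSL certificate is self-signed
10.0.0.7|25/tcp|P-003|High|SMTP server relays mail for external domains
10.0.0.7|443/tcp|P-004|Very High|SSL service accepts weak cipher suites
10.0.0.9|21/tcp|P-001|Low|FTP banner discloses server version
"""

# Ordering assumed from the Low..Very High range the text mentions.
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}

def parse_report(text):
    """Parse the delimited report into a list of finding dicts, skipping the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    findings = []
    for line in lines[1:]:
        fields = line.split("|", len(header) - 1)  # description may itself contain '|'
        if len(fields) != len(header):
            raise ValueError(f"malformed line: {line!r}")
        rec = dict(zip(header, fields))
        if rec["risk"] not in RISK_ORDER:
            raise ValueError(f"unknown risk level: {rec['risk']!r}")
        findings.append(rec)
    return findings

def count_by_risk(findings):
    """Number of findings per risk level, keyed from Very High down to Low."""
    counts = Counter(f["risk"] for f in findings)
    levels = sorted(RISK_ORDER, key=RISK_ORDER.get, reverse=True)
    return {lvl: counts.get(lvl, 0) for lvl in levels}

def hosts_at_or_above(findings, threshold):
    """Hosts with at least one finding at the given risk level or worse, sorted."""
    floor = RISK_ORDER[threshold]
    return sorted({f["host"] for f in findings if RISK_ORDER[f["risk"]] >= floor})

def recurring_findings(findings):
    """Plugin ids reported on more than one host (the same weakness across the estate)."""
    hosts_by_plugin = {}
    for f in findings:
        hosts_by_plugin.setdefault(f["plugin_id"], set()).add(f["host"])
    return {pid: sorted(h) for pid, h in hosts_by_plugin.items() if len(h) > 1}

if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(count_by_risk(fs), hosts_at_or_above(fs, "High"), recurring_findings(fs))
```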
7.19 Training Staff for the Business Recovery Process
Managing the training process is crucial to establishing an effective BC program. To accomplish this, the BC team must develop objectives and define the scope of training. They must determine what training needs to be conducted and what materials should be used for the training. A schedule should be prepared for all organizational personnel involved in BC activities, and that schedule should be announced in formal communications to the organizational staff. The BC team should prepare a budget for each training phase, and part of this should include a recurring training program. The following sections will provide more detail about training considerations.
7.19.1 Develop Objectives and Scope of Training
The objectives and scope of the BCP training activities are to be clearly stated within the plan. The BCP should contain a description of the objectives and scope of the training phase. This will enable the training to be consistent and organized in a manner where the results can be measured, and the training fine-tuned, as appropriate. The objectives for the training could be as follows: To train all staff in the particular procedures to be followed during the business recovery process. The scope of the training could be along the following lines: The training is to be carried out in a comprehensive and exhaustive manner, so that staff become familiar with all aspects of the recovery process. The training will cover all aspects of the Business Recovery activities section of the BCP, including IT systems recovery. Consideration should also be given to the development of a comprehensive corporate awareness program for communicating the procedures for the business recovery process.
7.19.2 Training Needs Assessment
The plan must specify which person or group of persons requires which type of training. It is necessary for all new or revised processes to be explained carefully to the staff. For example, it may be necessary to carry out some processes manually if the IT system is down for any length of time. These manual procedures must be fully understood by the persons who are required to carry them out. For larger organizations, it may be practical to carry out the training in a classroom environment; however, for smaller organizations the training may be better handled in a workshop environment. This section of the BCP should identify, for each business process, the type of training required and which persons or group of persons need to be trained.
7.19.3 Training Materials Development
Once the training needs have been identified, it is necessary to specify and develop suitable training materials. This can be a time-consuming task, and unless priorities are given to critical training programs, it could delay the