Appendix C
activities with the federal government, including vulnerability assessments,
strategic planning efforts, and exercises.
C.2 Security Management Areas of Responsibility
This section covers the basic areas that should be addressed as part of any
security plan for any organization. It does not go into details about how to
configure equipment, develop scripts, and so on; it is strictly a management
perspective of the “coverage areas” that need to be addressed to ensure ade-
quate organizational protections are in place. These areas are generally
implemented by establishing policy. Consider these areas the basic require-
ments; policy is used to implement the requirements, and the security team
is there to enforce the requirements and adjust as needed to ensure currency
with changing business conditions.
When putting together a Site Security Plan, it is important to build a
strategy that satisfies the needs of the organization. To accomplish this, of
course, you must first determine what the organization's needs are by con-
ducting a needs assessment. The results of this assessment will aid in defin-
ing the security program appropriate for your organization. Review the
program with senior staff to ensure you have their buy-in on implementing
the programs, and set up a process to periodically review these programs to
ensure they meet the business needs. The next step is to develop an aware-
ness and training plan: identify the various audiences (or constituencies, as
some prefer to call them) and begin training. Let's discuss this program in a
bit more detail.
C.2.1 Awareness Programs
Successful computer security programs are highly dependent on the effec-
tiveness of an organization's security awareness and training program. If
employees are not informed of applicable organizational policies and proce-
dures, they cannot be expected to properly secure computer resources. The
dissemination and enforcement of the security policy is a critical issue that
can be addressed through local security awareness and training programs.
Employees cannot be expected to follow policies and procedures of which
they are unaware. In addition, enforcing penalties may be difficult if users
can claim ignorance when caught doing something wrong. Training
employees can also show that a standard of due care has been taken in pro-
tecting information. Simply issuing policy without follow-through to
implement that policy is not enough to get the job done. Many organiza-
tions use acknowledgment statements to verify that employees have read