Educause Security Discussion mailing list archives

Re: Business Continuity Plans for an Information Security Office


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Tue, 9 Jan 2007 17:59:32 -0700

I would bring to your attention a draft of a "Business Continuity
Planning Model" available at www.CampusRelief.org.  More resources on
this topic are also available at
http://www.educause.edu/Browse/645?PARENT_ID=142 . We are in the process
of adding more resources to this website so any further sharing of
information in response to Jim's request would be most welcome.
 
Finally, just a reminder that a new list on Business Continuity has been
set up (http://www.educause.edu/12480) with over 300 subscribers in just
a few weeks so it is likely to be a good source of information.
 
Thanks,
 
-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C.  20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force
http://www.educause.edu/security
-------------------------------------------------- 

 

________________________________

From: James Moore [mailto:jhmiso () RIT EDU] 
Sent: Tuesday, January 09, 2007 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Business Continuity Plans for an Information
Security Office



I admit that my own business continuity plans were on my "to do" list
for longer than I would like. Does anyone have or know of a template
that I can start with for business continuity planning of the
Information Security Office?

 

The easy thing is to say that we have to do the same things that we
always do, but differently.

 

Risk Assessment - Only a subset of functionality will come back on line.
Some will have been reviewed for risk, and others not.  There will have
to be some dynamic risk assessment.

 

Communications - The natural thing to do is to relax security in the
different environment so that as much functionality as possible can be
achieved.  Users find allies, etc.  Communications will need to
integrate with Business Continuity communications, but still will have a
role to guide people to safe business resumption.  Communications to
executive leadership is also regular, but concentrates on service
restoration.

 

Budgets / Administrative - Need to continue, as resources are available.

 

Strategic - May be for rebuilding.  Or may shift to standards
enforcement for existing standards.

 

Investigations / Forensics - Needed for when things go wrong, and are
noticed.

 

This is a high level.  And what I wondered is if anyone had a detailed
business continuity plan for their office/role.

 

Thanks

 

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio




 

