Educause Security Discussion mailing list archives
Re: The role of Information Security in BC
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 3 Sep 2009 12:17:34 -0600
Stephen,

To deconstruct this, I start with the CIA acronym. Business continuity, while relying on confidentiality and integrity considerations, is largely about the A part, availability. An appropriate view of security objectives and security management will absolutely address availability, and that is, I think, the key touchpoint here. As was pointed out already in one response, availability has not only technological considerations, but human resource considerations. So Information Security must be able to contribute to both strategic and tactical discussions regarding availability regarding two primary resources/assets: DATA, and Personnel.

I hope I haven't just stated the obvious here, but unless the security role/plan has exposure in the strategic and tactical business forums, independent of operational management to some degree (from a risk management perspective perhaps), then I think security has not been fully and properly engaged. And the topic is availability.

The statement below "but rather when availability is non-existent" is problematic to me; the objective of security is to ensure an acceptable degree of availability. I'm reading that statement therefore to mean "typical" availability. Security is ensuring adequate availability, even when that implies alternative or less desirable means. The compromise point is on a risk acceptance/tolerance basis. Speaking in part from a previous Internal Audit perspective, but I think it works from more operational viewpoints too.

I guess the role then is to help define availability tolerances for each asset class (I've chosen people and data, perhaps there are more) and tolerable risk when the primary availability mechanisms are unavailable or compromised. There's a degree of risk acceptance that occurs in continuity plans, and that risk acceptance regarding availability should be a clear security concern or touchpoint.

So no real plan to point to here, only what I see as the objective and role area for security regarding availability. Hope this is helpful bounding for parsing your responses and inputs.

Best regards,

Jim Dillon

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen C. Gay
Sent: Thursday, September 03, 2009 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The role of Information Security in BC

I would like to solicit the group's opinion on the following question:

What is the role of Information Security in Business Continuity implementation?

An important point:
- There is no question that InfoSec is a critical player in Incident Response, Disaster Recovery, and Business Continuity Planning (key word "planning"). The question isn't about any of those scenarios, but rather when availability is non-existent, critical infrastructures have been disabled, and life safety is at the forefront...what is the role of Information Security?

While I think the answer will vary from institution to institution, I am very interested in your individual thoughts and plans.

Warm regards,

Stephen C Gay CISSP
ITS Associate Director - Information Security Office
KSU Information Security Officer
sgay () kennesaw edu