Educause Security Discussion mailing list archives

Re: The role of Information Security in BC


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 3 Sep 2009 12:17:34 -0600

Stephen,

To deconstruct this, I start with the CIA acronym.

Business continuity, while relying on confidentiality and integrity considerations, is largely about the A part, 
availability.  An appropriate view of security objectives and security management will absolutely address availability, 
and that is I think the key touchpoint here.

As was pointed out already in one response, availability has not only technological considerations, but human 
resource considerations.

So Information Security must be able to contribute to both strategic and tactical discussions regarding availability 
regarding two primary resources/assets: DATA, and Personnel.

I hope I haven't just stated the obvious here, but unless the security role/plan has exposure in the strategic and 
tactical business forums, independent of operational management to some degree (from a risk management perspective 
perhaps) then I think security has not been fully and properly engaged.  And the topic is availability.  The statement 
below "but rather when availability is non-existent" is problematic to me; the objective of security is to ensure an 
acceptable degree of availability.  I'm reading that statement therefore to mean "typical" availability.  Security is 
ensuring adequate availability, even when that implies alternative or less desirable means.  The compromise point is on 
a risk acceptance/tolerance basis.

Speaking in part from a previous Internal Audit perspective, but I think it works from more operational viewpoints too.

I guess the role then is to help define availability tolerances for each asset class (I've chosen people and data, 
perhaps there are more) and tolerable risk when the primary availability mechanisms are unavailable or compromised.  
There's a degree of risk acceptance that occurs in continuity plans, and that risk acceptance regarding availability 
should be a clear security concern or touchpoint.  

So no real plan to point to here, only what I see as the objective and role area for security regarding availability.

Hope this is helpful bounding for parsing your responses and inputs.

Best regards,

Jim Dillon  

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen C. Gay
Sent: Thursday, September 03, 2009 6:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The role of Information Security in BC

I would like to solicit the group's opinion on the following question:

What is the role of Information Security in Business Continuity implementation?

An important point:
- There is no question that InfoSec is a critical player in Incident Response, Disaster Recovery, and Business 
Continuity Planning (key word "planning"). The question isn't about any of those scenarios, but rather when 
availability is non-existent, critical infrastructures have been disabled, and life safety is at the forefront...what 
is the role of Information Security?

While I think the answer will vary from institution to institution, I am very interested in your individual thoughts 
and plans.

Warm regards,

Stephen C Gay   CISSP
ITS Associate Director - Information Security Office
KSU Information Security Officer
sgay () kennesaw edu
