Educause Security Discussion mailing list archives

Re: The role of Information Security in BC


From: Les Mitchell <Les.Mitchell () USQ EDU AU>
Date: Fri, 4 Sep 2009 10:14:45 +1000

From: Les Mitchell <Les.Mitchell () usq edu au>
Date: Fri, 4 Sep 2009 08:51:36 +1000
To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] The role of Information Security in BC

Stephen,

Depends on structure of your response team, and the assigned roles and accountabilities but some thoughts based on the 
premise that various information systems will be required for the response team to be able to get on with their role 
effectively:


 *   Information security assist provision of BCDR systems appropriately secure. Would not be nice to have temporary systems needed for response taken offline by an attack while trying to deal with the first
 *   Oversee the secure disposal of physical and digital information of a sensitive or private nature. I.e. Disposal of damaged hardware, paper records should be handled securely
 *   Depending on the incident, information security may be required to make temporary amendments to existing security controls to allow response teams to work effectively. I.e. Network rules, new accounts for temporary staff
 *   Depending on the length of the incident, there may also be a role in ensuring that temporary BCDR are being adequately backed up
 *   There may be a need for increased monitoring of unaffected systems in the event that someone tries to take advantage of the situation to breach secure/sensitive systems.

 If I appreciate your enquiry correctly, these are types of things that come to mind where information security may 
play a role in the implementation of a BC plan.
--
Les Mitchell CISM MIIA(Aust)
Manager (Audit, Compliance & Risk) | Sustainable Business Management & Improvement
University of Southern Queensland
Telephone: +61 7 4631 2483
Email: mitchell () usq edu au


On 3/09/09 10:37 PM, "Stephen C. Gay" <sgay () KENNESAW EDU> wrote:

I would like to solicit the group's opinion on the following question:

What is the role of Information Security in Business Continuity implementation?

An important point:
- There is no question that InfoSec is a critical player in Incident Response, Disaster Recovery, and Business Continuity Planning (key word "planning"). The question isn't about any of those scenarios, but rather when availability is non-existent, critical infrastructures have been disabled, and life safety is at the forefront...what is the role of Information Security?

While I think the answer will vary from institution to institution, I am very interested in your individual thoughts 
and plans.

Warm regards,

Stephen C Gay   CISSP
ITS Associate Director - Information Security Office
KSU Information Security Officer
sgay () kennesaw edu
