Similarities between Security & Continuity

Date post: 11-Apr-2017
Upload: bert-hilberink
SIMILARITIES BETWEEN ICT SECURITY & ICT CONTINUITY BERT HILBERINK ([email protected])
Transcript
Page 1: Similarities between Security & Continuity

SIMILARITIES BETWEEN ICT SECURITY & ICT CONTINUITY

BERT HILBERINK ([email protected])

Page 2: Similarities between Security & Continuity

Contents

Similarities = Gap between Theory and Practice

Gap: Causes

Gap: Effects

Gap: Solution Approach

Page 3: Similarities between Security & Continuity

Gap between Theory and Practice (1)

Standards, policies, and guidelines for Security and Continuity in Datacentres, Infrastructure and IT Applications, however necessary and sound, often get watered down in practice to an alarming degree

This is caused by a lack of attention and effort at several levels

The causes and effects are quite similar for Security and Continuity; as is the solution for closing this gap

Page 4: Similarities between Security & Continuity

Gap between Theory and Practice (2)

Distance between Security/Continuity Departments and Innovation/Operations

Human awareness (or plain ignorance)

(Perceived) priority issues —> “Innovation and Operational problems always have precedence”

Budget cuts —> “We don’t have money, people, and time”

Hardware or Software misconfigurations

Failure to stay up2date

Incomplete or incorrect asset administration

Page 5: Similarities between Security & Continuity

Gap: Causes

| DEFICIENCY IN … | SECURITY: CAUSED BY … | CONTINUITY: CAUSED BY … |
| --- | --- | --- |
| DESIGN | Insufficient security built-in | Insufficient redundancy built-in |
| IMPLEMENTATION | Design not properly implemented | Design not properly implemented |
| MAINTENANCE | Insufficient Regular Patch Management. Insufficient Security Patch Management. Insufficient Vulnerability Management | Insufficient Technical Management. Insufficient Application Management. Insufficient Life Cycle Management |
| REDUNDANCY & BACKUPS | (N/A) | Failovers not production like or not up2date. Backups not usable |
| CMDB* | CMDB not complete & correct | CMDB not complete & correct. Redundancy not explicitly mentioned |
| TESTS & EXERCISES | Insufficient Vulnerability Management; if present, only after incidents | Infrequent tests; if present, only low-level. Hardly ever ‘live’ exercises |
| RECOVERY PLANS | Not present; or if present, unusable or not up2date | Not present; or if present, unusable or not up2date |
| 3RD PARTIES | Security chapter in contract missing or substandard. 3rd Party not up to the task | Continuity chapter in contract missing or substandard. 3rd Party not up to the task |
| CALAMITY TEAM | (N/A: security incidents normally tackled by other department) | Insufficient tools and documentation. Insufficient awareness and training |

*: Configuration Management Database

Page 6: Similarities between Security & Continuity

Gap: Effects

[Table: DEFICIENCY IN … / EFFECT … on SECURITY and on CONTINUITY. Rows: DESIGN, IMPLEMENTATION, MAINTENANCE, REDUNDANCY & BACKUPS, CMDB, TESTS & EXERCISES, RECOVERY PLANS, 3RD PARTIES, CALAMITY TEAM. Legend entries: "Hardly any effect", "Large effect".]

Page 7: Similarities between Security & Continuity

Gap: Solution Approach

For Continuity there exists a proven method of closing the gap; see presentation ‘Improvements in ICT Continuity’

For Security this method can easily be adapted

Page 8: Similarities between Security & Continuity

Thanks for your Attention!

