Security Objectives - Benefit: the company sets realistic objectives, based on the asset risk assessment, within the estimated budget
Now that we have the data from the security/compliance audit and an approximate security budget from the asset risk impact assessment, we are in a strong position to set our security objectives realistically, based on our security context and budget. Once the list of objectives is set, we also need to decide whether we need a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).
A BCP involves assessing risks and creating the policies and procedures that minimize the impact of those risks on the organization if they are realized. A DRP outlines the steps the organization executes to resume normal operation after a disaster strikes.
A BCP needs to be implemented to minimize the impact of losing the assets (which include personnel) identified in the asset impact assessment. Not all assets will need a BCP. It is for the company to question the criticality of each asset, whether it matters, and decide if it really needs a BCP. By being selective about which assets need a BCP, significant cost reduction can be achieved. Moreover, having too many items in the BCP results in scattered, wasteful effort.
The next big question is whether the company needs a DRP. This is where most companies go wrong by overspending. The answer depends on the company's context. The key figure here is the "mean tolerable downtime". If a company can stay down for a month without significant impact, why spend money on a dedicated hot backup site? A prudent approach would be a reliable backup strategy for existing data and a plan to recover that data onto duplicate servers within the specified time frame. There is no rule that every company needs a DRP. If a company is nimble enough, it can always relocate to an area less prone to disasters if the cost of a DRP is too high. Also, by staying focused on critical assets, a company can realize significant cost savings in its DRP.
Thought #4 - Can a DRP be considered part of the BCP?