Security and Change (pt. 1): Blackouts

My next three columns are about change: how change, whether accidental or intended, can affect security, and how security might impact change.

This first column is about relatively commonplace events, such as power failures, snowstorms, hurricanes, tornadoes, fires, and floods. The second column will look at how to handle intentional changes such as mergers and acquisitions, outsourcing, “right-sizing,” migration to new technologies, and facility relocations. The third column will examine catastrophes, where the degree of change is “off the scale.” We will consider how catastrophe contingency planning must necessarily differ from regular planning.

I first became aware of the negative impact of operational disruptions on security, and vice versa, some twenty-odd years ago. At the time, I was developing and implementing business continuity and disaster recovery plans (collectively, contingency plans) for a mid-sized financial firm. I began to think about how security might be compromised during the confusion that often accompanies an incident. So naturally I wrote an article on the subject, called “Security during Recovery and Repair.”

The article was published in the Information Systems Management Journal (Vol. 7, No. 1, 1990, pages 42-47) and an updated version appeared as chapters in two books, namely, Business Continuity Planning: Protecting Your Organization’s Life and Enterprise Operations Management Handbook.

I note that the vast majority of security procedures are designed for equilibrium or steady-state conditions. These procedures are usually followed reasonably well day-in and day-out and are the ones with which individuals are most familiar, and at which they are most adept. When a disruptive transient event, such as a snowstorm, occurs, one falls back on policies and procedures which, if they exist at all, are seldom if ever exercised and are likely to be out of date, incomplete, and not at one’s fingertips. For minor events, one can sometimes get by with ad hoc procedures, which are created on the spot. However, for more serious events, shooting from the hip won’t do. Hence we see increasing interest by lawmakers and regulators, particularly in the banking and finance, telecommunications and energy sectors, in ensuring that critical components of our economy are resilient and that contingency plans are in place and have been successfully tested at regular intervals.

From my experience, even well-developed contingency plans do not usually pay sufficient attention to security. We need to consider security weaknesses that are exacerbated by contingency situations. We also need to address how the physical and logical security systems and processes themselves might be damaged or prove inadequate in an emergency. A particularly sad example of the latter was the inability of personnel from different emergency services, such as the fire fighters and the police at the scene, to communicate with one another during the 9-11 catastrophe in New York City because of incompatible radio systems.

There are many issues, both in the physical and logical security space, which security professionals should consider and for which they should develop and test contingency procedures. Here are some to consider:

Physical Access

Arrangements with guards need to be set up in advance. During an incident, additional guard services will be needed to protect assets and manage access in damaged facilities, to ensure the safe movement of employees and the secure transportation of critical and sensitive information resources to backup facilities, and to protect assets in, and administer access to, the backup facility.

In other situations, automated physical entry systems and employee notification systems need to be resilient enough to withstand power and system failures. Equivalent systems at backup facilities should be maintained with up-to-date employee, contractor and vendor lists, including those who might have been engaged specifically for their backup and recovery services. Those who really want to be ahead of the curve should maintain a list of contractors and consultants who can help with forensics, recovery plans, and reconstruction efforts.

Logical Access

For backup data centers and business facilities, all individuals must be appropriately authenticated and authorized in any of a number of scenarios, such as access from primary business locations to backup data centers, from backup business locations to primary data centers, from backup to backup, and remote access to various locations.

These are but a few of the many security considerations that must be taken into account when planning and operating contingency plans. You need to consciously address such matters and ensure that there is a security section in each and every contingency plan – including that of the security function.

Now is the time to make sure that security is included in all your contingency plans. Don’t wait for that next incident … by then it will be too late.
