What's been your message as operations slowly return?
Ozmun: From an information security standpoint, all of our rules are in place. In an emergency, there are things you don't normally do that people start to feel are OK to do in certain circumstances. I really have to ensure that the risk is still verbalized, and make sure my superiors and data managers understand what's going on. I have to vocalize that risk.
With most of the center's development staff evacuated, how do you help restore productivity?
Ozmun: We've got a lot of folks who are geographically dislocated. We have one gentleman who relocated to family in Virginia because his house here is gone. He's a software developer and we're trying to determine ways he could work from up there, either via RAS (remote access server) or VPN. The outcome was to load a system with what he needed, FedEx it up there to him and do a remote connection to our staging servers.
I think in a lot of cases of emergency, oftentimes security can be thought of as optional, but that's the worst time to have that frame of mind. There will always be somebody out there lurking and just waiting for that.
Have you noticed targeted attacks since the disaster?
Ozmun: We've been watching our firewall logs, and there's some script kiddie hammering away at us. I don't know if it's random or they've selectively chosen our site. We don't have classified information, but our information is part of a public trust domain. A lot of our data is used to make determinations. Billions of dollars and where they go and how it's spent is determined by the kind of information we have and how it's presented. We have a public trust that the information is accurate, available and its integrity is kept.
Especially during an emergency, you have to watch for that. A lot of the folks around us tend to get a lot more lax, 'Get the job done, it's a big project.' It's important to have the voice of the information security officer to watch out for folks. In some cases, management is willing to take more of a risk. In that case, a security officer's job doubles; you have to have more log checks and make sure your IDS is up and running, and watch for patterns you don't normally see there.
Is it more of a challenge during a disaster to express risk to management anxious to get operations running?
Ozmun: You have to be a lot more vigilant in that case. If you need to convince them a particular risk is too great, run it through the NIST formulas and bring it to them. Ask them if this is the kind of risk you want to take? Have them talk to insurance companies and get a qualitative value. Sometimes the risk is OK to take in management's eyes. Security officers have to have a flexibility about us as well. If we accept the risk, then kick it into high gear on the IDS side of the house, for example. Stay alert amidst all of that chaos going on.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.
This was first published in November 2005