When
Annually.
Why
Understanding what's been accomplished and what worked well, and determining what's still to be done, and what still needs fixing is intrinsic to planning a well-run, proactive security operation for the upcoming year. At this series' beginning I said The Perpetual Calendar is powerful because it:
-
Illustrates to management your security responsibilities over the course of a year;
- Acts as a checklist;
- Demonstrates to your staff their appropriate division of responsibilities;
- Helps determine adequate staffing;
- Acts as a time management tool, allowing you to project for potential issues.
Strategy
After reflecting on everything you accomplished this year, 'tis the season to be thankful. Make sure you thank and recognize your people for all their work throughout the year. While making sure your people are taken care of, don't forget about yourself -- ensure your boss recognizes what you've done as well. You can help make it easier by listing what you've accomplished using the Information Security Protection Matrix.
Physical security
-
Week 31: Physical security -- It is part of information security [confidentiality]
- Week 16: Spring cleaning, part 2 -- Hardware [confidentiality]
- Week 3: Restore a back-up tape and recover usable data [data integrity]
- Week 4: Disaster recovery/business continuity plans, part 2 -- Hardware [availability of service]
- Week 10: Are you throwing out company secrets? part 1 -- Physical records [accountability]
Administrative
-
Week 41: Your PDA/PED policy [confidentiality]
- Week 35: Incident response [confidentiality]
- Week 30: Privacy Impact Assessments [confidentiality]
- Week 19: Configuration Management (CM) [data integrity]
- Week 17: Spring cleaning, part 3 -- Data [data integrity]
- Week 29: Can you go on vacation? [availability of service]
- Week 34: Mid-year status check -- What's going right? [accountability]
- Week 18: Budgets [accountability]
- Week 8: Reviewing your policies and procedures [accountability]
Personnel
-
Week 13: Social engineering --The low-tech side of high-tech [confidentiality]
- Week 6: Your information security education, training and awareness program [data integrity]
- Week 28: New technical manager challenges and pitfalls [availability of service]
- Week 7: Training yourself and your IT staff [accountability]
- Week 27: Credentials -- To be or not to be certified [accountability]
Communication
-
Week 47: Switch security tips [confidentiality]
- Week 46: Router security tips [confidentiality]
- Week 32: Wireless -- Less wires, more issues [confidentiality]
- Week 43: Permissions -- How world-writeable are you? [data integrity]
- Week 26: Contingency planning [availability of service]
- Week 1: The security manager's daily checklist [availability of service]
- Weeks 20-25: The dreaded risk assessment [accountability]
Computer system
-
Week 48: SANS Top 20 [confidentiality]
- Week 45: Firewall security tips [confidentiality]
- Week 33: Pretty Good Privacy --More than pretty good [confidentiality]
- Week 2: Passwords -- Updating, selecting and recording user and administrative passwords [confidentiality]
- Week 44: Permissions, part 2 -- Who owns what when? [confidentiality]
- Week 15: Spring cleaning: Part 1 -- Accounts and space [data integrity]
- Week 14: Malicious code -- When viruses and worms run amok [data integrity]
- Week 11: Are you throwing out company secrets? part 2 -- Data destruction [data integrity]
- Week 42: Protecting Web servers [availability of service]
- Week 36: Ports -- Don't have an 'open house' sign out [availability of service]
- Week 40: Understanding Windows logs [accountability]
- Week 38, 39: Understanding Unix auditing and logs [accountability]
- Week 37: Who's afraid of auditing? [accountability]
- Week 12: Your Web site -- Quality of your copyright, privacy policy and links [accountability]
- Week 9: Banners in support of system monitoring [accountability]
- Week 5: Licensing and seat management [accountability]
This is also a great time to update your job description in preparation for your annual review. Do your duties match your job description, and vice versa? If you had to hire someone just like you, what qualifications and knowledge do they need to bring to the job? For the mid-year status check [Week 34] we talked about everything you had done to this point -- you'll find good annual review verbiage there. Did you get everything on our checklist done? Why or why not? Do you need a larger staff?
More information
See the Perpetual Calendar and the column archive.
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
