Understanding what's been accomplished, what worked well, determining what still needs to be done and what still needs fixing is intrinsic to a well-run, proactive security operation.
How do you start thinking about planning for a year? Model the Information Security Protection Matrix and/or the Perpetual Calendar to get started. What worked for your organization? What wasn't relevant? What wasn't listed and should be? [Please drop me a note.] Afraid you'll forget about something? Have a session or working lunch and invite a few key people to brainstorm a workable list; these can be folks on your staff or people from key sections of the enterprise you're protecting.
Going through the list of tips should trigger topic ideas, such as those on budgets, licenses and disaster recovery. For example, October was the beginning of the government's new budget year. Does yours align with the government's fiscal year or the calendar year? Assess what you spent on supplies and equipment-related peripherals -- stock up now, or see what you can trim or get a better deal on. The holidays are beginning, and soon family will be all around us -- who's part of your organization's family? Review all of your Non-Disclosure Agreements, Memorandums of Agreement/Understanding, etc and Service-Level Agreements (SLAs) with providers. Are they still current and favorable to your operating requirements? Software licenses and systems may be due for renewal or inspection, for example, the fire suppression system in your server room(s). Also, it's the end of hurricane season in the south, but winter weather's upon us … are you prepared for power outages, etc?
What's keeping you updated in the security world? Time to review those input channels and see where you can trade time for quality information. What courses do you need to take? Any conferences coming up that your folks should attend? Coordinate coverage for events like these now.
You need to protect your enterprise and practice defense-in-depth by using, at a minimum, all of the tips from this past year. In addition, the following topics are likely to need your attention as they're hot for the coming year:
- 1. Supervisory Control and Data Acquisition (SCADA) systems
- 2. Power over Ethernet (PoE)
- 3. VoIP advances
- 4. Wireless advances
- 5. Forensics
For a refresher, see 52 weeks of security: A security practitioner's guide I've enjoyed bringing you these weekly tips over the past year. I hope I've taken some of the fear and mystery out of running a comprehensive information security protection program. You have the tools to be proactive and in control of your security program. You should feel great about starting the New Year! Good luck and good planning!
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.