52 weeks of security: A security practitioner's guide

Here you'll find Shelley Bard's outline for a year's worth of security-related activities.

by Shelley Bard, CISSP

Introduction How many activities does the average security manager have to accomplish over the course of a year?...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

A year sounds like a long time, but before you know it, things will snowball if you don't plan for them. A proactive, strategic plan is necessary to help you account for all it takes to effectively run a security practice. Our Perpetual Calendar uses a calendar to plot all of the recurring responsibilities and best practices dictates a security manager should accomplish in a year's time. You will need to determine what frequency for each task is appropriate for your organization, based on your requirements.

The activities of Information Security System Managers (ISSM) can be broken down into the following five categories: functional security; coordination; documentation; configuration management and certification and accreditation; and risk management. Accomplishing all of the tasks associated with these five areas ensures an ISSM is limiting his/her organization's liability, and is accomplishing due diligence in support of the organization as well as any customers associated with the organization.

The Perpetual Calendar is powerful because it:

Illustrates to management security responsibilities over the course of a year
Acts as a checklist
Demonstrates to your staff their appropriate division of responsibilities
Will help determine adequate staffing
Acts as a time management tool, allowing you to project for potential issues

Understand that you will never have enough talent, time, money, people or resources, so you have to target your activities to use the best of these to protect your most critical assets.

Typical security-related activities you need to plan:
Daily activities (use a summary checklist for each month)

Verify all daemons are running

Verify all applications are working

Verify receipt of any push or pull actions

Examine audit logs

Back up the server(s)

Back up database transaction logs

Back up audit files (separate tape)

Weekly activities

Back up the server(s)

Back up the database

Monthly activities

Back up the server(s)

Back up the databases

Archive audit data

Push out virus updates

Check for current/unused accounts

Bimonthly activities

Hold configuration management board meetings

Quarterly activities

Change passwords (alert users)

Back up any master databases

Circulate/post site security training and awareness information

Restore a random backup tape

Quarterly backups

Semi- and/or annual activities

Security training

Practice contingency plan

Alert users to delete unnecessary files

Check standard operating procedures are still current/policy review and update

Risk management review/update

Test uninterruptible power supply (UPS)

Annual backups

As needed

Update site password list

Back up new software installs

Software licensing and key renewal/seat management

Destruction of documents and/or equipment

Halon/fire suppression/water system (physical plant) inspection

In addition to what you know has a reoccurring schedule, what is not on the calendar that you must allow time for?

Daily backups
Daily checklist
Equipment rollouts/upgrades
Vacation/sick leave
Bad weather-related delays
Training -- technical, mandatory corporate compliance, new personnel orientation, new IT people and general (management, leadership, school, other)
Meetings -- regular/ad hoc
Data and/or equipment recovery
Out-of-cycle updates for virus-related events
Incident response
Compliance inspections and/or audits

The weekly series then examines 52 facets of security, emphasizing one each week. Each column will discuss:

What event we'll be looking at more in depth
When/how often the event occurs
Why it's important to security
Implementation strategy
More information

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com.

This was last published in February 2004

Dig Deeper on Information security certifications, training and jobs

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Resources

Dig Deeper on Information security certifications, training and jobs

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.