For many members of a business continuity team facing potential security threats, successfully deploying information security tools is assumed to fully correct the risks those tools address. That assumption may leave you and your organization still at risk. The reason you may be more exposed than you realize comes down to what it means to be secure. That understanding gets confused because security is not a binary value, where something is either secure or it is not. Staying secure depends on constant monitoring of the threats to that security. In fact, without active integration and review, an organization’s security level degrades over time, simply because the threats it faces are constantly changing. Conclusion: be careful how much confidence you place in information security tools to solve your security problems over time.
Information security checklists, and the development of those lists, should be treated as an ongoing activity for every organization. All too often organizations do not fully appreciate the importance of keeping the checklist relevant to their own unique requirements. While some components of the list are common to many organizations, its real effectiveness comes from the vital control and monitoring elements that produce the most effective levels of security for that particular organization. A continuous improvement approach that keeps the information security checklist fully relevant and effective must be constantly supported, monitored and measured by management.
Too often people confuse business continuity with disaster recovery. While the differences are well documented by subject-matter experts, the first exposure many companies get to an evaluation of their business continuity capabilities happens when they are asked to complete a business continuity questionnaire. By the end of that process, it becomes evident that a disaster recovery plan is only one component (albeit an important one) of a total business continuity plan.
Information security reporting is a controversial, yet often critical, element of an organization’s security control plan. It is controversial because the information security event being reported is frequently not regarded as important enough to receive full management support and/or funding. In addition, failing to relate the event to the organization in a measurable way diminishes its perceived importance. For example, when evaluating the effectiveness of a spam filter on the organization’s email inboxes, the organization may overlook the additional value that control creates: it also reduces the time employees waste on spam email and thereby increases their productivity.