Educause Security Discussion
mailing list archives
Re: Business Continuity Plans for an Information Security Office
From: James Moore <jhmiso () RIT EDU>
Date: Wed, 10 Jan 2007 12:56:13 -0500
Brad raises a good issue that is part of the bigger picture of BCP for a
university, at least our university.
We have a lot of small groups. We are more like a city. Sometimes, key
people have no backup. It seems that we live with a lot of aggregate
risk coming from the wide range of functions supported. My guess is
that most of the time, there has been some conscious or unconscious
decision to allow significant impact to segments of business function,
as opposed to moderate impact to general business functions (i.e.
benefits of specialization are high, all specializations will not be
lost simultaneously = most customers happy, most of the time). This of
course means that processes and infrastructure must be analyzed
carefully for single points of failure.
But, musings aside, Brad, thank you for your analysis. I am definitely
From: Brad Judy [mailto:Brad.Judy () COLORADO EDU]
Sent: Wednesday, January 10, 2007 11:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Business Continuity Plans for an Information
I want to toss in a reminder here that while it is important to plan for
possible larger scale events, it is also important to plan for the more
common small scale events. Too often in IT and higher ed (particularly
after Katrina et al), large scale plans are developed and plans for
smaller scale common events are not.
The reality for most IT security offices (and many groups in general) is
that the most likely business continuity scenario is the abrupt loss of
a key staff member (via job departure, illness, lottery winnings, etc).
Most security offices are small groups and the loss of a single staff
member might amount to an immediate 50% loss in capabilities of the
Naturally, security offices are also at least partially reliant on
technology assets, so the loss of assets should be addressed as well.
With some good attention on BCP right now, I'd hate to see focus only on
the large scale events and have folks fail to document procedures or
policy for smaller scale events. I'm putting together a list of basic
common scenarios that I think every IT group on our campus should have a
plan to address in addition to their large scale event plans.
IT Security Office
Information Technology Services
University of Colorado at Boulder
From: James Moore [mailto:jhmiso () RIT EDU]
Sent: Tuesday, January 09, 2007 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Business Continuity Plans for an Information
I admit that my own business continuity plans were on my "to do" list
for longer than I would like. Does anyone have or know of a template
that I can start with for business continuity planning of the
Information Security Office.
The easy thing is to say that we have to do the same things that we
always do, but differently.
Risk Assessment - Only a subset of functionality will come back on line.
Some will have been reviewed for risk, and others not. There will have
to be some dynamic risk assessment.
Communications - The natural thing to do is to relax security in the
different environment so that as much functionality as possible can be
achieved. Users find allies, etc. Communications will need to
integrate with Business Continuity communications, but still will have a
role to guide people to safe business resumption. Communications to
executive leadership is also regular, but concentrates on service
Budgets / Administrative - Need to continue, as resources are available.
Strategic - May be for rebuilding. Or may shift to standards
enforcement for existing standards.
Investigations / Forensics - Needed for when things go wrong, and are
This is a high level. And what I wondered is if anyone had a detailed
business continuity plan for their office/role.
- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)
"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information" - Peter Presidio