CyberSecurity Institute

This article provides tips on what to include in your policy is excerpted from an article on incident management published by their sister publication Information Security magazine.

An effective incident management program must assign responsibilities and specify routine procedures in the event of an incident.

Next, getting down to brass tacks, your computer incident response team (CIRT) policy should specify first responders, responsibility for management of the response to a specific incident, and follow-up and reporting responsibilities.

That’s the mostly-technical first part of a more detailed and comprehensive IMP. Besides the MIS and network technical staff who are first responders, who should be part of the IMP?

At the very least: risk management, corporate legal, corporate security, public relations, human resources and labor relations, the office responsible for regulatory compliance, and all major business units with oversight and advisory responsibility. Further, while initial response in many cases will be technical, IT staff can’t make decisions in a vacuum.

California’s Database Security Breach Notification Act (SB 1386), which went into effect last July, requires companies to inform California customers of incidents involving the compromise of their names in combination with their Social Security, driver’s license or credit card numbers.

More info: [url=http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci945247,00.html]http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci945247,00.html[/url]

Surveys show that any large organisation lose between 3-5% of their laptops every year.

Relaying laptop theft stories in the local pub is almost as common-place as people boasting how much their houses have shot-up in price over the last two years. However, with an increasingly mobile workforce, often using privately bought mobile devices, the board and IT departments have to take greater notice of who is carrying what around with them and take a rain check of the damage that could be caused if this information was lost and broadcast to the outside world.

[i]One[/i] You must have a mobile Use policy or ensure that your corporate IT security policy has specific provision for mobile devices and you update it whenever you adopt new hardware categories such as combined PDA/phones.
[i]Two[/i] Take the responsibility of IT security away from the end-user and centrally manage and deploy it.
[i]Three[/i] Invest in a solution which is usable and flexible.
[i]Four[/i] Have a blanket approach to security by owning every mobile device that leaves your office and make access control and encryption mandatory.
[i]Five[/i] Be realistic with passwords
[i]Six[/i] Become a realist

The outsourcing providers–which included IBM, Accenture, Electronic Data Systems and Hewlett-Packard–are all technically competent, Meta analyst Dean Davison said.

A customer choosing between them should consider factors such as industry-specific knowledge and how their corporate cultures mesh with its own, he suggested.

IBM, Electronic Data Systems, Computer Sciences, Accenture and Science Applications International Corp. all made it into Meta’s category of outsourcing “leader.”

More info: [url=http://zdnet.com.com/2100-1104_2-5141899.html]http://zdnet.com.com/2100-1104_2-5141899.html[/url]