Availability archives - IT Governance, Risk, and Compliance

IT Governance, Risk, and Compliance:

Availability

Oct 19 2009   7:12PM GMT

Service Restoration Planning - Part IV



Posted by: Robert E. Davis
Availability, Crisis, Disaster, Disruption, Emergency, Backup Plan, Business Continuity Plan, Disaster Recovery Plan, Service Restoration Plan, BCP, DRP, SRP

Because information systems are critical to productivity, deployed IT must remain available and responsive enough to meet user demand even during a crisis. How quickly and systematically an entity can restore efficiency, effectiveness, availability and compliance depends on both its exposure to disruption and the operational resilience of its IT. Neither the business nor IT operates in a static environment: environmental changes alter system activity, and those changes require timely response and restoration if service delivery is to remain continuous.

Whenever a natural or man-made disaster strikes, recovering data is usually management's top priority. Given how heavily transaction processing now depends on technology, most entities immediately lose the capacity to meet their operational efficiency goals if IT is not restored promptly. How quickly an entity resumes business processing after a disaster normally depends on well-documented and tested emergency plans, and on how fast a disaster recovery site can receive backup media and restore user services.

View Part I of the Service Restoration Planning series here

Oct 15 2009   6:32PM GMT

Service Restoration Planning - Part III



Posted by: Robert E. Davis
Availability, Crisis, Disaster, Disruption, Emergency, Backup Plan, Business Continuity Plan, Disaster Recovery Plan, Service Restoration Plan, BCP, DRP, SRP

Cost-effective strategies should be designed to prevent, detect and/or mitigate the impact of potential crises. Reducing system vulnerability typically means identifying, then remediating, single points of failure in the configuration as well as combinations of components whose joint failure would interrupt service. The resources that can contribute to remediation should be identified as continuity enablers and documented in a plan that demonstrates commitment to continuity: essential personnel (with their roles and responsibilities), information, applications and infrastructure.
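Delineating single and combined failure points is mechanical once the service's component dependencies are written down. The following is an added example, not part of the original post: it models a constructed topology (the component names, the redundancy and the "service is up while clients can reach the data store" rule are all assumptions) and enumerates every component, and every pair of components, whose failure would interrupt the service, reporting only minimal sets so a pair that merely contains an already-known single point of failure is not listed again.

```python
"""Find single and combined configuration failure points in a service
dependency graph. Added example; the topology below is constructed, not
drawn from the original post or any real environment."""
from collections import deque
from itertools import combinations

# Constructed topology: the service is available while some path of live
# components connects the CLIENTS terminal to the DATA terminal.
# Terminals are not failable components; everything else is.
CLIENTS, DATA = "clients", "data"
EDGES = [
    (CLIENTS, "isp-a"), (CLIENTS, "isp-b"),
    ("isp-a", "fw-a"), ("isp-b", "fw-b"),
    ("fw-a", "lb"), ("fw-b", "lb"),                 # one load balancer
    ("lb", "web-1"), ("lb", "web-2"),
    ("web-1", "app-1"), ("web-2", "app-2"),
    ("app-1", "db-primary"), ("app-1", "db-standby"),
    ("app-2", "db-primary"), ("app-2", "db-standby"),
    ("db-primary", "san"), ("db-standby", "san"),   # shared storage
    ("san", DATA),
]


def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def service_available(adj, failed, src=CLIENTS, dst=DATA):
    """Breadth-first search from src to dst that never enters a failed component."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def failure_points(edges, max_size=2):
    """Return minimal sets of components whose joint failure breaks the service,
    keyed by set size (size 1 = single points of failure)."""
    adj = build_adjacency(edges)
    components = sorted(n for n in adj if n not in (CLIENTS, DATA))
    minimal = []
    by_size = {}
    for k in range(1, max_size + 1):
        found = []
        for combo in combinations(components, k):
            fs = frozenset(combo)
            # A superset of a smaller failing set adds no information.
            if any(m <= fs for m in minimal):
                continue
            if not service_available(adj, fs):
                found.append(fs)
        minimal.extend(found)
        by_size[k] = found
    return by_size


if __name__ == "__main__":
    result = failure_points(EDGES)
    print("single points of failure:", sorted(sorted(s) for s in result[1]))
    print("minimal failing pairs:")
    for pair in result[2]:
        print("  ", sorted(pair))
```

On the constructed topology the load balancer and the shared storage array come out as single points of failure, and the nine minimal pairs are the redundant halves of each tier (for instance one ISP link together with the firewall on the other link). Raising `max_size` enumerates larger combinations at combinatorial cost, which is usually acceptable for a single service's configuration items.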

Disaster recovery systems and resources should be perpetually monitored as part of the entity's operational plans. Monitoring the designated disaster recovery systems also provides accountability for the configuration items crucial to reinstating business processes. Resources supporting the systems that mitigate emergencies should likewise be monitored, to ensure they are available and perform as expected when an incident or event activates them.

View Part I of the Service Restoration Planning series here


Oct 5 2009   7:45PM GMT

Hardware Protection… Dust, Temperature, and Humidity - Oh My! – Part V



Posted by: Robert E. Davis
Availability, Boards, Cards, Care, Delivery, Humidity, Monitoring, Safeguarding, Temperature, Air Flow, Due Diligence, Media Errors, Central Processing Unit, Install-and-Forget, Plug-and-Play, CPU

Falling computer hardware replacement costs have not eliminated the need for adequate environmental protection. To avoid humidity damage, information security managers should verify that humidity and temperature are kept within the operating range specified in the supplier documentation for the deployed IT. Periodically, an information security professional should inspect for obvious external influences such as placement close to air conditioners, elevator shafts, industrial equipment or other sources of atmospheric variation. If a high level of reliability is required, optimal conditions should be maintained: keeping equipment within the optimum climate range protects it from the corrosion associated with high humidity and from the static-discharge failures that occur when humidity is too low.

View Part I of the Hardware Protection… Dust, Temperature, and Humidity - Oh My! series here


Oct 1 2009   11:22PM GMT

Hardware Protection… Dust, Temperature, and Humidity - Oh My! – Part IV



Posted by: Robert E. Davis
Availability, Boards, Cards, Care, Delivery, Humidity, Monitoring, Safeguarding, Temperature, Air Flow, Due Diligence, Media Errors, Central Processing Unit, Install-and-Forget, Plug-and-Play, CPU

IT can, and does, operate within a wide humidity range. Seasonal humidity changes are usually easier to control than hourly fluctuations. In either case the primary environmental concern is normally preventing humidity changes that result in condensation. Analysis of historical psychrometer readings can be instrumental in identifying seasonal changes or outside influences. Technically, a psychrometer is a hygrometer consisting of two thermometers, one with a wet bulb and one with a dry bulb. Evaporation cools the wet bulb so that it registers a lower temperature than the dry bulb; the difference between the two readings (the wet-bulb depression) is a measure of atmospheric dryness, from which relative humidity and dew point can be derived.

View Part I of the Hardware Protection… Dust, Temperature, and Humidity - Oh My! series here


Sep 28 2009   6:11PM GMT

Hardware Protection… Dust, Temperature, and Humidity - Oh My! – Part III



Posted by: Robert E. Davis
Availability, Boards, Cards, Care, Delivery, Humidity, Monitoring, Safeguarding, Temperature, Air Flow, Due Diligence, Media Errors, Central Processing Unit, Install-and-Forget, Plug-and-Play, CPU

When relative humidity is high, the air is close to its dew point and moisture condenses on any surface colder than that dew point. Absorbed moisture can warp hardware configuration cards. In addition, without adequate insulation, any condition that deposits moisture on equipment will eventually degrade hardware functionality. Maintaining optimal temperature and humidity makes it possible to plan responses to hardware configuration item failures that minimize user impact.

View Part I of the Hardware Protection… Dust, Temperature, and Humidity - Oh My! series here


Sep 24 2009   7:03PM GMT

Hardware Protection… Dust, Temperature, and Humidity - Oh My! – Part II



Posted by: Robert E. Davis
Availability, Boards, Care, Delivery, Monitoring, Due Diligence, Install-and-Forget, Plug-and-Play, Humidity, Safeguarding, Temperature, Air Flow, Media Errors, Central Processing Unit, CPU

Climatically, planning optimum environmental conditions for information assets is a managerial safeguarding responsibility. Heat production, airflow and humidity should be considered during IT site preparation as well as for operational sustainability. Equipment consuming electrical energy releases it as heat, which can substantially raise ambient temperature. Air movement must be provided, or temperature and humidity will normally climb within an unregulated confined space. Holding ambient temperature at the manufacturer's recommended level generally indicates that cool airflow is adequate to minimize IT availability risk.

Low humidity generates static electricity, causing shocks, electrical malfunctions, paper jams and recording media errors. In too dry a climate, dust also accumulates on system boards; the first components typically affected are the central processing unit modules, potentially causing reliability problems that translate into IT availability issues.
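Parts II through V of this series make three checkable claims: readings should stay within the supplier's operating range, high humidity threatens corrosion and condensation, and low humidity threatens static discharge. The block below is an added example, not code from the original posts: it turns a pair of psychrometer readings (dry bulb and wet bulb, as described in Part IV) into relative humidity and dew point using the Magnus saturation-pressure formula and the standard psychrometric equation, then evaluates them against an operating envelope. The envelope values, the 30% static-risk threshold, the station pressure and the sample readings are all assumptions chosen for illustration; a practitioner would substitute the range from the supplier documentation.

```python
"""Psychrometric check for an equipment room: derive relative humidity and
dew point from wet- and dry-bulb readings, then test them against an
operating envelope and flag condensation and static-discharge risk.
Added example; the thresholds and readings are assumptions, not values
from the original posts or any vendor document."""
import math

PRESSURE_HPA = 1013.25         # assumed station pressure (sea level)
PSYCHROMETER_COEFF = 0.000662  # per degC, ventilated psychrometer coefficient

# Assumed envelope; replace with the supplier's documented operating range.
ENVELOPE = {
    "dry_bulb_min_c": 18.0, "dry_bulb_max_c": 27.0,
    "dew_point_min_c": 5.5, "dew_point_max_c": 15.0,
    "rh_max_pct": 60.0,
}
STATIC_RISK_RH_PCT = 30.0      # assumed: below this, static discharge risk rises


def saturation_vapor_pressure(temp_c):
    """Magnus formula over water, result in hPa."""
    return 6.112 * math.exp(17.62 * temp_c / (243.12 + temp_c))


def vapor_pressure(dry_bulb_c, wet_bulb_c, pressure_hpa=PRESSURE_HPA):
    """Actual vapour pressure from the wet-bulb depression (psychrometric equation)."""
    depression = dry_bulb_c - wet_bulb_c
    return saturation_vapor_pressure(wet_bulb_c) - PSYCHROMETER_COEFF * pressure_hpa * depression


def relative_humidity(dry_bulb_c, wet_bulb_c):
    return 100.0 * vapor_pressure(dry_bulb_c, wet_bulb_c) / saturation_vapor_pressure(dry_bulb_c)


def dew_point(dry_bulb_c, wet_bulb_c):
    """Invert the Magnus formula: the temperature at which the actual vapour
    pressure would be saturating."""
    gamma = math.log(vapor_pressure(dry_bulb_c, wet_bulb_c) / 6.112)
    return 243.12 * gamma / (17.62 - gamma)


def assess(dry_bulb_c, wet_bulb_c, coldest_surface_c, env=ENVELOPE):
    """Evaluate one reading pair. coldest_surface_c is the temperature of the
    coldest exposed surface in the room (supply-air grille, chilled-water pipe,
    equipment skin); condensation forms there once it reaches the dew point."""
    rh = relative_humidity(dry_bulb_c, wet_bulb_c)
    td = dew_point(dry_bulb_c, wet_bulb_c)
    findings = []
    if not env["dry_bulb_min_c"] <= dry_bulb_c <= env["dry_bulb_max_c"]:
        findings.append("dry-bulb temperature outside operating range")
    if not env["dew_point_min_c"] <= td <= env["dew_point_max_c"]:
        findings.append("dew point outside operating range")
    if rh > env["rh_max_pct"]:
        findings.append("relative humidity above maximum (corrosion risk)")
    if rh < STATIC_RISK_RH_PCT:
        findings.append("relative humidity low (static discharge risk)")
    if coldest_surface_c <= td:
        findings.append("coldest surface at or below dew point (condensation)")
    return {"rh_pct": round(rh, 1), "dew_point_c": round(td, 1), "findings": findings}


# Constructed sample readings: (dry bulb, wet bulb, coldest surface) in degC
SAMPLES = [
    (24.0, 17.0, 16.0),  # normal room: no findings expected
    (22.0, 20.5, 14.0),  # humid: dew point rises above the chilled pipe temperature
    (26.0, 14.0, 18.0),  # very dry: static risk, dew point below envelope
]

if __name__ == "__main__":
    for dry, wet, cold in SAMPLES:
        print((dry, wet, cold), assess(dry, wet, cold))
```

The second sample is the case Part IV calls the primary concern: the room temperature is acceptable on its own, yet the dew point (about 20 degC) is above the temperature of the coldest surface, so water will form on it. The third sample shows the opposite failure mode from Part II, a dry room where static discharge becomes the dominant risk even though nothing is overheating.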

View Part I of the Hardware Protection… Dust, Temperature, and Humidity - Oh My! series here


Sep 21 2009   6:24PM GMT

Hardware Protection… Dust, Temperature, and Humidity - Oh My! – Part I



Posted by: Robert E. Davis
Availability, Boards, Care, Delivery, Monitoring, Due Diligence, Install-and-Forget, Plug-and-Play

‘Plug-and-Play’ devices should never be regarded as ‘Install-and-Forget’ hardware. Although computer operations personnel are normally responsible for implementing IT hardware, monitoring the adequacy of its environment falls within the realm of information security due diligence. In particular, accurate and comprehensive monitoring of environmental support equipment and installation conditions is critical for reliable processing in areas housing complex and sensitive hardware configurations.


Mar 16 2009   7:01PM GMT

Physical Token Protection - Part IV



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

Regarding the provisioning of physical authentication media, an entity's access control process should clearly define how encoded identification is delivered to users, within the context of promoting adequate confidentiality, integrity and availability. Specifically, the tokenized authentication attributes should be dispensed to users through a delivery channel different from the one used for the physical item. When physical items are tokenized before individual assignment or use, security management should ensure the identification mechanism remains dormant and protected until the token reaches its intended owner, who alone holds activation and usage rights.
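The separate-channel and dormant-until-activated requirements can be enforced in the issuing system rather than left to procedure. The following is an added example, not the original post's process or any product's implementation: a token registry that seeds a one-time-password token at issue time but refuses to verify codes from it until the owner presents an activation code that travelled by a different channel from the device. The OTP algorithm is HOTP as specified in RFC 4226; the registry, its state names, the activation-code format and the two "channel" return values are assumptions for illustration.

```python
"""Token provisioning with out-of-band activation. Added example; the HOTP
algorithm is RFC 4226, but the registry, its states and the 'channels' are
assumptions for illustration, not the original post's process or any product."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRegistry:
    """Tokens are seeded at issue time but stay DORMANT until the owner presents
    an activation code that travelled separately from the device."""

    def __init__(self):
        self._tokens = {}

    def issue(self, serial: str, owner: str):
        """Generate the device seed (ships with the physical token) and an
        activation code (sent to the owner by another channel). They are
        returned separately to make the channel split explicit."""
        seed = secrets.token_bytes(20)
        activation_code = secrets.token_hex(8)
        self._tokens[serial] = {
            "owner": owner, "seed": seed, "counter": 0, "state": "DORMANT",
            "activation_code": activation_code,
        }
        device_channel = {"serial": serial, "seed": seed}             # e.g. courier
        owner_channel = {"serial": serial, "code": activation_code}   # e.g. in person
        return device_channel, owner_channel

    def activate(self, serial: str, owner: str, code: str) -> bool:
        rec = self._tokens.get(serial)
        if rec is None or rec["state"] != "DORMANT" or rec["owner"] != owner:
            return False
        if not hmac.compare_digest(rec["activation_code"], code):
            return False
        rec["state"] = "ACTIVE"
        rec["activation_code"] = None   # single use
        return True

    def verify(self, serial: str, otp: str, look_ahead: int = 3) -> bool:
        """Accept an OTP only from an ACTIVE token; resynchronise within look_ahead
        and never accept a counter value at or below the last one used."""
        rec = self._tokens.get(serial)
        if rec is None or rec["state"] != "ACTIVE":
            return False
        for c in range(rec["counter"], rec["counter"] + look_ahead + 1):
            if hmac.compare_digest(hotp(rec["seed"], c), otp):
                rec["counter"] = c + 1
                return True
        return False


def intercepted_token_is_useless() -> bool:
    """Scenario: the physical token, seed included, is intercepted in transit.
    Without the separately delivered activation code it neither authenticates
    nor activates."""
    reg = TokenRegistry()
    device, _owner_msg = reg.issue("SN-0001", "alice")
    otp = hotp(device["seed"], 0)
    return (not reg.verify("SN-0001", otp)
            and not reg.activate("SN-0001", "alice", "0000000000000000"))


def legitimate_flow() -> bool:
    """Owner receives both artefacts, activates, authenticates once; a replay fails."""
    reg = TokenRegistry()
    device, owner_msg = reg.issue("SN-0002", "bob")
    activated = reg.activate("SN-0002", "bob", owner_msg["code"])
    first = reg.verify("SN-0002", hotp(device["seed"], 0))
    replay = reg.verify("SN-0002", hotp(device["seed"], 0))
    return activated and first and not replay


if __name__ == "__main__":
    print("intercepted token useless:", intercepted_token_is_useless())
    print("legitimate flow works:", legitimate_flow())
```

The point of returning the device and owner artefacts as two separate values is that whoever holds only the first (the courier, or someone who intercepts the shipment) holds a seed that the registry will not honour; the second value must reach the named owner before any authentication is possible.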

As suggested in COBIT Security Baseline: An Information Security Survival Kit, depending on the country, state or industry, information asset usage is subject to various laws and regulations. These must be known and obeyed to enable appropriate IT security. Domains covered by such rules include privacy, information retention, minimum system protection requirements and attestation requirements. Consequently, physical tokenized access items should receive the same protection consideration as other entity information assets.

View Part I of the Physical Token Protection series here


Mar 12 2009   6:41PM GMT

Physical Token Protection - Part III



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

As a corollary requirement, when considering physical tokens, functionality is directly related to capabilities. Consequently, a physical token's appropriateness should be evaluated against the set of attributes applicable to the existing activities and their specific properties. In other words, determining physical token functionality means ensuring the hardware and/or software products used to access objects meet their intended purpose throughout their life cycle. Adequate physical token functions are those that satisfy the stated or implied criteria of users and management. These value drivers emanate from the business and governance domains: the former typically focuses on functionality and delivery velocity, while the latter tends to emphasize cost-efficiency, return on investment and compliance.

View Part I of the Physical Token Protection series here


Mar 9 2009   6:56PM GMT

Physical Token Protection - Part II



Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Token, Usability, CIA, ISM, SLA

Information asset usability implies availability to perform requested services, as well as transparency. Determining physical token usability requires assessing the services relevant to the access process and delivering them to users securely in a timely, correct and consistent manner. Whether access control is outsourced to a third party or maintained internally, the time frame for processing each user security administration operation should be defined and agreed by the entity's representatives through a service level agreement (SLA) aligned with the corresponding service objectives and goals. For example, if timely user provisioning is established as a goal, user resets for critical applications should be completed within the SLA-specified period. Where an SLA does not stipulate a response time, management should adopt a best practice standard and use it to monitor performance.

View Part I of the Physical Token Protection series here