In Q4 2010, The FSA announced that the taping of Mobile Phones will no longer be treated as an exemption.   Subsequently, the rules and requirements were published, leaving affected financial institutions no more than 1 year to take ‘reasonable’ steps in implementing a recording strategy for all relevant Mobile Phones. For some businesses, this meant significant changes in both business process and IT infrastructure. Naturally, a substantial amount of resistance was generated; nevertheless the regulatory requirement stands, and is now in force.

So! That being said, it would be great to hear about your involvement in becoming compliant. What challenges did you encounter, and how were they overcome? More importantly, did you meet the deadline?

I worked on implementing Mobile Voice Recording for several large-scale projects in order to meet compliance.  It would be great to hear your story!

Further information can be found at http://www.fsa.gov.uk/pubs/cp/cp10_07.pdf

Employing this model has several benefits; its primary focal points are the following:

• Tool for engineering organizations to evaluate security engineering practices and define improvements to them
• Standards mechanism for customers to evaluate a provider’s security engineering capability
• Basis for security engineering evaluation organization (system certifiers and product evaluators) to establish organization capability-based confidences (as an ingredient to system or project security assurance)”

In addition to this the maturity model addresses Continuity, Repeatability, Efficiency, and Assurance

So what exactly is the SSE-CCM? Well, it’s a process reference model which focuses on the requirements for implementing security across systems in the Information Technology Security Domain.  The SSE-CMM has a relationship to the ISO/IEC TR 15504 standard (particularly ISO/IEC TR 15504-2)

Practices

Within the SSE-CCM there are several Generic Practices, these are considered applicable for to all processes. The generic practices are used in a process appraisal to determine the capability of any process. These practices are grouped according to common feature and capability level.

Capability Level 1 – Performed Informally
Capability Level 2 – Planned and Tracked
Capability Level 3 – Well Defined
Capability Level 4 – Quantitatively Controlled
Capability Level 5 – Continuously Improving

More Information: http://www.sse-cmm.org/docs/ssecmmv3final.pdf

The SABSA Matrix – Enterprise Security Architecture

The SABSA matrix  provides a detailed analysis of each of the six layers (see below). If all of these layers are addressed then you have covered the entire range of questions to be asked and you can have a  high level of assurance that your security architecture is complete.

To be more specific, the SABSA matrix aids us in mapping through the implementation of the Enterprise Security Architecture, focusing on the What, Why, How, Who, Where and When security is implemented on assets through different perspectives, or layers.

Each row should be perceived as a layer which adheres to the processes of different organisational units or departments. According to SABSA, each layer element can be translated as follows

More information on the SABSA methodology can be found here: http://www.sabsa-institute.org

Which Fire Extinguisher?

* Fire Extinguishers should always be within 50 meters of Electric Equipment

Fire Suppression Systems

- Wet Pipe
This is the most commonly used Fire Suppression system. Usually, water will discharge at a predefined temperature. This type of system can have problems with leakage, and pipe freezes

- Dry Pipe
In a dry pipe system, the pipes normally contain either air or nitrogen under pressure. This type of system is less common, and is usually implemented when Wet Pipe systems are subject to freezing conditions.

- Pre Action
Pre-action supression systems are hybrids of wet, dry, and deluge systems, depending on the desired goal. These systems are specialised for use in locations where accidental activation is undesired, such as Museums.

- Deluge System
“Deluge” systems are systems in which all sprinklers connected to the water piping system are open. These systems are typically used when rapid fires are a concern. There are no reset functions with this system, once tripped manual intervention is required to stop the system.

Fire Drill!
It is of huge importance that Fire Drills are performed atleast once a year. This is done for a number of reasons, such as the training of personnel, and the assurance that in a real-life fire, the evacuation of employees will be done so in a efficient and controlled manner.

- Tests and Drill
—– Prepare Personnel
—– Provide a controlled environment
- Evacuation and emergency response plans
—– Need to be developed
—– Put into action
—– Need to be documented
—– Put in easily accessible places
—– People assigned specific tasks
—– Taught and informed how to fulfill those tasks
- Drills should take place at least once a year
- Entire program continually updated and improved
—– Agree upon parameters for drills and tests:
—– Timing and duration of the exercise
—– Who will participate in the execercise
—– Who will receive which assignments
—– What steps should be taken

One De jure standard which sparks particular interest is the DRII Top Ten Professional Practices, which is actually the basis of the NFPA 1600.

The DRII Top Ten Professional Practices is a Business Continuity Management (“BCM”) program, which has been structured/broken down into 10 key areas.  The primary objective of this program, much like any other BC program is to allow the company executives to continue to manage the organization under adverse, or undesirable conditions, by the introduction of appropriate business continuity strategies.

Project Initiation and Management
Where do you begin the task of developing a Business Continuity Plan for your organisation?  Take time in establishing the need for BCP. It is crucial to obtain support from senior management, without this level of support, the Business Continuity Program will most certainly fail.

Risk Evaluation and Control 
Identify the events and environmental surroundings which can adversely affect the organisation, and the appropriate preventative controls required to erradicate, or mitigate the probability of risk.

Business Impact Analysis
BIA is paramount when developing a Business Continuity Plan.  Identify the impacts that result from events which cause disruption to business operation, and formulate techniques to quantify said impacts.  For example, assess “time-sensitivity” for business functions.

Developing Business Continuity Strategies
Define Business Continuity Strategies which fit the needs of the organisation. The recovery strategy is typically driven by the time-frames required by the business functions. Examples of such strategies are, Surviving Site, Dedicated Alternate Sites, and External Suppliers.  

Emergencey Response and Operations (ERO)
Plan, develop, and implement procedures to respond to and stablize the situation following an incident or event. This should include the Emergencey Notification List. (ENL)

Developing and Implementing Business Continuity Plans 
Compile the details gathered from the previous areas, and produce the first draft of the BCP which provides recovery of business functions within the defined Recovery Time Objective (RTO)

Awareness and Training Programs 
To prepare a program to create corporate awareness and enhance the skills required to develop, implement, maintain and execute the BCP.  The more familiar employees are with the Business Continuity Program, the more effective the program will be.

Maintaining and Excercising Business Continuity Plans
Preplan, coordinate, evaluate, test, and excercise the plan, and document the results. Develop processes to maintain the currencey of the plan in accordance with the strategic direction of the organisation.  Document the results in a clear, concise manner. This will potentially save you a significant amount of time.

Public Relations and Crisis Communications 
To develop, co-ordinate, evaluate and exercise plans to handle the media during crisis situations. To develop, co-ordinate, evaluate and exercise plans to communicate with and, as appropriate, provide trauma counselling for employees and their families, key customers, critical suppliers, owners/stockholders and corporate management during crisis. Ensure all stakeholders are kept informed on an as-needed basis. 

Coordination with Public Authorities
Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with local authorities while ensuring compliance with applicable statutes, and regulations.

The C-I-A (Confidentiality, Integrity, and Availability) is a fundamental principle when it comes to effective information security. Organisations which have an active approach towards information security and adhere to the C-I-A concept are in the optimal stance in preventing unwanted influences, attacks, and other malicious activity.

As mentioned, the C-I-A is comprised of three important elements.

Confidentiality:  Refers to the efforts made in ensuring information is not disclosed to those individuals who do not have the need, or write to see it. For example, If a user were to intercept an email between the CIO and CEO of the organisation, confidentiality has been breached.  

Integrity:             The concept of integrity means that data has not been modified by unauthorised users. In business terms, data integrity is the assurance that data is consistent, and is identically maintained throughout any operation, such as transfer, storage, and retrieval.  For example, a MitM (Man in the Middle) attack is executed by intercepting the data, between the intended end-points, modifying the data, and re-sending the data to the destination.

Availability:       this refers to the efforts made to ensure data is always available. These efforts will involve preventative controls to mitigate disruption to service or productivity.  

The way in which the C-I-A is implemented is bespoke and depends entirely upon the organisation and its function. For example, an ISP may invest more in Availability than a financial institute, such as a Bank where their primary concern might be Integrity.

“The goals of information security are to ensure the continued C-I-A of an organisation’s assets. This includes both physical assets (such as buildings, equipment, and of course, people) and information assets (such as company data and information systems) ”     – Official (ISC)2 Guide to the CISSP CBK Second Edition.

Welcome to my personal Blog. My name is David Prince. For the past several years I have been a Systems/Security Engineer with a strong focus on Networking & Telecommunications, Information Security, and Virtualization. 

LinkedIn:   http://www.linkedin.com/pub/david-prince/21/502/104
Twitter:     http://www.twitter.com/DavidPrince88

Throughout the duration of my CISSP studies I will be writing articles and posting relevent thoughts, findings, and experiments regarding the CISSP exam and its vast syllabus (and on some occasions other areas of interest). Although the primary purpose of this blog is to aid my personal studies I welcome feedback.

About the Author