Response | Policy

• Define security policy as part of risk management

  • Organization managers responsible for policy
  • Includes disaster recovery
  • Plan, in advance, how to respond to successful InfoSec attacks
    • Define the team who will respond to security incidents
    • Desired: Decide, in advance, to commit necessary resources and endurance to prosecute intruders

• Separation of duties

  • Don’t put ultimate trust in anyone... not even system administrators
  • Separate duties so that no single person can maliciously compromise the system undetected
    • Probability of detection increases with the number of people involved
    • Mandatory vacations