228 7.14 Perimeter Audits
trolled test environment than a production environment where every minute of downtime can cost thousands, if not hundreds of thousands, of dollars to the organization.
7.13.5 Segregation of Duties
In most corporate environments today, the infrastructure is so complex and difficult to maintain that it would be a huge risk for one individual to have access to all components of that infrastructure. It is important to segregate incompatible duties and establish related policies to properly protect the organization. For example, you would not give the person responsible for building maintenance the keys to the IT server room. His or her duties would be considered incompatible. Similarly, your firewall team has no need to know what the systems-level password is for all applications and database servers. Once again, incompatible duties should drive the decision-making process to segregate those duties. Establish access controls to enforce segregation of duties. Do not make it easy for systems administrators or network administrators to share device passwords. Establish controls that maintain the integrity of the segregation policies. Control your personnel activities by establishing formal operating procedures, maintaining good supervision, and conducting frequent, recurring reviews.
7.13.6 Service Continuity
To keep an operation running in today’s 24/7 business environment, it is important for a security manager to assess the criticality of computerized operations and identify supporting resources. Take steps to prevent and minimize potential damage and interruption by working to develop and document a comprehensive contingency plan, and periodically testing and adjusting it as appropriate. Having proper contingency plans in place can often save an organization from sure disaster, because personnel are able to make the right responses at the right times. In a crisis situation, there is little chance of recovery if no one knows what to do.
7.14 Perimeter Audits
As networks have become mission-essential to the business needs of an entity, the network becomes a critical resource that must be protected, both from activities at the perimeter and within: from unwanted intrusions, runaway applications, eavesdropping operations, network protocol architectures that lack security provisions, and many other potential security