The emergence of web-based commerce has

accelerated the expansion of a worldwide
network capable of transmitting information
reliably and securely across vast distances.
Unfortunately, some components of a firms
infrastructure are not inherently reliable. The
reliability of processing systems depends on how
they are designed and managed.

Businesses need policies that determine how to

integrate redundant elements into a companys
overall infrastructure: how backup systems and
equipment will be brough online, how problems
will be diagnosed and triaged, and who will be
responsible for responding to incidents.
Making the wrong decision in designing or
maintaining infrastructure or in responding to
incidents can severely harm a business.

In modern context, a 98 percent availability rating

for a system usually means that its probability of
being up and running at any given time is 98
percent period.
Moreover, for real-time infrastructure, 98 percent
is not nearly good enough.
In fact, the availability of todays IT infrastructure
is often expressed in terms of a number of nines
(99.999) percent.

1.
2.
3.
4.
5.
6.

Uninterruptible electric power delivery

Physical security
Climate control and fire suppression
Network connectivity
Help desk and incident response procedures
N+1 and N+N redundancy

Classification of threats
1. External atttacks
2. Intrusion
3. Viruses and Worms

Defensive measures
1. Security Policies
2. Firewalls
3. Authentication
4. Encryption
5. Intrusion detection and network monitoring

1.
2.
3.
4.
5.

Make deliberate security decision

Consider security a moving target
Practice disciplined change management
Educate users
Deploy multilevel technical measures, as many
as you can afford

Managing incidents before they accur

1. Sound infrastructure design
2. Disciplined execution of operating procedures
3. Careful documentation
4. Established crisis management procedures
5. Rehearsing incident response

Managing during an incident

1. Emotional responses, including confusion, denial,

fear and panic

2. Wishful thinking and groupthink
3. Political maneuvering, diving for cover and ducking
responsibility
4. Leaping ti conclusions and blindness to evidence that
contradicts current beliefs

Managing after an incident

1. Rebuild parts of the infrastructure
2. Sometimes erasing and rebuilding everything from

scratch is the only way to be sure the infrastructure is

restored to its preincident state
3. It is essential to communicate the seriousness with
which a company protects the information entrusted
to it

How available do our systems need to be? Are our

infrastructure investments in availability aligned with
requirements?
2. Are we taking security threats seriously enough? How
secure is our current infrastructure? How do we assess
information security on an ongoing basis? Have IT staff
members received adequate training? How do we
compare with information security best-in-class
organizations?
1.

3.

Do we have plans for responding to infrastructure

incidents? Do we practice them on a regular basis? Are
staff members trained in incident response? What are
our plans and policies for communicating information
about incidents to external parties such as customers,
partners, the press and the public?