State of Alaska DRAFT Security Policies

Preparedness Category

Policy ID No.: 74.0
Policy: Organization and Maintenance of Computer Emergency Response Team

Policy Text: The State must organize and maintain a computer emergency response team (CERT) that will provide accelerated problem notification, damage control, and problem correction services in the event of computer-related emergencies such as virus infestations, hacker break-ins, and the like.

Policy Commentary: The classic CERT that has been the model for many in-house CERTs can be found at Carnegie Mellon University, in Pittsburgh, Pennsylvania, USA; their e-mail address is cert@cert.org. The Carnegie Mellon CERT assists users of the Internet network, while other CERTs coordinate investigations and problem eradication efforts on an international basis. By formally defining an in-house CERT, an organization becomes better prepared to deal with security-related contingencies. Use of an in-house CERT also reduces the probability that problems will become public knowledge. The intention of this policy is thus to require that Data Processing or related technical management set up and support a CERT. Also see the policies entitled "Internal Reporting of Information Security Violations & Problems," and "Information Security Alert System."

Policy ID No.: 76.0
Policy: Information Security Alert System

Policy Text: The Agency Computer Security Officer must establish, maintain, and periodically test a communications system, a method to allow workers to promptly notify appropriate staff about suspected information security problems. These problems include computer virus infestations, hacker break-ins, improper disclosure of internal information to outsiders, system service interruptions, and other events with serious information security implications.

Policy Commentary: The intention of this policy is to make sure that management establishes and supports an appropriate communications system for the prompt notification of information security staff. This is different from an organizational structure for the prompt mobilization of information security staff, for example a Computer Emergency Response Team (CERT). Without such a communications system, all too often attacks are ignored, thus allowing attackers to continue to try other methods. Similarly, unless such problems are promptly communicated, there is a serious danger that total losses will be much greater than they need to be. This can be clearly seen with virus infestations on a computer network, where each minute of delay means further business interruptions and additional data destruction. In many organizations, the notification process will involve pagers, telephone number calling trees, and other methods. Also see the policies entitled "Organization and Maintenance of Computer Emergency Response Team," and "Required Reporting of Information Security Incidents."

Policy ID No.: 77.0
Policy: Update & Test Information Systems Contingency Plans

Policy Text: For computer and communications systems, management must prepare, periodically update, and regularly test contingency plans. These plans must provide for the continued operation of critical systems in the event of an interruption or degradation of service.

Policy Commentary: In this context, the words "contingency plans" apply to both emergencies and disasters. In the course of preparing contingency plans, organizations should go through what is called a business impact analysis, which examines the effects of various loss scenarios. For example, if a bomb were to go off in a computer center, what would the impact be? Only when the impacts are determined and ranked by priority can contingency planning resources be allocated efficiently and a logical contingency plan be prepared. This policy is intended to mandate the regular update and testing of contingency plans. The information systems field moves so fast that updates are required at the very least annually, and very often more frequently. Of course, other types of contingency plans will also be needed. For example, if a bomb goes off in an organization's headquarters building, then personnel will need another set of offices if the organization's work is going to continue. This backup office space would generally be covered in a facilities contingency plan. Also see the policy entitled "Annual Information Security Planning Process Required."