Organizational and Operational Security
This chapter focuses on organizational and operational security. Organizational and operational security is mostly concerned with people, processes, and procedures. The people within your organization can represent the biggest threat. These threats could be intentional or unintentional. One can use technology to enforce the processes and procedures, but a lot of it has to do with user education and training. One needs to ensure that employees know what to do in certain situations. Whether there's some sort of security incident or a natural disaster, all employees need to understand their roles and responsibilities and the procedures they need to follow. Having a plan provides structure and helps prevent confusion and mistakes. Formalized policies and procedures are crucial in ensuring that employees understand and follow the security guidelines. An end user education program helps to drive home the key themes and message of the security policy. After all, what good are policies and procedures if no one knows about them? No matter how hard one plans, there will be security-related incidents. They could be big or small. But one must have a plan for dealing with them. If one doesn't have a plan, a relatively small incident could have a huge impact on the organization. Once the plan is developed, one should make sure to test it. A plan that doesn't work is just as bad as not having a plan at all.