Bob's Blogs

Utter CERTainty

Does your organization have a CERT (Computer Emergency Response Team) or anything similar?

Have you ever discovered a problem, incident or other issue that isn't in your back yard? The larger or more geographically spread out the enterprise, the more likely this is to happen. Unless it is an ongoing clear and immediate danger, the first step is usually to contact a team member or someone in the location or organization in question, usually by telephone, IM or e-mail. If you can't make contact with that office within the first day or two, the perceived urgency tends to drop, usually pushed aside by something newer.

In almost every organization I've worked in (either as an employee or outside consultant), the emergency contact list -- if one exists -- is out of date. Why? Because no one "owns" it, and more to the point, no one maintains it. In almost every one of these places, I've found it necessary to rebuild the contact lists for names, phone numbers, e-mail addresses, and network charts/maps. And where the list does have correct information, the individual people on the list often don't know each other, which can lead to turf wars when an incident does occur.

If you are in the security role/function/team, and you don't have a CERT (Computer Emergency Response Team) by that name or any other, form one. And make sure you get management support. Not just your management, but written (e-mail) permission of the manager of each person whom you want to join the team. An effective approach I've found is to "nominate" the candidate of your choice, but leave the final decision to their manager. You won't always get who you want, but by getting the manager's buy-in, in writing, the occasional emergency that sucks up more time than anticipated will continue to get support.

Let's now assume that you have management support. Find out who the IT people are in every location. Call them up and talk to them. Introduce and identify yourself, since in many cases, they may not know you from Adam (or Eve, as the case may be). Ask them who "owns" what and who should be contacted for what. Find out who their management is. Provide them with your contact information.

In some cases, the organization has been so fractured that I've had to call sales offices to find out where they get their IT support from. In other words, the organization chart (and sometimes the IT/IS org chart) failed to provide enough structure to provide a clue as to where they existed. In a few extreme cases, I've discovered small IT organizations that existed basically in a vacuum. In any event, the next step is to put the entire list together and share it with everyone. In many cases, the contact may not be an IS/IT person, but simply a useful contact. Keep an open mind.

Now comes the maintenance. Keep them all in touch. Send out updates, notify them about new tools -- anything to keep the lines of communication open between you and all of them. Monthly conference calls and discussion groups build the idea of a team, whether they are e-mail, conference call, or web based. At least once a year (preferably more), call up each person for some informal reason. Find out if there have been or are going to be organizational changes. Did they get a new manager? Then get the new manager's buy-in. Have they been promoted? They may or may not have time to devote to the team. Have any e-mail addresses or phone numbers changed because of technology changes (brand of mail server, VoIP, move to new facilities)? Unless you have a HUGE organization, this maintenance should take less than an hour a month.
