The IA Professional's Toolkit Part 7

Problem Management

In this, the final segment of security consultant Gordon Merrill's series on fundamental management tools for IA professionals in general and IA security consultants in particular, we look at how to handle problems wisely.

Whether you work as an information assurance (IA) employee or as an IA consultant, you will inevitably encounter problems in the processes affecting security. Sometimes the problems will be narrow: they will be localized to specific policies and procedures tied to a particular unit of the organization. For example, a technical support manager may take it into his head to declare that the most important priority for HelpDesk employees is the speed of closure of their open calls; the inevitable result will be calls closed at every possible opportunity, including immediately after telling a caller to try a possible solution – but before finding out if the solution works. The statistic will look great; the reality will be awful.

On the other hand, the problem may be systemic, such as the situation when a culture promoted by upper management punishes any information that does not conform to a rosy-tinted view of the perfection of the organization. That way madness lies: warning signs are discounted, intelligent employees are punished for their powers of observation and analysis, and the organization is headed for a catastrophic confrontation with reality.

The other aspect of problem management that IA professionals must consider is that you cannot have an incident without a problem, but you can have problems that have not yet become incidents. If you are called soon after the organization notices a problem, there's a good chance that the culture of the organization values a proactive approach to problem handling and especially problem prevention. If, however, you find that the usual response to a problem is to ignore it until it causes an incident, the organization has unfortunately sunk into a reactive stance.

Sometimes the corporate culture of passivity and reaction may be due to personalities; sometimes it is an unfortunate but realistic response to resource starvation. In either case, experience teaches us that in every sphere of life, waiting for problems to erupt is almost always more expensive than preventing them.

Managing problem resolution and incident handling

There is far more to managing problems than will fit in a single column, so please refer to the White Paper on "Computer Security Incident Response Team Management" available free online as a PDF file. There is also a free online course available from the US Defense Information Systems Agency (DISA) that can be freely downloaded as a ZIP file. If you want to listen to a narrated lecture on problem-solving, see the PowerPoint (in a WinZIP archive) available online from the MSIA program. Finally, please see the paper "Documentation for Less Work: Will This Have to be Done Again?" which reviews the benefits of systematic record-keeping.

Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. His information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. You may contact him by e-mail.

This series is based on some of the papers Mr Merrill wrote during his MSIA Program at Norwich University from 2007 through 2008. Merrill and I have collaborated closely in rewriting his research for this series.

