Chapter 3 - Developing A Security Program; Forming A Security Team; Identifying Assets To Be Secured; Identifying And Evaluating Threats - Honeywell dolphin 70e black Network And Security Manual

3 Developing a Security Program

Forming a Security Team

When forming a security team, you should:
• Define executive sponsors. It will be easier to ensure the success of security procedures if you have the backing of senior management.
• Establish a core cross-functional security team consisting of representatives from:
  – Building or facility management (i.e., individuals responsible for running and maintaining Honeywell Dolphin 70e Black devices and infrastructure).
  – Business applications (i.e., individuals responsible for applications interfaced to the Honeywell Dolphin 70e Black system).
  – IT systems administration.
  – IT network administration.
  – IT security.

Executive sponsorship and the creation of a formal team structure are recommendations for the security program. The remaining tasks in the development of a security program are critical to the success of the program.

Identifying Assets to be Secured

The term "assets" implies anything of value to the company. Assets may include equipment, intellectual property (e.g., historical data and algorithms), and infrastructure (e.g., network bandwidth and computing power).

When identifying assets at risk, you should consider:
• People, including your employees and the broader community to which they and your enterprise belong.
• Equipment
  – Plant equipment including network equipment (e.g., routers, switches, firewalls, and ancillary items used to build the system).
  – Computer equipment (e.g., servers, cameras and streamers).
• Network configuration information (e.g., routing tables and access control lists).
• Information stored on computing equipment (e.g., databases and other intellectual property).
• Intangible assets (e.g., bandwidth and speed).

Identifying and Evaluating Threats

You need to consider the potential within your system for unauthorized access to resources or information through the use of a network, and the unauthorized manipulation and alteration of information on a network.

Potential threats to be considered include:
• People (e.g., malicious users inside or outside the company and uninformed employees).
• Inanimate threats
  – Natural disasters (e.g., fire or flood).
  – Malicious code (e.g., a virus or denial of service).

Identifying and Evaluating Vulnerabilities

Potential vulnerabilities that should be addressed in your security strategy include:
• The absence of security policies and procedures.
• Inadequate physical security.
• Gateways from the Internet to the corporation.
• Gateways between the business LAN and Dolphin 70e Black network.
• Improper management of modems.
• Out-of-date virus software.
• Out-of-date security patches or inadequate security configuration.
• Inadequate or infrequent backups.
Failure mode analysis can be used to assess the robustness of your network architecture.