Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: The Dreaded "D" Word of IT - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
The Dreaded "D" Word of IT

Weekends are usually a good time to catch up on the dreaded ‚??D‚?Ě word of IT professionals everywhere‚?¶. Documentation.  Security is a process, and as such requires good documentation to drive those processes.  All organizations have (or should have) documentation to support their efforts and guide their work, typically in the form of a Site Security Plan, Change Control processes, Roles and Responsibilities, etc., etc. These process are in place to support constantly changing systems.  Updating the documentation is often a painful process that is left for less mundane and intriguing tasks, thus it is relegated to weekend work.  

 

The landscape of technology, requirements, threats, and vulnerabilities is changing every day, so the processes we use to support these need to adapt as well.  One key to managing the documents is establishing an annual review process of the document library.  These reviews can be broken up over the calendar year, to spread out the work; the larger documents can be sectioned out to team members for draft input and review over a period of time.  The review process, if possible, should include an objective review from a peer or colleague to assist in providing objective feedback and analysis.

 

Any process works best when it is known, documented, and implemented, and Security processes require the same care and feeding as the systems they serve.  

tony d0t carothers --gmail

 

Tony

150 Posts
ISC Handler
When I read that post, my first thought is "you mean the dreaded 'W' words of IT - Weekend Work".

It's almost impossible for a (good) InfoSec person to avoid doing some kind of after-hours work, but it's best to keep it to research and learning. If you are always *working* on weekends, then you are effectively doing a 50-60+ hour work week whilst being paid for ~40. One day when this stresses you out and you ask for more personnel, the business will see no justification for doing so because they have felt no pain.

It's not easy to do, but if you have more work in a week than you can do, you need to fail (gracefully) so that the business sees that the task needs more people. If there's no budget for people, the only thing that can be altered is a reduction in the number and type of tasks performed by the resources available.


If I find myself catching up on work directly related to my job on weekends I consider it a failure on my part. Having said all that, I have three children and so over the years weekend work became an impossible option anyway. Now that they are older, even though I technically have time for weekend work, a good chunk of my brain just refuses to work even if I try to make it. Oddly enough this may mean I sometimes get behind but I'm actually less stressed as a result. It's nice to also be able to look my kids in the eyes and be *honest* when I say I'll be home to spend time with them.
Kaldek

12 Posts Posts
As a somewhat smaller (<50 people) company, I've been using Microsoft Operations Framework (MOF) with good success as a documentation framework. It's fairly comprehensive, but flexible enough so as to not be constricting or overly burdensome.

http://technet.microsoft.com/en-us/solutionaccelerators/dd320379.aspx

Any other recommendations for a documentation framework for IT docs for small companies? ITIL seems like a behemoth.
T

31 Posts Posts
Quoting Kaldek:When I read that post, my first thought is "you mean the dreaded 'W' words of IT - Weekend Work".

It's almost impossible for a (good) InfoSec person to avoid doing some kind of after-hours work, but it's best to keep it to research and learning. If you are always *working* on weekends, then you are effectively doing a 50-60+ hour work week whilst being paid for ~40. One day when this stresses you out and you ask for more personnel, the business will see no justification for doing so because they have felt no pain.

It's not easy to do, but if you have more work in a week than you can do, you need to fail (gracefully) so that the business sees that the task needs more people. If there's no budget for people, the only thing that can be altered is a reduction in the number and type of tasks performed by the resources available.


If I find myself catching up on work directly related to my job on weekends I consider it a failure on my part. Having said all that, I have three children and so over the years weekend work became an impossible option anyway. Now that they are older, even though I technically have time for weekend work, a good chunk of my brain just refuses to work even if I try to make it. Oddly enough this may mean I sometimes get behind but I'm actually less stressed as a result. It's nice to also be able to look my kids in the eyes and be *honest* when I say I'll be home to spend time with them.


I feel I have to reply to this (not to troll or argue but to play devils advocate)

Doing what has been suggested by this post will help you feel less stressed and I do agree that there needs to be downtime for everyone involved in information security as the work never really ends. But I would caution against failing at your work as a way to show you need more resources. It could be viewed as you not being able to handle the tasks required. Also sometimes there is no avoiding doing extra non-paid work. Who does not work through lunch or eats at their desk while reading the latest security news.

Find a line that works for you and your employer. There are plenty of younger people willing to work all kinds of crazy hours, just waiting for a foot in the door.
PW

62 Posts Posts
Quoting PW:There are plenty of younger people willing to work all kinds of crazy hours, just waiting for a foot in the door.


I am fortunate to work for a security team that values people who can work unsupervised and still produce quality work on time.

There may be younger people eager to work long hours for free to prove themselves, but those young folks require training and feedback.

That isn't free.
Jasey

93 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!