The UK government’s preparations for the Olympics 2012 security and safety are well progressed, with exercises taking place across the capital. But it is not just the government that needs to ensure its security
Organisations throughout the UK will need to update their contingency plans to factor in the additional risks caused by the Olympics.
There are 37 Olympic competition venues across the country, so any organisation that operates in or around London must be prepared. Organisations throughout the UK will need to update their contingency plans to factor in the additional cybersecurity risks that may be caused by the Olympics, which will run from July 27 through August 12.
Why is security contingency planning important on the eve of the Olympics? For one, clause A.5.1.2 of ISO 27001 requires, “The information security policy shall be reviewed… if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness." A major event like the Olympic Games changes the threat landscape and increases risk. Whether it adheres to ISO 27001 guidelines or not, every organisation should review its security policies and contingency plans before the Games begin.
However, in my experience, many organisations only pay lip service to contingency planning. Their plans either wouldn’t work in reality, or they are out of date. In this tip, I’ll discuss the areas organisations should focus on in their contingency plans for security during the Olympics, including human resources (HR), remote workers and suppliers.
Olympics 2012 security: Human resources
When considering which aspects of a business are critical and how the Olympics may disrupt them, HR concerns will need particular attention. Requests for annual leave may be concentrated in the period of the Olympics. The methods managers use to decide who can take time off during this period need to be consistent, fair and clearly explained; otherwise, an organisation may suffer increased levels of absenteeism among disgruntled staff, particularly during popular or high-profile Olympic events.
Key members of staff shouldn’t all be allowed to be absent at the same time. But where this is unavoidable, ensure those given temporary responsibility have been briefed and fully understand what is required of them. Consider screening popular events in the office for staff who are unable to attend the Olympics in order to avoid people disappearing to the nearest live showing.
Olympics 2012 security: Remote workers
Pressure on transport services during the Olympics may require employees to travel in to work at different times, via different and longer routes, or to work outside of normal hours. Access into and out of central London will be difficult, particularly from late morning until midnight.
One possible solution to the commuting problem is to increase the number of staff who work from home or from other offices. This will require a suitable remote working policy covering physical security, access control and backups.
Allow time to assess any new locations to be used for teleworking so the necessary physical security improvements can be made and network and connectivity infrastructure can be upgraded if necessary to cope with the additional loads.
While working at home may seem an obvious solution to commuting problems, bear in mind that Internet services may be slow at peak times during the Olympics. The most likely cybersecurity threat to occur during the Olympics will be some form of distributed denial-of-service (DDoS) attack. Internet service providers (ISPs) may introduce data caps during peak times in an attempt to spread the traffic load and give equal service to their customer bases. An organisation should check with its ISP to understand the service it will be able to offer in key locations during the Olympics, including any measures it may introduce to manage peak demand. Staff working from home should implement additional measures, such as broadband accelerators, to ensure they get the best possible Internet service.
More on security training
for remote workers
Security training for tablet users
Training employees on compliance requirements
Employees who will be working from home for the first time should complete security awareness training and sign a user agreement that sets out all their obligations and responsibilities as remote workers. Training must cover data handling and protection along with awareness of all relevant statutory and regularity requirements that affect the organisation, to ensure documents are worked on and stored securely. Also make sure they are given technical support contact details, a call-in procedure with their managers, and a procedure for reporting any accidents, incidents or loss of equipment or data. Such security events should be reported through appropriate management channels as quickly as possible.
Olympic 2012 security: Suppliers
Although some businesses may not be directly affected by the Olympics, many organisations' suppliers may be. For example, a data shredding service may not be making as many visits as usual. Overflowing bins of documents ready to be shredded can quickly lead to lost data.
Think about overall deliveries and servicing needs during the Olympics and plan ahead. If you’re going to be carrying more stock, be sure to amend the sums insured in any applicable insurance policies. Don’t forget to ensure insurance policies cover any new locations where equipment may be kept overnight.
If the organisation's offices will be accessed at different times than usual, intruder alarm and night watch services will need to be informed. Check with local police on any possible changes to police response times.
Finally, run contingency planning test exercises ahead of the Olympics. This will allow time to fine tune the plans. Make sure everyone in the organisation understands their roles and will be ready if it becomes necessary to activate contingency plans during the Olympics. By adapting contingency plans, the Olympics should have a minimal impact on an organisation's business.
About the author:
Michael Cobb, CISSP-ISSAP is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in May 2012