One thing sailors usually learn before they become “old sailors” is the value of keeping things neat. When you are at the mercy of wind and water - and with nobody around - a good sailor makes recovery from incidents look easy. They know exactly where the lines, tools and emergency equipment are stowed. They also explain the safety features to new crew members and passengers before they are needed.

If you see ropes strewn across the deck, you may not think of them as being dangerous; but imagine having a weather or mechanical crisis going on, and having to keep looking down to see what’s under your feet as you scurry about the deck to keep from tripping and falling overboard.

For crises bigger than one person can handle alone, you may even need to instruct others on where to find things; for this, labels make life much easier and safer.

The same idea holds for security in an organization. The last thing you need during an incident is piles of misfiled papers on your desk and a directory with hundreds of uncategorized documents on your computer screen.

While it true that it’s easier to keep a business system secure if it is simple, it’s not always easy to keep things simple. So, if the systems have to be complicated, try to keep the elements organized and documented in a concise way - ready for quick access.

Nothing is ever obvious, especially in an emergency.

Consider the situation that may exist the next time somebody needs to look at your organization’s security documentation - time may be of the essence. It could be an emergency incident investigation. If safeguards are not well documented you may end up wasting valuable time - time that an attacker may need to cover his tracks - or time a virus may use to infect critical systems on the network.

A well documented security system should have a top level plan that identifies the layout and attributes of subsystems such as physical, personnel, network, etc., with information such as:

  • The location of each subsystem’s controls and its detailed documentation
  • The location of log outputs
  • The configuration of relevant parameters
  • Named systems and safeguards that each system depends on and that depend on it
  • The primary and backup second-line support contacts in case of emergency

Of course, security documentation is as sensitive as the assets under
the system’s protection. The documentation itself must also be kept secure from unauthorized access and from accidental loss.

Keep information about your systems simple, neat, documented, and secure. Then everybody will have an easier time when you need to quickly examine what’s going on.