Originally posted here by SirDice
Do you consider backups to be part of your security?
Ah, good one. Yes I do...however implementation could vary. I personally consider backup policy definition a decision by the business (along with any regulations, etc) along with security providing input. Security office is then the 'custodian' of backups but may not actually DO the backups...that could be the IT operations function.

Some good comments everyone. You are reminding me of the best practice in security management that says an unexpected reboot is an EVENT but not necessarily a security incident. That is to be determined upon initial assessment of the situation...and may actually change from being considered/classified as a security incident to a non-incident later in the investigation.

I personally consider availability as a security matter - to me that's a no-brainer as it's part of what you're taught in security training and one of the triad (as noted by whatthe). But I do not feel that security is the actual implementer nor maintainer of the systems responsible for that. That's another no-brainer. Just because security is responsible for availability doesn't mean they manage the networks, manage the backup systems, manage the systems....of course they don't...they coordinate with those responsible parties and also implement/maintain policies governing them. I digress a bit here.

Great comments...keep 'em coming.