Security Operations Management


There are several conceptual best practices for protecting the integrity of the business and of the information that makes it go. These best practices all have to do with how people - not technology - work to support the business.

An organization needs to put together its policies and procedures in order to facilitate the use and protection of information. This is collectively known as administrative management and control. The essential activities that make up administrative management and control are

  • Job requirements and specifications: Before an employer hires a new security-related person, the hiring manager should document the job requirements and specifications. This ensures that the hiring manager knows exactly what skills this position requires.

  • Background checking: Any organization should get background checks on all employees and contractors before granting them access, and should repeat them periodically for positions of trust. This helps to expose undesirable candidates based upon their pasts. The depth of the check should be proportionate to the sensitivity of the position and must comply with applicable employment and privacy law. Background checks can include verification of any of the following:

    • Criminal record

    • Citizenship

    • Credit check

    • Employment history

    • Education

    • Certifications

    • Union and association membership

  • Separation of duties: This is the term used to describe the process of assigning parts of processes to different people. This makes it more difficult for a lone individual to defraud or steal from the organization.

    A great example of separation of duties is the way in which banks control safe combinations. Typically, a safe has a six-number combination. The bank assigns the first three numbers to one employee and the second three numbers to another employee. A single employee isn’t permitted to have all six numbers, so a lone employee is unable to enter the safe and steal its contents. This particular form of separation of duties, in which no one person holds a complete secret or can complete a sensitive operation alone, is also called split knowledge or dual control.

  • Job rotation: Job rotation refers to the practice of moving people from job function to job function, with or without notice. Job rotation accomplishes two things:

    1. People hesitate to set up the means for periodically or routinely stealing corporate information because they know that they could be moved to another shift or task at almost any time.

    2. People don’t work with each other long enough to form collusive relationships that could damage the company.

    Job rotation can also include changing workers’ workstations and work locations, which are other means for keeping would-be saboteurs off-balance.

  • Mandatory vacations: Requiring employees to take one or more weeks of their vacation in a single block of time gives the organization an opportunity to play Eliot Ness and see whether the employee is regularly committing any forbidden acts. While the employee is away, someone else performs his or her duties, so irregularities that depended on the employee being present every day to conceal them are more likely to surface.

  • Security Violations: All known security violations should be documented, and a root-cause analysis should be performed in order to determine whether any changes in processes or technology are needed.

    Security incident response is no longer a nice-to-have luxury. Security regulations often require a formal incident response capability. This entails setting up a response and communication plan, and training key individuals who will know what to do should a security incident occur.

    We discuss this topic further in Chapter 12.

  • Terminations: Employees who violate security policy are subject to termination. Usually this is a last-resort solution, but termination is necessary if the employee has a history of security problems.

    It is vital that terminated employees’ access be locked down as soon as possible, especially in cases where the employee is being fired or laid off. Lockdown should cover every form of access the employee had: network and application accounts, remote-access credentials and tokens, physical badges and keys, and any shared passwords the employee knew, which should be changed. The consequences associated with continued access by an angry employee are serious enough to warrant the creation of emergency procedures for immediate termination of access. We discuss some additional termination practices in Chapter 6.

  • Configuration Management: Even small organizations have complex information systems: servers, workstations, network devices, databases, and application, mail and Web servers are just a few of the components that an organization uses to support its operations.

    Managing all this information infrastructure is a complex, time-consuming task that all too often is performed with too little (if any) recordkeeping on who did what. Larger organizations that have dozens or hundreds of servers have the daunting task of just keeping server configurations consistent, more or less.

 Instant Answer   Configuration management is the process (or processes) of actively managing the configuration of every system, device, and application, so that the details of every configuration change (what was changed, by whom, when, and under what approval) are recorded someplace. Without such a record, it is impossible to tell an authorized change from an intrusion.

  • Patch and Vulnerability Management: On a daily basis, flaws are discovered in server and desktop operating systems (such as Windows and UNIX), database management systems, and applications. Many of these flaws are security vulnerabilities that, left unpatched, could permit a malicious outsider (or insider) to access data or functions that he or she should not be able to reach. Known, unpatched flaws are exactly what worms and attackers exploit first, so the consequences of failing to patch are easy to imagine. A brief outline of the entire patch management process follows:

    1. Receive security advisories from vendors and third-party organizations.

    2. Perform risk analysis on each advisory to determine its applicability and risk to your organization.

    3. Develop a plan to either install the security patch or to perform another workaround (such as disabling a feature or blocking a port), if any is available. Your decision should be based on which solution will best eliminate or mitigate the vulnerability without breaking the business function.

    4. Test the security patch or workaround in a test environment. This process involves making sure that stated functions still work properly and that no unexpected side-effects arise as a result of installing the patch or workaround.

    5. Install the security patch in the production environment, following the organization’s change control process.

    6. Verify that the patch is properly installed (for example, by rescanning the system) and that systems still perform properly.

    Patch management is aligned closely with configuration management and change control processes, which are discussed in this chapter.

  • High Availability: Highly critical applications and functions may need to be available 24/7 with no allowable downtime, even for maintenance or component failures. Consider the landline telephone system - can you recall ever picking up the handset and not hearing a dial tone? Well, maybe you can, but it’s rare. Our point is that many aspects of critical information systems (like the world telephone network) have high availability features in their architecture that ensure their continued operation despite failures.
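The split safe combination in the separation-of-duties item above, carried further as an added example (this is not code from the book). Splitting a six-number combination into two halves is weak, because each custodian already knows half the secret. Shamir’s secret sharing achieves the same goal properly: any two of three custodians can jointly recover the combination, while one custodian alone learns nothing about it. The combination (12, 34, 56), the 2-of-3 split and the field modulus are assumptions made for the example.

```python
"""Split knowledge with a threshold secret-sharing scheme.

Added example, not from the book: Shamir's secret sharing applied to the
bank-safe combination. Any `threshold` custodians can recover the
combination; fewer learn nothing. The combination used is constructed data.
"""
import secrets

# Field modulus (a Mersenne prime); any secret encoded as an integer below it can be shared.
PRIME = 2**127 - 1


def encode_combination(numbers):
    """Pack a tuple of 0..99 dial positions into one integer, two digits each."""
    if any(not 0 <= n <= 99 for n in numbers):
        raise ValueError("each dial position must be in 0..99")
    return int("".join(f"{n:02d}" for n in numbers))


def decode_combination(value, count):
    """Inverse of encode_combination for a `count`-number combination."""
    digits = f"{value:0{2 * count}d}"
    return tuple(int(digits[i:i + 2]) for i in range(0, 2 * count, 2))


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y) on a random degree-(threshold-1) polynomial
    whose constant term is the secret. Any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range for the field")
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given (x, y) points.

    Fewer than `threshold` shares yield an unrelated value rather than an error:
    the scheme gives no hint that a partial set of custodians is insufficient."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    combo = (12, 34, 56)  # constructed sample combination
    dealt = split_secret(encode_combination(combo), threshold=2, shares=3)
    print("two custodians recover:", decode_combination(recover_secret(dealt[:2]), 3))
    print("one custodian recovers the real combination:",
          recover_secret(dealt[:1]) == encode_combination(combo))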
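```

Each custodian stores one (x, y) pair; the bank keeps the threshold at two so that a sick or absent employee does not lock the safe, and a third share can be held in escrow. Because recovery from too few shares silently returns garbage, the recovered value should always be validated (here, by checking that it decodes to plausible dial positions) before it is used.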

 Tip   ISO 27001 and ISO 27002: The standards for information security management

Putting together a comprehensive data security plan can take considerable effort for any organization, regardless of its size. But you need not start from scratch; instead, get yourself copies of ISO 27001 and ISO 27002. ISO 27001 specifies the requirements for an information security management system and is the standard an organization is certified against; ISO 27002, the code of practice (previously published as ISO 17799), contains guidance for every facet of organizational activity concerned with the protection of information assets. The only disadvantage of these standards is that they’re not free. You must purchase them online from www.iso.org.
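Steps 1 and 2 of the patch management outline earlier in this chapter (receive advisories, then decide which ones apply and how risky they are) are the part most organizations struggle to do consistently by hand. The following is an added example, not code from the book, that matches a feed of advisories against an inventory of installed package versions and rates each hit so the plan in step 3 can be prioritized. The advisory IDs (ADV-000x), hosts, package versions and the rating thresholds are constructed sample data, not real vulnerability records.

```python
"""Advisory triage: which hosts does an advisory actually apply to, and how urgent is it?

Added example, not from the book. Matches constructed vendor advisories against a
constructed inventory, then rates each finding by severity and exposure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix is available yet
    cvss: float       # vendor-stated base score
    exposure: str     # "network" (remotely reachable) or "local"


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    advisory_id: str
    cvss: float
    priority: str
    action: str       # "patch" when a fix exists, otherwise "workaround"


def parse_version(version):
    """Turn '1.9.5p2' or '2.4.52-1' into a comparable tuple of ints.

    Only the leading digits of each dot-separated component count, and the
    tuple is padded to four components so '3.0' compares equal to '3.0.0.0'."""
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(installed, adv):
    """True when installed is in [introduced, fixed), or >= introduced with no fix yet."""
    v = parse_version(installed)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def rate(adv, internet_facing):
    """Constructed rating rule: base severity, raised when the flaw is reachable from the Internet."""
    if adv.cvss >= 9.0 or (adv.cvss >= 7.0 and adv.exposure == "network" and internet_facing):
        return "urgent"
    if adv.cvss >= 7.0:
        return "high"
    if adv.cvss >= 4.0:
        return "medium"
    return "low"


PRIORITY_ORDER = {"urgent": 0, "high": 1, "medium": 2, "low": 3}


def triage(inventory, advisories, internet_facing):
    """Return findings, most urgent first; hosts with no affected package produce none."""
    findings = []
    for host, packages in inventory.items():
        for package, installed in packages.items():
            for adv in advisories:
                if adv.package == package and is_affected(installed, adv):
                    findings.append(Finding(
                        host=host, package=package, installed=installed,
                        advisory_id=adv.advisory_id, cvss=adv.cvss,
                        priority=rate(adv, host in internet_facing),
                        action="patch" if adv.fixed else "workaround",
                    ))
    return sorted(findings, key=lambda f: (PRIORITY_ORDER[f.priority], -f.cvss))


# Constructed sample data: hypothetical advisory IDs and versions, not real CVEs.
ADVISORIES = [
    Advisory("ADV-0001", "openssl", introduced="3.0.0", fixed="3.0.7", cvss=7.5, exposure="network"),
    Advisory("ADV-0002", "sudo", introduced="1.8.2", fixed="1.9.5", cvss=7.8, exposure="local"),
    Advisory("ADV-0003", "httpd", introduced="2.4.0", fixed="", cvss=9.8, exposure="network"),
]
INVENTORY = {
    "web01": {"openssl": "3.0.2", "httpd": "2.4.54"},
    "db01": {"openssl": "3.0.7", "sudo": "1.9.5p2"},
    "jump01": {"sudo": "1.8.31", "bash": "5.1.16"},
}
INTERNET_FACING = {"web01"}

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES, INTERNET_FACING):
        print(f"{f.priority:7} {f.host:7} {f.package:8} {f.installed:8} {f.advisory_id} -> {f.action}")
```

Two details matter in practice. Version strings are not plain numbers ("1.9.5p2" is a fixed build of 1.9.5, and "3.0.7" is fixed while "3.0.2" is not), so the comparison normalizes them before deciding applicability. And an advisory with no fix available still produces a finding, flagged for a workaround rather than a patch, so that step 3 cannot silently skip it.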

CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242