Chapter 6: Security Operations and Administration
Onboarding
A process when setting up interoperability relationships that provides the opportunity to clearly communicate goals and expectations for all parties.
Standards
Are mandated requirements for hardware and software solutions used to address security risk throughout an organization. A standard might refer to a specific antivirus product or password-generation token.
Event logs
Are records of actions that your operating system or application software create. An event log records which user or system accessed data or a resource and when.
Procedures
Are step-by-step systematic actions to accomplish a security requirement, process, or objective. They are one of the most powerful tools available to you. - They reduce mistakes in a crisis. - They ensure you don't miss important steps. - They provide for places within the process to conduct assurance checks. - They are mandatory requirements, like policies and standards.
Offboarding
A process when terminating interoperability relationships that defines how to transfer control of data and other assets, terminate communications, and complete any open transactions.
Blanket purchase agreement (BPA)
A streamlined method of meeting recurring needs for supplies or services, a BPA creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services. BPAs can be very helpful in simplifying the process of recurring purchases.
Emergency operations group
This group is responsible for protecting sensitive data in the event of natural disasters and equipment failure, among other potential emergencies.
Internet Architecture Board (IAB)
A subcommittee of the IETF composed of independent researchers and professionals who have a technical interest in the overall well-being of the internet. List of unethical and unacceptable practices on the internet: - "Seeks to gain unauthorized access to the resources of the Internet" - "Disrupts the intended use of the Internet" - "Wastes resources (people, capacity, computer) through such actions" - "Destroys the integrity of computer-based information" - "Compromises the privacy of users" - "Involves negligence in the conduct of Internet-wide experiments" Key point: Access to the internet is a privilege, not a right.
Security outsourcing
Advantages: A security management firm has a high level of expertise because it focuses on security, and security only, every day. Simply put, it will have expertise and experience that your own organization might not have. Disadvantages: Outsourcing has two primary disadvantages. First, the outsourcing firm might not know your organization well and might not possess internal knowledge. Second, by outsourcing, you won't develop in-house capability or talent and will therefore need to continue to pay for these services indefinitely.
Memorandum of understanding (MOU)
Also called a letter of intent, an MOU is an agreement between two or more parties that expresses areas of common interest that result in shared actions. MOUs are generally less enforceable than a formal agreement but still more formal than an oral agreement.
The change management process
Configuration control: Is the management of the baseline settings for a system device. The baseline settings meet security requirements. They require that you implement them carefully and only with prior approval. Change control: Is the management of changes to the configuration. Unmanaged changes introduce risk, because they might affect security operations or controls. An improper change could even disable the system or equipment. Change control ensures that any changes to a production system are tested, documented, and approved. The change itself must follow a change control process that ensures that you make the change correctly and report it to management.
Functional policy
Declares an organization's management direction for security in such specific functional areas as email, remote access, and Internet surfing.
Controlling access
Identification: Assertions made by the users about who they are. Authentication: The proving of that assertion. Authorization: The permissions a legitimate user or process has on the system. Accountability: Tracking or logging what authenticated and unauthenticated users do while accessing the system.
Social engineering
Intimidation: Using threats or harassment to bully another person for information. Name-dropping: Using the names of managers or superiors to convince another person that a higher authority has allowed access to information. Appeals for help: Tugging at a person's sense of compassion or understanding of a difficult, perhaps unreasonable, situation. The goal of the emotional appeal is to bypass normal procedures or gain special consideration. When combined with an incentive, such as a reward, this type of engineering is very effective. For example, consider the scam in which the scammer promises to send you money if you'll help him transfer money to a disadvantaged person. Unfortunately, this type of emotional appeal fools many people every year. Phishing: Technology works quite well in social engineering. Take, for example, phishing. In a phishing attack, scammers create an email or webpage that resembles the work of a reputable organization. The scammers want you to believe it's a reputable organization so you'll share sensitive information, which they use to gain access to your financial information or to steal your identity. A phishing attack can also take the form of a survey that asks questions in an effort to capture sensitive information.
Remediation
Involves fixing something that is broken or defective. With computer systems, remediation refers to fixing security vulnerabilities.
Compliance liaison
Makes sure all personnel are aware of, and comply with, the organization's policies. Different departments within an organization might have different security ideas or needs. A compliance liaison works with each department to ensure it understands, implements, and monitors compliance.
Proactive change management
Management initiates the change to achieve a desired goal. In this case, the source of the change is internal, such as the adoption of new technology.
Reactive change management
Management responds to changes in the business environment. The source of the change is external. Some examples are changes in regulations, customer expectations, and the supply chain.
Job rotation
Minimizes risk by rotating employees among various systems or duties. This prevents collusion, where several employees conspire to commit fraud. It also gives managers a chance to track which users were authorized to take what actions and when.
Interconnection security agreement (ISA)
Often an extension of an MOU, the ISA serves as an agreement that documents the technical requirements of interconnected assets. This type of document is most often used to specify technical needs and security responsibilities of connected organizations.
Outsourcing considerations
Privacy: Does the third party agree to uphold your privacy policy? How do they plan to control how data are collected, stored, handled, and destroyed? Risk: What additional risks exist by transferring data over a trust boundary? How are any new risks addressed? Who is responsible for managing new outsourcing risks? Data security: What controls protect data confidentiality and integrity from unauthorized access? Are access controls consistent with internal controls? How is data availability protected? Are backups and redundancy measures in place to minimize downtime? How are backups and redundant data copies protected? Ownership: Who owns the data, the infrastructure, and the media? Who is responsible for each component? Adherence to policy: Does each third party commit to upholding your security policies and procedures?
Baselines
Security personnel often create such basic configurations, called baselines, to ensure that they enforce the security minimums.
Documentation, procedures, and guidelines
Sensitive assets list: What assets must the organization take measures to secure? The list can include computers, network components, databases, documents, and any other assets that could be vulnerable to attack. The organization's security process: How does it all work? The authority of the persons responsible for security: Which administrator is responsible or authorized for what assets and what actions? The policies, procedures, and guidelines adopted by the organization: What information needs to be communicated, how is it communicated, and when is it communicated? Regulatory compliance: The organization must comply with laws and government regulations. Organizational compliance: The organization must comply with its own policies, audits, culture, and standards.
Professional Ethics
Set the example: Demonstrate strong ethical principles in your daily activities. Users will follow your lead. If you are serious about ethics, your users will be more serious about ethics. Encourage adopting ethical guidelines and standards: Security professionals must know their ethical boundaries and set an example by adhering to them. This often means making difficult decisions and setting a good example. You must push the organization to define its code of ethics. This helps the staff operate ethically and responsibly. Inform users through security awareness training: Make sure users are aware of and understand their ethical responsibilities.
Privacy policy
Specifies how your organization collects, uses, and disposes of information about individuals.
Clean desk/clean screen policy
States that users must never leave sensitive information in plain view on an unattended desk or workstation.
Change control committee
This committee oversees all proposed changes to systems and networks. The committee approves changes and the schedule for implementing the changes. In this manner, you cannot make changes to a system, application, or network without the proper review, funding, and documentation.
Service-level agreement (SLA)
This type of agreement is a formal contract between your organization and the outside firm that details the specific services the firm will provide. Some examples of security-related services detailed in an SLA can include: - How and when potential security breaches are communicated - How logs and events are reported - How confidential data are handled - What security system up-time requirements are (for example, you might require that all critical security systems have 99.99 percent reliability)
Guidelines
Help provide structure to a security program. They outline recommendations for the purchase and use of acceptable products and systems. Guidelines are simply actions that the organization recommends.
Data classification standards
Value: You can define the value of information by several different measures: the value to the organization, the value to competitors, the cost of replacement or loss, and the value to the organization's reputation. Sensitivity: Is the measure of the effect that a breach of the integrity or the disclosure of information would have on an organization. Organizations can measure sensitivity in many ways, including liability or fines, reputation, credibility, or loss of market share. Criticality: Is the measure of the importance of the information to the mission of the organization. What would happen to the organization if the information were lost?
Security administration
Within an organization refers to the group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan.