Fundamentals of Information Systems Security Ch 6 - Security Operations and Administration
Memorandum of understanding (MOU)
Also known as a letter of intent; an agreement between two or more parties that expresses areas of common interest that result in shared actions. Less enforceable than a formal agreement but more formal than an oral agreement.
Three primary means to ensure compliance
Event logs, compliance liaison, remediation
Service-level agreement (SLA)
Formal contract between an organization and an outside firm that details the specific services the firm will provide. Communicates the expectations of both the organization and the outside firm and anticipates the needs of both parties.
Responsibilities of security administration
Handling events that affect computers and networks, including incidents, disasters, and other interruptions.
Advantages of outsourcing security
A high level of expertise that your organization might not have, because the outsourcing firm deals only with security.
Four aspects of access control.
Identification, authentication, authorization, accountability
Regulatory compliance
Laws and government regulations
Organizational compliance
Organization policies, audits, and standards
Disadvantages of outsourcing security
The outsourcing firm might not know your organization well; your organization cannot develop in-house expertise or talent and will continue to pay for the services.
Main concerns for outsourcing security
Privacy, risk, data security, ownership, adherence to policy
Offboarding
Process to follow when terminating a relationship with outsourced resources. Defines how to transfer control of data and other assets, terminate communications, and complete open transactions.
Most common documentation requirements:
Sensitive assets list; the organization's security process; the authority of the people responsible for security; the policies, procedures, and guidelines adopted by the organization
Blanket purchase agreement (BPA)
Streamlined method of meeting recurring needs for supplies or services. Creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services, which simplifies the process of recurring purchases.
Emergency operations group
Team managed by the security administration team. Responsible for protecting sensitive data in the event of natural disasters and equipment failure, among other potential emergencies.
Security administration
The group of individuals responsible for planning, designing, implementing, and monitoring an organization's security plan.
Onboarding
The negotiation process and the creation of agreements. Provides time to prepare before a problem occurs, as well as the opportunity to clearly communicate goals and expectations for all parties.
Interconnection security agreement (ISA)
Usually an extension of an MOU; serves as an agreement that documents the technical requirements of interconnected assets. Most often used to specify the technical needs and security responsibilities of connected organizations.