fundamentals of information systems security chapter 6

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Fundamentals of Information

Systems Security

Lesson 6

Security Operations and Administration

Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.Page 2Fundamentals of Information Systems Security


www.jblearning.com


Learning Objective(s)

Explain the role of IT operations,

administration, and security policies.


www.jblearning.com



www.jblearning.com


Key Concepts

Role of security administration within an

organization

Components of an IT security policy infrastructure

Data classification standards used by

organizations and the DoD

Change management and configuration

management

The system life cycle (SLC) and the system

development life cycle (SDLC)


www.jblearning.com



www.jblearning.com


Security Administration

The group of individuals responsible for

planning, designing, implementing, and

monitoring an organization’s security plan

Identify and document the assets, and then

assign responsibility of each one to a

person or position


www.jblearning.com



www.jblearning.com


Controlling Access

Identification

Authentication

Authorization

Accountability


www.jblearning.com



www.jblearning.com


Documentation, Procedures, and

Guidelines

The most common documentation requirements include:

• Sensitive assets list

• The organization’s security process

• The authority of the persons responsible for security

• The policies, procedures, and guidelines adopted by the organization

An organization must comply with rules on two levels:

• Regulatory compliance

• Organizational compliance


www.jblearning.com



www.jblearning.com


Disaster Assessment and Recovery

The security administration team handles

incidents, disasters, and other interruptions

The emergency operations group is

responsible for protecting sensitive data in

the event of:

• Natural disasters

• Equipment failure

• Other potential emergencies


www.jblearning.com



www.jblearning.com


Security Outsourcing

Advantages

• High level of expertise

Disadvantages

• The outsourcing firm might not possess

internal knowledge

• You won’t develop in-house capability or

talent and have to continue to pay for these

services indefinitely


www.jblearning.com



www.jblearning.com


Outsourcing Concerns

Privacy

Risk

Data security

Ownership

Adherence to policy


www.jblearning.com



www.jblearning.com


Common Agreements

Service-level agreement (SLA)

Blanket purchase agreement (BPA)

Memorandum of understanding (MOU)

Interconnection security agreement (ISA)


www.jblearning.com



www.jblearning.com


Compliance

Event logs

Compliance liaison

Remediation


www.jblearning.com



www.jblearning.com


Professional Ethics

Set the example

Encourage adopting ethical guidelines and

standards

Inform users through security awareness

training

A code of ethics helps ensure

professionalism


www.jblearning.com



www.jblearning.com


Personnel Security Principles

Limiting Access

Separation of duties

Job rotation

Mandatory vacations

Security training

Security awareness

Social engineering


www.jblearning.com



www.jblearning.com


The Infrastructure for an IT Security

Policy

Policies

Standards

Procedures

Baselines

Guidelines


www.jblearning.com



www.jblearning.com


The Security Policy Environment


www.jblearning.com



www.jblearning.com


The Security

Policy

Hierarchy


www.jblearning.com



www.jblearning.com


Data Classification Standards

Classification is the duty of the data owner

or someone the owner assigns

System owner is the person or group that

manages the infrastructure

Classifying information criteria:

• Value

• Sensitivity

• Criticality


www.jblearning.com



www.jblearning.com


Information Classification Objectives

To identify information protection requirements

To identify data value in accordance with organization

policy

To ensure that sensitive and/or critical information is

provided appropriate protection/controls

To lower costs by protecting only sensitive information

To standardize classification labeling throughout the

organization

To alert employees and other authorized personnel to

protection requirements

To comply with privacy law and regulations


www.jblearning.com



www.jblearning.com


Examples of Classification

• Unclassified

• Restricted

• Confidential

• Secret

• Top Secret

U.S. government (standardized)

• Public (low)

• Private (medium)

• Confidential (high)

Private sector (not standardized)


www.jblearning.com



www.jblearning.com


Configuration Management

The process of managing all changes to

computer and device configurations

Evaluates the impact a modification might

have on security

As a security professional, your job is to:

• Ensure that you adequately review all system

changes

• Ensure that configuration changes will not

cause unintended consequences for security


www.jblearning.com



www.jblearning.com


Hardware Inventory and

Configuration Chart

A decision to roll out a new patch, service

pack, or release will be complicated if you

can’t find, update, and test every affected

device

Have an up-to-date map or layout of the

configuration of the hardware components

Regularly check for any available vendor

upgrades and service packs


www.jblearning.com



www.jblearning.com


The Change Management Process

Configuration control

• The management of the baseline settings for a system device

Change control

• The management of changes to the configuration


www.jblearning.com



www.jblearning.com


Change Control Management

Communicate change management procedures

and standards effectively

Reactive or proactive

• Reactive: Management responds to changes in the

business environment

• Proactive: Management initiates the change to

achieve a desired goal

Occurs on a continuous, regularly scheduled,

release, or program-by-program basis


www.jblearning.com



www.jblearning.com


Change Control Committees

• Properly tested

• Authorized

• Scheduled

• Communicated

• Documented

Ensure changes are:


www.jblearning.com



www.jblearning.com


Change Control Procedures


www.jblearning.com



www.jblearning.com


Change Control Issues

• Ensure that a peer or another expert double-checks all changes before you put them into production

Peer reviews

• Ensure that if the change doesn’t work properly, a plan exists to restore the system to a known good condition

Back-out plans

• Keep documentation current to reflect the true system’s design Documentation


www.jblearning.com



www.jblearning.com


Application Software Security

Processes for software development:

• System Life Cycle (SLC)

• System Development Life Cycle (SDLC)

Steps are similar; a few key differences:

• SLC includes operations and disposal

• SDLC ends with the transition to production


www.jblearning.com



www.jblearning.com


The System Life Cycle

Project initiation and planning

Functional requirements and definition

System design specification

Build (develop) and document

Acceptance testing

Implementation (transition to production)

Operations and maintenance

Disposal


www.jblearning.com



www.jblearning.com


Testing Application Software

Test for all expected and unexpected actions

Handle errors correctly

Perform tests to test the maximum load on the

system, including:

• Transaction volume

• Memory allocation

• Network bandwidth

• Response times

Keep production or sensitive data secure during

testing


www.jblearning.com



www.jblearning.com


Catching Vulnerabilities

Thoroughly evaluate any change to your

environment

Formalize the process for procuring new

equipment

Follow the guidance in your data policies

Review a system throughout its life cycle to

ensure that it meets its specified security

(certification)

Make sure management officially accepts the

system (accreditation)


www.jblearning.com



www.jblearning.com


Software Development and Security

Checks user authentication to the application

Checks user authorization (privilege level)

Has procedures for recovering database integrity in the

event of system failure

Handles errors and exceptions consistently and does not

allow any error or exception to go unhandled

Validates all input

Defines secure configuration baselines

Provides guidance on hardening your application

Provides and applies frequent patches


www.jblearning.com



www.jblearning.com


Software Development Models

The two most widely accepted models for software development

The waterfall model

Agile development

method


www.jblearning.com



www.jblearning.com


The Waterfall Model


www.jblearning.com



www.jblearning.com


The Agile Software Development

Method


www.jblearning.com



www.jblearning.com


Summary

Role of security administration within an

organization

Components of an IT security policy

infrastructure

Data classification standards used by

organizations and the DoD

Change management and configuration

management

The system life cycle (SLC) and the system

development life cycle (SDLC)

fundamentals of information systems security chapter 6

Education