Operations Security

Operations security is used to identify the controls over software, hardware, media, and the operators and administrators who possess elevated access privileges to any of these resources. Operations security is primarily concerned with data center operations processes, personnel, and technology, and is needed to protect assets from threats during normal use. Audits and monitoring are the mechanisms that permit the identification of security events, define the key elements of these events, and serve as the source of pertinent event information given to the appropriate individual, group, or process.

  • Outline the types of controls needed for secure operations of a data center
    • Preventative controls reduce the frequency and impact of errors and prevent unauthorized intruders.
    • Detective controls discover errors after they’ve occurred.
    • Corrective or recovery controls help mitigate the impact of a loss.
    • Deterrent controls encourage compliance with external controls.
    • Application-level controls minimize and detect software operational irregularities.
    • Transaction-level controls provide control over various stages of a transaction.
  • Explain the principle of least privilege.
    • Need to know: grant the minimum access rights or privileges required to do the job.
  • Differentiate between the principle of least privilege and the principle of separation of duties

Separation of duties:

  • Employing competent, trustworthy people with clear lines of authority and responsibility
  • Having adequate separation of job and process duties
  • Having proper procedures for authorizing transactions or changes to information
  • Maintaining adequate documents and records
  • Maintaining appropriate physical controls over assets and records
  • Executing independent checks on performance
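
The following is an added example, not part of the original notes, showing that least privilege and separation of duties are checked independently: one user passes the first and fails the second, another the reverse. All role, permission, user and change names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed sample data: all role, permission and user names are hypothetical.
ROLE_PERMS = {"developer": {"change.request"}, "approver": {"change.approve"},
              "operator": {"change.deploy"}}
USER_ROLES = {"alice": {"developer"}, "bob": {"approver", "operator"},
              "carol": {"operator"}, "dave": {"approver", "operator"}}
# What each person's job actually requires (the need-to-know baseline).
JOB_NEEDS = {"alice": {"change.request"}, "bob": {"change.approve"},
             "carol": {"change.deploy"},
             "dave": {"change.approve", "change.deploy"}}

@dataclass
class Change:
    change_id: str
    requested_by: str
    approved_by: str
    deployed_by: str

def excess_privileges(user):
    """Least privilege: permissions granted beyond what the job requires."""
    granted = set().union(*(ROLE_PERMS[r] for r in USER_ROLES[user]))
    return sorted(granted - JOB_NEEDS[user])

def sod_violations(change):
    """Separation of duties: one person must not perform two steps of a change."""
    steps = [("request", change.requested_by), ("approve", change.approved_by),
             ("deploy", change.deployed_by)]
    return [(a, b, who_a) for (a, who_a), (b, who_b) in combinations(steps, 2)
            if who_a == who_b]

def audit(changes):
    """Detective control: report findings for both principles separately."""
    findings = [("least-privilege", u, p) for u in sorted(USER_ROLES)
                if (p := excess_privileges(u))]
    for c in changes:
        findings += [("separation-of-duties", c.change_id, f"{who}: {a}+{b}")
                     for a, b, who in sod_violations(c)]
    return findings

# bob holds a deploy right his job does not need but never misuses it;
# dave holds exactly what his job needs yet approves and deploys CHG-2 himself.
CHANGES = [Change("CHG-1", "alice", "bob", "carol"),
           Change("CHG-2", "alice", "dave", "dave")]

if __name__ == "__main__":
    for finding in audit(CHANGES):
        print(finding)
```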

People cannot perform complementary checks on themselves, for these reasons:

  • Motivation: Usually caused by some financial crisis that results from health problems, drugs, overspending, gambling, extortion, or relationship problems, for example
  • Justification: A sense that they have not been treated fairly, the employer owes them, or any other explanation that they use to give a good reason for their actions
  • Opportunity: Knowledge or belief that fraud can be committed and remain undetected (“I’ll never get caught”) either because internal controls are not in place or are inadequate, or because they believe no one is minding the store.
  • Define the control mechanisms commonly found in data center operations
    • Trusted recovery controls – when a server crashes, security is not breached
    • Configuration and change management controls – controlling and tracking changes
    • Personnel security involves pre-employment screening and mandatory vacation time
    • Record retention processes refer to how long transactions and other types of computerized or process records should be retained
    • Resource protection is needed to protect company resources and assets
    • Privileged entity controls are given to operators and system administrators as special access to computing resources
    • Media viability controls are needed for properly marking and handling assets. These include clearly marking media with contents, dates, classification (if needed), and other information to help operators locate and use the correct media more often.
    • Operations process controls are a necessary element in the overall security of a computer installation. Because operators tend to possess privilege beyond other users, it’s vital to impose controls to limit the damage they can cause and protect them from themselves.
  • Create a model of controls that incorporates people-, process-, and technology-based control mechanisms
    • Software support
      • Limit what software can be installed
      • Test before installing and updating
      • Licensing
      • Check that users are not modifying the software
    • Configuration and change management — approves changes to the system
      • Assurance that users don’t make unwanted, risky changes
      • Changes are well documented
    • Backups
      • Critical for businesses 
      • How often changes occur
      • Store securely
    • Media controls
      • Environment protection 
      • Prevent loss of integrity, confidentiality, and availability
      • Marking — physical labeling
      • Logging — accountability
      • Integrity Verification — Hash validation
      • Physical Access protection — media can be stolen
      • Environmental protection — media may be sensitive to temperature, etc.
      • Transmittal — media can be transferred to other places
      • Disposition — secure erasing, not formatting, etc.
        • Overwriting — 0s and 1s, 3 times
        • Degaussing — magnetic erasure (strong and electronic)
        • Destruction — shred or burn
    • Documentation
      • Security plans
      • Contingency plans
      • Risk analyses
      • Security policies and procedures
    • Maintenance 
      • Access control
      • Background checking
      • Default passwords and factory reset
      • Encryption / decryption of communication
    • Interdependencies (support and operations staff)
      • Personnel — background checks on employees
      • Incident handling — respond to incidents
      • Contingency planning — backups, updating documentation, etc.
      • Security awareness, training and education
      • Physical and environmental — support and operations staff control the physical area of computer systems
      • Technical control — install and update IT
      • Assurance — changes do not introduce new vulnerabilities