About Me Richard Mosher Manager in Cincinnati (Ohio Valley) CISSP in November of 1994 CBCP in June of 1999 15 years in utility industry, 12 as security officer Responsible for mainframe, client server, internet, policies/procedures, disaster/recovery Joined E&Y in December of 1997 Contact info: Richard Mosher/SOhioKentuckyIndiana/AUDIT/EYLLP/US EYComm: 5176673 Office: 513-723-4379 Mobile: 606-466-4572 [email_address]

Richard Mosher

Manager in Cincinnati (Ohio Valley)

CISSP in November of 1994

CBCP in June of 1999

15 years in utility industry, 12 as security officer

Responsible for mainframe, client server, internet, policies/procedures, disaster/recovery

Joined E&Y in December of 1997

Contact info:

Richard Mosher/SOhioKentuckyIndiana/AUDIT/EYLLP/US

EYComm: 5176673

Office: 513-723-4379 Mobile: 606-466-4572

[email_address]

Introduction Topic: Operations Security Approach - General security principles The Problem The Control

Topic: Operations Security

Approach - General security principles

The Problem

The Control

General Security Principles Accountability Authorization Logging Separation of duties Least privilege Risk reduction Layered defense Redundancy

Accountability

Authorization

Logging

Separation of duties

Least privilege

Risk reduction

Layered defense

Redundancy

Critical Operational Controls Resource protection Privileged-entity control Hardware control

Resource protection

Privileged-entity control

Hardware control

The Problem Powerful system utilities Powerful system commands Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data Direct control over hardware and software Direct control over all files Direct control over printers and output queues Powerful Input/Output commands Direct access to servers Initial program load from console

Powerful system utilities

Powerful system commands

Superzapping - system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data

Direct control over hardware and software

Direct control over all files

Direct control over printers and output queues

Powerful Input/Output commands

Direct access to servers

Initial program load from console

The Problem Initial program load - IPL from tape Control over job schedule and execution Control over all storage media Bypass label processing Re-labeling resources Resetting date/time, passwords Control of access ports/lines Erroneous transactions (fraud) Altering proper transactions Adding improper transactions Denial of service/Delays in operation Personal use, Disclosure Audit trail/log corruption/modification

Initial program load - IPL from tape

Control over job schedule and execution

Control over all storage media

Bypass label processing

Re-labeling resources

Resetting date/time, passwords

Control of access ports/lines

Erroneous transactions (fraud)

Altering proper transactions

Adding improper transactions

Denial of service/Delays in operation

Personal use, Disclosure

Audit trail/log corruption/modification

Protected Resources Password files Application program libraries Source code Vendor software Operating System Libraries Utilities Directories Address Tables Proprietary packages Communications HW/SW Main storage Disk & tape storage

Password files

Application program libraries

Source code

Vendor software

Operating System

Libraries

Utilities

Directories

Address Tables

Proprietary packages

Communications HW/SW

Main storage

Disk & tape storage

Protected Resources (2) Processing equipment Stand-alone computers Printers Sensitive/Critical data Files Programs System utilities System logs/audit trails Violation reports Backup files Sensitive forms Printouts People

Processing equipment

Stand-alone computers

Printers

Sensitive/Critical data

Files

Programs

System utilities

System logs/audit trails

Violation reports

Backup files

Sensitive forms

Printouts

People

The Control Accountability - Personnel reviews - Background checks

Accountability -

Personnel reviews - Background checks

The Control Accountability - Personnel reviews - Background checks Password management Personal System Maintenance Trap door - system or application password included for ease of vendor maintenance

Accountability -

Personnel reviews - Background checks

Password management

Personal

System

Maintenance

Trap door - system or application password included for ease of vendor maintenance

The Control Accountability - Personnel reviews - Background checks Password management Logging of all activities Protected/duplicated log

Accountability -

Personnel reviews - Background checks

Password management

Logging of all activities

Protected/duplicated log

The Control Accountability - Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Reports, tracks, resolves problems affecting service Reduce failures Prevent recurrence Reduce impact Types - Performance/availability Hardware/software Environment Procedures/Operations Network Safety/security

Accountability -

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Reports, tracks, resolves problems affecting service

Reduce failures

Prevent recurrence

Reduce impact

Types - Performance/availability

Hardware/software

Environment

Procedures/Operations

Network

Safety/security

The Control Accountability - Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Violation analysis Repetitive mistakes Exceeding authority Unrestricted access Where? Patterns - hackers, disgruntled employees Clipping level - baseline violation count to establish normal violation levels

Accountability -

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Violation analysis

Repetitive mistakes

Exceeding authority

Unrestricted access

Where?

Patterns - hackers, disgruntled employees

Clipping level - baseline violation count to establish normal violation levels

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Least Privilege Granular access control over system commands Individual access permissions Hardware/Software elements & procedures to enable authorized access and prevent unauthorized access

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Least Privilege

Granular access control over system commands

Individual access permissions

Hardware/Software elements & procedures to enable authorized access and prevent unauthorized access

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Least Privilege Granular access control over system commands Individual access permissions Periodic review of access needed/granted

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Least Privilege

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted Separation of Duties All changes require approval

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Separation of Duties

All changes require approval

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted Separation of Duties All changes require approval Operational staff should not code or approve changes Operating system OR Applications OR Job controls

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Separation of Duties

All changes require approval

Operational staff should not code or approve changes

Operating system OR Applications OR Job controls

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted Separation of Duties All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Security administration Network administration Application administration

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Separation of Duties

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Security administration

Network administration

Application administration

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted Separation of Duties All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Transaction logging with date/time/person Control counts

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Separation of Duties

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Transaction logging with date/time/person

Control counts

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted Separation of Duties All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Responsibilities in Operations should be divided Help desk Job rotation

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Separation of Duties

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Responsibilities in Operations should be divided

Help desk

Job rotation

Separation of Duties - Operator Installing system software Start up/Shut down Backup/recovery Mounting disks/tapes Handling hardware Adding/removing users (?)

Installing system software

Start up/Shut down

Backup/recovery

Mounting disks/tapes

Handling hardware

Adding/removing users (?)

Separation of Duties - Security User activities Adding/removing users (?) Setting clearances Setting passwords Setting other security characteristics Changing profiles Setting file sensitivity labels Setting security characteristics of devices, communications channels Reviewing audit data

User activities

Adding/removing users (?)

Setting clearances

Setting passwords

Setting other security characteristics

Changing profiles

Setting file sensitivity labels

Setting security characteristics of devices, communications channels

Reviewing audit data

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Responsibilities in Operations should be divided Layered Defense Emergency procedures requiring approval

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Responsibilities in Operations should be divided

Layered Defense

Emergency procedures requiring approval

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Responsibilities in Operations should be divided Emergency procedures requiring approval Read vs Read/Write access

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Responsibilities in Operations should be divided

Emergency procedures requiring approval

Read vs Read/Write access

The Control Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures Granular access control over system commands Individual access permissions Periodic review of access needed/granted All changes require approval Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Responsibilities in Operations should be divided Emergency procedures requiring approval Training - Equipment/system documentation, procedures

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

All changes require approval

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Responsibilities in Operations should be divided

Emergency procedures requiring approval

Training - Equipment/system documentation, procedures

The Problem Physical access to the computer room and devices there IS programmers Cleaning/maintenance Vendor support Contract/Temp staff Memory content modification Microcode changes Device shutdown Shoulder surfing over Operator’s shoulder Physical access to printouts - rerouting Access to print queues Access to printers

Physical access to the computer room and devices there

IS programmers

Cleaning/maintenance

Vendor support

Contract/Temp staff

Memory content modification

Microcode changes

Device shutdown

Shoulder surfing over Operator’s shoulder

Physical access to printouts - rerouting

Access to print queues

Access to printers

The Control Authentication & Least Privilege Authorization for access to the facility Closed shop - physical access controls limiting access to authorized personnel Operations security - controls over resources - HW, media & operators with access Operations terminals Servers/routers/modems/circuit rooms Sniffer - device that attaches to the network and captures network traffic Magnetic media

Authentication & Least Privilege

Authorization for access to the facility

Closed shop - physical access controls limiting access to authorized personnel

Operations security - controls over resources - HW, media & operators with access

Operations terminals

Servers/routers/modems/circuit rooms

Sniffer - device that attaches to the network and captures network traffic

Magnetic media

The Control Authentication & Least Privilege Authorization for access to the facility Enforced control of access to the facility Security perimeter - boundary where security controls protect assets System high security - system and all peripherals are protected at level of highest security classification of any information housed by the system Tempest - reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information

Authentication & Least Privilege

Authorization for access to the facility

Enforced control of access to the facility

Security perimeter - boundary where security controls protect assets

System high security - system and all peripherals are protected at level of highest security classification of any information housed by the system

Tempest - reception of electromagnetic emanations which can be analyzed to disclose sensitive or protected information

The Control Authentication & Least Privilege Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Supervision of personnel - Realtime and Non-realtime Morale evaluation Operating logs Inventory Change control procedures Incident reporting System/audit logs Audits/security reviews Job rotation

Authentication & Least Privilege

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Supervision of personnel - Realtime and Non-realtime

Morale evaluation

Operating logs

Inventory

Change control procedures

Incident reporting

System/audit logs

Audits/security reviews

Job rotation

The Control Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Separation of Duties & Layered Defense Protection of printouts Heading/Trailing banners with recipient name and location Print “No Output” when report is empty

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Separation of Duties & Layered Defense

Protection of printouts

Heading/Trailing banners with recipient name and location

Print “No Output” when report is empty

The Control Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Separation of Duties & Layered Defense Protection of printouts Positive identification and logging of printouts Sign for receipt of sensitive printouts

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Separation of Duties & Layered Defense

Protection of printouts

Positive identification and logging of printouts

Sign for receipt of sensitive printouts

The Control Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Separation of Duties & Layered Defense Protection of printouts Positive identification and logging of printouts Protection of print queues

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Separation of Duties & Layered Defense

Protection of printouts

Positive identification and logging of printouts

Protection of print queues

The Control Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Separation of Duties & Layered Defense Protection of printouts Positive identification and logging of printouts Protection of print queues Audit of facility and processes audit logs logons operating system calls/utilities system connectivity

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Separation of Duties & Layered Defense

Protection of printouts

Positive identification and logging of printouts

Protection of print queues

Audit of facility and processes

audit logs

logons

operating system calls/utilities

system connectivity

The Problem Inability to recover from failures Legal liabilities

Inability to recover from failures

Legal liabilities

The Control Redundancy Regular backups of all software and files

Redundancy

Regular backups of all software and files

The Control Regular backups of all software and files Hardware Asset Management Hardware configuration Hardware inventory Fault tolerant equipment - design reliability Configuration Secure disposal Cleaning/Sanitizing Overwriting Destructive delete Degaussing Destruction Environmental protection

Regular backups of all software and files

Hardware Asset Management

Hardware configuration

Hardware inventory

Fault tolerant equipment - design reliability

Configuration

Secure disposal

Cleaning/Sanitizing

Overwriting

Destructive delete

Degaussing

Destruction

Environmental protection

Environmental Contamination Buildup of conductive particles, contaminants Circuit boards, microswitches, sensors Spontaneous combustion National Fire Protection - US computer room fire every 10 min 80% unknown causes (HW) Causes equipment failure Mass storage devices Pass through disk drive filters Read/write errors, disk crashes Government/contractor installations Max 100K parts per million in cubic foot of air Data center particulates <= 0.5 microns (19.69 microinches)

Buildup of conductive particles, contaminants

Circuit boards, microswitches, sensors

Spontaneous combustion

National Fire Protection - US computer room fire every 10 min

80% unknown causes (HW)

Causes equipment failure

Mass storage devices

Pass through disk drive filters

Read/write errors, disk crashes

Government/contractor installations

Max 100K parts per million in cubic foot of air

Data center particulates <= 0.5 microns (19.69 microinches)

Environmental Contamination Contaminants - Max 20 m-inches Hair - 3,000 m-inches Dust - 1,500 m-inches Fingerprint - 600 m-inches Smoke - 250 m-inches 2314 head flying height - 100 m-inches 2300 head flying height - 50 m-inches Metallics (vacuum cleaner brushes, printers, floors) Carbonaceous (autos, tobacco, toner, paper, burn) Synthetic (clothing, carpet) Cement/crystalline (subfloor, cleaning fluids, air purifiers)

Contaminants - Max 20 m-inches

Hair - 3,000 m-inches

Dust - 1,500 m-inches

Fingerprint - 600 m-inches

Smoke - 250 m-inches

2314 head flying height - 100 m-inches

2300 head flying height - 50 m-inches

Metallics (vacuum cleaner brushes, printers, floors)

Carbonaceous (autos, tobacco, toner, paper, burn)

Synthetic (clothing, carpet)

Cement/crystalline (subfloor, cleaning fluids, air purifiers)

Environmental Detection White glove samples examined with microscope Identification, no concentrations Petri dish samples examined with microscope Identification, no concentrations Aspirating pump collection examined with microscope Identification, some concentration data Particulate counter and collection bag Contaminant typing, some concentration data Vicon detector with filtering media and micro exam Accurate typing and concentration with multiple samples

White glove samples examined with microscope

Identification, no concentrations

Petri dish samples examined with microscope

Identification, no concentrations

Aspirating pump collection examined with microscope

Identification, some concentration data

Particulate counter and collection bag

Contaminant typing, some concentration data

Vicon detector with filtering media and micro exam

Accurate typing and concentration with multiple samples

Environmental Controls Cost justification Analyze with Vicon & maintain error logs Control program Separate equipment Activity restrictions Brushless vacuums with micron ratings <= 1 micron or wall mounted vacuum outside No ion-generating purifiers, conditioners, heaters Tile quality of floors Top-line filtration Train maintenance staff

Cost justification

Analyze with Vicon & maintain error logs

Control program

Separate equipment

Activity restrictions

Brushless vacuums with micron ratings <= 1 micron or wall mounted vacuum outside

No ion-generating purifiers, conditioners, heaters

Tile quality of floors

Top-line filtration

Train maintenance staff

The Control Regular backups of all software and files Hardware configuration and inventory Fault tolerant equipment Secure disposal Software Asset Management Operating/Backup software inventory Backups Generations Off-site Environmental control Controlled & authorized access to backups COTS Computer Off-the-Shelf Products Maintenance accounts/passwords

Regular backups of all software and files

Hardware configuration and inventory

Fault tolerant equipment

Secure disposal

Software Asset Management

Operating/Backup software inventory

Backups

Generations

Off-site

Environmental control

Controlled & authorized access to backups

COTS Computer Off-the-Shelf Products

Maintenance accounts/passwords

The Control Regular backups of all software and files Hardware configuration and inventory Fault tolerant equipment Operating and backup software inventory Off-site storage of backups Environmental and access control of backup storage Trusted recovery procedures Ensure security not breached during system crash and recovery Requires backup Reboot (Crash or power failure) Recover file systems (Missing resource) Restore files and databases (Inconsistent database) Check security files (System compromise)

Regular backups of all software and files

Hardware configuration and inventory

Fault tolerant equipment

Operating and backup software inventory

Off-site storage of backups

Environmental and access control of backup storage

Trusted recovery procedures

Ensure security not breached during system crash and recovery

Requires backup

Reboot (Crash or power failure)

Recover file systems (Missing resource)

Restore files and databases (Inconsistent database)

Check security files (System compromise)

Trusted System Operations Trusted computer base - HW/FW/SW protected by appropriate mechanisms at appropriate level of sensitivity/security to enforce security policy Trusted facility management - supports separate operator and administrator roles (B2) Clearly identify security admin functions Definition - Integrity formal declaration or certification of a product

Trusted computer base - HW/FW/SW protected by appropriate mechanisms at appropriate level of sensitivity/security to enforce security policy

Trusted facility management - supports separate operator and administrator roles (B2)

Clearly identify security admin functions

Definition - Integrity

formal declaration or certification of a product

Definitions Acceptance Verification that performance & security requirements have been met Accreditation Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk (QC) Certification Formal testing of security safeguards Operational assurance Verification that a system is operating according to its security requirements Design & Development reviews Formal modeling Security architecture ISO 9000 quality techniques Assurance Degree of confidence that the implemented security measures work as intended

Acceptance

Verification that performance & security requirements have been met

Accreditation

Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk (QC)

Certification

Formal testing of security safeguards

Operational assurance

Verification that a system is operating according to its security requirements

Design & Development reviews

Formal modeling

Security architecture

ISO 9000 quality techniques

Assurance

Degree of confidence that the implemented security measures work as intended

The Control Regular backups of all software and files Hardware configuration and inventory Fault tolerant equipment Operating and backup software inventory Off-site storage of backups Environmental and access control of backup storage Trusted reboot procedures Contingency Management Tested procedures to be taken before, during and after a threatening incident Continuity of operations - maintenance of essential DP services after incident Recovery procedure - actions to restore DP capability after incident

Regular backups of all software and files

Hardware configuration and inventory

Fault tolerant equipment

Operating and backup software inventory

Off-site storage of backups

Environmental and access control of backup storage

Trusted reboot procedures

Contingency Management

Tested procedures to be taken before, during and after a threatening incident

Continuity of operations - maintenance of essential DP services after incident

Recovery procedure - actions to restore DP capability after incident

Emergency Procedures Communications channel for evacuation signal Procedures to secure tapes, programs, … Evacuation routes/wardens Transportation routes for transporting employees Medical assistance Requesting police/fire assistance Storing backup files off-site Activating backup

Communications channel for evacuation signal

Procedures to secure tapes, programs, …

Evacuation routes/wardens

Transportation routes for transporting employees

Medical assistance

Requesting police/fire assistance

Storing backup files off-site

Activating backup

Configuration Management Controlling modifications to system HW/FW/ SW/Documentation Ensure integrity and limiting non-approved changes Baseline controls policies standards procedures responsibilities requirements impact assessments software level maintenance

Controlling modifications to system HW/FW/ SW/Documentation

Ensure integrity and limiting non-approved changes

Baseline controls

policies

standards

procedures

responsibilities

requirements

impact assessments

software level maintenance

Configuration Management Organized and consistent plan covering description of physical/media controls electronic transfer of software communications software/protocols encryption methods/devices security features/limitations of software hardware requirements/settings/protocols system responsibilities/authorities security roles/responsibilities user needs (sensitivity, functionality) audit information and process risk assessment results

Organized and consistent plan covering

description of physical/media controls

electronic transfer of software

communications software/protocols

encryption methods/devices

security features/limitations of software

hardware requirements/settings/protocols

system responsibilities/authorities

security roles/responsibilities

user needs (sensitivity, functionality)

audit information and process

risk assessment results

Risk Assessment/Analysis Includes: Threat Vulnerability Asset Ease of Use principle A system that is easier to secure is more likely to be secure

Includes:

Threat

Vulnerability

Asset

Ease of Use principle

A system that is easier to secure is more likely to be secure

Vulnerabilities Summary Improper access to system utilities Improper access to information Improper update of information Improper destruction of information Improper change to job schedule Improper access to printed materials Physical access to the computer room Physical access to printouts Access to print queues Denial of service Inability to recover from failures Fraud

Improper access to system utilities

Improper access to information

Improper update of information

Improper destruction of information

Improper change to job schedule

Improper access to printed materials

Physical access to the computer room

Physical access to printouts

Access to print queues

Denial of service

Inability to recover from failures

Fraud

Summary of Controls Personnel reviews - Background checks Password management Logging of all activities Problem reporting and change procedures All changes require approval Granular access control over system commands Individual access permissions Periodic review of access needed/granted Operational staff should not code or approve changes Operational staff should not perform security duties Operations staff should not do data entry Responsibilities in Operations should be divided Password Management Emergency procedures requiring approval

Personnel reviews - Background checks

Password management

Logging of all activities

Problem reporting and change procedures

All changes require approval

Granular access control over system commands

Individual access permissions

Periodic review of access needed/granted

Operational staff should not code or approve changes

Operational staff should not perform security duties

Operations staff should not do data entry

Responsibilities in Operations should be divided

Password Management

Emergency procedures requiring approval

Summary of Controls (2) Read vs Read/Write access Authorization for access to the facility Enforced control of access to the facility Physical oversight of operator console Protection of printouts Positive identification and logging of printouts Protection of print queues Regular backups of all software and files Off-site storage of backups Environmental control of backup storage Controlled & authorized access to backups

Read vs Read/Write access

Authorization for access to the facility

Enforced control of access to the facility

Physical oversight of operator console

Protection of printouts

Positive identification and logging of printouts

Protection of print queues

Regular backups of all software and files

Off-site storage of backups

Environmental control of backup storage

Controlled & authorized access to backups

The Real World Operations Controls Organizations understaffed, wear too many hats Separation of duties seldom complete A single password is used by all operators System commands are unrestricted on the console OR are granted to all operations staff Commands are not logged OR logs are not reviewed Emergency procedures and approvals poorly defined Operations personnel may support system software OR perform security functions

Operations Controls

Organizations understaffed, wear too many hats

Separation of duties seldom complete

A single password is used by all operators

System commands are unrestricted on the console

OR are granted to all operations staff

Commands are not logged

OR logs are not reviewed

Emergency procedures and approvals poorly defined

Operations personnel may support system software

OR perform security functions

The Real World (2) Operations Controls Most of IS and many users have access to facility Printouts are laid out for pickup without oversight Print queues are openly available to on-line users Only some platforms are backed up Backups are often stored on site In computer room OR In an office No restrictions are placed on access to backups Communications closets open

Operations Controls

Most of IS and many users have access to facility

Printouts are laid out for pickup without oversight

Print queues are openly available to on-line users

Only some platforms are backed up

Backups are often stored on site

In computer room

OR In an office

No restrictions are placed on access to backups

Communications closets open

Secure System Operation Identification Authorization Alarm Surveillance Real-time/Non-real-time Integrity

Identification

Authorization

Alarm

Surveillance

Real-time/Non-real-time

Integrity

Media Controls Tapes, disks, diskettes, cards, paper, optical Volume labels required Human/machine readable Date created, created by Date to destroy/retention period Volume/file name, version Classification Audit trail Separation of responsibility - librarian Backup procedures

Tapes, disks, diskettes, cards, paper, optical

Volume labels required

Human/machine readable

Date created, created by

Date to destroy/retention period

Volume/file name, version

Classification

Audit trail

Separation of responsibility - librarian

Backup procedures

Final Considerations What system commands are available? To whom? With what authentication? How are changes made and approved? To system software? To applications? To access? How are responsibilities divided? How available are printouts/print queues? How accessible is operations facility? Proportionality - Cost vs Benefit

What system commands are available?

To whom? With what authentication?

How are changes made and approved?

To system software? To applications? To access?

How are responsibilities divided?

How available are printouts/print queues?

How accessible is operations facility?

Proportionality - Cost vs Benefit