2. Operations Security
Operations security involves planning and sustaining the day-to-day processes that are critical for maintaining the security of institutions’ information environments
Members of the IT team with knowledge of and access to networks, data centers and admin accounts can cause serious damage
Providing the direction, resources, support, and review necessary to ensure that information assets are appropriately protected within their area of responsibility
3. Risks
Uninformed Employees – Not trained in security best practices, weak passwords, unattended systems, visiting unauthorized websites
Solution: Train employees on cyber security best practices and offer ongoing support, password management system
Mobile Devices (BYOD) – The risk of data theft is high when employees use mobile devices (particularly their own) to share data or access company information, or neglect to change mobile passwords
4. Risks
Tailgating and Piggybacking Through an Access Controlled Secure –
Tailgating is when another person, whether an employee or not, passes through a secure door without the knowledge of the person
Piggybacking is when another person follows through a door WITH the permission of the person who has received access.
Solution: 3-dimensional machine vision system that can differentiate between humans and objects, CCTV, anti-tailgating systems
5. Controllable Measures
Review documentation and evaluate guidance regarding change management, capacity management, and separation of development, test, and production environments
Malware detection and prevention controls – Evaluate their level of effectiveness
Data centre backup strategy – backup procedures and methods (e.g., encryption) are effective both for on- and off-premises backup management
Prepare in advance for IT controls audits to avoid service disruption
Provide intuitive, visual dashboards that reflect your current security status
An essential checklist for your security response solution
Editor's Notes
The objective of the ‘A.12 Operations Security’ domain is to help organizations put in place appropriate controls so that day-to-day operations are carried out in a controlled and secure manner. This includes documenting operating procedures; ensuring changes to information assets are carried out efficiently; protecting information assets from malware and other threats and vulnerabilities; ensuring backups are performed effectively so that information is available in a timely manner; logging and monitoring user activities; and ensuring continuous improvement through information systems audits and mitigations.