Chapter 5: Maintaining Security of Operations

Objectives
• Establish routine security of operations
• Create a dependable operational security process
• Ensure an operational response to incidents
Security of Operations
• A critical part of the information assurance lifecycle
• Ensures that the security function keeps its integrity and continues to perform as intended
• The process involves actions such as:
  • Ensuring that current operating procedures are properly aligned with the organization's security policies
  • Monitoring the performance of assigned security duties to confirm that they follow the proper processes
  • Defining and executing operational housekeeping processes so that the security function continues to operate properly

Aims: Aligning Purpose with Practice
• Information assurance goals must be satisfied for the organization to be secure
• Factors that can affect this include changes in:
  • The people who use the system, or their motivations
  • The types of systems interconnected with the organization's systems
  • The type or sensitivity of the data
  • The way the organization does business, or the type of business it conducts
  • The rigor and extent of the information assurance objectives
  • The organizational risk model and risk tolerance approach
• If an information assurance goal is not being met, the organization performs a risk assessment and risk mitigation process to decide how to meet it
Threat Response: Keeping the Organization on Its Toes
• Threat response is either proactive or reactive
• Proactive activities include:
  • Identification of threats and vulnerabilities
  • Creation, assessment, and optimization of security solutions
  • Implementation of controls to protect the software and the information
• Reactive activities include:
  • Detecting and reacting to external or internal intrusions or security violations in a timely manner

Staying Alert: Elements of the Operational Security Process
• The operational security process is composed of four principles, which represent its primary functions:
  • Sensing
  • Analyzing
  • Responding
  • Managing
Sensing: Understanding the Threat
• Operational sensing is proactive and must be performed continuously
• It is implemented and run through defined policies, procedures, tools, and standards
• It monitors, tests, and assesses the environment to detect vulnerabilities and security violations
• It identifies and resolves threats as they arise
• Reviews monitor and evaluate the behavior of management and end users
• Security assurance requires documentary evidence of:
  • A feasible information assurance and security perimeter
  • An overall concept of standard operating procedure
  • A generic operational testing and review plan
  • Policies to ensure an appropriate response to unexpected incidents
  • A secure site plan
  • A Business Continuity and Disaster Recovery Plan (BCP/DRP)
  • Assurance that all staff are adequately trained in secure operation
  • Assurance that all staff are capable of using the security functionality relevant to their position in the organization
Analyzing: Making Smart Decisions
• A good decision about a given threat requires understanding its consequences and impacts
• Threat assessment: understanding the consequences
• Impact analysis: evaluating the strategy
• Reporting: understanding the alternatives
• Authorizing: getting the go-ahead

Responding: Ensuring a Disciplined Response
• This function implements the authorized corrective action
• Factors that might influence the decision include:
  • Resource constraints
  • Difficulty or infeasibility of the required response
• All threats and vulnerabilities should be tracked and the resulting responses overseen
• A defined process is required to ensure that this is done accurately

Managing: Maintaining an Effective Process
• All information assurance processes, as routine functions, have to be planned, designed, administered, and maintained
• Ensures that effective leadership, vision, and expertise are exercised at all times
• Oversees and coordinates the alignment process so that the best response to threats and changes is maintained in a dynamically changing situation
Implementation: Setting Up the Security of Operations Process
• Security of operations is founded on organization-wide policies, procedures, and countermeasures
• It maintains the relevance and effectiveness of the infrastructure
• It specifies the approved methods and processes that will be followed to ensure security performance
• It should be embedded as part of day-to-day workplace functioning
• Operational assessment is critical:
  • The methods and metrics used to track performance must be specified
  • Certifications must be used to judge proper execution

Operational Planning
• A formal security of operations plan is an important baseline document
• It acts as a point of reference in the evolution of events and in day-to-day management
• It operationalizes and coordinates the elements of the security of operations function
• It organizes and focuses the effective deployment of resources
• It supports the budgeting process
• It makes the security objectives explicit
• It serves as a mechanism for assessing contractual and regulatory obligations
• It organizes the technical and management response so that the right set of countermeasures is always in place
• The operational security plan is built and maintained through eight stages

Steps for a Secure Operation
• Step 1: Document the baseline
• Step 2: Determine the benchmarks
• Step 3: Establish a security architecture
• Step 4: Build awareness
• Step 5: Deploy supporting technology
• Step 6: Assess performance
• Step 7: Specify how corrective action will be taken
• Step 8: Enforce accountability
Operational Response
• Security of operations should ensure that an effective operational response is in place
• It resolves problems as they appear
• The response is established and maintained by a plan
• The plan integrates the sensing, analyzing, and responding principles into a set of procedures that meet the security needs
• A pre-defined response ensures that an optimum solution is provided in a timely fashion
• Timeliness is underwritten by effective incident reporting
• Ensuring effective reporting and response:
  • A formal incident response team (IRT) or operational response team (ORT)
  • Ensuring timely reports: each report describes both the type and the estimated impact of the incident
  • Ensuring timely response: incident reports should go to a single central coordinator or facilitator for confirmation, analysis, and subsequent action

Anticipating Potential Incidents
• Potential incidents include:
  • Pre-attack probes
  • Unauthorized access attempts
  • Denial of service attempts
  • Vulnerabilities in the infrastructure
• Reports are generic and result from routine data-gathering activity and analysis
• Reports also result from analyses performed by the software and are generated by intrusion detection devices
• Operational event logging monitors the events taking place within the system
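The slide lists the incident types (pre-attack probes, unauthorized access attempts, denial of service attempts) and says reports come from analysis of operational event logs and must carry the type and estimated impact. The following is an added example, not code from the original slides, of what that sensing step looks like as detection logic run over log lines. The three log line formats, the sample lines, the thresholds, and the impact ratings are all constructed for the example; a real deployment would tune the windows and thresholds to its own baseline traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Three line formats the detector understands. The formats and all sample
# lines below are constructed for this example, not taken from a real system.
SSHD_FAIL = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+) port \d+$")
FW_DROP = re.compile(r"^(\S+) firewall: DROP SRC=(\S+) DST=\S+ DPT=(\d+)$")
HTTP_REQ = re.compile(r"^(\S+) httpd: (\S+) (?:GET|POST) \S+ \d{3}$")


def parse(line):
    """Return (kind, timestamp, source, detail) for a recognised line, else None."""
    m = SSHD_FAIL.match(line)
    if m:
        return "auth_fail", datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)
    m = FW_DROP.match(line)
    if m:
        return "fw_drop", datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
    m = HTTP_REQ.match(line)
    if m:
        return "http", datetime.fromisoformat(m.group(1)), m.group(2), None
    return None


def max_in_window(events, window, distinct=False):
    """Largest number of events (or of distinct details, if distinct=True)
    falling inside any sliding time window of the given length."""
    events = sorted(events, key=lambda e: e[0])
    counts, start, best = Counter(), 0, 0
    for end, (ts, detail) in enumerate(events):
        counts[detail if distinct else end] += 1
        while ts - events[start][0] > window:          # slide the window forward
            old = events[start][1] if distinct else start
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


# kind -> (window, threshold, count distinct details?, incident type, estimated impact)
RULES = {
    "auth_fail": (timedelta(seconds=60), 5, False, "unauthorized access attempt (password guessing)", "medium"),
    "fw_drop":   (timedelta(seconds=60), 10, True, "pre-attack probe (port scan)", "low"),
    "http":      (timedelta(seconds=10), 50, False, "denial of service attempt (request flood)", "high"),
}


def detect(lines):
    """Run every rule over the log; one report per (rule, source) that trips it.
    Each report carries the incident type and estimated impact the central
    coordinator needs in order to triage it."""
    by_source = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            kind, ts, src, detail = parsed
            by_source[(kind, src)].append((ts, detail))
    reports = []
    for (kind, src), events in by_source.items():
        window, threshold, distinct, incident, impact = RULES[kind]
        observed = max_in_window(events, window, distinct)
        if observed >= threshold:
            reports.append({"type": incident, "source": src, "observed": observed, "impact": impact})
    return sorted(reports, key=lambda r: r["source"])


# Constructed sample log: a password-guessing burst, a port sweep, a request
# flood, plus benign traffic from 198.51.100.4 that must not be reported.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d} sshd: Failed password for {u} from 203.0.113.7 port {51000 + i}"
     for i, u in enumerate(["root", "admin", "oracle", "test", "guest", "backup"])]
    + ["2024-03-01T10:00:09 sshd: Accepted publickey for alice from 198.51.100.4 port 40222"]
    + [f"2024-03-01T10:01:{i:02d} firewall: DROP SRC=198.51.100.99 DST=10.0.0.5 DPT={p}"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])]
    + ["2024-03-01T10:01:30 firewall: DROP SRC=198.51.100.12 DST=10.0.0.5 DPT=445"]
    + [f"2024-03-01T10:02:{i % 5:02d} httpd: 192.0.2.50 GET /login 200" for i in range(60)]
    + [f"2024-03-01T10:03:{i:02d} httpd: 198.51.100.4 GET /index.html 200" for i in range(5)]
)

if __name__ == "__main__":
    for report in detect(SAMPLE_LOG):
        print(f"{report['impact']:>6}  {report['source']:<15} {report['type']} (observed={report['observed']})")
```

The sliding window matters: a threshold applied to raw totals would flag a host that fails one login a day for a week, while a window catches the burst that actually signals guessing. Single drops and a handful of normal requests, as from 198.51.100.12 and 198.51.100.4 above, stay below every threshold and produce no report.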
Working with Active Incidents
• Active incidents always require an operational response
• The actions are dictated by the circumstances and may require:
  • Applying a technical patch
  • Reconfiguring or reinstalling the system
  • A change in policy and procedure
  • Implementation of new enforcement mechanisms
• The operational response team:
  • Contains the harm from an incident and prevents its recurrence
  • Supervises the change to the target system through the configuration management process
  • Performs the coordination and documentation activities needed
Ensuring Continuing Integrity: Configuration Management
• A formal procedure undertaken for change management; it governs the evolution of change to controlled objects
• It is a critical component of security for two reasons:
  • Predictable day-to-day functioning of systems
  • The ability to detect unauthorized changes
• It maintains the integrity of the items under its control
• It allows managed changes to be evaluated and carried out
• It establishes the integrity of the system

Human-based: Configuration Management
• Configuration manager role:
  • Processes all requests for change
  • Manages the change authorization process
  • Verifies that each change is complete
• Baseline manager role:
  • Identifies, accounts for, and maintains all configuration items using the identification scheme
  • Establishes a baseline management ledger (BML)
  • Records all changes and promotions to baselines in this ledger
  • Maintains the libraries associated with it
• Verification manager role:
  • Confirms that items in the change management ledger conform to the identification scheme
  • Verifies that changes have been carried out
  • Conducts milestone reviews and audits
• Status accounting ensures the continuing correct status of each baseline; a change at any level in the structure must be reflected at all levels
• Configuration management plan: lists the activities in the configuration management function, including:
  • The procedures to be followed during the configuration management process
  • The schedule for routine activities
  • The procedures for performing configuration management activity involving other organizations
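The slides describe configuration management in terms of roles: identification of items, a baseline management ledger that records promotions, status accounting that compares each baseline against reality, and the detection of unauthorized change. The following is an added example, not code from the original slides, showing the mechanical core of that process for a directory of configuration files: a ledger of SHA-256 digests, a status-accounting pass that reports anything added, removed, or altered, and a promotion step that records an approved change. The file tree, the ledger layout, the ticket number, and the use of relative paths as the identification scheme are all constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def identify(root):
    """Configuration identification: one entry per file under root, keyed by
    its path relative to root (the identification scheme for this example)."""
    root = Path(root)
    items = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            items[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "mode": oct(st.st_mode & 0o777), "size": st.st_size}
    return items


def save_ledger(ledger, path):
    Path(path).write_text(json.dumps(ledger, indent=2, sort_keys=True))


def load_ledger(path):
    return json.loads(Path(path).read_text())


def status_accounting(ledger, root):
    """Compare the approved baseline against what is actually on disk.
    Anything added, removed, or modified without a ledger entry is an
    unauthorized change and must be raised through the change process."""
    baseline, current = ledger["items"], identify(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n]),
    }


def promote(ledger, root, name, ticket, approved_by):
    """Record an authorized change: re-baseline the item and log the promotion
    (who approved which change) so the ledger stays the authoritative history."""
    current = identify(root)
    if name in current:
        ledger["items"][name] = current[name]
    else:
        ledger["items"].pop(name, None)           # authorized removal
    ledger["history"].append({"item": name, "ticket": ticket, "approved_by": approved_by,
                              "sha256": current.get(name, {}).get("sha256")})
    return ledger


def demo():
    """Build a constructed config tree, baseline it, make one unauthorized edit and
    drop in one unlisted file, then show the ledger catching both and being
    brought back in step once the edit is approved and the stray file removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc" / "app"
        root.mkdir(parents=True)
        (root / "config.ini").write_text("debug=false\n")
        (root / "allow.list").write_text("alice\nbob\n")
        ledger_path = Path(tmp) / "bml.json"
        save_ledger({"items": identify(root), "history": []}, ledger_path)

        (root / "config.ini").write_text("debug=true\n")      # edited with no change request
        (root / "run.sh").write_text("#!/bin/sh\nid\n")       # file nobody authorized
        before = status_accounting(load_ledger(ledger_path), root)

        ledger = promote(load_ledger(ledger_path), root, "config.ini", "CR-0042", "config manager")
        (root / "run.sh").unlink()                            # response: remove the stray file
        save_ledger(ledger, ledger_path)
        after = status_accounting(load_ledger(ledger_path), root)
        return {"before": before, "after": after, "history": ledger["history"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger is only as trustworthy as its own protection: if the person or process that can edit the monitored files can also rewrite the ledger, status accounting proves nothing. Store it where the systems it describes cannot write to it, and treat a ledger entry without a matching history record as a finding in its own right.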
Operational Housekeeping
• Operational housekeeping ensures that routine information processing activities are performed securely
• It is responsible for ensuring that the organization's information is protected from common threats
• Proactive measures such as periodic inspections and compliance audits
• Managerial concerns: ensuring that routine patches and repairs to equipment and facilities are performed

Preparing an Operational Procedure Manual
• Every organization has to compile, distribute, and update a procedure manual
• It details all the procedures required to ensure continuous security of operations
• It should contain simple checklists that give clear directions to employees performing routine housekeeping
• Each procedure should list the required steps along with the expected results, and a way to determine whether those results are correct
• There should be a clear statement of the interrelationship between related procedures

Managing Security Patches
• A patch management process should be in place so that software is consistently updated and maintained to close vulnerabilities
• Patches are important safeguards and a routine part of the security maintenance process
• Any operating system security update should be verified, tested, and then installed without delay; the order matters, since a patch that has not been confirmed as genuine and intact, and tested against the organization's own configuration, can become an incident of its own
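The slide says a security update must be verified before it is tested and installed. As an added example, not code from the original slides, the following implements that verification gate for a patch bundle shipped with a sha256sum-style manifest: it parses the manifest, checks every listed file, and refuses to pass the bundle to the test ring if anything is missing, altered, or unlisted. The manifest format, the file names, and the bundle contents are constructed for the example.

```python
import hashlib
import re

# sha256sum-style manifest line: 64 hex digits, whitespace, optional "*" (binary
# mode marker), file name. Format assumed for this example.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_manifest(text):
    """Parse a SHA256SUMS-style manifest into {name: expected_hex}. Malformed or
    duplicate lines are errors: a manifest you cannot parse cleanly is not one
    you should trust to gate an install."""
    expected = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {n} is malformed: {raw!r}")
        digest, name = m.groups()
        if name in expected:
            raise ValueError(f"manifest line {n}: duplicate entry for {name}")
        expected[name] = digest.lower()
    return expected


def verify_bundle(manifest_text, files):
    """Check every file in a patch bundle ({name: bytes}) against the manifest.
    Returns (ok, report); ok is True only when every listed file is present and
    matches and nothing unlisted has been slipped into the bundle."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        if name not in files:
            report[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    for name in files:
        if name not in expected:
            report[name] = "unlisted"
    return all(v == "ok" for v in report.values()), report


# Constructed patch bundle and the manifest the "vendor" would ship with it.
GOOD_FILES = {
    "hotfix-2024-03.bin": b"\x7fELF" + b"\x00" * 60,   # stand-in for a binary update
    "install.sh": b"#!/bin/sh\nset -e\ncp hotfix-2024-03.bin /opt/app/\n",
}
GOOD_MANIFEST = "# SHA256SUMS for hotfix-2024-03\n" + "".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in GOOD_FILES.items())

# Same bundle with the installer altered after the manifest was produced.
TAMPERED_FILES = {**GOOD_FILES, "install.sh": GOOD_FILES["install.sh"] + b"echo tampered\n"}

# The bundle with an extra file that the manifest never listed.
PADDED_FILES = {**GOOD_FILES, "extra.so": b"\x00" * 16}


def gate_install(manifest_text, files):
    """The verify step from the slide: refuse to move a patch on to testing and
    installation unless the bundle checks out. A true result only means the
    bundle matches the manifest; the manifest itself must have come through an
    authenticated channel (vendor signature), or an attacker who replaces the
    files can just as easily replace the checksums."""
    ok, report = verify_bundle(manifest_text, files)
    if not ok:
        bad = {k: v for k, v in report.items() if v != "ok"}
        return False, f"refusing to stage patch: {bad}"
    return True, "bundle verified; proceed to test ring"


if __name__ == "__main__":
    for label, bundle in [("good", GOOD_FILES), ("tampered", TAMPERED_FILES), ("padded", PADDED_FILES)]:
        print(label, gate_install(GOOD_MANIFEST, bundle))
```

Checksums detect corruption and casual tampering with the files; they do not authenticate the vendor. In practice the manifest, or the bundle as a whole, must carry a signature checked against a key obtained out of band, and only then does the checksum comparison above mean what the slide's "verified" implies.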
Back Up Your Data, Back Up Your Job
• Backups are an important housekeeping function
• They support the recovery function and are an essential prerequisite for business continuity
• They support the recovery point objective (RPO) in business continuity planning: the interval between backups bounds how much data can be lost
• Other reasons for backups include hard drive failure, serious virus attack, and other accidents
• Backups run on a schedule dictated by operational circumstances

Enforcing Personal Security Discipline
• Personal security discipline implies that staff members routinely follow approved security procedures
• Steps need to be taken to ensure that routine activities are performed in a continuous and repeatable way
• Discipline is the key to ensuring that routine behaviors are actually performed
• Discipline hinges on people understanding the importance of routine security practices, which is the job of the education, training, and awareness function
Maintaining Your Software
• Software must be configured and must operate without conflict, to ensure safe and secure operation and to provide essential automated security services
• The visible part of the process:
  • Registry and file system utilities aligned correctly and interacting properly
  • Running disk cleanups and performing hardware checks
  • Security utilities: virus and spyware checkers and spam filters

Making Your Software Behave
• Software functionality is difficult to assure, since software interactions occur inside the computer where they cannot be observed directly
• It is therefore necessary to perform system integrity checks
• These assure that the registry files, applications, and system utilities are installed properly and working as designed
• Preventive maintenance should be routinely scheduled, coordinated, enforced, and reported through the information assurance function

Watching Your Back
• Have a set of operational procedures in place to secure application systems
• These procedures include system management responsibilities such as:
  • Ensuring that security functions are enabled on both user and administrative accounts
  • Conducting software engineering procedures such as routine operational testing
  • Simple processes such as regularly ensuring that passwords are changed
  • Checking system event logs periodically

Disposing of Assets in a Secure Manner
• A critical part of the day-to-day integrity of information is the secure disposal of media
• There must be rules for the secure erasure or destruction of electronic storage media
• Routine clear-out of temporary files and temporary Internet cache files
• Use of modern shredders to dispose of paper copies
• For especially sensitive material, use of contracted destruction services
• Magnetic storage media such as floppies routinely degaussed or shredded prior to disposal (degaussing only works on magnetic media; flash-based storage needs cryptographic erase or physical destruction)

Locking Down Electronic Office Systems
• Ensure that e-mail and office automation systems are tightly controlled
• There is a need to develop and formalize a statement of what is and is not acceptable use; this is called an acceptable use policy (AUP)
• The AUP serves as the formal basis for subsequent control

Defining Good Security Practice for an E-Mail System
• Defining, communicating, and enforcing good security practice in the daily operation of the e-mail system can prevent most violations
• Monitoring of acceptable use is frequently used in larger organizations and can be embedded in a software utility
