Information Systems Security: Operational Control for Information Security

Transcript of the slide deck "Information Systems Security: Operational Control for Information Security" (33 pages).

Page 1:

Information Systems Security

Operational Control for Information Security

Page 2:

Operational Control

The controls that deal with the everyday operation of an organization, to ensure that all objectives are achieved
Covers a wide spectrum of procedures associated with the users and with how the work gets done
A continual effort and discipline to maintain the system at a high level of security

Page 3:

Aspects of operational control

Staffing
Management
Application control
User management
Change control
Backup and restore
Incident handling
Awareness, training and education
Physical and environmental security

Page 4:

Staffing

Defining the job
Determine the sensitivity of the position
Filling the post, which involves background checks, screening and selecting an individual
Employee handbook
Training
Mandatory vacation
Job rotation

Page 5:

Management

Make sure the policies, standards, guidelines and procedures are in place and being followed
Administrative management practices to prevent fraud and eliminate the opportunity for it
Act with due care and due diligence

Page 6:

Management

Proper organization structure
Clear duties and responsibilities
Proper authorization procedure
Checks and balances
Schedule of work
Checking of results

Page 7:

Application of security principles

Separation of duties: to ensure a single individual cannot subvert a critical process (checks and balances)
Least privilege: granting users only the rights they need to perform their official duties

Page 8:

Application controls

Controls over the transactions and data of each computer-based application system; they are therefore specific to each application
The objective is to ensure the completeness and accuracy of the records and the validity of the entries

Page 9:

Application controls

They are controls over the input, processing and output functions. They include methods to ensure that:
Only complete, accurate and valid data are entered and updated
Processing performs the correct task
Data are maintained

Page 10:

Input controls

Sequence check
Limit check
Range check
Validity check
Check digit
Duplicate check
Logical relationship check
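The seven input controls above, implemented together as an added example (this is not code from the original slides). It validates a constructed batch of purchase-order records; the field names, the reference table of department codes, the amount ceiling, the quantity range and the choice of Luhn mod-10 as the check-digit scheme are all assumptions made for the example.

```python
"""Added example (not from the original slides): the seven input controls listed
above, applied to a constructed batch of purchase-order records. Field names,
the reference table, the limits and the use of Luhn mod-10 as the check-digit
scheme are all assumptions made for this example."""
from typing import Dict, List

VALID_DEPTS = {"FIN", "OPS", "HR"}   # assumed validity (reference) table
LIMIT_AMOUNT = 10_000.00              # assumed authorised ceiling per transaction
QTY_RANGE = (1, 500)                  # assumed permitted quantity range


def luhn_ok(number: str) -> bool:
    """Check digit control: the last digit must make the Luhn mod-10 sum zero."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(records: List[Dict]) -> Dict[int, List[str]]:
    """Apply the input controls to a batch. Returns {seq: [failed checks]};
    an empty dict means every record passed and the batch may be posted."""
    failures: Dict[int, List[str]] = {}
    seen_refs = set()
    expected_seq = 1
    for r in records:
        errs: List[str] = []
        # sequence check: batch records must arrive in unbroken order
        if r["seq"] != expected_seq:
            errs.append(f"sequence: expected {expected_seq}, got {r['seq']}")
        expected_seq = r["seq"] + 1
        # limit check: a single transaction may not exceed the ceiling
        if r["amount"] > LIMIT_AMOUNT:
            errs.append("limit: amount exceeds authorised ceiling")
        # range check: quantity must fall inside the permitted range
        if not QTY_RANGE[0] <= r["qty"] <= QTY_RANGE[1]:
            errs.append("range: quantity outside permitted range")
        # validity check: the code must exist in the reference table
        if r["dept"] not in VALID_DEPTS:
            errs.append("validity: unknown department code")
        # check digit: catches transposed or mistyped account numbers
        if not luhn_ok(r["account"]):
            errs.append("check digit: account number fails Luhn")
        # duplicate check: the same reference may not be entered twice
        if r["ref"] in seen_refs:
            errs.append(f"duplicate: reference {r['ref']} already in batch")
        seen_refs.add(r["ref"])
        # logical relationship check: fields must agree with each other
        if abs(r["qty"] * r["unit_price"] - r["amount"]) > 0.005:
            errs.append("logical relationship: amount != qty * unit_price")
        if errs:
            failures[r["seq"]] = errs
    return failures


# Constructed sample batch; 79927398713 is the well-known valid Luhn test number.
SAMPLE_BATCH = [
    {"seq": 1, "ref": "PO-1001", "dept": "FIN", "account": "79927398713",
     "qty": 10, "unit_price": 25.0, "amount": 250.0},          # clean
    {"seq": 2, "ref": "PO-1002", "dept": "OPS", "account": "79927398713",
     "qty": 600, "unit_price": 20.0, "amount": 12000.0},       # limit, range
    {"seq": 4, "ref": "PO-1003", "dept": "XYZ", "account": "79927398710",
     "qty": 5, "unit_price": 10.0, "amount": 60.0},            # sequence, validity, check digit, logical
    {"seq": 5, "ref": "PO-1001", "dept": "FIN", "account": "79927398713",
     "qty": 10, "unit_price": 25.0, "amount": 250.0},          # duplicate
]

if __name__ == "__main__":
    for seq, errs in validate_batch(SAMPLE_BATCH).items():
        print(f"record {seq} rejected: {'; '.join(errs)}")
```

Each check is independent and every failure is collected, so a rejected record comes back with the full list of reasons rather than only the first one found; that is what the data-entry clerk needs in order to correct and resubmit it.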

Page 11:

Process controls

Manual re-calculation
Run-to-run totals
Programmed controls
Exception reports
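Run-to-run totals, a programmed control and an exception report, shown in one two-stage batch run as an added example (not code from the original slides). The records, the hand-over between stages and the posting ceiling are constructed for the example; a flag lets you lose one record in transit to see the run-to-run check stop the run.

```python
"""Added example (not from the original slides): run-to-run control totals and an
exception report for a two-stage batch run. The records, the hand-over between
stages and the posting ceiling are constructed for this example."""
from decimal import Decimal
from typing import Dict, List, Tuple

Record = Dict[str, str]
Totals = Tuple[int, Decimal, int]


def control_totals(records: List[Record]) -> Totals:
    """Record count, amount total and a hash total of account numbers.
    The hash total has no business meaning; it exists only to detect a dropped,
    duplicated or altered record between runs."""
    count = len(records)
    amount = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    hash_total = sum(int(r["account"]) for r in records)
    return count, amount, hash_total


def hand_over(records: List[Record], simulate_loss: bool = False) -> List[Record]:
    """Stage 1 -> stage 2 transfer (e.g. a file written by one job and read by the
    next). With simulate_loss=True one record silently goes missing in transit."""
    return records[1:] if simulate_loss else list(records)


def stage_post(records: List[Record], ceiling: Decimal) -> Tuple[List[Record], List[Record]]:
    """Programmed control inside the posting step: records above the ceiling are
    not posted but diverted for manual review."""
    posted, exceptions = [], []
    for r in records:
        (exceptions if Decimal(r["amount"]) > ceiling else posted).append(r)
    return posted, exceptions


def run_batch(records: List[Record], ceiling: str, simulate_loss: bool = False) -> Dict:
    """Run-to-run check: the totals entering stage 2 must equal the totals that
    left stage 1, and after posting, posted + exceptions must still reconcile to
    the input. A mismatch stops the run rather than posting a partial batch."""
    limit = Decimal(ceiling)
    in_totals = control_totals(records)
    received = hand_over(records, simulate_loss)
    if control_totals(received) != in_totals:
        raise RuntimeError(f"run-to-run mismatch: stage 1 {in_totals}, stage 2 {control_totals(received)}")
    posted, exceptions = stage_post(received, limit)
    out_totals = control_totals(posted + exceptions)
    report = [f"EXCEPTION {r['ref']}: amount {r['amount']} exceeds ceiling {limit}" for r in exceptions]
    return {
        "input": in_totals,
        "posted": control_totals(posted),
        "reconciled": out_totals == in_totals,
        "exception_report": report,
    }


# Constructed sample run
SAMPLE = [
    {"ref": "TX-1", "account": "1001", "amount": "120.50"},
    {"ref": "TX-2", "account": "1002", "amount": "9500.00"},
    {"ref": "TX-3", "account": "1003", "amount": "15000.00"},
]

if __name__ == "__main__":
    result = run_batch(SAMPLE, "10000")
    print("input totals ", result["input"])
    print("posted totals", result["posted"])
    print("\n".join(result["exception_report"]))
    try:
        run_batch(SAMPLE, "10000", simulate_loss=True)
    except RuntimeError as e:
        print("stopped:", e)
```

Amounts are handled as Decimal, not float, so the totals compared between runs are exact; a float total can drift by a rounding error and produce a false mismatch (or, worse, mask a real one).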

Page 12:

Output controls

Logging
Storage of sensitive forms and reports in a secure place
Report distribution

Page 13:

Data file controls

Source document retention
Before and after imaging
Version control
Transaction log
Labeling
Authorization for access

Page 14:

Media control

A media library may be set up, and procedures adopted, to ensure the physical safety of the media and the security of the information held on them. Records kept for each volume:
Date of creation
Who created it
Period of retention
Classification
Volume name and version
Disposal

Page 15:

Error handling

Transaction log
Error correction procedure:
  Logging
  Timely correction
  Upstream resubmission
  Suspense file
  Error file
Cancellation of source document

Page 16:

User administration

User account management
Detecting unauthorized/illegal activities
Temporary assignments and transfers
Termination: friendly and unfriendly
Contractor access considerations
Public access considerations

Page 17:

User account management

The process of requesting, establishing, issuing and closing user accounts
Assigning user access authorizations and rights
Tracking users and their respective access authorizations
Password policy and guidelines

Page 18:

Detecting unauthorized/illegal activities

Monitoring and keeping logs
Auditing and reviewing logs
Setting a clipping level (the threshold of tolerated events, e.g. failed logins, above which the activity is reported for review)
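A log review that applies a clipping level, as an added example (not code from the original slides). The log lines are constructed in sshd style with documentation addresses; the clipping level of five failures and the ten-minute window are assumed values that a real deployment would tune to its own baseline.

```python
"""Added example (not from the original slides): a log review that applies a
clipping level to failed logins. The log lines are constructed in sshd style;
the clipping level and the time window are assumed values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CLIPPING_LEVEL = 5            # assumed: more than 5 failures from one source in WINDOW is reported
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (documentation addresses, not real hosts)
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[2201]: Accepted password for alice from 192.0.2.10 port 50211 ssh2
2024-03-01T09:02:10 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
2024-03-01T09:02:12 sshd[2211]: Failed password for root from 203.0.113.7 port 41002 ssh2
2024-03-01T09:02:15 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 41003 ssh2
2024-03-01T09:02:17 sshd[2213]: Failed password for bob from 203.0.113.7 port 41004 ssh2
2024-03-01T09:02:20 sshd[2214]: Failed password for bob from 203.0.113.7 port 41005 ssh2
2024-03-01T09:03:40 sshd[2220]: Failed password for bob from 198.51.100.4 port 39000 ssh2
2024-03-01T09:04:01 sshd[2221]: Failed password for bob from 203.0.113.7 port 41006 ssh2
2024-03-01T09:04:30 sshd[2222]: Accepted password for bob from 203.0.113.7 port 41007 ssh2
2024-03-01T09:05:00 sshd[2223]: Failed password for bob from 198.51.100.4 port 39001 ssh2
""".splitlines()

Event = Tuple[datetime, str, str, str]


def parse(lines: List[str]) -> List[Event]:
    """Extract (timestamp, result, user, source) from matching lines; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def review(lines: List[str]) -> List[Dict]:
    """Count failures per source inside a sliding window. A source is reported once
    it exceeds the clipping level; a later successful login from a reported source
    is flagged too, since that is what a successful guess looks like."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    reported = set()
    alerts: List[Dict] = []
    for ts, result, user, src in sorted(parse(lines)):
        if result == "Failed":
            recent[src] = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
            if len(recent[src]) > CLIPPING_LEVEL and src not in reported:
                reported.add(src)
                alerts.append({"type": "clipping_level_exceeded", "src": src,
                               "failures": len(recent[src]), "at": ts.isoformat()})
        elif src in reported:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a)
```

The two failures from 198.51.100.4 stay below the clipping level and produce nothing, which is the point of the control: ordinary mistyped passwords are tolerated, and only the source that crosses the threshold (and then logs in) reaches the reviewer.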

Page 19:

Change management

Request for change
Approval of change
Documentation of the change
Test and presentation (on the test system, then the production system)
Implementation
Report to management
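A minimal change-control record that enforces the separation of duties from page 7 and the test-before-production gate of the steps above, as an added example (not code from the original slides). The requester may not approve their own change, nothing reaches production without an approval and a passed test on record, and every transition is logged for the report to management. The role names, state names and the sample change are assumptions for the example.

```python
"""Added example (not from the original slides): a minimal change-control record
that enforces the separation of duties from page 7 (the requester may not approve
their own change) and the test-before-production gate from page 19. Role names,
state names and the change itself are assumptions for this example."""
from dataclasses import dataclass, field
from typing import List, Optional


class ControlViolation(Exception):
    """Raised when a transition would bypass a control."""


@dataclass
class ChangeRequest:
    ref: str
    description: str
    requester: str
    approver: Optional[str] = None
    tested_by: Optional[str] = None
    test_passed: bool = False
    state: str = "requested"
    log: List[str] = field(default_factory=list)   # documentation of the change

    def _record(self, message: str) -> None:
        self.log.append(f"{self.ref} [{self.state}] {message}")

    def approve(self, approver: str) -> None:
        if self.state != "requested":
            raise ControlViolation(f"cannot approve a change in state '{self.state}'")
        if approver == self.requester:
            # separation of duties: the person who asked for the change is not the check on it
            raise ControlViolation("requester may not approve their own change")
        self.approver = approver
        self.state = "approved"
        self._record(f"approved by {approver}")

    def record_test(self, tester: str, passed: bool) -> None:
        """Test on the test system; production is untouched at this step."""
        if self.state not in ("approved", "test_failed"):
            raise ControlViolation(f"cannot test a change in state '{self.state}'")
        self.tested_by = tester
        self.test_passed = passed
        self.state = "tested" if passed else "test_failed"
        self._record(f"test on test system by {tester}: {'passed' if passed else 'FAILED'}")

    def implement(self, implementer: str) -> None:
        """Move to the production system only with an approval and a passed test on record."""
        if self.state != "tested" or not self.test_passed or self.approver is None:
            raise ControlViolation("no approval and passed test on record; production change refused")
        self.state = "implemented"
        self._record(f"implemented on production system by {implementer}")

    def management_report(self) -> str:
        """The trail reported to management at the end of the change."""
        return "\n".join(self.log)


if __name__ == "__main__":
    cr = ChangeRequest("CR-42", "rotate TLS certificate on the web tier", requester="alice")
    try:
        cr.approve("alice")
    except ControlViolation as e:
        print("blocked:", e)
    cr.approve("bob")
    cr.record_test("carol", passed=False)
    cr.record_test("carol", passed=True)
    cr.implement("ops-oncall")
    print(cr.management_report())
```

The checks live in the transitions, not in the caller: there is no code path from "requested" to "implemented" that skips approval or a passed test, so the control holds even for a caller who forgets a step.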

Page 20:

Backup and Restore

Loss of data due to:
Hardware failure
Software failure
File system corruption
Accidental deletion
Virus infection
Theft
Sabotage
Natural disaster

Page 21:

Six steps to backup and recovery

Preparation
Identify assets and requirements
Select backup strategy
Develop data protection strategy
Backup process and monitoring
Recovery drill test

Refer to the IS Guide to SME
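The last two steps, the backup process and the recovery drill, as an added example (not code from the original slides or the IS Guide). The backup writes a SHA-256 manifest next to the archive; the drill restores into a scratch directory and reconciles every file against the manifest, so "the backup ran" is replaced by "the backup restores correctly". All paths are temporary directories created by the script and the sample files are constructed; a flag alters one manifest hash to show what a failed drill reports.

```python
"""Added example (not from the original slides): a backup run that writes a
SHA-256 manifest next to the archive, and a recovery drill that restores into a
scratch directory and checks every file against that manifest. All paths are
temporary directories created by the script; the sample files are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Archive every file under `source` and record {relative path: sha256}.
    The manifest is what later proves the restore is complete and unaltered."""
    archive = dest_dir / "backup.tar.gz"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    (dest_dir / "backup.manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive


def recovery_drill(archive: Path, manifest_path: Path) -> Dict:
    """Restore into a throwaway directory and reconcile against the manifest.
    Reports missing, corrupt and unexpected files; ok is True only if all are empty."""
    manifest = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # extract only regular files with relative, traversal-free names,
            # so a tampered archive cannot write outside restore_dir
            safe = [m for m in tar.getmembers()
                    if m.isfile() and not Path(m.name).is_absolute()
                    and ".." not in Path(m.name).parts]
            tar.extractall(restore_dir, members=safe)
        restored = {p.relative_to(restore_dir).as_posix()
                    for p in restore_dir.rglob("*") if p.is_file()}
        missing = sorted(rel for rel in manifest if rel not in restored)
        corrupt = sorted(rel for rel in manifest if rel in restored
                         and sha256_of(restore_dir / rel) != manifest[rel])
        extra = sorted(restored - set(manifest))
    return {"files": len(manifest), "missing": missing, "corrupt": corrupt,
            "extra": extra, "ok": not (missing or corrupt or extra)}


def run_drill(tamper: bool = False) -> Dict:
    """End-to-end: create sample data, back it up, then drill the restore.
    With tamper=True one manifest hash is altered to show a failed drill."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.csv").write_text("id,amount\n1,250.00\n")   # constructed
        (src / "config.ini").write_text("[app]\nmode=prod\n")               # constructed
        dest = Path(root) / "backups"
        dest.mkdir()
        archive = make_backup(src, dest)
        manifest_path = dest / "backup.manifest.json"
        if tamper:
            m = json.loads(manifest_path.read_text())
            m["config.ini"] = "0" * 64
            manifest_path.write_text(json.dumps(m))
        return recovery_drill(archive, manifest_path)


if __name__ == "__main__":
    print("drill:", run_drill())
    print("drill with altered manifest:", run_drill(tamper=True))
```

In a real deployment the manifest should be stored apart from the archive (and ideally signed), otherwise whoever can alter the backup can alter the evidence that it is intact; the drill should also be run from the offsite copy, since that is the one you will depend on after a disaster.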

Page 22:

Comparison of backup media

Page 23:

Computer security incident handling

How to respond to malicious technical threats
Closely related to support and operations and to contingency planning

Page 24:

Computer security incident handling

Reporting of the security incident
How to contain the damage
What technical expertise is required
Liaising with other organizations, e.g. CERT, police
How to respond to the public
Awareness of staff is important

Page 25:

Incident Response

Objectives:
Minimise business loss and the subsequent liability of the company
Minimise the impact of the incident in terms of information leakage, corruption of systems, etc.
Ensure the response is systematic and efficient

Page 26:

Incident Response

Ensure the required resources are available to deal with incidents
Ensure all concerned parties have a clear understanding of the tasks they should perform
Ensure the response activities are coordinated
Prevent future attacks and damage
Deal with related legal issues

Page 27:

Incident Response

Preparation
Detection
Containment
Eradication
Recovery
Follow-up

Refer to the IS Guide to SME

Page 28:

Disaster Recovery and Business Continuity Planning

Identify the mission-critical functions
Identify the resources that support the critical functions
Anticipate potential contingencies or disasters
Select and devise contingency plans
Implement contingency plans
Test and revise the plans

Page 29:

Awareness, training and education

People are a very important part of an information system
How to improve their behaviour
Increase the ability to hold employees accountable

Page 30:

Awareness

Stimulates and motivates employees to take security seriously, and reminds them of the security practices to be followed

Page 31:

Physical and environmental security

Measures to protect systems, buildings and related supporting infrastructure against threats associated with the physical environment
Natural threats
Man-made threats

Page 32:

Physical and environmental security

Threats:
Physical damage
Physical theft
Interruption of computing services
Unauthorized disclosure of information
Loss of control over system integrity

Page 33:

Physical and environmental security

Controls:
Physical access control: biometrics
Fire safety
Supporting facilities
Structural collapse
Plumbing leaks
Interception of data
Mobile and portable systems