Operations Security Policy


INSPIRING BUSINESS INNOVATION

OPERATIONS SECURITY POLICY

Version 1.1

Policy Number:

1. Table of Contents

1. Table of Contents
2. Property Information
3. Document Control
   3.1. Information
   3.2. Revision History
   3.3. Review, Verification and Approval
   3.4. Distribution List
4. Policy Overview
   4.1. Purpose
   4.2. Scope
   4.3. Terms and Definitions
   4.4. Change, Review and Update
   4.5. Enforcement / Compliance
   4.6. Waiver
   4.7. Roles and Responsibilities (RACI Matrix)
   4.8. Relevant Documents
   4.9. Ownership
5. Policy Statements
   5.1. Documented Operating Procedures
   5.2. Change Management
   5.3. Capacity Management
   5.4. Separation of Development, Testing and Operational Environments
   5.5. Controls against Malware
   5.6. Information Backup
   5.7. Event Logging
   5.8. Protection of Log Information
   5.9. Administrator and Operator Logs
   5.10. Clock Synchronization
   5.11. Installation of Software on Operational Systems
   5.12. Management of Technical Vulnerabilities
   5.13. Restrictions on Software Installation
   5.14. Information Systems Audit Controls

2. Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.

3. Document Control

3.1. Information

| Title | Classification | Version | Status |
|---|---|---|---|
| OPERATIONS SECURITY POLICY | Confidential | 1.1 | validated |

3.2. Revision History

| Version | Author(s) | Issue Date | Changes |
|---|---|---|---|
| 0.1 | Alaa Alaiwah - Devoteam | November 18, 2014 | Creation |
| 0.2 | Nabeel Albahbooh - Devoteam | December 1, 2014 | Update |
| 0.3 | Osama Al Omari - Devoteam | December 27, 2014 | QA |
| 1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update |
| 1.1 | Muneeb Ahmad - ICT, IAU | 02 May 2017 | Update |

3.3. Review, Verification and Approval

| Name | Title | Date |
|---|---|---|
| Lamia Abdullah Aljafari | Quality Director | |
| Dr. Saad Al-Amri | Dean of ICT | |

3.4. Distribution List

| Copy # | Recipients | Location |

4. Policy Overview

This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

4.1. Purpose

The main purpose of the Operations Security Policy is to:

Ensure proper and secure operations of information processing facilities, in addition to ensuring protection against malware, viruses, trojans and data loss.

In addition, this policy ensures the integrity of operational systems, prevents exploitation of technical vulnerabilities, and minimizes the impact of audit activities on operational systems.

4.2. Scope

The policy statements written in this document are applicable to all of IAU’s resources at all levels of sensitivity, including:

- All full-time, part-time and temporary staff employed by, or working for or on behalf of UD.
- Students studying at UD.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU’s ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

| Term | Definition |
|---|---|
| Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions. |
| Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information system. |
| Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity. |
| Capacity Management | The process of determining the system capacity needed to deliver specific performance levels through quantification and analysis of current and projected workload. |
| Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes. |
| Control | A means of managing risk, including policies, procedures, and guidelines which can be of administrative, technical, management or legal nature. |
| Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies. |
| Event | An event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards or a previously unknown situation that may be security relevant. |
| Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. |
| Integrity | Maintaining and assuring the accuracy and consistency of asset over its entire life-cycle. |
| Malware (Malicious) | Software designed to disrupt computer operation, gather sensitive information, or gain access to private computer systems (e.g., virus or Trojan horse). |
| Owner | A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset. |
| Penetration Testing | A method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization's systems) and malicious insiders (who have some level of authorized access). The process involves an active analysis of the system for any potential vulnerability that could result from poor or improper system configuration, both known and unknown hardware/software flaws or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. |
| Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. |
| Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. |
| System | An equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data and that includes computer software, firmware and hardware. |
| Threat | A potential to cause an unwanted incident which may result in harm to a system such as unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets or services or injury to people. A threat may be deliberate, accidental or of natural origin. |
| Vulnerability | A weakness in security procedures, processes or controls that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing. |
| Vulnerability Assessment | A process of identifying, quantifying and prioritizing (or ranking) the vulnerabilities in a system. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. |

Table 1: Terms and Definitions

4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be exclusively performed by the Information Security Officer and approved by Management. A change log shall be kept current and be updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and it is to be reviewed periodically by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Centre) shall ensure continuous compliance monitoring within their area.

If the information security directives are ignored or infringed, IAU’s environment could be harmed (e.g., loss of trust and reputation, operational disruptions or legal violations), and the persons at fault will be held responsible, resulting in disciplinary or corrective actions (e.g., dismissal), and could face legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) must be ensured. Management and the Human Resources Department should be informed of policy violations and deal with their handling.

4.6. Waiver

Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include justification and benefits attributed to the waiver.

The policy waiver period is a maximum of 4 months; a waiver shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three consecutive terms.

4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix¹ that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.

The roles involved in this policy are: ICT Deanship, Information Security Officer (ISO), Project Management Office (PMO), Owner and User (Employee and Contract).

| Responsibilities | ICT ISO PMO Owner User |
|---|---|
| Identify and maintain capacity requirements for all new and ongoing activities of IT project. | R,A C R,I |
| Determining the required access rights of users to assets. | R,C C R,A I |
| Performing system/application/network security monitoring. | R,A C |
| Administering critical security infrastructures (e.g., antivirus infrastructure). | R,A C I |
| Designing and implementing network and system security. | R,A C I |
| Implementing appropriate controls to protect the confidentiality, integrity, availability and authenticity of sensitive information. | R,A C I |
| Coordinating a response to actual or suspected breaches in the confidentiality, integrity or availability of IAU’s critical systems. | R,A C I |
| Implementing changes and installing patches on system/application/network according to Change Management and Patch Management Procedures. | R,A C C,I |
| Adhering to information security policies and procedures pertaining to the protection of information. | C C R,A,I |
| Reporting actual or suspected security incidents to ICT Deanship. | A,C C I R |

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

4.8. Relevant Documents

The following policies and procedures are relevant to this policy:

- Information Security Policy
- Asset Management Policy
- Access Control Policy
- Information Security Incident Management Policy
- Compliance Policy
- Risk Management Policy
- Backup and Restoration Procedure
- Change Management Procedure
- Patch Management Procedure
- Physical and Logical Access Management Procedure
- System Acquisition, Development and Maintenance Procedure

¹ The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up-to-date on task progress.

4.9. Ownership

This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.

5. Policy Statements

The following subsections present the policy statements in 14 main aspects:

- Documented Operating Procedures
- Change Management
- Capacity Management
- Separation of Development, Testing and Operational Environments
- Controls against Malware
- Information Backup
- Event Logging
- Protection of Log Information
- Administrator and Operator Logs
- Clock Synchronization
- Installation of Software on Operational Systems
- Management of Technical Vulnerabilities
- Restrictions on Software Installation
- Information Systems Audit Controls

5.1. Documented Operating Procedures

1. ICT Deanship and Information Security Officer shall initiate or direct the development of processes, procedures, guidelines and standards, in accordance with IAU’s operational activities. The documented operating procedures may include, but not be limited to:
   a. System restart and recovery
   b. System installation and configuration
   c. Backup
   d. Equipment maintenance
   e. Server room
   f. Mail handling management
   g. Monitoring

2. Implementing or transferring newly developed or updated software from a testing environment to a production environment shall follow a proper documentation procedure.

[ISO/IEC 27001: A.12.1.1]

5.2. Change Management

1. ICT Deanship in cooperation with Information Security Officer shall develop a formal management procedure that defines all roles and responsibilities to ensure satisfactory control of all changes.

2. Detailed change management procedures with appropriate controls shall include, but not be limited to:
   a. Acceptance criteria are established in coordination with Asset Owner.
   b. Risk assessment is conducted by Information Security Officer for the proposed new major changes.
   c. Emergency changes to ICT facilities, systems or applications are only used in extreme circumstances with Management approval.
   d. Document control procedure is always applied.
   e. Patches to resolve software bugs are only applied where verified as necessary and with Technical Team, Management and vendor authorization.
   f. Upgrades to software or systems are properly tested before they are deployed in IAU’s production environment.

Reference: [ISO/IEC 27001: A.12.1.2]

5.3. Capacity Management

1. New systems performance and capacity requirements shall be considered in the planning and designing phase. Examples of managing capacity demand include, but are not limited to:
   a. Deletion of obsolete data (disk space).
   b. Decommissioning of applications, systems, databases or environments.
   c. Optimization of application logic or database queries.
   d. Restricting bandwidth usage for non-critical business services that consume more resources (e.g., video streaming).

2. ICT Deanship in cooperation with Project Management Office shall identify and maintain capacity requirements for all new and ongoing activities.

[ISO/IEC 27001: A.12.1.3]

5.4. Separation of Development, Testing and Operational Environments

1. Separation of the testing and production environments shall be implemented to reduce the opportunities for negligent or deliberate systems misuse.

2. Where appropriate, no live data shall be used to perform testing on any assets, neither in a production nor in a test environment.

3. ICT Deanship shall ensure that all changes are strictly applied and tested in a test environment prior to authorizing the change for the production environment.

[ISO/IEC 27001: A.12.1.4]

5.5. Controls against Malware

1. ICT Deanship shall be responsible to ensure that malware detection infrastructure remains active and is not / cannot be disabled at any potential entry point.

2. ICT Deanship shall implement appropriate controls to prevent the transmission of malware to users connected to IAU’s network infrastructure.

3. To protect the integrity of software and information, an adequate level of controls shall be identified and implemented. Such controls may include, but not be limited to:
   a. Detection, prevention and recovery controls to protect against malware.
   b. Appropriate user awareness procedures.

4. Where appropriate, centralized antivirus software shall be implemented at various levels (e.g., servers, desktops, laptops and gateways in the perimeter network) in the network and systems infrastructure as part of a layered approach to reduce malware entry into IAU’s environment. The following shall be considered:
   a. Antivirus software signature files shall be kept current. These files shall be consistently updated to protect against new malware that regularly arises.
   b. The centralized antivirus server shall be connected to the vendor’s virus definition update server at all times. The servers’ signature files shall be updated on a daily basis, as soon as applicable vendor releases become available, and shall be pushed to all users of IAU’s workstations.
   c. Workstations, network enabled devices and servers shall be configured to obtain the latest signature file as soon as they connect to IAU’s network, either physically or over a VPN connection.
   d. All malware detected on IAU’s systems shall be immediately removed. The systems on which malware is not removed/disabled shall not be allowed to connect to IAU’s network.
   e. The antivirus software shall be configured to automatically remove all malware detected on the system.

5. The installation of unauthorized or illegal software on any of IAU’s systems shall be strictly prohibited. The following shall be considered:
   a. USB memory sticks, CD-ROMs, DVDs or other removable media shall not be used on any of IAU’s computers, unless authorized by ICT Deanship.
   b. All IAU’s servers and workstations shall be configured to scan external removable media for viruses once these devices are connected to the machines.
   c. Virus infected media shall be cleaned before being mounted as data volumes on IAU’s servers and workstations.
   d. Prior to distributing any software or information in computerized form, users shall first have subjected the software or information in question to appropriate screening, including comprehensive scanning to identify any computer viruses.

6. IAU’s employees shall understand their responsibility to report any issues related to suspected presence of malicious code (if any) to ICT Deanship. Also, they shall report any abnormal or unusual system behavior such as:
   a. Slow processing of applications.
   b. Continuous/prolonged hard disk or network activity.

[ISO/IEC 27001: A.12.2.1]

5.6. Information Backup

1. ICT Deanship in cooperation with Asset Owners shall identify backup and restoration requirements of all information, applications, operating systems, databases, user configurations and hardware configurations in line with legal and regulatory implications, manufacturer’s recommendations, criticality of the information and other relevant factors.

2. To meet and address the backup requirements, and to manage a backup environment, the following shall be considered:
   a. Minimize administration effort in handling information backup tapes.
   b. Consolidate the backup and storage media into a central location.
   c. Use intuitive backup software which offers ease of backup and data recovery, so that even a Backup Operator can be delegated to perform these tasks.
   d. Install a central backup solution to manage backup policy, configuration and operation of information backup requirements.

3. ICT Deanship shall maintain, review and keep the backup logs up to date (e.g., Symantec NetBackup).

4. Wherever possible, backups that contain sensitive information shall be encrypted.

5. All backup storage media shall be kept in a secured location with access restricted to the authorized IAU’s personnel only.

[ISO/IEC 27001: A.12.3.1]

5.7. Event Logging

1. Based on the criticality of information, Information Security Officer shall ensure that specific and adequate levels of event logs are implemented and enabled in IAU’s systems, applications and databases.

2. Information Security Officer shall ensure that detailed event logs of user account creation, deletion and revocation of access rights are recorded and kept for a minimum of 3 years.

3. A detailed procedure for monitoring use of ICT facilities shall be established. This procedure shall include, but not be limited to:
   a. Details of who is monitoring these activities, what management information is produced and for whom.
   b. Frequency of monitoring.
   c. Details of any action triggered in the event that a security breach is identified.

[ISO/IEC 27001: A.12.4.1]

5.8. Protection of Log Information

1. ICT Deanship shall ensure that the existing controls protect the logging facility from unauthorized changes and operational problems. These controls shall protect against, but not be limited to:
   a. Alterations to the message types that are recorded.
   b. Log files being edited or deleted.
   c. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.

[ISO/IEC 27001: A.12.4.2]

5.9. Administrator and Operator Logs

1. ICT Deanship shall ensure that system administrator and operator logs are reviewed on a regular basis.

2. ICT Deanship shall ensure that all system administrators and operators do not have permission to modify or de-activate logs of their own activities.

[ISO/IEC 27001: A.12.4.3]

5.10. Clock Synchronization

1. ICT Deanship shall ensure that the date and time stamps of the audit trails for all systems, servers and network components are synchronized to facilitate the tracking of users' identities and activities.

2. To ensure accuracy of security log file data, the clocks of all systems, servers and network devices shall be synchronized using the internationally accepted Network Time Protocol (NTP).

[ISO/IEC 27001: A.12.4.4]

5.11. Installation of Software on Operational Systems

1. Procedures shall be implemented to control the installation of software on IAU’s systems, and to minimize the risk of interruptions in or corruption of services.

2. All systems shall be securely hardened through secure configuration in accordance with international best practice standards.

3. End-point security controls shall be implemented to restrict the use of system devices and peripherals.

4. ICT Administrators (e.g., system admin, application admin, database admin and network admin) shall:
   a. Be the only personnel authorized to perform updates to the operational software, applications and program libraries.
   b. Ensure that formal configuration procedures are adequately documented and maintained.

5. Any decision to upgrade to a new release shall consider IAU’s business and security requirements.

6. Operation procedures for IAU’s systems shall be clearly documented and an activity log detailing all types of activity shall be maintained. This activity log shall be monitored periodically in compliance with IAU’s policies and procedures.

[ISO/IEC 27001: A.12.5.1]

5.12. Management of Technical Vulnerabilities

1. ICT Deanship shall undertake a technical vulnerability assessment annually and/or upon major change to identify any weaknesses in the systems configuration or any missing patches.

2. Management shall review the technical vulnerability assessment reports, and Information Security Officer shall develop a risk treatment plan to close the findings based on their priority.

3. The roles and responsibilities of technical vulnerabilities management shall be clearly defined and established.

4. Information Security Officer and ICT Administrators shall:
   a. Take proactive steps to identify and minimize the vulnerabilities in systems technology before they can be exploited.
   b. Identify the appropriate controls to mitigate the risks and threats after conducting vulnerability assessment and penetration testing.
   c. Take necessary steps to provide security of systems and network infrastructure.

5. Any new patches shall not be installed in a production environment unless they are properly tested and evaluated in a test environment with vendor approval.

6. Personnel who are performing vulnerability management duties shall ensure the following:
   a. Security scanning tools shall be used on a prescribed basis to identify vulnerabilities that could be exploited by persons performing unauthorized scanning with similar tools. Also, these tools shall not affect the performance of IAU’s network.
   b. Where appropriate, multiple tools with different technologies shall be used to identify as many vulnerabilities as possible.
   c. Asset Owner shall be notified of, and shall accept, the potential effects of the scanning activity on the target environment before scanning is initiated.
   d. Third party sources of technical vulnerability information (e.g., vendors’ website, security alerts, system patches, workarounds and virus updates) shall be monitored for systems relevance.
   e. If a vendor releases a patch to repair a security related control, the patch release shall be considered an implicit vulnerability notification and risk mitigation shall be taken.
   f. All approved devices attached to IAU’s network, and running operating systems and applications with identified security vulnerabilities, are patched to address known vulnerabilities as per vendor recommendations.
   g. If a device or system attached to IAU’s network or systems cannot be patched, the vulnerability shall be mitigated with an acceptable alternate security control.

[ISO/IEC 27001: A.12.6.1]

5.13. Restrictions on Software Installation

1. ICT Deanship shall define and implement proper rules to govern the installation of software by users. The following shall be considered:
   a. Type of permitted software installations (e.g., updates and security patches of approved software).
   b. Type of prohibited software installations (e.g., software that is used for personal use only).

[ISO/IEC 27001: A.12.6.2]

5.14. Information Systems Audit Controls

1. ICT Deanship shall take measures to:
   a. Prevent the possible misuse of systems audit tools (e.g., to extract confidential information without appropriate authorization).
   b. Ensure that the integrity of systems and associated data is maintained.
   c. Avoid possible disruptions to systems as a result of the usage of such tools.

2. The usage of systems audit tools (e.g., monitoring software, data extraction and manipulation software and utilities) shall be:
   a. Subject to authorization, restrictions and controls in accordance with specific guidelines.
   b. Separated from operational systems and not held in tape libraries or user areas, unless given an appropriate level of additional protection.

3. Audit activities shall not be performed by persons responsible for implementing and maintaining controls.

4. Persons conducting audit activities shall have limited access (e.g., read-only access to software and data). Access other than read-only shall be limited to isolated copies of system files and shall be erased when the audit activities are completed.

5. All access during audit activities shall be monitored and logged to produce a reference trail. All procedures, requirements and responsibilities shall be documented.

6. If third parties are involved in performing audit activities (i.e., there might be a risk of misuse of audit tools by these third parties, and information being accessed by this third-party organization), risk assessment and physical access restriction controls shall be considered to address this risk and any consequences, such as immediately changing passwords disclosed to the auditors.

[ISO/IEC 27001: A.12.7.1]
