© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information Systems Security
Lesson 6
Security Operations and Administration
Learning Objective(s)
Explain the role of IT operations, administration, and security policies.
Key Concepts
Role of security administration within an organization
Components of an IT security policy infrastructure
Data classification standards used by organizations and the DoD
Change management and configuration management
The system life cycle (SLC) and the system development life cycle (SDLC)
Security Administration
The group of individuals responsible for planning, designing, implementing, and monitoring an organization’s security plan
Identify and document the assets, and then assign responsibility for each one to a person or position
Controlling Access
Identification
Authentication
Authorization
Accountability
Documentation, Procedures, and Guidelines
The most common documentation requirements include:
• Sensitive assets list
• The organization’s security process
• The authority of the persons responsible for security
• The policies, procedures, and guidelines adopted by the organization
An organization must comply with rules on two levels:
• Regulatory compliance
• Organizational compliance
Disaster Assessment and Recovery
The security administration team handles incidents, disasters, and other interruptions
The emergency operations group is responsible for protecting sensitive data in the event of:
• Natural disasters
• Equipment failure
• Other potential emergencies
Security Outsourcing
Advantages
• High level of expertise
Disadvantages
• The outsourcing firm might not possess internal knowledge
• You won’t develop in-house capability or talent and have to continue to pay for these services indefinitely
Outsourcing Concerns
Privacy
Risk
Data security
Ownership
Adherence to policy
Common Agreements
Service-level agreement (SLA)
Blanket purchase agreement (BPA)
Memorandum of understanding (MOU)
Interconnection security agreement (ISA)
Compliance
Event logs
Compliance liaison
Remediation
Professional Ethics
Set the example
Encourage adopting ethical guidelines and standards
Inform users through security awareness training
A code of ethics helps ensure professionalism
Personnel Security Principles
Limiting Access
Separation of duties
Job rotation
Mandatory vacations
Security training
Security awareness
Social engineering
The Infrastructure for an IT Security Policy
Policies
Standards
Procedures
Baselines
Guidelines
The Security Policy Environment
The Security Policy Hierarchy
Data Classification Standards
Classification is the duty of the data owner or someone the owner assigns
The system owner is the person or group that manages the infrastructure
Criteria for classifying information:
• Value
• Sensitivity
• Criticality
Information Classification Objectives
To identify information protection requirements
To identify data value in accordance with organization policy
To ensure that sensitive and/or critical information is provided appropriate protection/controls
To lower costs by protecting only sensitive information
To standardize classification labeling throughout the organization
To alert employees and other authorized personnel to protection requirements
To comply with privacy law and regulations
Examples of Classification
U.S. government (standardized):
• Unclassified
• Restricted
• Confidential
• Secret
• Top Secret
Private sector (not standardized):
• Public (low)
• Private (medium)
• Confidential (high)
Configuration Management
The process of managing all changes to computer and device configurations
Evaluates the impact a modification might have on security
As a security professional, your job is to:
• Ensure that you adequately review all system changes
• Ensure that configuration changes will not cause unintended consequences for security
Hardware Inventory and Configuration Chart
A decision to roll out a new patch, service pack, or release will be complicated if you can’t find, update, and test every affected device
Have an up-to-date map or layout of the configuration of the hardware components
Regularly check for any available vendor upgrades and service packs
The Change Management Process
Configuration control
• The management of the baseline settings for a system device
Change control
• The management of changes to the configuration
Change Control Management
Communicate change management procedures and standards effectively
Reactive or proactive
• Reactive: Management responds to changes in the business environment
• Proactive: Management initiates the change to achieve a desired goal
Occurs on a continuous, regularly scheduled, release, or program-by-program basis
Change Control Committees
Ensure changes are:
• Properly tested
• Authorized
• Scheduled
• Communicated
• Documented
Change Control Procedures
Change Control Issues
Peer reviews
• Ensure that a peer or another expert double-checks all changes before you put them into production
Back-out plans
• Ensure that if the change doesn’t work properly, a plan exists to restore the system to a known good condition
Documentation
• Keep documentation current to reflect the true system’s design
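The configuration control and change control definitions from "The Change Management Process" slide, together with the back-out plan and documentation points above, as an added Python example (not code from the textbook or its publisher). The device settings, the policy rules, and the change record fields are assumptions made for the illustration: a baseline is fingerprinted, a live device is checked for drift from it, and an authorized change is applied only if it passes verification, otherwise the pre-change snapshot is restored and the change record says so.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Config = Dict[str, object]


def baseline_config() -> Config:
    # Constructed baseline for one network device; the setting names are assumptions
    # for the example, not a real product's configuration schema.
    return {
        "ssh_password_auth": False,
        "ssh_port": 22,
        "ntp_server": "ntp.example.internal",
        "log_forwarding": True,
    }


def fingerprint(cfg: Config) -> str:
    """Stable identifier for a configuration state: SHA-256 over canonical JSON."""
    canon = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def detect_drift(baseline: Config, current: Config) -> List[str]:
    """Configuration control: report every setting where the live device differs
    from the controlled baseline, including settings that were added or removed."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            drift.append(f"{key}: baseline={baseline.get(key)!r} current={current.get(key)!r}")
    return drift


def policy_check(cfg: Config) -> bool:
    """Verification run before a change is accepted: the settings the security
    baseline depends on (assumed rules) must still hold after the change."""
    return (
        cfg.get("ssh_password_auth") is False
        and cfg.get("log_forwarding") is True
        and isinstance(cfg.get("ssh_port"), int)
        and 1 <= cfg["ssh_port"] <= 65535
    )


@dataclass
class ChangeRecord:
    """Change control documentation: who asked, who approved, what happened."""
    change_id: str
    requested_by: str
    approved_by: Optional[str]
    description: str
    before_hash: str = ""
    after_hash: str = ""
    status: str = "pending"


def apply_change(device: Config, change: Config, record: ChangeRecord,
                 verify: Callable[[Config], bool]) -> Tuple[Config, str]:
    """Change control: apply an authorized change and verify the result; if
    verification fails, restore the snapshot taken beforehand (the back-out plan)."""
    if not record.approved_by:
        raise PermissionError(f"{record.change_id}: change not authorized")
    snapshot = copy.deepcopy(device)      # back-out plan, saved before anything is touched
    record.before_hash = fingerprint(device)
    candidate = {**device, **change}      # the device config is never mutated in place
    if verify(candidate):
        record.status, record.after_hash = "applied", fingerprint(candidate)
        return candidate, record.status
    record.status, record.after_hash = "backed-out", fingerprint(snapshot)
    return snapshot, record.status


if __name__ == "__main__":
    base = baseline_config()
    live = dict(base, ssh_password_auth=True)   # constructed drifted device
    print("drift:", detect_drift(base, live))
    rec = ChangeRecord("CHG-0002", "requester", "change control board", "enable password auth")
    cfg, status = apply_change(base, {"ssh_password_auth": True}, rec, policy_check)
    print(status, rec)
```

The record keeps both fingerprints, so a backed-out change is documented as one whose after-hash equals its before-hash rather than silently disappearing; an unapproved record is refused before any snapshot is taken.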
Application Software Security
Processes for software development:
• System Life Cycle (SLC)
• System Development Life Cycle (SDLC)
Steps are similar; a few key differences:
• SLC includes operations and disposal
• SDLC ends with the transition to production
The System Life Cycle
Project initiation and planning
Functional requirements and definition
System design specification
Build (develop) and document
Acceptance testing
Implementation (transition to production)
Operations and maintenance
Disposal
Testing Application Software
Test for all expected and unexpected actions
Handle errors correctly
Perform tests of the maximum load on the system, including:
• Transaction volume
• Memory allocation
• Network bandwidth
• Response times
Keep production or sensitive data secure during testing
Catching Vulnerabilities
Thoroughly evaluate any change to your environment
Formalize the process for procuring new equipment
Follow the guidance in your data policies
Review a system throughout its life cycle to ensure that it meets its specified security (certification)
Make sure management officially accepts the system (accreditation)
Software Development and Security
Checks user authentication to the application
Checks user authorization (privilege level)
Has procedures for recovering database integrity in the event of system failure
Handles errors and exceptions consistently and does not allow any error or exception to go unhandled
Validates all input
Defines secure configuration baselines
Provides guidance on hardening your application
Provides and applies frequent patches
Software Development Models
The two most widely accepted models for software development:
The waterfall model
Agile development method
The Waterfall Model
The Agile Software Development Method
Summary
Role of security administration within an organization
Components of an IT security policy infrastructure
Data classification standards used by organizations and the DoD
Change management and configuration management
The system life cycle (SLC) and the system development life cycle (SDLC)