Information Systems Security Operational Control for Information Security
Operational Control The controls that due with the everyday operation of an organization to ensure that all objectives are achieved This covered a wide spectrum of procedures associated with the users and how to get the work done A continual effort and discipline to maintain the system in a high level of security
Aspects of operational control Staffing Management Application control User management Change control Backup and restore Incident handling Awareness, training and education Physical and environmental security
Staffing Defining the job Determine the sensitivity of the position Filling the post, which involves background check, screening and selecting an individual Employee handbook Training Mandatory vacation Job rotation
Management Make sure the policies, standards, guidelines and procedures are in place and being followed Administrative management practice to prevent and eliminate the chance of fraud Act with due care and due diligence
Management Proper organization structure Clear duties and responsibilities Proper authorization procedure Check and balance Schedule of work Checking of result
Application of security principles Separation of duties: to ensure a single individual cannot subvert a critical process (check and balance) Least privilege: only granting those rights to perform their official duties
Application controls It refers to the transactions and data relating to each computer-level and are therefore specific to each application The objective is to ensure the completeness and accuracy of the records and the validity of the entries
Application controls They are controls over input, processing and output functions. They include methods to ensure Only complete, accurate and valid data are entered and updated Processing do the correct task Data are maintained
Input controls Sequence check Limit check Range check Validity check Check digit Duplicate check Logical relationship check
Process controls Manual re-calculation Run to run totals Programmed controls Exception reports
Output controls Logging Storage of sensitive forms and reports in a secure place Report distribution
Data files control Source document retention Before and after imaging Version control Transaction log Labeling Authorization for access
Media control Media library might be set up and procedure adopted to ensure the physical safety of the media and that the information security is ensured Date of creation Who created it Period of retention Classification Volume name and version Disposal
Error handling Transaction log Error correction procedure Logging Timely correction Upstream resubmission Suspense file Error file Cancellation of source document
User administration User account management Detecting unauthorized/illegal activities Temporary assignment and transfers Termination: friendly and unfriendly Contractor access consideration Public access consideration
User account management Process of requesting, establishing, issuing and closing of user accounts Assign user access authorization and rights Tracking users and their respective access authorizations Password policy and guidelines
Detecting unauthorized/illegal activities Monitoring and keep log Audit and review log Set clipping level
Change management Request for change Approval of change Documentation of the change Test and presentation Test system Production system Implementation Report to management
Backup and Restore Loss of data due to: Hardware failure Software failure File system corruption Accidental deletion Virus infection Theft Sabotage Natural disaster
6 steps to backup and recovery Preparation Identify assets and requirement Select backup strategy Develop data protection strategy Backup process and monitoring Recovery drill test Refer IS Guide to SME
Comparison of backup media
Computer security incident handling How to respond to malicious technical threats Closely related to support and operations and contingency planning
Computer security incident handling Reporting of the security accident How to contain the damage What technical expertise required Liaise with other organizations, e.g. CERT, police How to respond to the public Awareness of staff important
Incident Response Objectives Minimise business loss and subsequent liability of company Minimise the impact of the accident in terms of information leakage, corruption of system etc Ensure the response is systematic and efficient
Incident Response Ensure the required resources are available to deal with accidents Ensure all concerned parties have clear understanding about the task they should perform Ensure the response activities are coordinated Prevent future attack and damages Deal with related legal issues
Incident Response Preparation Detection Containment Eradication Recovery Follow up Refer IS Guide to SME
Disaster recovery and Business Continuity Planning Identify the mission critical functions Identify the resources that support the critical functions Anticipating potential contingencies or disasters Select and devise contingency plans Implement contingency plans Test and revise the plans
Awareness, training and education People being a very important part of an information system How to improve their behaviour Increase the ability to hold employees accountable
Awareness Stimulates and motivates employees to take security seriously and to remind them of security practices to be taken
Physical and environmental security Measures to protect systems, buildings and related supporting infrastructure against threats associated with the physical environment Natural threats Man-made threats
Physical and environmental security Threats Physical damage Physical theft Interruption of computing services Unauthorized disclosure of information Loss of control over system integrity
Physical and environmental security Controls Physical access control: biometrics Fire safety Supporting facilities Structural collapse Plumbing leaks Interception of data Mobile and portable systems