Skip to end of metadata
Go to start of metadata

Table of Contents

Overview

To be effective in reducing security risk and ensuring correct computing, a security program needs to include operational procedures, controls, and well-defined responsibilities. Additional formal policies, procedures, and controls are needed to protect exchange of data and information through any type of communication media or technology. Operational and communication exchange procedures and controls address:

  • Operating procedures including: proper documentation of all normal and emergency functions, management of audit logs and other security or system log information. Procedures for change management that include the planning and testing of changes, assessment of changes, formal approval, and fallback procedures. You will want to segregate duties and areas of responsibility to minimize the chance of accidental or unintended access or modification. You will also want to make sure you have separate development, test, and production (operational) environments with rules for development, testing to minimize risk and exposure of sensitive data.
  • System capacity and resource planning and acceptance including: management of projections of future capacity requirements and acceptance and test criteria for addition of new information systems, upgrades, or new versions.
  • System back-up procedures and policy and its timely restoration in case of a disaster or media failure.
  • Media handling, including handling of removable media and secure disposal of computer media such as tapes, disks, and documents.
  • Systems Monitoring, log management and auditing, confirming the effectiveness of controls in place and anomaly detection and follow-up activities.
  • Network security management and protection of supporting infrastructure including: careful consideration of the security of data in transit over public or wireless networks and management and control of connected systems and applications.
  • Protection against malicious and mobile code such as computer viruses, network worms, Trojan horses, and logic bombs. System managers are responsible for implementing controls to prevent, detect, and remove malicious code. Procedures need to be created to make aware of and train users on the dangers of malicious code.
  • Third party service delivery management including: monitoring of compliance with information security requirements and agreements.
  • Information exchange management such as compliance with information or data exchange agreements, policies, and relevant legislation. Security controls and procedures should also exist for physical media containing data in transit within an organization and with any external entity.
  • Electronic commerce services including security of on-line transactions and publicly available information.

Top of page

Standards

ISO NIST COBIT PCI DSS
27002: Information Security Management
Chapter 10: Communications and Operations Management
800-100: Information Security Handbook: A Guide for Managers
800-53: Recommended Security Controls for Federal Information
Systems and Organizations
800-14: Generally Accepted Principles and Practices for Securing
Information Technology Systems 
PO4
PO8
PO10
Requirement 6
Requirement 12

Top of page

Getting Started

Many of our universities have data processing facilities, network and/or security operations centers. This chapter offers discussion on key topics of interest, with emphasis on the need for formalized policies, procedures and controls which assist in data and system protection.

Top of page

Operating Procedures and Change Management (ISO 10.1)

Objective: To ensure the effective operation and security of information processing facilities such as data centers, network and/or security operations centers.

Operating Procedures

Developing documented operating procedures which are maintained, current, relevant and provided to all users who need them is very important. The scale of implementation should be commensurate with the size and complexity of your information processing environments. At any rate, sufficient documentation should be available to handle typical issues that may arise in the day-to-day working environment. Inadequate or incorrectly documented procedures can result in system or application failures, resulting in loss of availability, failure of data integrity, and breaches of confidentiality. Operating procedures should be treated as formal documents, maintained and managed with version and approval processes and controls in place. Additional areas of interest are segregation of duties and separation of development, test, and operational facilities. The objective in implementing guidelines and controls is to minimize the risk of errors, omissions, and unauthorized activity.

Change Management

Formal change management procedures which control changes to information processing facilities should be implemented. Uncontrolled changes to operational information processing facilities and systems can cause major interruptions. Typical changes that can cause problems are new software installations, changes to a key business/IT process or operational environment, or introducing third party arrangements.

Top of page

Third Party Service Delivery (ISO 10.2)

Objective: To ensure that third party service agreements are developed to effectively maintain the appropriate levels of information security and service delivery.

Once operations of service providers have started, ensuring that the services delivered conform to the specifications of third-party contracts is important. This can include everything from availability levels of the service to something more granular, such as examining the security controls the service provider agreed to in the contract. If there is a great level of dependency upon third-party service providers, checking into service capabilities, plans for handling information security incidents or service disruptions, and business continuity testing may be warranted. Systematic monitoring and reviews of services and controls is also recommended, including scrutinizing service reports provided by the third-party to ensure the information is sufficient and relevant. As business or information technology requirements are modified, this may also require a change in the provision of third-party services, and procedures should be in place to handle any new requirements. Additionally, modifications may also call for a review of existing information security controls to ensure they are adequate.

Top of page

Systems Planning and Acceptance (ISO 10.3)

Objective: To prevent systems failures and ensure systems meet defined levels of protection prior to placing them into production.

Capacity Management

Conduct system tuning, monitor the use of present resources and, with the support of user planning input, project future requirements. Controls in place to detect and respond to capacity problems can help lead to a timely reaction. This is especially important for communications networks where changes in load balancing can be sudden and result in poor performance and dissatisfied users. Monitoring of disk capacity, transmission throughput, service/application utilizations and other typical bottlenecks is recommended.

System Acceptance

Develop system acceptance criteria that can be validated by appropriate personnel and ensure testing is carried out before new systems are put into production, to ensure vulnerabilities are minimized. Any adverse impacts on existing systems should be identified and brought under control before acceptance into operational environments. Ensure that new systems are properly secured prior to providing internet connectivity.

Top of page

Malware Protection (ISO 10.4)

Objective: To protect the confidentiality, integrity, and availability of information technology resources and data.

While malware prevention efforts can only be as effective as the level of protection offered by current anti-malware solutions in place---proactive measures to assess the effectiveness of anti-malware controls in place are both appropriate and necessary, as well as user awareness training. The ability to maintain centrally-managed and current protection updates is important, as is ensuring that users understand the importance of properly installed and utilized anti-malware solutions that they are provided. Malicious mobile code that is obtained from remote servers, transferred across networks and downloaded to computers (active X controls, java script, flash animations) is a continuing area of concern as well. If identified as pertinent, technical provisions can be made to comply with guidelines and procedures that distinguish between authorized and unauthorized mobile code.

Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)

Top of page

System Backups (ISO 10.5)

Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.

System backups are a critical issue and the integrity and availability of important information and software should be maintained by making regular copies to other media. Risk assessments should be used to identify the most critical data. Develop well-defined procedures. Establish well-defined long term storage requirements and testing/business continuity planning.

Top of page

Network Security Management (ISO 10.6)

Objective: To ensure the confidentiality, integrity and availability of information in networks, as well as the supporting infrastructure.

Effective management and information security controls, combined with sound procedures, can reduce risks associated with misuse, abuse, impairment or loss of availability. The confidentiality and integrity of information passing over public networks must be considered, as well as the appropriate implementation of controls to protect complex information technology infrastructures, as well as the interconnected networks, systems, and information contained therein. Constant monitoring of network activities and security status is essential, with appropriate records being maintained of faults, problems, and corrective actions. Use of third-party supplied network services may open up risks and vulnerabilities to unauthorized access attempts leading to breaches of confidentiality, if third-party services are not secure. Availability should also be given attention, to ensure the resilience of a supplier's fall-back in the event of equipment failures. Service level agreements and standards should be maintained with all providers.

Top of page

Media Handling (ISO 10.7)

Objective: To prevent business disruptions due to the unauthorized disclosure, modification, removal or destruction of information and information technology resources.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.

Disposal

Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.

Information Handling Procedures

Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.

Top of page

Information Exchange (ISO 10.8)

Objective: To maintain the security of information and software in situations where exchanges occur with external entities.

Information Exchange Procedures and Agreements

Policies and guidelines regarding the rules to be applied when exchanging information is important, as communications increasingly occur across the spectrum of a number of different mediums---network, wireless, telecomm, email, faxes, file transfer protocols, web sites, etc. Make all users aware of the policies regarding the exchange of information, with particular focus on information classified as sensitive or confidential. When involved in exchange agreements with external parties, agreements and contracts should establish the levels of security expected to be applied by the other parties, including specific controls regarding the exchange of sensitive or confidential information. Security risks that must be addressed are also associated with electronic messaging, business information systems, and physical media in transit.

Electronic Messaging

A clear communications policy and approval processes in place regarding the use of email communications is important to ensure the information security and legal implications of both internal and external messaging are understood. Retention and storage are additional aspects that often require policy and guidelines. Electronic messaging has been a consistent vector for malware infections and spam issues and problems, and thus, is a relatively high risk service. Thus, information security controls such as anti-malware detection and handling, digital signatures and encryption should be considered.

Top of page

E-Commerce Transactions (ISO 10.9)

Objective: To ensure the security and appropriate use of electronic commerce services.

As electronic commerce and online transactions become more prevalent, controls should be implemented to protect the information involved in this activity from various threats associated with this way of doing business. A review of potential information security controls that can be implemented for risk reduction should be considered, such as encryption, authorization processes, segregation of duties, network security controls, checks and balances to verify transactions, non-repudiation, etc. Care should also be taken to verify the validity and integrity of publicly available information provided over the internet, and protect this information from unauthorized access and compromises.

Top of page

Systems Monitoring (ISO 10.10)

Objective: To detect unauthorized activities occurring that may have a detrimental effect upon information processing facilities.

For all systems processing information, audit logs are important to investigate events and anomalies. Audit trails assist in incident investigations as well as in determining accountability for situations that occur. Typical activities that can be detected are false access attempts, attempts to change restricted data items, excessive use of certain data, etc. Both automated and hand written logs of administrator and operator activities ensure the integrity of operations in information processing facilities, such as data and network centers. Systems fault monitoring may expose vulnerabilities due to loss of service integrity and availability. A policy around systems monitoring and logging will specify operational requirements, usage and authorization for data access requests, as well as retention of log and audit trail information. Monitoring activities also assist in measuring the effectiveness of controls applied to handle risks and vulnerabilities. The information contained in various audit trails and logs is only valuable if its integrity can be relied upon; therefore, commensurate levels of protection and controls should be applied to safeguard this information. Without proper timing and synchronization across all systems, audit and monitoring logs can become inaccurate and their integrity compromised. There should be a means of monitoring system time clocks and correction of inaccuracies.

Top of page

Resources

Campus Case Studies On This Page
Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)

EDUCAUSE Resources
EDUCAUSE Resources & Resource Center Pages

HEISC Toolkits/Guidelines

Templates/Sample Plans

Security Professionals Conference 2013

Enterprise IT Leadership Conference 2013

EDUCAUSE Annual Conference 2012

Security Professionals Conference 2012

Southeast Regional Conference 2012

Mid-Atlantic Regional Conference 2012

EDUCAUSE Annual Conference 2011

Security Professionals Conference 2011

EDUCAUSE Annual Conference 2010

Security Professionals Conference Archives 2008-2010

Management and Operations:

Policy and Compliance:

Corporate and Campus Solutions:

Strategic Security:

Technology Concepts:

Advanced Technology:

Initiatives, Collaborations, & Other Resources

  • ECAR Working Groups; Bring together higher education IT leaders to address core technology challenges.

Top of page


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Labels:
communications communications Delete
operations operations Delete
management management Delete
operational operational Delete
procedures procedures Delete
controls controls Delete
responsibilities responsibilities Delete
policies policies Delete
communication communication Delete
media media Delete
technology technology Delete
educause educause Delete
heisc heisc Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.