Chapter 9: Operations Security Flashcards
Types of controls
Preventative: reduce the frequency and impact of errors
Detective: discovers errors after they occur
Corrective: mitigates the impact of a loss
Deterrent: encourage compliance with external controls
Application level: minimize and detect software irregularities
Transaction level: control over stages of a transaction
Strong security system elements
Employing competent people within a clear authority structure
Adequate separation of duties
Proper procedures for authorizing changes
Maintaining adequate documentation and records
Maintaining proper physical controls over assets and records
Executing independent checks on performance
The three factors in engaging in fraudulent or immoral behavior
Motivation: why they need the result of their crime (usually money-driven reasons here, but could be an ego or thrill factor, too)
Justification: why it isn’t as bad as others might say it is (the company “owes” them, or it is hurting a company, not people, etc.)
Opportunity: the (either reasonable or unreasonable) idea that the person is not likely to get caught, usually because of a shortcoming at the company
Process controls
Ensures security principles inform all processes, both human and technological
Trusted recovery controls
Ensures that systems stay safe even when the system crashes or loses power; dictates “fail-secure” systems
Configuration and Change Management controls
Ensures accountability for how changes in a system are approved and occur; a threat to this sort of accountability would be a “block upgrade,” in which the requested changes are too big to manage or track well
Record retention processes
Ensures that records are kept for an appropriate amount of time; could be both hard and soft records
Personnel security controls
Ensures quality people are at the company. Includes pre-employment checks, criminal checks, and mandatory vacation time. Could also include rotating duties and proper disciplinary structures
Resource protection controls
Guards physical assets
Privileged entity controls
Special controls for system administrators; may involve eliminating default accounts or shared accounts to ensure non-repudiation
Media viability controls
Marking media so that everyone knows classification levels, or owners, or dates, or whatever might matter to someone picking up the physical asset
Operation process controls
Permission constraints or accountabilities for operators
Sarbanes-Oxley Act (SOX)
Passed after the Enron meltdown. Requires integrity of financial records. Section 404 pertains to the data centers in which financial records reside
Operation Security Controls in Action: Software Support
Limiting which software can run on which system
Inspecting or testing software before distribution or usage
Auditing software licensing
Prohibiting unauthorized changes or modifications to existing software
Operation Security Controls in Action: Config and Change Management
(Similar to Software Support in many cases)
Management of which connections are open to what on the network
Changes have proper documentation
Changes are audited to ensure security protocols still apply 100%