
This area examines the operational practices, procedures, and guidelines the organization follows to support Defense-in-Depth. The organization should review the policies and procedures that govern system builds, network documentation, and the use of technology within the environment. Practices, procedures, and guidelines that are documented, understood, and actually followed strengthen the Defense-in-Depth posture; ones that exist only on paper do not. An organization can mitigate operations risk by focusing on the following areas of operations security:

· Environment: Firewall Rules & Filters, Administrative Users, Management Host, Disaster Recovery & Business Resumption Planning, Third Party Relationships
· Security Policy: Data Classification & Disposal, Protocols & Services, Acceptable Use, User Account Management, Governance, Security Policies
· Patch & Update Management: Network Documentation, Application Data Flow, Patch & Change Management
· Backup & Recovery: Log Files, Backup, and Restore

Environment

Best practices by subcategory:

Management Host
When management packages are used, the administrative consoles should be hardened and physically secured. Use SSH or VPN connections in place of clear-text management protocols. Management workstations should be dedicated to specific network and host administrators. Test all management systems that use SNMP to confirm that they are patched to the latest version and do not accept default community strings. Shared systems should not store any management-specific data, and shared workstations should not be used to administer network devices or hosts.

Environment - Resources

Windows Vista - User Account Control
User Account Control in Windows Vista improves the safety and security of your computer by preventing dangerous software from making changes to your computer without your explicit consent. It also helps prevent users from installing rogue programs, changing system settings, and performing other tasks that are the province of administrators. http://www.microsoft.com/windows/products/windowsvista/features/details/useraccountcontrol.mspx

Data Classification and Protection Whitepaper
Data classification and protection deals with how to apply security classification levels to data, whether stored on a system or in transmission.

Security Policy

Best practices by subcategory:

Data Classification
Define a corporate data classification scheme and provide all staff with appropriate training and guidance on applying it. Define usable handling and protection requirements for each classification level. Insufficient classification and segregation of information can give staff, business partners, or the public access to information that is sensitive or that they have no need to know, leading to unauthorized disclosure and the resulting loss of brand image or corporate embarrassment. Scarce security resources are also likely to be misallocated when it is not known which information is sensitive. Without staff knowing what the company's sensitive information is and how to protect it, there is a high likelihood that it will be exposed to unauthorized persons.

Data Disposal
Define and implement procedures for the management and disposal of information in both hard-copy and electronic form, such as that held on floppy disks and hard drives. Formal procedures should exist so that all users know the proper practices for disposing of electronic and hard-copy information. Without guidance and processes for securely destroying information, the confidentiality of that information can be compromised.

Protocols & Services
Clearly document the standards and practices regarding which protocols and services the organization allows. Access-control lists should be verified to ensure that every service allowed has a business need for the level of access granted. Identify specific IP addresses or ranges wherever possible rather than permitting "any" sources or destinations. Servers should run only the services the business requires. These guidelines should also state the required protocol versions and minimum encryption strength. Enforce the accepted protocol usage through perimeter devices (routers, gateways, firewalls, etc.), strong authentication, and encrypted communications.
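Verifying an access-control list against the points in the Protocols & Services guidance above (specific sources rather than "any", a recorded business need for every permitted service, no clear-text protocols) is a review that can be scripted. The following Python 3 example is added here and is not part of the original guidance; the rule fields, the clear-text port list and the sample rules are constructed for illustration, and a real review would load the rules exported from the firewall or router instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services whose protocols carry credentials or data in clear text.
# Constructed for this example; adjust to what the organization's policy forbids.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http",
                   110: "pop3", 143: "imap", 161: "snmp", 389: "ldap"}

# A permit rule whose source prefix is shorter than this counts as "not specific".
MIN_SOURCE_PREFIXLEN = 16

@dataclass
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp" or "udp"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: Optional[int]      # destination port; None means every port
    justification: str = ""  # change ticket or business owner recorded for the rule

def audit_rule(rule):
    """Return the policy findings for one rule; an empty list means it is clean."""
    findings = []
    if rule.action != "permit":
        return findings                       # deny rules create no exposure
    if rule.src == "any" or ipaddress.ip_network(rule.src, strict=False).prefixlen < MIN_SOURCE_PREFIXLEN:
        findings.append("source not specific")
    if rule.port is None:
        findings.append("all destination ports permitted")
    elif rule.port in CLEARTEXT_PORTS:
        findings.append(f"clear-text protocol {CLEARTEXT_PORTS[rule.port]}/{rule.port}")
    if not rule.justification.strip():
        findings.append("no documented business need")
    return findings

def audit(rules):
    """Audit every rule; return {rule name: findings} for the rules that have any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report

# Constructed sample ACL (not from any real environment).
SAMPLE_RULES = [
    Rule("web-in", "permit", "tcp", "any", "203.0.113.10/32", 443, "CHG-1021 public web site"),
    Rule("legacy-telnet", "permit", "tcp", "10.0.0.0/8", "10.20.0.5/32", 23, ""),
    Rule("mgmt-ssh", "permit", "tcp", "10.250.1.0/24", "10.20.0.0/24", 22, "CHG-0880 admin jump host"),
    Rule("lab-any", "permit", "tcp", "10.99.0.0/24", "10.20.0.0/24", None, "CHG-0991 lab access"),
    Rule("default-deny", "deny", "tcp", "any", "any", None, ""),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The script does not decide for the reviewer: a public web listener is correctly flagged for an "any" source, and the recorded justification is what the reviewer then checks. The rules that come back clean still need their justification confirmed against the current business owner, since tickets outlive the projects that raised them.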

Acceptable Use
An Acceptable Use policy governs the appropriate use of corporate networks, applications, data, and systems. It should also cover digital media, printed media, and other intellectual property.

User Account Management
Individual user accounts should be created for every person needing access to IT resources; accounts should not be shared among users. By default, accounts should be created with only the minimum privileges required. Network and server administrators should have separate privileged (administrator) and unprivileged accounts, using the unprivileged one for routine work. Password strength should be enforced and regularly audited, and all account modifications should be logged. As an individual's role changes, all account privileges should be reviewed and modified as necessary. When employment is terminated, all of the person's accounts should be disabled or removed.

Governance
Third-party audits should be performed regularly to confirm compliance with all applicable legal and regulatory requirements (e.g., HIPAA for healthcare; Sarbanes-Oxley for SEC-regulated firms).

Security Policies
Security policies should be defined with input from management, IT, and HR; endorsed and enforced by the corporate executives; and updated regularly to reflect current best practice (such as COBIT).

Patch & Update Management

Best practices by subcategory:

Network Documentation
Current and accurate physical and logical diagrams of the external and internal networks should always be available. Access to the latest diagrams should be restricted to the IT operations team, since an up-to-date diagram maps the environment for an attacker as readily as for an administrator.

Application Data Flow
Application architecture diagrams should depict the major components and the flows of critical data through the environment, including the systems the data passes through and how it is manipulated at each. As changes are made to the application or to the environment that hosts it, the diagrams should be updated promptly.

Patch Management
Security patches and configuration changes should be deployed within the time allowed by corporate security policy from when they become available. Whether developed internally or supplied by a third party, patches and updates should be tested thoroughly in a lab environment before being rolled into production. Each system should also be tested after the patch has been applied, to identify conflicts unique to that system that may require the patch to be rolled back.

Change Management and Configuration
Any change to the production environment should first be tested for security and compatibility before release into production, and full documentation should be kept of the configuration of all production systems.

Patch & Update Management - Resources

Microsoft Update
Microsoft provides an automatic way to get the latest product updates and security patches on a regular basis through the Microsoft Update service. References: http://www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us

Microsoft Windows Server Update Services
Microsoft Windows Server Update Services (WSUS) enables IT administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates released through Microsoft Update to the computers on their network.

System Center Configuration Manager
System Center Configuration Manager 2007 is Microsoft's solution for comprehensively assessing, deploying, and updating servers, clients, and devices across physical, virtual, distributed, and mobile environments. Optimized for Windows and extensible beyond it, it provides enhanced insight into and control over IT systems. References: http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx

Backup and Recovery

Best practices by subcategory:

Log Files
Log files should be configured with enough capacity to record all planned activity without overwriting entries. An automated process should rotate the log files daily and offload them to a secure server within the management network, so that a compromised host cannot simply delete the record of its own compromise. Access to log files and to logging configuration should be restricted to prevent modification and deletion. Logs should be reviewed regularly so that suspicious or anomalous activity is identified; the review should cover systems operation, maintenance, and security. Event correlation software and trend analysis should be used to make the review manageable.
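One of the simplest correlations worth running over the offloaded logs is a burst of failed logons from one source followed by a success from the same source, which line-by-line review tends to miss. The following Python 3 example is added here and is not from the original document or any vendor tool; the record format (syslog-style authentication lines) and the sample lines are constructed for illustration, and a real deployment would parse the actual format of the system under review.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of offloaded authentication records (syslog-like).
SAMPLE_LOG = """\
2024-03-04T09:15:01 host1 auth: FAILED user=alice src=10.7.3.44
2024-03-04T09:15:03 host1 auth: FAILED user=alice src=10.7.3.44
2024-03-04T09:15:05 host1 auth: FAILED user=bob src=10.7.3.44
2024-03-04T09:15:07 host1 auth: FAILED user=admin src=10.7.3.44
2024-03-04T09:15:09 host1 auth: FAILED user=root src=10.7.3.44
2024-03-04T09:15:12 host1 auth: SUCCESS user=alice src=10.7.3.44
2024-03-04T09:20:00 host2 auth: FAILED user=carol src=10.7.9.2
2024-03-04T11:20:00 host2 auth: SUCCESS user=carol src=10.7.9.2
2024-03-04T12:00:00 host1 auth: FAILED user=dave src=10.7.5.5
2024-03-04T12:00:30 host1 auth: FAILED user=dave src=10.7.5.5
2024-03-04T12:01:00 host1 auth: FAILED user=dave src=10.7.5.5
2024-03-04T12:01:30 host1 auth: FAILED user=dave src=10.7.5.5
2024-03-04T12:02:00 host1 auth: FAILED user=dave src=10.7.5.5
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(text):
    """Yield (timestamp, host, result, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue    # unknown format: skip the line rather than abort the review
        yield (datetime.fromisoformat(m["ts"]), m["host"], m["result"], m["user"], m["src"])

def correlate(text, threshold=5, window=timedelta(minutes=5)):
    """
    Flag each (host, src) pair with at least `threshold` failures inside `window`.
    A success from the same source within `window` of the burst is reported
    separately: that is the case that matters most (guessing that worked).
    Returns (bursts, successes_after_burst).
    """
    failures = defaultdict(list)
    bursts = {}                          # (host, src) -> time the burst was detected
    successes_after_burst = []
    for ts, host, result, user, src in sorted(parse(text)):
        key = (host, src)
        if result == "FAILED":
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside the window
                recent.pop(0)
            if len(recent) >= threshold and key not in bursts:
                bursts[key] = ts
        elif key in bursts and ts - bursts[key] <= window:
            successes_after_burst.append((host, src, user, ts))
    return bursts, successes_after_burst

if __name__ == "__main__":
    bursts, wins = correlate(SAMPLE_LOG)
    for (host, src), ts in bursts.items():
        print(f"{ts} burst of failed logons on {host} from {src}")
    for host, src, user, ts in wins:
        print(f"{ts} SUCCESS for {user} on {host} from {src} right after a burst")
```

The threshold and window are policy choices, not constants of nature: lockout settings, the number of interactive users behind a NAT address, and the noise from service accounts with expired passwords all move them. Run the correlation on the collector, not on the monitored host, so that an attacker who gains the host cannot tune it.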

Disaster Recovery & Business Resumption Planning
Require disaster recovery plans to be developed, documented, implemented, and subjected to periodic review, testing, and updates. Develop Business Continuity Plans that cover staff and locations as well as systems and other technology. Disaster Recovery and Business Resumption plans should be well documented and kept up to date so that recovery is possible within an acceptable timeframe. Plans (including restoring applications from backup) should be tested regularly to validate their correctness and completeness. Business Continuity Plans should address the entire environment: physical, technological, and staff.

Backup
Full backups should be performed at regular intervals. Where feasible, partial (incremental or differential) backups should be taken between full backups. The backup strategy should address the worst case of a complete system and application restore. For critical applications, the restore process should result in a fully functioning application in minimal time.

Backup Media
Detailed policies should govern the storage and handling of backup media, addressing at least:
· Onsite/offsite storage
· Media rotation
· Security controls
· Personnel access controls
Removable backup media should be stored in locked, fire-proof cabinets to which only authorized personnel have access. Offsite storage should be used so that backups survive a disaster at the primary site.

Backup & Restore
Backup and restore procedures should be tested regularly to identify faulty media and to improve the chance of a successful restore in the event of an outage. Audit all backup and restore documentation to confirm that every system critical to business continuity is covered.
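A restore test only identifies faulty media if the restored data is compared with what was backed up, not merely counted. The following Python 3 example is added here and is not part of the original document: it writes a tar archive together with a SHA-256 manifest, restores the archive to a scratch directory, and verifies every file against the manifest, so that a corrupt or truncated file on the media shows up as a named failure rather than a silent loss. The sample file set, directory names and archive format are constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup(src_dir, archive, manifest_path):
    """Full backup: tar the tree and write the manifest beside the archive, never inside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    Path(manifest_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest

def restore(archive, dest_dir):
    """Extract the archive; use tarfile's 'data' filter where this Python offers it."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(dest_dir), **opts)
    return str(dest_dir)

def verify_restore(restored_dir, manifest_path):
    """Return {path: reason} for every discrepancy; an empty dict means a complete restore."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(restored_dir)
    failures = {}
    for rel, digest in expected.items():
        if rel not in actual:
            failures[rel] = "missing after restore"
        elif actual[rel] != digest:
            failures[rel] = "content differs from backup"
    for rel in actual.keys() - expected.keys():
        failures[rel] = "not in manifest"
    return failures

def restore_test(sample_files):
    """Drill on a constructed file set: backup, restore, verify; then corrupt one
    restored file the way a failing medium would and verify again.
    Returns (failures_clean, failures_after_fault)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        for rel, content in sample_files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        archive, manifest = Path(work, "full.tar.gz"), Path(work, "full.manifest.json")
        backup(src, archive, manifest)
        restored = restore(archive, Path(work, "restored"))
        clean = verify_restore(restored, manifest)
        Path(restored, "db/ledger.dat").write_bytes(b"\x00" * 8)   # simulated bad block
        return clean, verify_restore(restored, manifest)

# Constructed sample data set (not from any real system).
SAMPLE_FILES = {
    "db/ledger.dat": b"account,balance\n1001,250.00\n1002,17.50\n",
    "config/app.conf": b"listen=0.0.0.0:8443\n",
    "docs/readme.txt": b"restore drill fixture\n",
}

if __name__ == "__main__":
    clean, faulty = restore_test(SAMPLE_FILES)
    print("clean restore:", clean or "all files verified")
    print("after media fault:", faulty)
```

The manifest is kept separate from the archive and should travel to offsite storage with it: a manifest stored only on the medium it describes is lost with that medium, and a manifest kept only on the backup server is modifiable by whoever controls that server. Run the same verification on the restored production system during the scheduled restore drill, not just in the lab.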