Operations Security

12.1 Operational procedures and responsibilities12.2 Protection from malware

12.3 Backup

Arthur PaixãoFaculdade dos Guararapes

Operational procedures and responsibilities

• Objective: To ensure correct and secure operations of information

processing facilities.

Operational procedures and responsibilities

• Divided into subsections:o 12.1.1 - Documented operating procedureso 12.1.2 - Change managemento 12.1.3 - Capacity managemento 12.1.4 - Separation of development, testing and

operational environments

Operational procedures and responsibilities

12.1.1 - Documented operating procedures• The installation and configuration of systems;• Processing and handling of information both automated

and manual;• Instructions for handling errors or other exceptional

conditions, which might arise during job execution, including restrictions on the use of system utilities;

Operational procedures and responsibilities

12.1.2 - Change management• Identification and recording of significant changes;• Planning and testing of changes;• Assessment of the potential impacts, including

information security impacts, of such changes;

Operational procedures and responsibilities

12.1.3 - Capacity management• Deletion of obsolete data (disk space);• Decommissioning of applications, systems, databases or

environments;• Optimising batch processes and schedules;

Operational procedures and responsibilities

12.1.4 - Separation of development, testing and operational environments• Rules for the transfer of software from development to

operational status should be defined and documented;• Development and operational software should run on

different systems or computer processors and in different domains or directories;

• Changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;

Protection from malware• Objective:

To ensure that information and information processing facilities are protected against malware.

Protection from malware• Divided into unique subsection:

o 12.2.1 Controls against malware

Protection from malware12.2.1 Controls against malware• Establishing a formal policy prohibiting the use of

unauthorized software;• Implementing controls that prevent or detect the use of

unauthorized software (e.g. application whitelisting);• Implementing controls that prevent or detect the use of

known or suspected malicious websites (e.g. blacklisting);

Backup• Objective:

To protect against loss of data.

Backup• Divided into unique subsection:

o 12.3.1 Information backup

Backup12.3.1 Information backup• Accurate and complete records of the backup copies and

documented restoration procedures should be produced;• The backups should be stored in a remote location, at a

sufficient distance to escape any damage from a disaster at the main site;

• In situations where confidentiality is of importance, backups should be protected by means of encryption;

Arthur PaixãoFaculdade dos Guararapes