Operations Security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
Arthur PaixãoFaculdade dos Guararapes
Operational procedures and responsibilities
• Objective: To ensure correct and secure operations of information processing facilities.
Operational procedures and responsibilities
• Divided into subsections:
o 12.1.1 - Documented operating procedures
o 12.1.2 - Change management
o 12.1.3 - Capacity management
o 12.1.4 - Separation of development, testing and operational environments
Operational procedures and responsibilities
12.1.1 - Documented operating procedures
• The installation and configuration of systems;
• Processing and handling of information, both automated and manual;
• Instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities;
Operational procedures and responsibilities
12.1.2 - Change management
• Identification and recording of significant changes;
• Planning and testing of changes;
• Assessment of the potential impacts, including information security impacts, of such changes;
Operational procedures and responsibilities
12.1.3 - Capacity management
• Deletion of obsolete data (disk space);
• Decommissioning of applications, systems, databases or environments;
• Optimising batch processes and schedules;
Operational procedures and responsibilities
12.1.4 - Separation of development, testing and operational environments
• Rules for the transfer of software from development to operational status should be defined and documented;
• Development and operational software should run on different systems or computer processors and in different domains or directories;
• Changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
Protection from malware
• Objective: To ensure that information and information processing facilities are protected against malware.
Protection from malware
• Divided into a single subsection:
o 12.2.1 Controls against malware
Protection from malware
12.2.1 Controls against malware
• Establishing a formal policy prohibiting the use of unauthorized software;
• Implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
• Implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
Backup
• Objective: To protect against loss of data.
Backup
• Divided into a single subsection:
o 12.3.1 Information backup
Backup
12.3.1 Information backup
• Accurate and complete records of the backup copies and documented restoration procedures should be produced;
• The backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
• In situations where confidentiality is of importance, backups should be protected by means of encryption;
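The record-keeping and restoration-procedure points of 12.3.1, as an added Python example that is not part of these slides: it archives a directory, appends one manifest record per backup copy (time, archive hash, storage location, per-file hashes) and then proves the copy is restorable by extracting it and re-hashing every file. Encryption of the copy is assumed to be applied by an external tool and is not shown; the sample data, directory names and the "offsite-vault" location are constructed.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Content hash used both for the record and for the restore check."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def create_backup(source_dir, archive_path, manifest_path, stored_at):
    """Archive source_dir and append a record of the copy to the manifest."""
    source_dir = Path(source_dir)
    files = {p.relative_to(source_dir).as_posix(): sha256_of(p)
             for p in source_dir.rglob("*") if p.is_file()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in files:
            tar.add(source_dir / rel, arcname=rel)
    record = {"created": datetime.now(timezone.utc).isoformat(),
              "archive": str(archive_path), "archive_sha256": sha256_of(archive_path),
              "stored_at": stored_at, "files": files}  # stored_at: remote site label
    with open(manifest_path, "a") as m:  # one JSON line per backup copy
        m.write(json.dumps(record) + "\n")
    return record

def verify_restore(record, restore_dir):
    """Restoration test: extract the copy and compare every file hash."""
    if sha256_of(record["archive"]) != record["archive_sha256"]:
        return False  # archive altered or corrupted since it was recorded
    with tarfile.open(record["archive"], "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # rejects unsafe member paths
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    return all(sha256_of(Path(restore_dir, rel)) == digest
               for rel, digest in record["files"].items())

def demo():
    """Constructed sample data; returns (restore ok, restore ok after corruption)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "db.sql").write_text("INSERT INTO users VALUES (1, 'alice');")
        archive = Path(tmp, "backup.tar.gz")
        rec = create_backup(src, archive, Path(tmp, "manifest.jsonl"), "offsite-vault")
        intact = verify_restore(rec, Path(tmp, "restore1"))
        data = archive.read_bytes()  # flip the last byte to simulate damage in transit
        archive.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
        return intact, verify_restore(rec, Path(tmp, "restore2"))
```

The restore check is what turns "we have backups" into "we can restore"; it belongs in the documented restoration procedure and should be run on a schedule, not only after an incident.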