
Fundamentals of Information Systems Security

Lesson 6
Security Operations and Administration

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective(s)
 Explain the role of IT operations,
administration, and security policies.

Key Concepts
 Role of security administration within an
organization
 Components of an IT security policy infrastructure
 Data classification standards used by
organizations and the DoD
 Change management and configuration
management
 The system life cycle (SLC) and the system
development life cycle (SDLC)

Security Administration
 The group of individuals responsible for
planning, designing, implementing, and
monitoring an organization’s security plan
 Identify and document the assets, and then
assign responsibility for each one to a
person or position

Controlling Access
 Identification
 Authentication
 Authorization
 Accountability

Documentation, Procedures, and Guidelines
The most common documentation requirements include:
• Sensitive assets list
• The organization’s security process
• The authority of the persons responsible for security
• The policies, procedures, and guidelines adopted by the
organization

An organization must comply with rules on two levels:
• Regulatory compliance
• Organizational compliance

Disaster Assessment and Recovery
 The security administration team handles
incidents, disasters, and other interruptions
 The emergency operations group is
responsible for protecting sensitive data in
the event of:
• Natural disasters
• Equipment failure
• Other potential emergencies

Security Outsourcing
 Advantages
• High level of expertise
 Disadvantages
• The outsourcing firm might not possess
internal knowledge
• You won’t develop in-house capability or
talent and have to continue to pay for these
services indefinitely

Outsourcing Concerns
 Privacy
 Risk
 Data security
 Ownership
 Adherence to policy

Common Agreements
 Service-level agreement (SLA)
 Blanket purchase agreement (BPA)
 Memorandum of understanding (MOU)
 Interconnection security agreement (ISA)

Compliance
 Event logs
 Compliance liaison
 Remediation

Professional Ethics
 Set the example
 Encourage adopting ethical guidelines and
standards
 Inform users through security awareness
training
 A code of ethics helps ensure
professionalism

Personnel Security Principles
 Limiting access
 Separation of duties
 Job rotation
 Mandatory vacations
 Security training
 Security awareness
 Social engineering

The Infrastructure for an IT Security Policy
 Policies
 Standards
 Procedures
 Baselines
 Guidelines

The Security Policy Environment

The Security Policy Hierarchy

Data Classification Standards
 Classification is the duty of the data owner
or someone the owner assigns
 System owner is the person or group that
manages the infrastructure
 Classifying information criteria:
• Value
• Sensitivity
• Criticality

Information Classification Objectives
 To identify information protection requirements
 To identify data value in accordance with organization
policy
 To ensure that sensitive and/or critical information is
provided appropriate protection/controls
 To lower costs by applying the stronger (and costlier) controls only to sensitive information
 To standardize classification labeling throughout the
organization
 To alert employees and other authorized personnel to
protection requirements
 To comply with privacy law and regulations
Examples of Classification
 U.S. government (standardized):
• Unclassified
• Restricted
• Confidential
• Secret
• Top Secret
 Private sector (not standardized):
• Public (low)
• Private (medium)
• Confidential (high)

Configuration Management
 The process of managing all changes to
computer and device configurations
 Evaluates the impact a modification might
have on security
 As a security professional, your job is to:
• Ensure that you adequately review all system
changes
• Ensure that configuration changes will not
cause unintended consequences for security
Hardware Inventory and Configuration Chart
 A decision to roll out a new patch, service
pack, or release will be complicated if you
can’t find, update, and test every affected
device
 Have an up-to-date map or layout of the
configuration of the hardware components
 Regularly check for any available vendor
upgrades and service packs

The Change Management Process
 Configuration control
• The management of the baseline settings for
a system device
 Change control
• The management of changes to the
configuration

Change Control Management
 Communicate change management procedures
and standards effectively
 Reactive or proactive
• Reactive: Management responds to changes in the
business environment
• Proactive: Management initiates the change to
achieve a desired goal
 Occurs on a continuous, regularly scheduled,
release, or program-by-program basis

Change Control Committees

Ensure changes are:

• Properly tested
• Authorized
• Scheduled
• Communicated
• Documented

Change Control Procedures

Change Control Issues
 Peer reviews
• Ensure that a peer or another expert
double-checks all changes before you
put them into production
 Back-out plans
• Ensure that if the change doesn’t work
properly, a plan exists to restore the
system to a known good condition
 Documentation
• Keep documentation current to reflect
the true system’s design
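Configuration control (the baseline settings of a device, from the change management process slide) and the back-out plan above can be shown in working code. The following is an added example, not code from the slides or from the publisher: it records a baseline of a configuration directory by hashing and copying every file, detects drift against that baseline, and backs out to the known good state. It uses only the Python standard library; the `etc/` file names and their contents are constructed for the demonstration.

```python
"""Configuration baseline, drift detection and back-out (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's bytes: the fingerprint stored in the baseline."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(config_dir: Path, store: Path) -> dict:
    """Snapshot every file under config_dir: hash it and copy it into `store`.

    The copy is what makes a back-out plan possible; a hash alone can detect
    drift but cannot restore the known good configuration.
    """
    store.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in config_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(config_dir).as_posix()
        manifest[rel] = sha256_file(path)
        dest = store / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
    (store / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def detect_drift(config_dir: Path, store: Path) -> dict:
    """Compare the live tree with the baseline manifest.

    Returns {"modified": [...], "added": [...], "removed": [...]} (relative paths).
    """
    manifest = json.loads((store / "manifest.json").read_text())
    live = {p.relative_to(config_dir).as_posix(): sha256_file(p)
            for p in config_dir.rglob("*") if p.is_file()}
    return {
        "modified": sorted(k for k in manifest if k in live and live[k] != manifest[k]),
        "added": sorted(k for k in live if k not in manifest),
        "removed": sorted(k for k in manifest if k not in live),
    }


def back_out(config_dir: Path, store: Path) -> dict:
    """Restore the baseline: overwrite modified files, recreate removed ones and
    delete files added since the baseline. Returns the drift that was reverted
    and verifies that the tree matches the manifest again."""
    drift = detect_drift(config_dir, store)
    for rel in drift["modified"] + drift["removed"]:
        dest = config_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / rel, dest)
    for rel in drift["added"]:
        (config_dir / rel).unlink()
    after = detect_drift(config_dir, store)
    assert not any(after.values()), f"back-out incomplete: {after}"
    return drift


def demo() -> dict:
    """Constructed walk-through: baseline, an unreviewed change, detect, back out."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, store = Path(tmp) / "etc", Path(tmp) / "baseline"
        (cfg / "ssh").mkdir(parents=True)
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (cfg / "sudoers").write_text("%admin ALL=(ALL) ALL\n")
        record_baseline(cfg, store)

        # Out-of-band change: root login re-enabled, a sudoers drop-in added,
        # the reviewed sudoers file deleted. None of this went through change control.
        (cfg / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (cfg / "sudoers.d").mkdir()
        (cfg / "sudoers.d" / "tmp-access").write_text("deploy ALL=(ALL) NOPASSWD: ALL\n")
        (cfg / "sudoers").unlink()

        drift = detect_drift(cfg, store)
        reverted = back_out(cfg, store)
        return {"drift": drift, "reverted": reverted,
                "restored": (cfg / "ssh" / "sshd_config").read_text(),
                "clean": not any(detect_drift(cfg, store).values())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `ssh/sshd_config` as modified, `sudoers.d/tmp-access` as added and `sudoers` as removed, then restores all three and re-checks that the tree matches the baseline. In practice the baseline store must be written only through the change control process and protected from the same administrators whose changes it is meant to catch, otherwise an attacker can re-baseline their own modifications.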

Application Software Security
 Processes for software development:
• System Life Cycle (SLC)
• System Development Life Cycle (SDLC)
 Steps are similar; a few key differences:
• SLC includes operations and disposal
• SDLC ends with the transition to production

The System Life Cycle
 Project initiation and planning
 Functional requirements and definition
 System design specification
 Build (develop) and document
 Acceptance testing
 Implementation (transition to production)
 Operations and maintenance
 Disposal

Testing Application Software
 Test for all expected and unexpected actions
 Handle errors correctly
 Perform load tests to find the maximum load the
system can sustain, measuring:
• Transaction volume
• Memory allocation
• Network bandwidth
• Response times
 Keep production or sensitive data secure during
testing
Catching Vulnerabilities
 Thoroughly evaluate any change to your
environment
 Formalize the process for procuring new
equipment
 Follow the guidance in your data policies
 Review a system throughout its life cycle to
ensure that it meets its specified security
(certification)
 Make sure management officially accepts the
system (accreditation)
Software Development and Security
A securely developed application:
 Checks user authentication to the application
 Checks user authorization (privilege level)
 Has procedures for recovering database integrity in the
event of system failure
 Handles errors and exceptions consistently and does not
allow any error or exception to go unhandled
 Validates all input
 Defines secure configuration baselines
 Provides guidance on hardening your application
 Provides and applies frequent patches
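The first five points above (authentication, authorization by privilege level, input validation and consistent error handling) and the "test for all expected and unexpected actions" advice from the testing slide can be shown in one request handler. This is an added example, not code from the slides or from the publisher. The user store, roles, operations and the fixed PBKDF2 salt are constructed for the demonstration; a real deployment would use a per-user random salt and a higher iteration count.

```python
"""Request handling with authn, authz, input validation and uniform errors (added example)."""
import hashlib
import hmac
import logging
import re

log = logging.getLogger("app")

_ITERATIONS = 100_000          # deliberately low so the demo runs quickly
_SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice


def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: only a salted password hash and a role are kept.
USERS = {
    "alice": {"hash": _pbkdf2("correct horse"), "role": "admin"},
    "bob": {"hash": _pbkdf2("battery staple"), "role": "viewer"},
}
# Privilege level required for each operation; anything not listed is denied.
PERMISSIONS = {"read_record": {"viewer", "admin"}, "delete_record": {"admin"}}
# Allow-list for the one user-supplied identifier the operations accept.
RECORD_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


class AppError(Exception):
    """The only error type that reaches the caller: a status and a fixed message."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status, self.message = status, message


def authenticate(user: str, password: str) -> dict:
    rec = USERS.get(user)
    # Hash even for unknown users so a missing account is not cheaper to probe.
    candidate = _pbkdf2(password)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        raise AppError(401, "authentication failed")
    return {"user": user, "role": rec["role"]}


def authorize(principal: dict, operation: str) -> None:
    if principal["role"] not in PERMISSIONS.get(operation, set()):
        raise AppError(403, "forbidden")


def validate_record_id(value) -> str:
    if not isinstance(value, str) or not RECORD_ID.fullmatch(value):
        raise AppError(400, "invalid record id")
    return value


def _perform(operation: str, record_id: str) -> dict:
    # Stand-in for the data layer; only authorized operations reach this point.
    if operation == "read_record":
        return {"id": record_id, "data": "..."}
    return {"id": record_id, "deleted": True}


def handle(request: dict) -> dict:
    """Every path returns {"status": ...}; no exception escapes this function."""
    try:
        principal = authenticate(str(request.get("user", "")),
                                 str(request.get("password", "")))
        operation = str(request.get("op", ""))
        authorize(principal, operation)
        record_id = validate_record_id(request.get("record_id"))
        return {"status": 200, "result": _perform(operation, record_id)}
    except AppError as e:
        return {"status": e.status, "error": e.message}
    except Exception:
        # Unexpected failure: full detail goes to the server log; the caller gets
        # a generic message so the error reveals nothing about internals.
        log.exception("unhandled error in request handler")
        return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    print(handle({"user": "alice", "password": "correct horse",
                  "op": "delete_record", "record_id": "rec-1"}))
    print(handle({"user": "bob", "password": "battery staple",
                  "op": "delete_record", "record_id": "rec-1"}))
    print(handle(None))  # malformed request: still a structured 500, not a traceback
```

The expected cases (a valid admin delete, a viewer read) and the unexpected ones (wrong password, unknown user, a viewer attempting delete, an unknown operation, a path-traversal string or a non-string where a record id is expected, and a request that is not a dictionary at all) each end in one of the fixed status codes, which is the property the testing slide asks you to verify.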

Software Development Models
The two most widely accepted models for software development:
 The waterfall model
 The Agile development method

The Waterfall Model

The Agile Software Development Method

Summary
 Role of security administration within an
organization
 Components of an IT security policy
infrastructure
 Data classification standards used by
organizations and the DoD
 Change management and configuration
management
 The system life cycle (SLC) and the system
development life cycle (SDLC)

