The primary purpose of operations security is to safeguard information assets that reside in a system on a day-to-day basis, to identify and safeguard any vulnerabilities that might be present in the system, and to prevent any exploitation of threats. Administrators often call the relationship between assets, vulnerabilities, and threats an operations security triple. The trick is how to tackle the operations security triple.

The Operations Security domain is a broad collection of many concepts that are both distinct and interrelated, including antivirus management, operational assurance, backup maintenance, changes in location, privileges, trusted recovery, configuration and change management control, due care and due diligence, privacy, security, and operations controls.
Personnel Controls
No matter how much effort, expense, and expertise you put into physical access control and logical/technical security mechanisms, you will always have to deal with people. In fact, people are both your last line of defense and your worst security management issue. People are vulnerable to a wide range of technical and social attacks, and they can intentionally violate security policy and attempt to circumvent physical and logical/technical security controls. Because of this, you must endeavor to employ only those people who are the most trustworthy.

Security controls to manage personnel are considered a type of administrative control. These controls and issues should be clearly outlined in your security policy and be followed as closely as possible. Failing to employ strong personnel controls may render all your other security efforts worthless.