You must clearly define personnel management practices in
your security policy and subsequent formalized security
structure documentation. Personnel management focuses on three main areas:
hiring practices, ongoing job performance, and termination procedures.
Understand antivirus management.
Antivirus management includes the design, deployment, and
maintenance of an antivirus solution for your IT environment.
Know how to prevent unrestricted installation of software.
To provide a virus-free environment, you should rigidly
control the installation of software. This includes allowing users to install
and execute only company-approved and company-distributed software as well as
thoroughly testing and scanning all new software before it is distributed on a
production network. Even commercial software has become an inadvertent carrier
of viruses.
Understand backup maintenance.
A key part of maintaining the availability and integrity of
data is a reliable backup of critical information. Having a reliable backup is
the only form of insurance that the data on a system that has failed or has
been damaged or corrupted is not permanently lost.
Know how changes in workstation or location promote a secure environment.
Changes in a user's workstation or their physical location
within an organization can be used as a means to improve or maintain security.
Having a policy of changing users' workstations prevents them from altering the
system or installing unapproved software and encourages them to keep all
material stored on network servers where it can be easily protected, overseen,
and audited.
Understand the need-to-know concept and the principle of
least privilege.
Need to know and the principle of least privilege are two
standard axioms of high-security environments. To gain access to data or
resources, a user must have a need to know. If users do not have a need to
know, they are denied access. The principle of least privilege means that users
should be granted the least amount of access to the secure environment
as possible for them to be able to complete their work tasks.
Understand privileged operations functions.
Privileged operations functions are activities that require
special access or privileges to perform within a secured IT
environment. For maximum security, such functions should be restricted to
administrators and system operators.
Know the standards of due care and due diligence.
Due care is using reasonable care to protect the interest of
an organization. Due diligence is practicing the activities that maintain the
due care effort. Senior management must show reasonable due care and due
diligence to reduce their culpability and liability when a loss occurs.
Understand how to maintain privacy.
Maintaining privacy means protecting personal information
from disclosure to any unauthorized individual or entity. In today's online
world, the line between public information and private information is often
blurry. The protection of privacy should be a core mission or goal set forth in
the security policy of an organization.
Know the legal requirements in your region and field of
expertise.
Every organization operates within a certain industry and
country, both of which impose legal requirements, restrictions, and regulations
on its practices. Legal requirements can involve licensed use of software,
hiring restrictions, handling of sensitive materials, and compliance with
safety regulations.
Understand what constitutes an illegal activity.
An illegal activity is an action that violates a legal
restriction, regulation, or requirement. A secure environment should
provide mechanisms to prevent illegal activities from being committed and the
means to track illegal activities and maintain accountability from the
individuals perpetrating the crimes.
Know the proper procedure for record retention.
Record retention is the organizational policy that defines
what information is maintained and for how long. In most cases, the records in
question are audit trails of user activity. This can include file and resource
access, logon patterns, email, and the use of privileges.
Understand the elements of securing sensitive
media.
Managing information and media properly, especially in a
high-security environment where sensitive, confidential, and proprietary
data is processed, is crucial to the security and stability of an
organization. In addition to media selection, there are several key areas of
information and media management: marking, handling, storage, life span, reuse,
and destruction.
Know and understand the security control types.
There are several methods used to classify security controls.
The classification can be based on the nature of the control (administrative,
technical/logical, or physical) or on the action or objective of the control
(directive, preventive, detective, corrective, and recovery).
Know the importance of control transparency.
When possible, operations controls should be invisible or
transparent to users to prevent users from thinking security is
hampering their productivity. Likewise, the fewer users know about the security of
the system, the less likely they will be able to circumvent it.
Understand how to protect resources.
The operations controls for resource protection are designed
to provide security for the IT environment's resources, including
hardware, software, and data assets. To maintain confidentiality, integrity,
and availability of the hosted assets, the resources themselves must be
protected.
Be able to explain change and configuration control
management.
Change in a secure environment can introduce loopholes,
overlaps, misplaced objects, and oversights that can lead to new
vulnerabilities. Therefore, you must systematically manage change by logging,
auditing, and monitoring activities related tosecurity controls and security mechanisms.
The resulting data is then used to identify agents of change, whether they are
objects, subjects, programs, communication pathways, or even the network
itself. The goal of change management is to ensure that any change does not
lead to reduced or compromised security.
Understand the trusted recovery process.
The trusted recovery process ensures that a system is not
breached during a crash, failure, or reboot and that every time one of these
occurs, the system returns to a secure state.
No comments:
Post a Comment