Page History

Operations security involves planning and sustaining the day-to-day “rubber meets the road” processes that are critical to maintaining the security of institutions’ information environments. The extent and complexity of security operations will vary between institutions based on institutional risk tolerances and resource levels. However, each of the control areas in this chapter must be addressed in some manner to help mitigate common ubiquitous risks. The most important aspect of operations security is that the operations themselves need to be repeatable, reliable, and consistently performed.

If you are just starting an information security program or looking to evaluate and improve operations security then the following approach can be very helpful:

1. Review the following areas to assess the confidentiality, integrity, and availability of operations center controls:
   1. Operational procedures and responsibilities
      1. Review documentation and evaluate guidance in regards to change management, capacity management, and separation of development, test, and production environments
   2. Malware detection and prevention controls
      1. Evaluate their level of effectiveness
   3. Data center backup strategy
      1. Evaluate whether backup procedures and methods (e.g., encryption) are effective both for on- and off-premises backup management
   4. Audit trails and logging
      1. Review whether they are implemented effectively so that security reviews can be conducted to detect tampering, unauthorized access, and record user activities
   5. Installation of software on operational systems
      1. Ensure licensing requirements are met

2. Implement a formal vulnerability management program to proactively test IT infrastructure for vulnerabilities that can be exploited and ensure that there is an effective process in place to manage corrective actions in collaboration with stakeholders.

3. Prepare in advance for IT controls audits to avoid service disruptions.

Objective: To ensure the effective operation and security of information processing facilities.

Objective: To protect the confidentiality, integrity, and availability (CIA) of information technology resources and data.

Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.

Objective: To detect unauthorized activities occurring that may have a detrimental effect upon information processing facilities.

Objective: To ensure the integrity of operating systems.

Objective: To prevent exploitation of technical vulnerabilities.

Objective: Minimize the impact of audit activities on operational systems.

Campus Case Studies On This Page
Enhancing Application Security with a Web Application Firewall - UC, Irvine (2011)

EDUCAUSE Resources
EDUCAUSE Resources & Resource Center Pages

• 7 Things You Should Know About Cloud Security
• Cloud Computing Security
• Dropbox Security & Privacy Considerations

HEISC Toolkits/Guidelines

• E-Discovery Toolkit
• Electronic Records Management Toolkit
• Guidelines for Data De-Identification or Anonymization
• Guidelines for Information Media Sanitization
• Managing Malware
• Two-Factor Authentication

Templates/Sample Plans

• East Carolina University SYSTEM Server Disaster Recovery Plan
• University of Houston Information Security Resources and Operations Manual
• Indiana University UITS Change Management
• Northwestern University Information Technology Information and Systems Security/Compliance
• University of Missouri Systems Electronic Records Administration

Security Professionals Conference 2014

• Splunk: Quick Start and Lessons Learned from OSU

Security Professionals Conference 2013

• How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory
• Bring Your Own Cloud: Data Management Challenges in a Click-Through World

Enterprise IT Leadership Conference 2013

• Providing Private Cloud Services To Support HIPAA Compliance

EDUCAUSE Annual Conference 2012

• Reaching a Higher Elevation: Supporting High-Value, High-Risk Cloud Services
• Disaster Recovery Planning: How to Build It, How to Test It
• Raising the Bar in Cloud Security for Higher Education
• Business Continuity Management Discussion
• Preparing for Big Data: Strategic Storage Planning at Lehigh University
• Next-Generation Backup: Simpler and Cheaper, with Disaster Recovery Capability
• Achieving Virtualization: The Holy Grail of IT
• Community and the Cloud: Shaping the Future of Technology Services for Higher Education

Security Professionals Conference 2012

• Tools and Methods for Managing SNORT Sensors in Distributed Environments
• DNS Sinkholing to Reduce Network Compromises

Southeast Regional Conference 2012

• The EITS Analysis Committee: A Grassroots Effort at Standardized Documentation and Diagramming Templates
• Inform, Engage, and Educate: How to Communicate Major Service and System Updates and Changes to the Campus
• Personal Storage in the Cloud

Mid-Atlantic Regional Conference 2012

• Leverage the Cloud + Leverage In-House + Improve Security = Save Money

EDUCAUSE Annual Conference 2011

• Building a Business Case for the Cloud
• The Titan Cloud: CSU Fullerton's Virtual Computing Infrastructure Implementation

Security Professionals Conference 2011

• Information Technology Standards at the University of Illinois: Common Challenges and Solutions
• Network Segmentation: Virtual Routing Implementation
• Seminar 02P - Malware Detection and Mitigation with Passive DNS and Blackhole DNS
• A Gentle Introduction to Bro

Initiatives, Collaborations, & Other Resources

• ECAR Working Groups; Bring together higher education IT leaders to address core technology challenges.