Table of Contents
- Overview | Standards | Getting Started | Resources
- Operational procedures and responsibilities (ISO 12.1)
- Protection from malware (ISO 12.2)
- Backup (ISO 12.3)
- Logging and monitoring (ISO 12.4)
- Control of operational software (ISO 12.5)
- Technical vulnerability management (ISO 12.6)
- Information systems audit considerations (ISO 12.7)
Overview
To be effective in reducing security risk and ensuring correct computing, a security program needs to include operational procedures, controls, and well-defined responsibilities. Additional formal policies, procedures, and controls are needed to protect exchange of data and information through any type of communication media or technology. Operational and communication exchange procedures and controls address:
- Operating procedures, including proper documentation of all normal and emergency functions and the management of audit logs and other security or system log information.
- Change management procedures that include the planning and testing of changes, assessment of their impact, formal approval, and fallback procedures.
- Segregation of duties and areas of responsibility to minimize the chance of accidental or unintended access or modification.
- Separate development, test, and production (operational) environments, with rules for development and testing that minimize risk and the exposure of sensitive data.
- System capacity and resource planning and acceptance, including projections of future capacity requirements and acceptance and test criteria for the addition of new information systems, upgrades, or new versions.
- Protection from malware should be in place for information and information processing facilities.
- System backup procedures and policy, and timely restoration in case of a disaster or media failure.
- Systems logging and monitoring, including log management and auditing, confirmation of the effectiveness of controls in place, and anomaly detection and follow-up activities.
- Control of operational software
- Vulnerability management
- Information systems audit
Standards
- 27002:2013 Information Security Management
- 800-100: Information Security Handbook: A Guide for Managers
- APO12.01
- Req 2
- ID.BE-4
- 45 CFR 164.308(a)(5)(ii)(B)
Getting Started
Many of our universities have data processing facilities, network and/or security operations centers. This chapter offers discussion on key topics of interest, with emphasis on the need for formalized policies, procedures and controls which assist in data and system protection.
Operational procedures and responsibilities (ISO 12.1)
Objective: To ensure the effective operation and security of information processing facilities such as data centers, network and/or security operations centers.
Operating Procedures
Developing documented operating procedures which are maintained, current, relevant and provided to all users who need them is very important. The scale of implementation should be commensurate with the size and complexity of your information processing environments. At any rate, sufficient documentation should be available to handle typical issues that may arise in the day-to-day working environment. Inadequate or incorrectly documented procedures can result in system or application failures, resulting in loss of availability, failure of data integrity, and breaches of confidentiality. Operating procedures should be treated as formal documents, maintained and managed with version and approval processes and controls in place. Additional areas of interest are segregation of duties and separation of development, test, and operational facilities. The objective in implementing guidelines and controls is to minimize the risk of errors, omissions, and unauthorized activity.
- Greening the Campus: From the Data Center to the Classroom
- Shared Data Centers: Something Old and Something New
- University of Houston Information Security Resources and Operations Manual
- The EITS Analysis Committee: A Grassroots Effort at Standardized Documentation and Diagramming Templates
- Business Continuity Management Discussion
Change Management
Formal change management procedures that control changes to information processing facilities should be implemented. Uncontrolled changes to operational information processing facilities and systems can cause major interruptions. Typical changes that can cause problems are new software installations, changes to a key business/IT process or operational environment, or the introduction of third-party arrangements.
- Indiana University UITS Change Management
- Indiana University Data Center
- Inform, Engage, and Educate: How to Communicate Major Service and System Updates and Changes to the Campus
Capacity Management
Conduct system tuning, monitor the use of present resources and, with input from user planning, project future requirements. Controls that detect and respond to capacity problems support a timely reaction. This is especially important for communications networks, where changes in load balancing can be sudden and result in poor performance and dissatisfied users. Monitoring disk capacity, transmission throughput, service/application utilization, and other typical bottlenecks is recommended.
- IBM partnership with North Carolina Central University (NCCU) and NC State University to create the "greenest" cloud computing Data Center (Capacity Management emphasis)
System Acceptance
Develop system acceptance criteria that can be validated by appropriate personnel and ensure testing is carried out before new systems are put into production, to ensure vulnerabilities are minimized. Any adverse impacts on existing systems should be identified and brought under control before acceptance into operational environments. Ensure that new systems are properly secured prior to providing internet connectivity.
Protection from malware (ISO 12.2)
Objective: To protect the confidentiality, integrity, and availability of information technology resources and data.
Malware prevention efforts can only be as effective as the level of protection offered by the anti-malware solutions currently in place, so proactive measures to assess the effectiveness of those controls are both appropriate and necessary, as is user awareness training. The ability to maintain centrally managed and current protection updates is important, as is ensuring that users understand the importance of properly installing and using the anti-malware solutions they are provided. Malicious mobile code that is obtained from remote servers, transferred across networks and downloaded to computers (ActiveX controls, JavaScript, Flash animations) is a continuing area of concern as well. If identified as pertinent, technical provisions can be made to comply with guidelines and procedures that distinguish between authorized and unauthorized mobile code.
- Effective IPS/IDS Network Security in a Dynamic World
- Tools and Methods for Managing SNORT Sensors in Distributed Environments
- DNS Sinkholing to Reduce Network Compromises
- Symantec Corporation and Temple University - Securing a Free and Open University Environment
- McAfee and Georgia State University - Taking Aim at Network Intruders with Intrushield's Intrusion Prevention System
- FireEye, Inc. and University of California, Berkeley - Combating Stealth Malware and Botnets in Higher Education
- Using OSSEC Open-Source, Host-Based Intrusion Detection
- Web Application Firewalls at SCSU: Why and How
- UAlbany's IP Blocker: Elevating IDS to IPS
- Malware Detection and Mitigation with Passive DNS and Blackhole DNS (seminar)
- A Gentle Introduction to Bro
Backups (ISO 12.3)
Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.
Backups are a critical issue: the integrity and availability of important information and software should be maintained by making regular copies to other media. Risk assessments should be used to identify the most critical data. Develop well-defined procedures, and establish well-defined long-term storage requirements and testing/business continuity planning.
- East Carolina University SYSTEM Server Disaster Recovery Plan
- Disaster Recovery Planning: How to Build It, How to Test It
- Preparing for Big Data: Strategic Storage Planning at Lehigh University
- Next-Generation Backup: Simpler and Cheaper, with Disaster Recovery Capability
Logging and monitoring (ISO 12.4)
Objective: To detect unauthorized activities occurring that may have a detrimental effect upon information processing facilities.
For all systems processing information, audit logs are important for investigating events and anomalies. Audit trails assist in incident investigations as well as in determining accountability for situations that occur. Typical activities that can be detected are false access attempts, attempts to change restricted data items, excessive use of certain data, etc. Both automated and handwritten logs of administrator and operator activities ensure the integrity of operations in information processing facilities, such as data and network centers. Systems fault monitoring may expose vulnerabilities due to loss of service integrity and availability. A policy around systems monitoring and logging should specify operational requirements, usage and authorization for data access requests, as well as retention of log and audit trail information. Monitoring activities also assist in measuring the effectiveness of controls applied to handle risks and vulnerabilities. The information contained in audit trails and logs is only valuable if its integrity can be relied upon; therefore, commensurate levels of protection and controls should be applied to safeguard this information. Without proper timing and synchronization across all systems, audit and monitoring logs can become inaccurate and their integrity compromised. There should be a means of monitoring system time clocks and correcting inaccuracies.
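The paragraph above makes two operational points: log integrity must be protected, and clocks must stay synchronized or the record becomes unreliable. The following added example (written for this guide, not code from any of the linked campus resources) shows one way a log collector can enforce both. Each record is sealed with an HMAC over the previous record's digest plus its own content, so an altered or deleted entry breaks the chain, and the verifier also flags a timestamp that runs backwards by more than a tolerance, which is what clock drift or a replayed record looks like. The key, the event records and the skew tolerance are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo key. In a real deployment the key lives on the log
# collector, not on the hosts that produce the records, so a compromised
# host cannot re-seal its own history.
SECRET_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64                 # digest used before the first record
MAX_BACKWARD_SKEW_SECONDS = 5      # tolerated clock slip between records

# Constructed sample events; the last one carries a timestamp 30 minutes
# in the past, the kind of anomaly an unsynchronized clock produces.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00+00:00", "host": "web01", "user": "alice", "event": "login_success"},
    {"ts": "2024-03-01T08:00:07+00:00", "host": "web01", "user": "mallory", "event": "login_failure"},
    {"ts": "2024-03-01T08:00:09+00:00", "host": "web01", "user": "mallory", "event": "login_failure"},
    {"ts": "2024-03-01T07:30:00+00:00", "host": "db01", "user": "svc_backup", "event": "config_change"},
]


def seal_record(prev_digest: str, record: dict) -> str:
    """HMAC-SHA256 over (previous digest || canonical JSON of this record)."""
    payload = prev_digest.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Seal `record` against the chain tail, append it, and return the entry."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"record": record, "digest": seal_record(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> list:
    """Return a list of findings; an empty list means the chain is intact
    and timestamps never run backwards beyond the tolerance."""
    findings = []
    prev = GENESIS
    last_ts = None
    for idx, entry in enumerate(chain):
        expected = seal_record(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["digest"]):
            findings.append(f"entry {idx}: digest mismatch (record altered or chain broken)")
        # Continue from the stored digest so later, untouched entries still verify.
        prev = entry["digest"]
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if last_ts is not None and (last_ts - ts).total_seconds() > MAX_BACKWARD_SKEW_SECONDS:
            findings.append(
                f"entry {idx}: timestamp {ts.isoformat()} is earlier than the previous "
                f"entry by more than {MAX_BACKWARD_SKEW_SECONDS}s (clock drift or replay)"
            )
        last_ts = ts
    return findings


def build_sample_chain() -> list:
    """Seal the constructed events into a chain, as a collector would on ingest."""
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


def demo() -> dict:
    """Run the verifier over the clean chain, a copy with one record edited,
    and a copy with one record removed."""
    chain = build_sample_chain()
    altered = [dict(e, record=dict(e["record"])) for e in chain]
    altered[1]["record"]["event"] = "login_success"   # a failed login rewritten as success
    deleted = chain[:1] + chain[2:]                    # the same entry removed outright
    return {
        "clean": verify_chain(chain),
        "altered": verify_chain(altered),
        "deleted": verify_chain(deleted),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the clean chain only the clock finding appears. Editing a record without the key produces a digest mismatch at that entry, and removing an entry produces a mismatch at the entry that followed it, because its seal was computed over a digest that is no longer there. Chaining alone does not make the records trustworthy, though: the verifier and the key must sit where the host producing the logs cannot reach them, which is the usual argument for shipping logs to a separate collector.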
- How to Use NetFlow to Gain Internal Visibility and Security
- Network Monitoring with Argus, NetFlow, and Other Tools
- Improving Security Event Correlation and Analysis Using Intelligent Agents
- REN-ISAC and CSI2---The Security Event System
- E-Discovery Toolkit
Control of operational software (ISO 12.5)
Objective: To prevent systems failures and ensure systems meet defined levels of protection prior to placing them into production.
Technical Vulnerability Management (ISO 12.6)
Objective: To ensure that procedures are implemented to mitigate and/or patch technical vulnerabilities in systems and applications.
Three approaches to managing technical vulnerabilities in application software are described in the Application Security and Software Development Life Cycle presentation from the 2010 Security Professionals Conference.
Campus Case Study: Enhancing Application Security with a Web Application Firewall - UC, Irvine
Vulnerabilities should be monitored, and one way to do that is with a web application scanner. An article from the August 2011 Security Tools Benchmarking blog lists web application scanners, both open source and commercial, and enumerates their features. Windows system vulnerabilities allow hackers to gather information from applications. Rapid Windows Analysis, presented at the 2013 Security Professionals Conference, describes tools for detecting Windows vulnerabilities.
Information systems audit considerations (ISO 12.7)
Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.
- East Carolina University SYSTEM Server Disaster Recovery Plan
- Disaster Recovery Planning: How to Build It, How to Test It
- Preparing for Big Data: Strategic Storage Planning at Lehigh University
- Next-Generation Backup: Simpler and Cheaper, with Disaster Recovery Capability
Resources
Campus Case Studies On This Page
- Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)
EDUCAUSE Resources
EDUCAUSE Resources & Resource Center Pages
- IT Communications
- Network Security and Applications
- Security Management
- 7 Things You Should Know About Cloud Security
- Cloud Computing Security
- Dropbox Security & Privacy Considerations
HEISC Toolkits/Guidelines
- E-Discovery Toolkit
- Electronic Records Management Toolkit
- Guidelines for Data De-Identification or Anonymization
- Guidelines for Information Media Sanitization
- PCI DSS (Payment Card Industry Data Security Standard) Resource Page
- Two-Factor Authentication
Templates/Sample Plans
- East Carolina University SYSTEM Server Disaster Recovery Plan
- University of Houston Information Security Resources and Operations Manual
- Indiana University UITS Change Management
- Indiana University Data Center
- IBM partnership with North Carolina Central University (NCCU) and NC State University to create the "greenest" cloud computing Data Center (Capacity Management emphasis)
- Northwestern University Information Technology Information and Systems Security/Compliance
- University of Missouri Systems Electronic Records Administration
Security Professionals Conference 2013
- How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory
- Bring Your Own Cloud: Data Management Challenges in a Click-Through World
EDUCAUSE Annual Conference 2012
- Reaching a Higher Elevation: Supporting High-Value, High-Risk Cloud Services
- Disaster Recovery Planning: How to Build It, How to Test It
- Raising the Bar in Cloud Security for Higher Education
- Business Continuity Management Discussion
- Preparing for Big Data: Strategic Storage Planning at Lehigh University
- Next-Generation Backup: Simpler and Cheaper, with Disaster Recovery Capability
- Achieving Virtualization: The Holy Grail of IT
- Community and the Cloud: Shaping the Future of Technology Services for Higher Education
Security Professionals Conference 2012
- Leading the Way to PCI Compliance: It's All About Planning and Collaboration
- Tools and Methods for Managing SNORT Sensors in Distributed Environments
- DNS Sinkholing to Reduce Network Compromises
Southeast Regional Conference 2012
- The EITS Analysis Committee: A Grassroots Effort at Standardized Documentation and Diagramming Templates
- Inform, Engage, and Educate: How to Communicate Major Service and System Updates and Changes to the Campus
- Personal Storage in the Cloud
EDUCAUSE Annual Conference 2011
- Building a Business Case for the Cloud
- The Titan Cloud: CSU Fullerton's Virtual Computing Infrastructure Implementation
Security Professionals Conference 2011
- Information Technology Standards at the University of Illinois: Common Challenges and Solutions
- Network Segmentation: Virtual Routing Implementation
- Seminar 02P - Malware Detection and Mitigation with Passive DNS and Blackhole DNS
- A Gentle Introduction to Bro
- Do They Measure Up? Assessing the Security Posture of Third-Party Service Providers
EDUCAUSE Annual Conference 2010
- How University Data Backup Is Moving Online
- Seminar 04P - Create Your IT Disaster Recovery Plan
- Cloud Computing Security: An Oxymoron?
- Deploying an Internal Cloud: Offering Infrastructure as a Service to the Campus Community
- IT Incident Communications: Keeping Customers in the Loop During an IT Meltdown
- Greening the Campus: From the Data Center to the Classroom
- Building a Network Control Strategy for Your Campus
- Cloud Computing Contract Issues
- Steps to a Cloud-Ready Data Center
- Shared Data Centers: Something Old and Something New
Security Professionals Conference Archives 2008-2010
Policy and Compliance:
- Conducting Internal PCI DSS Assessments
- The Data Center Within a Data Center: Building a Secure Environment for Compliance
Corporate and Campus Solutions:
- Effective IPS/IDS Network Security in a Dynamic World
- How to Use NetFlow to Gain Internal Visibility and Security
- Realizing the Promise of Faster, More Secure Campus Communications
- Symantec Corporation and Temple University - Securing a Free and Open University Environment
- McAfee and Georgia State University - Taking Aim at Network Intruders with Intrushield's Intrusion Prevention System
- FireEye, Inc. and University of California, Berkeley - Combating Stealth Malware and Botnets in Higher Education
Technology Concepts:
- Using OSSEC Open-Source, Host-Based Intrusion Detection
- Filelocker: Simplifying Secure File Transfers
- Web Application Firewalls at SCSU: Why and How
- Virtualization and Security Architecture
- Securing and Leveraging the Power of Virtual Servers and Desktops
Advanced Technology:
- Mastering Puppet: Using Puppet to Centrally Manage IT Security Infrastructure
- Starting Over from the Top: Campus IPv6 Deployment and Security
- Linking Remote Sites with OpenVPN
- UAlbany's IP Blocker: Elevating IDS to IPS
- Network Monitoring with Argus, NetFlow, and Other Tools
- Improving Security Event Correlation and Analysis Using Intelligent Agents
- REN-ISAC and CSI2---The Security Event System
Initiatives, Collaborations, & Other Resources
- ECAR Working Groups: bring together higher education IT leaders to address core technology challenges.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).