Overview

To be effective in reducing security risk and ensuring correct computing, a security program needs to include operational procedures, controls, and well-defined responsibilities. Additional formal policies, procedures, and controls are needed to protect exchange of data and information through any type of communication media or technology. Operational and communication exchange procedures and controls address:

  • Operating procedures, including proper documentation of all normal and emergency functions and management of audit logs and other security or system log information; change management procedures that include planning and testing of changes, assessment of their impact, formal approval, and fallback procedures; and system capacity and resource planning and acceptance, including projections of future capacity requirements and acceptance and test criteria for new information systems, upgrades, or new versions. You will also want separate development, test, and production (operational) environments, with rules governing development and testing, to minimize risk and exposure of sensitive data.
  • Protection from malware should be in place for information and information processing facilities.
  • System backup procedures and policy with tested restoration processes in case of a disaster or media failure.
  • System logging and monitoring allow for evaluating the effectiveness of controls, anomaly detection, and the collection of system log data for use as evidence.
  • Procedures should be written and enforced to control the installation of software on any operational system.
  • Technical vulnerability management relies on a detailed asset inventory to identify and patch known vulnerabilities across your asset groups. It is also critical to control how your end users are allowed to install software.
  • Information systems audit functions and activities should be well documented and communicated in order to avoid impacting operational systems.

Standards

ISO
  • ISO/IEC 27002:2013 Information Security Management, Chapter 12: Operations Security
  • ISO/IEC 27003:2010
  • ISO/IEC 27004:2009

NIST
  • SP 800-100: Information Security Handbook: A Guide for Managers
  • SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT
  • APO12.01, APO12.02, APO12.03, APO12.04, APO13.01, BAI01.06, BAI06.01, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS02.07, DSS05.01

PCI DSS
  • Req 2, Req 6, Req 12

2014 Cybersecurity Framework
  • ID.BE-4, ID.4A-1, ID.RA-5, PR.DS-4, PR.DS-6, PR.DS-7, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-12, PR.PT-1, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-8

HIPAA Security
  • 45 CFR 164.308(a)(5)(ii)(B)
  • 45 CFR 164.308(a)(7)(ii)(A)
  • 45 CFR 164.308(a)(7)(ii)(A)
  • 45 CFR 164.316(a), 45 CFR 164.316(b)(1)
  • 45 CFR 164.308(a)
  • 45 CFR 164.310(d)(1)
  • 45 CFR 164.310(d)(2)(iv)
  • 45 CFR 164.312(c)(1)
  • 45 CFR 164.312(b)
  • 45 CFR 164.308(a)(5)
  • 45 CFR 164.312(a)(1)

Getting Started

Many of our universities have data processing facilities and network and/or security operations centers. This chapter discusses key topics of interest, with emphasis on the need for formalized policies, procedures and controls that assist in data and system protection.

How do I assess the confidentiality, integrity, and availability of my institution's data center controls? 

Section 12.1 - Operational procedures and responsibilities offers guidance on documentation, change management, capacity management, and separation of development, test and production environments.

Section 12.2 - What malware detection and prevention controls are in place, and are they effective?

Section 12.3 - What is your data center's backup strategy, and is there a well-documented procedure that is effective for both on-premises and off-premises backup management?

Section 12.4 - Are audit trails and logging implemented effectively enough that you can conduct security reviews to detect tampering and unauthorized access and to record user activities, and are clocks within your data center synchronized to a single time source?

Section 12.5 - Are procedures implemented to control installation of software on operational systems?

Section 12.6 - Does your vulnerability management program ensure that you can detect and mitigate vulnerabilities, and do you obtain information about new vulnerabilities and provide it to key stakeholders in an ongoing and effective manner?

Section 12.7 - When IT controls audits take place at your institution, are they planned to avoid disruptions to critical systems?

Operational Procedures and Responsibilities (ISO 12.1)

Objective: To ensure the effective operation and security of information processing facilities such as data centers, network and/or security operations centers.

Developing documented operating procedures that are maintained, current, relevant and provided to all users who need them is very important. The scale of implementation should be commensurate with the size and complexity of your information processing environments. In any case, sufficient documentation should be available to handle the typical issues that arise in the day-to-day working environment. Inadequate or incorrectly documented procedures can result in system or application failures, leading to loss of availability, failure of data integrity, and breaches of confidentiality. Operating procedures should be treated as formal documents, maintained and managed with version and approval processes and controls in place. Additional areas of interest are segregation of duties and separation of development, test, and operational facilities. The objective in implementing these guidelines and controls is to minimize the risk of errors, omissions, and unauthorized activity.

Formal change management procedures that control changes to information processing facilities should be implemented. Uncontrolled changes to operational information processing facilities and systems can cause major interruptions. Typical changes that cause problems are new software installations, changes to a key business/IT process or operational environment, and the introduction of third-party arrangements.

Formalize capacity management by tuning systems, monitoring the use of present resources and, with the support of user planning input, projecting future requirements. Controls to detect and respond to capacity problems help ensure a timely reaction. This is especially important for communications networks, where changes in load can be sudden and result in poor performance and dissatisfied users. Monitoring of disk capacity, transmission throughput, service/application utilization and other typical bottlenecks is recommended.

Maintain separate platforms for development, testing and operational environments. Levels of separation should be maintained to reduce the risk of unauthorized access and to eliminate unintentional changes to the operational environment.

Protection from Malware (ISO 12.2)

Objective: To protect the confidentiality, integrity, and availability of information technology resources and data.

Malware prevention efforts can only be as effective as the protection offered by the anti-malware solutions currently in place, so proactive measures to assess the effectiveness of those controls are both appropriate and necessary, as is user awareness training. The ability to maintain centrally managed and current protection updates is important, as is ensuring that users understand the importance of properly installing and using the anti-malware solutions they are provided. Malicious mobile code obtained from remote servers, transferred across networks and downloaded to computers (ActiveX controls, JavaScript, Flash animations) is a continuing area of concern as well. If identified as pertinent, technical provisions can be made to comply with guidelines and procedures that distinguish between authorized and unauthorized mobile code.

Campus Case Study: Enhancing Application Security with a Web Application Firewall - UC, Irvine (2011)

Backups (ISO 12.3)

Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.

System backups are a critical issue: the integrity and availability of important information and software should be maintained by making regular copies to other media. Use risk assessments to identify the most critical data. Develop well-defined procedures, and establish well-defined long-term storage requirements along with restoration testing and business continuity planning.

Logging and Monitoring (ISO 12.4)

Objective: To detect unauthorized activities occurring that may have a detrimental effect upon information processing facilities.

For all systems processing information, audit logs are important for investigating events and anomalies. Audit trails assist in incident investigations as well as in determining accountability for situations that occur. Typical activities that can be detected are failed access attempts, attempts to change restricted data items, excessive use of certain data, etc. Both automated and handwritten logs of administrator and operator activities help ensure the integrity of operations in information processing facilities such as data and network centers. System fault monitoring may expose vulnerabilities through loss of service integrity and availability. A policy on system monitoring and logging will specify operational requirements, usage and authorization for data access requests, and retention of log and audit trail information. Monitoring activities also assist in measuring the effectiveness of controls applied to handle risks and vulnerabilities. The information contained in audit trails and logs is only valuable if its integrity can be relied upon; therefore, commensurate levels of protection and controls should be applied to safeguard it. Without proper timing and synchronization across all systems, audit and monitoring logs can become inaccurate and their integrity compromised. There should be a means of monitoring system time clocks and correcting inaccuracies.
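The three points above (detecting failed access attempts, protecting log integrity, and catching unsynchronized clocks) can be demonstrated on a small audit trail. The following is an added example, not code from the original page; the events, hostnames and users are constructed, and the hash chain is one simple way to make a log tamper-evident.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # fixed starting value that anchors the chain

# Constructed sample events from hypothetical hosts; not real log data.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "host": "app01", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 1700000003, "host": "app01", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 1700000005, "host": "app01", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 1700000010, "host": "app01", "user": "bob", "action": "login", "result": "ok"},
    # db01's clock is ~17 minutes behind app01, so the trail cannot be ordered.
    {"ts": 1699999000, "host": "db01", "user": "bob", "action": "update", "result": "ok"},
]

def _link_hash(prev_hash, event):
    # Hash of the previous link plus a canonical encoding of this event.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def chain_events(events):
    """Build a hash chain so each record commits to every record before it."""
    prev, chained = GENESIS, []
    for ev in events:
        h = _link_hash(prev, ev)
        chained.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return chained

def verify_chain(chained):
    """Index of the first record whose link is broken, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        if rec["prev"] != prev or rec["hash"] != _link_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1

def clock_skew_violations(events, max_backstep=60):
    """Indexes of events whose timestamp runs backwards by more than max_backstep
    seconds, which on a single trail points to an unsynchronized source clock."""
    return [i for i in range(1, len(events))
            if events[i - 1]["ts"] - events[i]["ts"] > max_backstep]

def failed_login_bursts(events, threshold=3):
    """(host, user) pairs with at least `threshold` failed logins."""
    counts = Counter((e["host"], e["user"]) for e in events
                     if e["action"] == "login" and e["result"] == "fail")
    return {k: n for k, n in counts.items() if n >= threshold}
```

Editing any stored record, or deleting one from the middle, changes the expected link hash and verify_chain reports the first broken index; in practice the chain head would be stored on a separate system so that the trail cannot be rebuilt by whoever altered it.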

Control of Operational Software (ISO 12.5)

Objective: To ensure the integrity of operating systems.

Establish and maintain documented procedures to manage the installation of software on operational systems. Operational system software installations should only be performed by qualified, trained administrators. Updates to operational system software should use only approved and tested executable code. Ideally, use a configuration control system and have a rollback strategy in place prior to any update. Audit logs of updates and previous versions of updated software should be maintained. Third parties that require access to perform software updates should be monitored, and their access removed once updates are installed and tested.

Technical Vulnerability Management (ISO 12.6)

Objective: To prevent exploitation of technical vulnerabilities.

Technical vulnerabilities need to be understood and managed appropriately. It is important to keep up to date with industry notices about technical vulnerabilities and to evaluate risk and mitigation strategies. There needs to be a reporting mechanism in place to allow timely review of any information on such technical vulnerabilities. It is imperative to have an up-to-date and complete inventory of your asset groups so that action can be taken once a technical vulnerability is reviewed and a mitigation strategy agreed on. Technical vulnerability management should be integrated with existing change management and incident management processes. It is also critical to control how your end users are allowed to install software.
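The passage above ties vulnerability response to an asset inventory and to change management. The following added example (not from the original page) shows that dependency concretely: a reviewed advisory is matched against a per-group inventory, affected hosts are grouped into one change request per asset group, and hosts whose version is not recorded are surfaced as inventory gaps that block closing the advisory. The inventory, hostnames, versions and the advisory identifier are all constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory for a hypothetical campus; hostnames and versions are made up.
INVENTORY = [
    {"host": "web01", "group": "public-web", "product": "httpd", "version": "2.4.49"},
    {"host": "web02", "group": "public-web", "product": "httpd", "version": "2.4.52"},
    {"host": "lms01", "group": "academic", "product": "httpd", "version": "2.4.50"},
    {"host": "db01", "group": "academic", "product": "postgres", "version": "13.4"},
    {"host": "kiosk07", "group": "labs", "product": "httpd", "version": None},  # gap
]

# Constructed advisory record (placeholder id). Affected range is
# [affected_from, fixed_in): the fixed version itself is not affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-001", "product": "httpd",
            "affected_from": "2.4.49", "fixed_in": "2.4.51"}

def parse_version(v):
    """Turn 'x.y.z' into a tuple of ints so 2.4.9 sorts below 2.4.49."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, advisory):
    lo = parse_version(advisory["affected_from"])
    hi = parse_version(advisory["fixed_in"])
    return lo <= parse_version(version) < hi

def triage(inventory, advisory):
    """Return (affected hosts by asset group, hosts with unknown version).
    Unknown versions must be verified before the advisory can be closed."""
    affected, unknown = defaultdict(list), []
    for a in inventory:
        if a["product"] != advisory["product"]:
            continue
        if a["version"] is None:
            unknown.append(a["host"])
        elif is_affected(a["version"], advisory):
            affected[a["group"]].append(a["host"])
    return dict(affected), unknown

def change_requests(inventory, advisory):
    """One change request per asset group, the unit at which patch windows
    are scheduled, plus the list of hosts still needing inventory verification."""
    affected, unknown = triage(inventory, advisory)
    reqs = [{"advisory": advisory["id"], "group": g, "hosts": sorted(h),
             "target_version": advisory["fixed_in"]}
            for g, h in sorted(affected.items())]
    return reqs, unknown
```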

Three approaches to managing technical vulnerabilities in application software are described in the Application Security and Software Development Life Cycle presentation from the 2010 Security Professionals Conference.

Campus Case Study: Enhancing Application Security with a Web Application Firewall - UC, Irvine

Vulnerabilities should be monitored, and one way to do that is with a web application scanner. An article from the August 2011 Security Tools Benchmarking blog lists web application scanners, both open source and commercial, and enumerates their features. Windows system vulnerabilities allow hackers to gather information from applications. Rapid Windows Analysis, presented at the 2013 Security Professionals Conference, describes tools for detecting Windows vulnerabilities.

Information Systems Audit Considerations (ISO 12.7)

Objective: Minimize the impact of audit activities on operational systems.

Auditing of operational systems needs to be managed and communicated so as not to affect the system adversely. The uptime and availability of operational systems is critical to supporting business requirements. All audit activity to assess an operational system should be managed to minimize any impact on the system during required hours of operation. Any testing of operational systems that could have an adverse effect on the system should be conducted during off hours.

Resources

Campus Case Studies On This Page
  • Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)

EDUCAUSE Resources
  • EDUCAUSE Resources & Resource Center Pages
  • HEISC Toolkits/Guidelines
  • Templates/Sample Plans
  • Security Professionals Conference 2013
  • Enterprise IT Leadership Conference 2013
  • EDUCAUSE Annual Conference 2012
  • Security Professionals Conference 2012
  • Southeast Regional Conference 2012
  • Mid-Atlantic Regional Conference 2012
  • EDUCAUSE Annual Conference 2011
  • Security Professionals Conference 2011
  • EDUCAUSE Annual Conference 2010
  • Security Professionals Conference Archives 2008-2010
  • Management and Operations
  • Policy and Compliance
  • Corporate and Campus Solutions
  • Strategic Security
  • Technology Concepts
  • Advanced Technology

Initiatives, Collaborations, & Other Resources
  • ECAR Working Groups: bring together higher education IT leaders to address core technology challenges.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).