The operations security deals with the daily activities that are required to preserve the confidentiality, integrity and availability (CIA) of the system after it has been developed and executed. This involves using hardware controls, media controls, and subject controls that are designed to be safeguards against asset threats, as well as daily activities such as the handling of attacks and violations, appropriate administrative management and control, and establishing a threshold to determine notable violations.
Given the importance of operational security, it’s important to screen and verify new employees in terms of background experience, level of education and skill set. An employee can impact operational security. Some organizations perform background checks as part of the vetting process. When going through the hiring process, a probationary period can be instated where the individual is informed whether they have to obtain special qualifications or security clearances for the job, as well as signing a non-compete, nondisclosure, and possibly a non-solicitation agreement.
Once the candidate has been hired, there are additional operational security controls that can be implemented such as an orientation, separation of duties, job rotation, least privilege, mandatory vacations, audit controls, and effective termination practices.
New-Hire Orientation: A new-hire orientation training program can be instituted to make certain new employees aware of and become familiar with the organization’s policies to perform. The objective should be to educate new employees on the established security policies and processes of the organization, and acceptable use of those policies. Going forward, security awareness can be perpetuated by sending the occasional security-awareness email or newsletter that reinforces the practices of good security. Policy reviews can also be conducted so employees can go over current policies and obtain a signed copy they’ve agreed to.
Separation of Duties: The separation of duties is the process of dividing a given task into smaller components so that more than one person has a role in completing the task. This correlates to the principle of least privilege and denies authorized subjects from making unauthorized modifications to objects, further protecting the integrity of the object.
Job Rotation: This allows an organization to detect fraudulent behavior more readily. It also provides job redundancy and backup.
Least Privilege: The rule of least privilege mandates that employees have access only to the resources needed to complete their job tasks. This inhibits resource misuse. Over a certain duration, least privilege can lead to privilege creep, where employees jump from job to job, acquiring more rights and access. The rights and access they no longer need should be removed.
Mandatory Vacations: Employees that don’t take vacation time aren’t always honorable workers. They may have skipped vacation because they’re engaged in fraudulent activities. Remaining on the job gives them the opportunity to execute their scheme by appearing to be dedicated to work. This type of activity could be exposed when an employee is required to take vacation time. A week should be ample time for illicit activities to be discovered.
Termination: Employee termination is sometimes a required action. Standardized termination procedures should be executed to protect the organization and its resources. These protocols ensure equal treatment of employees and prevent any opportunity for a former employee to destroy or damage company property. Steps that should be incorporated include:
- Revoking computer access at the time of notification
- Monitoring the employee while they gather personal effects
- Making certain at no time the employee is left alone after the termination process
- Verifying that the employee returns company identification and any company property
- Escorting the employee from the building