Operations controls are the methods used to preserve operational security. These include resource protection, hardware controls, software controls, privileged-entity controls, media controls, and physical access controls.
Resource Protection: Resource protection is a safeguard from both loss and compromise of an organization’s computing resources, such as hardware, software, and data that is owned and used by the organization. Resource protection is designed to decrease the level of impact that can result from the unauthorized access and/or alteration of data by limiting the opportunities for its misuse.
Hardware resources that require protection include communications devices such as routers, firewalls, gateways, switches, modems, and access servers; storage devices such as floppy disks, removable drives, external hard drives, tapes, and cartridges; processing systems such as file servers, mail servers, Internet servers, backup servers, and tape drives; standalone computers; and printers and fax machines.
Software resources that require protection include program libraries and source code; software application packages; and operating system software and systems utilities. Data resources that require protection include backup data; user data files; password files; operating data directories; and system logs and audit trails.
Hardware Controls: Hardware controls entail controls over hardware maintenance, hardware accounts, diagnostic ports and physical hardware. Hardware maintenance usually requires support and operations staff, vendors, or service providers that have physical or logical access to a system.
Security controls are essential during this access and can background investigations of the service personnel and supervising and escorting the maintenance personnel. Most computer systems have built-in maintenance mechanisms that are usually supervisor-level accounts created at the factory with default passwords that are widely known. These passwords, and if possible, the account name, should be changed.
As an alternate option, the account can be disabled until it is needed. If an account is used remotely, authentication of the maintenance provider can be performed by using callback or encryption. Most systems have diagnostic ports through which troubleshooting can be done. This usually offers direct access to the hardware. These ports should be used only by authorized personnel and should provide internal or external unauthorized access.
Physical controls, including locks and alarms are used for data processing hardware components, including operator terminals and keyboards, media storage cabinets, server equipment, data centers, modem pools, and telecommunication circuit rooms.
Software Controls: Software controls entails software support, and administering the software that is and can be used in a system. Components of software controls include anti-virus management, software testing, software utilities, software storage, and backup controls.
Anti-virus management involves managing which applications and utilities can be implemented or executed on a system to limit the potential for viruses, unexpected software interactions, and the subversion of security controls.
Vigorous software testing is required to ascertain compatibility of custom software applications with the system and to discover any problematic or unforeseen software interactions. Software testing should also be done with software upgrades.
System utilities and software utilities can impact the integrity of system operations as well as logical access controls. So it’s important that system utilities as well as software utilities be controlled by a security policy.
Secure software storage requires the implementation of both logical and physical access controls to ensure that software and copies of backups have not been modified without proper authorization.
Backup controls are used to ensure that backup data is stored securely and to test the restore accuracy of a backup system.
