A12 Operations Security

00:01

Listen 11.8

00:03

8 12 Operations security

00:10

In this lesson, we will cover an understanding of control Sit A 12

00:15

as well

00:16

as well as its control areas,

00:18

the controls that contains,

00:21

as well as the evidence that you can use during audits.

00:30

This control set is made up of seven control areas.

00:35

The first control area

00:37

is a 12.1

00:40

operational procedures and responsibilities.

00:44

This is made up of four controls.

00:48

These controls are

00:50

a 12.1 point one documented operating procedures,

00:56

a 12.1 point two

00:59

change management,

01:02

a 12.1 point three

01:04

capacity management,

01:07

a 12.1 point four

01:10

separation off development, testing and operational environments.

01:18

The next control area

01:19

is a 12.2 protection from malware.

01:23

There is one control

01:26

in this control area

01:30

and this is controls against malware.

01:38

The next control area

01:40

is a 12.3

01:42

back up.

01:46

This also consists of one control

01:49

A 12.3 point one. Information back up

01:57

a 12.4. Logging and monitoring

02:00

is the next control area,

02:02

and this consists of four controls.

02:07

These controls are

02:08

a 12.4 point one

02:12

event, logging

02:14

a 12.4 point two.

02:17

Protection of log information.

02:21

A 12.4 point three

02:24

administrator and operator logs

02:28

a 12.4 point four clock synchronization.

02:36

The Knicks control area is a 12.5

02:39

control of operational software.

02:43

There is one control in this area.

02:46

This control is a 12.5 point one

02:52

installation of software on operational systems.

02:57

The next control area is a 12.6

03:00

technical vulnerability management.

03:04

This area consists of two controls.

03:07

These controls are

03:10

a 12.6 point one

03:13

management of technical vulnerabilities,

03:16

a 12.6 point two

03:20

restrictions on software installations.

03:29

The last control area

03:31

is a 12.7

03:34

information systems ordered considerations.

03:38

This consists of one control,

03:40

which is a 12.7 point one

03:44

information systems ordered controls.

03:53

Let's run through these controls

03:55

and specifically focus on types of evidence that your auditors may ask you either during your ice mess audit or any other I T. General controls. Audit

04:06

A 12.1 point one documented operating procedures

04:11

is pretty straightforward.

04:14

For this control, you would need to have

04:16

documented operating procedures

04:19

for the various processes, controls and procedures that happen within your information security space.

04:28

It is important that these air detailed enough

04:30

so that any transfer of skills

04:33

or new people being on boarded

04:36

can pick up and run with the necessary procedures.

04:42

A 12.1 point two

04:45

is the control change management.

04:48

I think we'll all be familiar with this. Control

04:51

Change management involves a lot of details in itself.

04:57

Evidence for this Virginia Lee involve your change management policy as well as any procedure documents

05:03

evidence of change management meetings

05:08

generally held by change advisory boards, also known a scab.

05:15

You will also have change

05:17

request forms

05:20

and acceptance thereof

05:23

On these change of chris forms.

05:25

The impact of the change should be noted

05:28

as well as any risk pertaining to the change.

05:31

Adequate testing of the change should also be conducted,

05:35

an evidence thereof

05:36

maintained,

05:41

and changes should only be pushed through

05:44

as per your change management policy and procedure,

05:48

which is generally during defined windows

05:51

or through an emergency change process.

05:58

A 12.1 point three

06:00

pertains to capacity management.

06:03

Evidence for this control would involve

06:06

policy statements,

06:09

procedure documents

06:11

and evidence that there is active monitoring and forecasting

06:15

off capacity management.

06:17

This includes ensuring that service have sufficient space

06:23

and monitoring the growth rate off systems such as databases

06:29

in certain environments. Databases can Philip exceptionally fast

06:32

and without monitoring this consistently,

06:35

it is quite easy to run out of space.

06:40

When you run out of space,

06:42

you know the system won't work as it should.

06:45

This can cause an availability issue,

06:48

and generally business departments will get quite unhappy with this.

06:55

A 12.1 point four

06:57

separation off development, testing and operational environments.

07:03

Again, you would have some sort of policy statement pertaining to this,

07:09

as well as the procedures to manage the separation off development, testing and operational environments.

07:15

Your order to will want to see that this is implemented

07:19

and husbands throughout the period under review.

07:24

This control is pretty straightforward

07:26

and that it basically means your developers should not have access to your production environment

07:31

and vice versa.

07:34

The ideal set up is to have a dedicated development environment,

07:39

a dedicated testing environment

07:42

and a dedicated production or operational environment.

07:47

A 12.1 point two

07:49

controls against Milwee

07:53

once again a policy and procedure for this control is applicable.

07:57

Your order to all also want to determine that

08:00

anti malware software is installed

08:01

and is being deployed to all in point and other devices on the network

08:07

and that signatures are being updated on a regular basis.

08:13

A 12.3 point one

08:15

Information back up

08:18

the usual here policies, procedures

08:20

as well as evidence that your information is being backed up.

08:28

Another element to consider here is tasting the restore off the information that you have backed up.

08:33

Backups are useless if they cannot be successfully restored to your production environments.

08:39

A 12.4 point one

08:43

event. Logging

08:45

in security environments, especially

08:48

it is important to log the events on critical systems

08:54

were possible.

08:54

All events that happen can be logged and fed into something such as a security incident and event management or Siem Tool.

09:05

A 12.4 point two

09:07

pertains to the protection of log information.

09:11

Ideally, you want your log information to be essentially stored

09:15

and restrictions placed on this information.

09:18

You don't want anyone to be able to access this information

09:24

and be able to make changes to this information.

09:28

A 12.4 point three

09:31

pertains to administrator and operator logs.

09:33

These are logs specific to your administrator and privileged users.

09:39

You would want someone to be monitoring the activities that these users perform on your systems.

09:46

Whether it is a manual review, which is often inefficient or an automated review,

09:52

a 12.4 point four pertains to clock synchronization

09:58

here your order to well, just ensure

10:00

that all your service are thinking off a centralized

10:03

clock service

10:05

so that clocks cannot be modified

10:09

and change information

10:11

around When events happened.

10:15

A 12.5 point one installation off software on operational systems

10:22

here you would need policies and procedures

10:26

as well as controls to restrict white software can be installed on operational systems.

10:31

This can include a white list of software

10:35

and foreign Jews. The devices Taking away rights to install unapproved software.

10:41

A 12.6 point one pertains to management of technical vulnerabilities

10:48

here. Your order to would want to see that you have some sort of define vulnerability management program in place

10:54

that you are checking up on your vulnerabilities on a periodic basis,

10:58

either through your own in house vulnerability, scanning software and teams,

11:03

or during outsource service provider

11:07

A 12.6 point two

11:09

restrictions on software installations.

11:16

This is a similar control to a 58 12.5 point one.

11:20

However, the scope here would be specific to end user devices and servers.

11:28

A 12.7 point one information systems ordered controls.

11:33

This control

11:35

specifies that you need to have a defined ordered plan in place

11:39

and that you are undergoing regular orders of your information security

11:43

controls.

11:50

To summarize,

11:52

we looked at the seven control areas that make up controls it a 12 operation security.

11:58

We also discussed the different controls within each of these control areas and looked at some examples of evidence