A12 Operations Security

Time: 7 hours 52 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:01
Lesson 11.8: A.12 Operations Security. In this lesson, we will cover an understanding of control set A.12, as well as its control areas, the controls that it contains, and the evidence that you can use during audits.
00:30
This control set is made up of seven control areas. The first control area is A.12.1, operational procedures and responsibilities. This is made up of four controls. These controls are A.12.1.1 documented operating procedures, A.12.1.2 change management, A.12.1.3 capacity management, and A.12.1.4 separation of development, testing and operational environments.
01:18
The next control area is A.12.2, protection from malware. There is one control in this control area, and this is controls against malware.

01:38
The next control area is A.12.3, backup. This also consists of one control, A.12.3.1 information backup.
01:57
A.12.4, logging and monitoring, is the next control area, and this consists of four controls. These controls are A.12.4.1 event logging, A.12.4.2 protection of log information, A.12.4.3 administrator and operator logs, and A.12.4.4 clock synchronization.
02:36
The next control area is A.12.5, control of operational software. There is one control in this area. This control is A.12.5.1 installation of software on operational systems.

02:57
The next control area is A.12.6, technical vulnerability management. This area consists of two controls. These controls are A.12.6.1 management of technical vulnerabilities and A.12.6.2 restrictions on software installations.
03:29
The last control area is A.12.7, information systems audit considerations. This consists of one control, which is A.12.7.1 information systems audit controls.
03:53
Let's run through these controls and specifically focus on the types of evidence that your auditors may ask you for, either during your ISMS audit or any other IT general controls audit.

04:06
A.12.1.1 documented operating procedures is pretty straightforward. For this control, you would need to have documented operating procedures for the various processes, controls and procedures that happen within your information security space. It is important that these are detailed enough so that any transfer of skills, or new people being onboarded, can pick up and run with the necessary procedures.
04:42
A.12.1.2 is the control change management. I think we'll all be familiar with this control. Change management involves a lot of details in itself. Evidence for this generally involves your change management policy as well as any procedure documents, and evidence of change management meetings, generally held by change advisory boards, also known as CAB. You will also have change request forms and acceptance thereof. On these change request forms, the impact of the change should be noted as well as any risk pertaining to the change. Adequate testing of the change should also be conducted, and evidence thereof maintained, and changes should only be pushed through as per your change management policy and procedure, which is generally during defined windows or through an emergency change process.
05:58
A.12.1.3 pertains to capacity management. Evidence for this control would involve policy statements, procedure documents and evidence that there is active monitoring and forecasting of capacity management. This includes ensuring that servers have sufficient space and monitoring the growth rate of systems such as databases. In certain environments, databases can fill up exceptionally fast, and without monitoring this consistently, it is quite easy to run out of space. When you run out of space, you know the system won't work as it should. This can cause an availability issue, and generally business departments will get quite unhappy with this.
06:55
A.12.1.4 separation of development, testing and operational environments. Again, you would have some sort of policy statement pertaining to this, as well as the procedures to manage the separation of development, testing and operational environments. Your auditor will want to see that this is implemented and has been throughout the period under review. This control is pretty straightforward in that it basically means your developers should not have access to your production environment, and vice versa. The ideal setup is to have a dedicated development environment, a dedicated testing environment and a dedicated production or operational environment.
07:47
A.12.1.2 controls against malware. Once again, a policy and procedure for this control is applicable. Your auditor will also want to determine that anti-malware software is installed and is being deployed to all endpoint and other devices on the network, and that signatures are being updated on a regular basis.
08:13
A.12.3.1 information backup. The usual here: policies and procedures, as well as evidence that your information is being backed up. Another element to consider here is testing the restore of the information that you have backed up. Backups are useless if they cannot be successfully restored to your production environments.
08:39
A.12.4.1 event logging. In security environments especially, it is important to log the events on critical systems where possible. All events that happen can be logged and fed into something such as a security incident and event management, or SIEM, tool.
09:05
A.12.4.2 pertains to the protection of log information. Ideally, you want your log information to be centrally stored and restrictions placed on this information. You don't want anyone to be able to access this information and be able to make changes to this information.
09:28
A.12.4.3 pertains to administrator and operator logs. These are logs specific to your administrator and privileged users. You would want someone to be monitoring the activities that these users perform on your systems, whether it is a manual review, which is often inefficient, or an automated review.

09:52
A.12.4.4 pertains to clock synchronization. Here your auditor will just ensure that all your servers are syncing off a centralized clock service, so that clocks cannot be modified and change information around when events happened.
10:15
A.12.5.1 installation of software on operational systems. Here you would need policies and procedures, as well as controls to restrict what software can be installed on operational systems. This can include a whitelist of software and, for end user devices, taking away rights to install unapproved software.
10:41
A.12.6.1 pertains to management of technical vulnerabilities. Here your auditor would want to see that you have some sort of defined vulnerability management program in place, that you are checking up on your vulnerabilities on a periodic basis, either through your own in-house vulnerability scanning software and teams, or through an outsourced service provider.

11:07
A.12.6.2 restrictions on software installations. This is a similar control to A.12.5.1. However, the scope here would be specific to end user devices and servers.
11:28
A.12.7.1 information systems audit controls. This control specifies that you need to have a defined audit plan in place and that you are undergoing regular audits of your information security controls.
11:50
To summarize, we looked at the seven control areas that make up control set A.12 operations security. We also discussed the different controls within each of these control areas and looked at some examples of evidence that your auditor may ask for during your audits.