Operational procedures and responsibilities shall be developed to ensure an adequate level of information security. In addition, backup, media handling, e-services security and monitoring shall be addressed, and protection against malicious code and spyware shall be ensured.
T3.1 OPERATIONS MANAGEMENT POLICY
OBJECTIVE
To maintain an operations management policy and to provide guidance regarding the operational requirements of information assets.
PERFORMANCE INDICATOR
Extent of operations management security policy deployment and adoption across the entity.
AUTOMATION GUIDANCE
Not applicable.
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable operations management policy
- Unawareness of operations management policy among staff
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T3.2 OPERATIONAL PROCEDURES AND RESPONSIBILITIES
OBJECTIVE
To ensure the correct and secure operation of information systems.
PERFORMANCE INDICATOR
Percentage of information systems that meet all operational information security requirements.
AUTOMATION GUIDANCE
Entities can implement control T3.2.1 by developing a series of standard images and secure storage servers for hosting them. Commercial and/or free configuration management tools can then be employed to measure the operating system and application settings of managed machines and look for deviations from the standard image configurations used by the entity. Some configuration management tools require that an agent be installed on each managed system, while others remotely log in to each managed machine using administrator credentials. Either approach, or a combination of the two, can provide the information needed for this control.
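The comparison step described above, as an added example that is not part of this standard or of any configuration management product: a baseline dict stands in for the entity's standard image, and the per-host dicts stand in for what an agent or a remote administrative login would collect. The setting names, hostnames and values are constructed for the example. A setting the collector could not read is reported as a deviation rather than ignored, since an unreadable setting is itself a finding.

```python
"""Configuration drift check against a standard image (constructed example)."""
from dataclasses import dataclass

# Constructed baseline describing the entity's standard server image.
# Keys and values are illustrative, not any product's real setting names.
STANDARD_IMAGE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": "yes",
    "audit.daemon": "running",
    "ntp.server": "time.example.internal",
    "package.telnet-server": "absent",
}

# Settings for which any deviation is treated as high severity (assumption).
HIGH_SEVERITY = {"ssh.PermitRootLogin", "firewall.enabled", "package.telnet-server"}


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    expected: str
    observed: str   # "<missing>" when the collector could not read the setting
    severity: str


def find_deviations(host, observed, baseline=STANDARD_IMAGE):
    """Compare one host's collected settings against the baseline.

    `observed` is the dict an agent or remote login would return.
    Every baseline setting is checked, so a setting absent from `observed`
    is reported as missing instead of being silently skipped.
    """
    deviations = []
    for setting, expected in baseline.items():
        actual = observed.get(setting, "<missing>")
        if actual != expected:
            severity = "high" if setting in HIGH_SEVERITY else "medium"
            deviations.append(Deviation(host, setting, expected, actual, severity))
    return deviations


def assess_fleet(fleet, baseline=STANDARD_IMAGE):
    """Run the check over every managed machine; returns {host: [Deviation, ...]}.

    Compliant hosts are kept with an empty list so the report also shows
    which machines were actually measured (coverage), not only the failures.
    """
    return {host: find_deviations(host, settings, baseline)
            for host, settings in fleet.items()}


# Constructed sample: what two managed machines reported to the collector.
SAMPLE_FLEET = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.enabled": "yes",
        "audit.daemon": "running",
        "ntp.server": "time.example.internal",
        "package.telnet-server": "absent",
    },
    "db-02": {
        "ssh.PermitRootLogin": "yes",      # deviates, high severity
        "ssh.PasswordAuthentication": "no",
        "firewall.enabled": "yes",
        "audit.daemon": "stopped",         # deviates, medium severity
        # ntp.server not reported by the agent -> reported as missing
        "package.telnet-server": "absent",
    },
}

if __name__ == "__main__":
    for host, devs in assess_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {len(devs)} deviation(s)")
        for d in devs:
            print(f"  [{d.severity}] {d.setting}: expected {d.expected!r}, observed {d.observed!r}")
```

The report keeps compliant hosts with an empty list on purpose: a host that is in the inventory but never appears in the collector's output is a coverage gap, and a drift report that only lists failures hides that gap.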
RELEVANT THREATS AND VULNERABILITIES
- Illegal processing of data
- Abuse of system access/privileges
- Equipment malfunction
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T3.2.1 - P2 - COMMON SYSTEMS CONFIGURATION GUIDELINES
- T3.2.2 - P3 - DOCUMENTED OPERATING PROCEDURES
- T3.2.3 - P4 - CHANGE MANAGEMENT
- T3.2.4 - P2 - SEGREGATION OF DUTIES
- T3.2.5 - P2 - SEPARATION OF DEVELOPMENT, TEST AND OPERATIONAL FACILITIES
T3.3 SYSTEM PLANNING AND ACCEPTANCE
OBJECTIVE
To ensure security requirements are properly considered during the development lifecycle of information systems.
PERFORMANCE INDICATOR
Percentage of information systems that successfully integrated all system development lifecycle security requirements.
AUTOMATION GUIDANCE
Not applicable.
RELEVANT THREATS AND VULNERABILITIES
- Equipment failure
- Illegal processing of data
- Use of counterfeit or copied software
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T3.4 PROTECTION FROM MALWARE
OBJECTIVE
To ensure that information and information systems are protected against malware.
PERFORMANCE INDICATOR
Percentage of information systems with appropriate and up-to-date protection as defined in information security requirements.
AUTOMATION GUIDANCE
Relying on policy and user action to keep anti-malware tools up to date has been widely discredited, as many users have not proven capable of consistently handling this task. To ensure anti-virus signatures are up to date, entities use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions.
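The daily automated assessment described above, as an added example that is not part of this standard and does not use any endpoint security suite's real API: the records below are constructed in the shape an administrative console might export (the field names are assumptions), and the check flags systems on which a protection feature is deactivated or the malware definitions are older than an assumed threshold.

```python
"""Daily endpoint protection assessment over constructed inventory records."""
from datetime import date

# Constructed records, one per managed system, as an endpoint security suite's
# administrative export might provide them. Field names are assumptions.
ASSESSMENT_DATE = date(2024, 3, 15)
MAX_DEFINITION_AGE_DAYS = 3   # assumed threshold for "latest definitions"
PROTECTION_FEATURES = ("av_enabled", "antispyware_enabled", "hids_enabled")

ENDPOINTS = [
    {"host": "ws-101", "av_enabled": True,  "antispyware_enabled": True,
     "hids_enabled": True,  "definitions_date": "2024-03-15"},
    {"host": "ws-102", "av_enabled": False, "antispyware_enabled": True,
     "hids_enabled": True,  "definitions_date": "2024-03-14"},
    {"host": "srv-07", "av_enabled": True,  "antispyware_enabled": True,
     "hids_enabled": False, "definitions_date": "2024-03-01"},
    {"host": "ws-103", "av_enabled": True,  "antispyware_enabled": True,
     "hids_enabled": True,  "definitions_date": None},   # never updated
]


def definition_age_days(record, today):
    """Days since the last definition update, or None when unknown."""
    if not record.get("definitions_date"):
        return None
    return (today - date.fromisoformat(record["definitions_date"])).days


def assess_endpoint(record, today=ASSESSMENT_DATE, max_age=MAX_DEFINITION_AGE_DAYS):
    """Return the findings for one system; an empty list means compliant.

    A missing feature flag is treated as deactivated: the safe reading of
    "the console could not confirm it is on" is that it is off.
    """
    findings = []
    for feature in PROTECTION_FEATURES:
        if not record.get(feature, False):
            findings.append(f"{feature.removesuffix('_enabled')} deactivated")
    age = definition_age_days(record, today)
    if age is None:
        findings.append("definitions date unknown")
    elif age > max_age:
        findings.append(f"definitions {age} days old")
    return findings


def daily_assessment(endpoints, today=ASSESSMENT_DATE, max_age=MAX_DEFINITION_AGE_DAYS):
    """Findings keyed by host, for non-compliant systems only."""
    report = {}
    for rec in endpoints:
        findings = assess_endpoint(rec, today, max_age)
        if findings:
            report[rec["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in daily_assessment(ENDPOINTS).items():
        print(f"{host}: " + "; ".join(findings))
```

Run this from a scheduler once a day against the suite's real export and route the non-empty findings to whoever mitigates them; the point of automating it is that the check happens whether or not any user remembers to.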
Some entities deploy free or commercial honeypot and tarpit tools to identify attackers in their environment. Security personnel should continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.
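The gathering step described above, as an added example that is not part of this standard or of any honeypot product: it reads constructed honeypot log lines (the line format is an assumption for the example, and the addresses are documentation ranges) and builds one investigation record per source address, with the attempt count, the account names tried, the sensors touched and the first and last time seen.

```python
"""Summarise login attempts observed on honeypots, grouped by source address."""
import re

# Constructed honeypot log lines; the line format is an assumption for this
# example and the source addresses are from documentation ranges (RFC 5737).
HONEYPOT_LOG = """\
2024-03-15T02:14:07Z hp-dmz-1 login-attempt user=root src=192.0.2.10
2024-03-15T02:14:09Z hp-dmz-1 login-attempt user=admin src=192.0.2.10
2024-03-15T02:14:12Z hp-dmz-1 login-attempt user=oracle src=192.0.2.10
2024-03-15T03:40:51Z hp-lan-2 login-attempt user=backup src=198.51.100.7
2024-03-15T03:41:02Z hp-dmz-1 health-check status=ok
2024-03-15T04:02:33Z hp-lan-2 login-attempt user=root src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) login-attempt user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_attempts(text):
    """Yield (timestamp, sensor, user, src) for each login-attempt line.

    Lines of other kinds (health checks, noise) do not match and are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sensor"), m.group("user"), m.group("src")


def summarise_by_source(text):
    """Build one investigation record per source address.

    Returns a list of (src, record) pairs sorted by attempt count, descending,
    so the noisiest source comes first. Timestamps are ISO 8601 in UTC with a
    fixed width, so plain string comparison orders them correctly.
    """
    records = {}
    for ts, sensor, user, src in parse_attempts(text):
        rec = records.setdefault(src, {
            "attempts": 0, "users": set(), "sensors": set(),
            "first_seen": ts, "last_seen": ts,
        })
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["sensors"].add(sensor)
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return sorted(records.items(), key=lambda kv: kv[1]["attempts"], reverse=True)


if __name__ == "__main__":
    for src, rec in summarise_by_source(HONEYPOT_LOG):
        print(f"{src}: {rec['attempts']} attempt(s), users={sorted(rec['users'])}, "
              f"sensors={sorted(rec['sensors'])}, {rec['first_seen']} .. {rec['last_seen']}")
```

Any traffic reaching a honeypot is suspect by construction, so the record does not need a threshold; a source that touches more than one sensor is the first to hand to the investigation.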
RELEVANT THREATS AND VULNERABILITIES
- Spyware
- Backdoor or command and control
- SQL injection
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T3.5 BACKUP
OBJECTIVE
To maintain the integrity and availability of information and information systems.
PERFORMANCE INDICATOR
Percentage of successful attempts to restore backup information, whether in test or real-world environments.
AUTOMATION GUIDANCE
Commercial backup solutions are available to automatically perform information backup for designated systems. Entities deploying such solutions should carefully consider, for example, the following:
- What information should be covered by the backup
- When, and at which frequency, the backups should be conducted
- Where the backup data will be stored
- What total size of medium is required to store the backups
RELEVANT THREATS AND VULNERABILITIES
- Loss of information
- Software malfunction
- Destruction of equipment or media
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T3.6 MONITORING
OBJECTIVE
To detect, prevent and correct the use of systems and information based on audit logs of events that could impact the security of an entity.
PERFORMANCE INDICATOR
Percentage of incidents within the entity where sufficient and accurate information was available to detect and manage the incident.
AUTOMATION GUIDANCE
Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in the event a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an entity should periodically scan through its logs and compare them with the asset inventory in order to ensure that each managed item actively connected to the network is periodically generating logs.
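The inventory comparison described above, as an added example that is not part of this standard or of any logging product: it reads constructed lines in the shape a centralized syslog server might store (the layout is an assumption), records the newest timestamp per hostname, and compares that against a constructed asset inventory to report assets that have never logged, assets that have gone quiet, and hosts that log but are not in the inventory.

```python
"""Log coverage check: which inventoried assets are not logging centrally?"""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostnames the entity expects to see logging.
ASSET_INVENTORY = {"fw-edge-1", "proxy-1", "vpn-gw-1", "app-srv-3", "db-srv-1"}

# Constructed lines as they might arrive on a centralized log server.
# The layout (ISO timestamp, hostname, program, message) is an assumption.
CENTRAL_LOG = """\
2024-03-15T08:00:01+00:00 fw-edge-1 filterlog: pass tcp 10.0.0.5 -> 10.0.1.20:443
2024-03-15T08:00:05+00:00 proxy-1 squid: GET https://example.com/ 200
2024-03-15T08:01:10+00:00 app-srv-3 kernel: audit: access denied uid=1001 path=/etc/shadow
2024-03-14T06:30:00+00:00 vpn-gw-1 openvpn: session closed user=jdoe
2024-03-15T08:02:00+00:00 unknown-box-9 sshd: accepted key for ops
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Assumed time of the check and assumed tolerance before an asset counts as stale.
NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(hours=24)


def last_seen_by_host(text):
    """Map hostname -> most recent timestamp observed in the central log."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        host = m.group("host")
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(text, inventory, now=NOW, max_silence=MAX_SILENCE):
    """Return (silent, stale, unknown), each a sorted list of hostnames.

    silent  - inventoried assets with no log lines at all
    stale   - inventoried assets whose newest line is older than max_silence
    unknown - hosts that log but are absent from the inventory
              (an inventory gap or an unmanaged device; either needs a look)
    """
    seen = last_seen_by_host(text)
    seen_hosts = set(seen)
    silent = sorted(inventory - seen_hosts)
    stale = sorted(h for h in inventory & seen_hosts if now - seen[h] > max_silence)
    unknown = sorted(seen_hosts - inventory)
    return silent, stale, unknown


if __name__ == "__main__":
    silent, stale, unknown = coverage_report(CENTRAL_LOG, ASSET_INVENTORY)
    print("never logged:   ", silent)
    print("stale (>24h):   ", stale)
    print("not in inventory", unknown)
```

The third list is as useful as the first two: a host that logs but is missing from the inventory is either an inventory error or a device nobody is managing, and both undermine the comparison this control relies on.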
Analytical programs such as SIM/SEM solutions can add value when reviewing logs, but the range of capabilities for analyzing audit logs is broad and, importantly, includes even a cursory examination by a person. Correlation tools can make audit logs far more useful for subsequent manual inspection and can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.
RELEVANT THREATS AND VULNERABILITIES
- Unauthorized access
- Tampering with information systems
- Backdoor or command and control
APPLICABLE CONTROLS
The following controls are applicable to this control family.