Sunday, 6 November 2011

The Concepts of Organizational OPSEC (Operations Security)

There are a number of specialist topics in organizational OPSEC and concepts that need to be defined before going into detail. These include:

  • Trusted Computer Base (TCB). The totality of protection mechanisms within a computer system including hardware, firmware, and software. The combination is responsible for enforcing a security policy.
  • Malware Management. Malware management is more than an Anti-Virus system. Any system that gives administrative control to a user allowing the loading or execution of any software has an increased vulnerability to malware (such as worms, viruses and trojans) and risk from unexpected software interactions. This can lead to the subversion of security controls.
  • Principle of Least Privilege. Never grant users more than the least level of access to a system that is needed for them to complete their roles or jobs. That is, if a user needs read-only access to a file, set their permissions to allow read access only and deny write permission, so that they cannot modify the data.
  • Privileged operations. This type of operation includes the use of:
  1. operating system control commands,
  2. the ability to configure interfaces,
  3. rights to access audit logs,
  4. the ability to manage user accounts,
  5. the ability to configure security mechanisms and controls,
  6. the privileges to back up and restore data, etc.
  • Privacy. The privacy of data involves the protection of personal information from disclosure to an unauthorized party (either being an individual or organization). This involves the maintenance of confidentiality.
  • Legal requirements. Adherence to the law and regulatory controls is the foundation or baseline upon which a security infrastructure can be built. At a minimum, it is necessary to adhere to the requirements imposed by law on the organization.
  • Illegal activities. This involves being able to identify both criminal and tortious activities (see the “Information Systems Legislation” chapter). An organization needs to be able to facilitate attribution. Attribution is the discovery of who is responsible and proving it through the use of evidence. The organization should also be able to support non-repudiation of transactions.
  • Record retention. The organization’s policy needs to define what information is collected and maintained, and how long it is to be kept. This aspect of OPSEC is commonly driven by regulatory and legal requirements such as consent to monitoring and financial controls (e.g. SEC filing or tax rules).
  • Marking. Marking is the process of setting a classification on the data stored on media.
  • Handling. The transportation of media from one point or place to another securely is the realm of handling. This involves media control from purchase through to storage and lastly destruction.
  • Storage. Data needs to be stored in secured facilities. These should maintain the temperature and humidity within a controlled range.
  • MTTF. All media has an MTTF (mean time to failure). This is dictated by the number of times it can be reused or by a time-based life.
  • Destruction. Any media that has reached or exceeded its MTTF needs to be replaced. When destroying the old media, it should first be purged before being destroyed. This process is commonly referred to as sanitization. It involves any number of processes that prepare the media for destruction. This could include wiping hard drives and other magnetic media, or degaussing. The idea is to either return the media to its original pristine, unused state or render it permanently unusable and unrecoverable.
  • PII. Personally Identifying Information (PII) is any information that may be used to identify an individual. This includes information such as a Social Security number (USA), TFN or Tax File Number (Australia), credit card and banking details, and other forms of ID.
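The Principle of Least Privilege and the privileged operations listed above can be made concrete with a small deny-by-default authorization check. The following is an added illustration, not code from the original post or from its author: each role is permitted only the operations its job needs, the privileged operations are reserved for an administrative role, and every denial (plus every use of a privileged operation) is recorded so that misuse of privilege can be detected later. The role names, operation names, users and resources are constructed sample data.

```python
"""Least-privilege authorization check (added illustration, constructed data)."""
from dataclasses import dataclass, field

# Privileged operations, following the list in the post (constructed names).
PRIVILEGED_OPERATIONS = {
    "os_control", "configure_interface", "read_audit_log",
    "manage_accounts", "configure_security", "backup_restore",
}

# Role -> operations that role may perform. Least privilege: each role gets
# only what its job needs; an "analyst" is read-only, an "auditor" may read
# audit logs but cannot change anything. (Constructed roles.)
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "auditor": {"read", "read_audit_log"},
    "admin": {"read", "write"} | PRIVILEGED_OPERATIONS,
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class AuditLog:
    """In-memory stand-in for the organization's audit trail."""
    entries: list = field(default_factory=list)

    def record(self, user, operation, resource, allowed):
        self.entries.append({"user": user.name, "op": operation,
                             "resource": resource, "allowed": allowed})


def authorize(user, operation, resource, log):
    """Return True if `user` may perform `operation` on `resource`.

    Deny by default: an unknown role or an operation outside the role's
    set gets no access. Every denial, and every decision on a privileged
    operation (allowed or not), is written to the audit log.
    """
    permitted = ROLE_PERMISSIONS.get(user.role, set())
    allowed = operation in permitted
    if not allowed or operation in PRIVILEGED_OPERATIONS:
        log.record(user, operation, resource, allowed)
    return allowed


def denied_privileged_attempts(log):
    """Detection helper: privileged operations attempted without permission."""
    return [e for e in log.entries
            if e["op"] in PRIVILEGED_OPERATIONS and not e["allowed"]]


if __name__ == "__main__":
    log = AuditLog()
    alice = User("alice", "analyst")   # read-only role
    bob = User("bob", "admin")         # holds the privileged operations
    print(authorize(alice, "read", "report.txt", log))        # True
    print(authorize(alice, "write", "report.txt", log))       # False, logged
    print(authorize(alice, "manage_accounts", "users", log))  # False, logged
    print(authorize(bob, "manage_accounts", "users", log))    # True, logged
    print(denied_privileged_attempts(log))
```

The check never grants access because a role is "close enough"; the write attempt by the read-only analyst fails, and the attempt at a privileged operation leaves a log entry that a reviewer of the audit trail can pick out with `denied_privileged_attempts`.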

In addition, there are a number of legal terms associated with operations security. Good corporate governance (and, as an offshoot, good IT governance) requires due care and due diligence:

  • Due Care. This involves the use of a reasonable level of care in order to guard the interests of the organization from risk and consequent damage.
  • Due diligence. This is the practice of activities that are designed to maintain due care within the organization.

Together, due care and due diligence form the foundation of governance. Effective governance is often the only way to disprove negligence if an incident ends up as an action in a court of law.

2 comments:

AR said...

Dear Sir,

How do we measure or see for present level of TCB??
Have heard a load, but how to see for it? TCB is more oftentimes spoken of as an object rather than a concept.

Please guide.
Awesome brief post..

Dr Craig S Wright GSE said...

I will try and write some more detail on Trusted computing base concepts and issues and answer your question this week.