Information Security Management has overall responsibility for setting policies, standards and procedures to ensure the protection of the organization’s assets, data, information and IT services. Service Operation teams play a role in executing these policies, standards, and procedures and will work closely with the teams or departments responsible for Information Security Management.
Service Operation teams cannot take ownership of Information Security Management, as this would represent a conflict of interest. There needs to be segregation of roles between the groups defining and managing the process and the groups executing specific activities as part of the ongoing operation. This helps protect against breaches of security measures, as no single individual should have control over two or more phases of a transaction or operation. Information Security Management should assign responsibilities to ensure a cross-check of duties.
Policing and Reporting
This will involve Service Operation staff performing specific policing activities such as checking system journals, logs and event/monitoring alerts, intrusion detection, and reporting of actual or potential security breaches. This is done in conjunction with Information Security Management to provide a check-and-balance system that ensures effective detection and management of security issues.
Service Operation staff are often the first to detect security events and are in the best position to shut down and/or remove access to compromised systems. Particular attention will be needed in the case of third-party organizations that require physical access to the organization's premises. Service Operation staff may be required to escort visitors into sensitive areas and/or control their access. They may also have a role to play in controlling network access for third parties, such as hardware maintainers dialing in for diagnostic purposes.
Some technical support may need to be provided to IT Security staff to assist in investigating security incidents and in producing reports or gathering forensic evidence for use in disciplinary action or criminal prosecution. Technical advice and assistance may also be needed regarding potential security improvements (e.g. setting up appropriate firewalls or access/password controls). Event, incident, problem and configuration management records can be relied on to provide accurate chronologies for security-related investigations.
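As an added example (not part of the original text), the policing and chronology activities described above in working Python: it parses constructed sample lines from an OpenSSH auth log and a firewall log, flags a burst of failed logins followed by a successful one from the same source, and merges both sources into one time-ordered chronology of the kind an investigation report starts from. The log formats, hosts, addresses, the failure threshold and the assumed year are illustrative choices, not anything the text specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs): an OpenSSH auth log and a firewall
# log covering the same few minutes. Hosts and addresses are invented.
AUTH_LOG = """\
Mar  3 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 09:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 09:14:05 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 09:14:07 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 09:14:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 09:14:12 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  3 09:20:44 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
"""
FW_LOG = """\
2024-03-03T09:13:58Z fw01 DENY tcp 203.0.113.7:50999 -> 192.0.2.10:22
2024-03-03T09:14:00Z fw01 ALLOW tcp 203.0.113.7:51001 -> 192.0.2.10:22
"""
ASSUMED_YEAR = 2024  # syslog lines carry no year; an assumption for the sample

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<src>[\d.]+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) \w+ "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_auth_log(text):
    """Normalise sshd login lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        s = SSHD_RE.match(m["msg"]) if m and m["prog"] == "sshd" else None
        if not s:
            continue  # not a login event; ignored by this reviewer
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": f"{m['host']}/sshd", "src": s["src"],
                       "user": s["user"], "result": s["result"].lower(), "detail": m["msg"]})
    return events


def parse_fw_log(text):
    """Normalise firewall lines into the same event shape."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "source": f"{m['host']}/fw", "src": m["src"], "user": None,
                       "result": m["action"].lower(), "detail": line.split(" ", 2)[2]})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source with >= threshold failed logins inside `window`, and raise a
    second, higher-severity alert if that source then logs in successfully."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"].endswith("/sshd"):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            alerts.append({"type": "brute_force", "src": src, "count": len(burst),
                           "first": first["ts"], "last": last})
            hit = next((e for e in evs if e["result"] == "accepted" and e["ts"] >= last), None)
            if hit:
                alerts.append({"type": "success_after_brute_force", "src": src,
                               "user": hit["user"], "ts": hit["ts"]})
            break  # one alert per source is enough for the reviewer
    return alerts


def chronology(*event_lists):
    """Merge events from all sources into one time-ordered list of lines, the
    chronology an investigation or disciplinary report starts from."""
    merged = sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])
    return [f"{e['ts'].isoformat()} {e['source']:<10} {e['detail']}" for e in merged]


if __name__ == "__main__":
    auth, fw = parse_auth_log(AUTH_LOG), parse_fw_log(FW_LOG)
    for a in detect_brute_force(auth):
        print("ALERT", a)
    print("\n".join(chronology(auth, fw)))
```

The second alert is the one that matters operationally: five failures followed by an accepted password for root from the same address is the point at which Service Operation staff would cut access to the host and hand the merged chronology to Information Security Management. Real syslog lines lack a year and often a time zone, which is why the example normalises every source to a full timestamp before sorting.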
Operational Security Control
For operational reasons, technical staff will often need to have privileged access to key technical areas (e.g. root system passwords, physical access to Data Centres or communications rooms etc.). It is therefore essential that adequate controls and audit trails are kept of all such privileged activities so as to deter and detect any security events. Physical controls need to be in place for all secure areas, with logging in and out of all staff. Where third-party staff or visitors need access, it may be Service Operation staff who are responsible for escorting and managing the movement of such personnel. In the case of privileged systems access, this needs to be restricted to only those people whose need to access the system has been verified, and withdrawn immediately when that need no longer exists. An audit trail must be maintained of who has had access and when, and of all activities performed using those access levels.
All Service Operation staff should be screened and vetted to a security level appropriate to the organization in question. Suppliers and third-party contractors should also be screened and vetted, both the organizations and the specific personnel involved. Many organizations have started using police or government agency background checks, especially where contractors will be working with classified systems. Where necessary, appropriate non-disclosure and confidentiality agreements must be agreed.
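An added example (not from the original text) of the privileged-access controls described above, in Python: each grant is tied to a verified need and to an approver other than the requester, expires on its own, can be withdrawn immediately, and every use, including attempts made after expiry or revocation, goes to an append-only audit trail that can answer who had access to a system at a given time. The record layout, the names, ticket references and times in the scenario are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    """One time-bounded privileged-access grant tied to a verified need."""
    user: str
    system: str
    role: str
    need: str            # the verified need, e.g. an incident or change ticket (assumed field)
    approver: str
    starts: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None

    def active(self, at):
        """True if the grant covered `at`. Revocation is recorded, not deleted, so the
        answer stays correct for times before the revocation (historical audit)."""
        return (self.starts <= at < self.expires
                and (self.revoked_at is None or at < self.revoked_at))


class PrivilegedAccessRegister:
    def __init__(self):
        self._grants = []
        self._audit = []  # append-only; nothing here is ever edited or removed

    def _record(self, ts, actor, event, **details):
        self._audit.append({"ts": ts, "actor": actor, "event": event, **details})

    def grant(self, user, system, role, need, approver, now, duration=timedelta(hours=4)):
        """Grant access for a limited time; the requester may not be the approver."""
        if approver == user:
            raise ValueError("segregation of duties: a user cannot approve their own access")
        if not need:
            raise ValueError("a verified need is required for privileged access")
        g = Grant(user, system, role, need, approver, now, now + duration)
        self._grants.append(g)
        self._record(now, approver, "grant", user=user, system=system, role=role,
                     need=need, expires=g.expires)
        return g

    def revoke(self, user, system, actor, now):
        """Withdraw access immediately; returns how many grants were closed."""
        closed = 0
        for g in self._grants:
            if g.user == user and g.system == system and g.active(now):
                g.revoked_at = now
                closed += 1
        self._record(now, actor, "revoke", user=user, system=system, closed=closed)
        return closed

    def use(self, user, system, action, now):
        """Record a privileged action. Denied attempts are logged too: an action
        tried after expiry or revocation is exactly what a reviewer wants to see."""
        allowed = any(g.user == user and g.system == system and g.active(now)
                      for g in self._grants)
        self._record(now, user, "use" if allowed else "denied", system=system, action=action)
        return allowed

    def who_had_access(self, system, at):
        """Who held privileged access to `system` at time `at`."""
        return sorted({g.user for g in self._grants if g.system == system and g.active(at)})

    def audit_trail(self, user=None):
        """Every recorded event, optionally only those involving `user`."""
        return [e for e in self._audit
                if user is None or user in (e["actor"], e.get("user"))]


def scenario():
    """Constructed walk-through (assumed names, tickets and times) returning the
    facts worth checking: a normal use, a revocation, and a denied late attempt."""
    reg = PrivilegedAccessRegister()
    t0 = datetime(2024, 3, 3, 9, 0)
    reg.grant("alice", "db01", "root", "INC-1042", "bob", t0, timedelta(hours=2))
    used = reg.use("alice", "db01", "restart postgresql", t0 + timedelta(minutes=10))
    holders = reg.who_had_access("db01", t0 + timedelta(minutes=10))
    closed = reg.revoke("alice", "db01", "bob", t0 + timedelta(minutes=20))
    after = reg.use("alice", "db01", "pg_dump customers", t0 + timedelta(minutes=30))
    try:
        reg.grant("carol", "db01", "root", "CHG-77", "carol", t0)
        self_approval_blocked = False
    except ValueError:
        self_approval_blocked = True
    return {"used": used, "holders": holders, "closed": closed, "after": after,
            "self_approval_blocked": self_approval_blocked,
            "holders_later": reg.who_had_access("db01", t0 + timedelta(minutes=30)),
            "events": [e["event"] for e in reg.audit_trail("alice")]}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

In a real deployment the audit records would be shipped to a store that the privileged users themselves cannot modify, otherwise the trail protects nothing; the in-memory list here only shows what must be captured (who, what, when, under which grant) and that denied attempts are kept alongside successful ones.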
Training and Awareness
All Service Operation staff should be given regular and ongoing training in, and awareness of, the organization's security policy and procedures. This should include details of the disciplinary measures in place. In addition, any security requirements should be specified in the employee's contract of employment.
Documented policies and procedures
Service Operation documented procedures must include all relevant information relating to security issues extracted from the organization’s overall security policy documents. Consideration should be given to the use of handbooks to assist in getting the security messages out to all relevant staff.