Module8 ch8 STD

Saudi Electronic University
College of Computing and Informatics

IT Security and Policies

26/12/2021
Security Program and Policies
Principles and Practices

by Sari Stern Greene


Updated 02/2018

Chapter 8: Communications and Operations Security

Objectives
• Author useful standard operating procedures
• Implement change control processes
• Understand the importance of patch management
• Protect information systems against malware
• Consider data backup and replication strategies
• Recognize the security requirements of email and email systems
• Appreciate the value of log data and analysis
• Evaluate service provider relationships
• Write policies and procedures to support operational and communications security
Introduction
• Communications and operations security focuses on information technology (IT) and security functions, including:
1. Standard operating procedures
2. Change management
3. Malware protection
4. Data replication
5. Secure management
6. Activity monitoring
• These functions are carried out by IT and information security data custodians (e.g., network administrators, security engineers)
Standard Operating Procedures (SOPs)
• SOPs are detailed explanations of how to perform a task
• SOPs provide standardized direction, improved communication, reduced training time and improved work consistency
• Effective SOPs include:
1. Who performs the task
2. What materials are necessary
3. Where the task takes place
4. When the task will be performed
5. How the person will execute the task
SOPs Documentation
• SOPs should be properly documented to protect the company
• If a critical task or business process is known only to one employee and is not documented, and that employee becomes unavailable, the organization could be seriously harmed
• Documented SOPs standardize the target process and provide enough information that someone with limited experience can perform the procedure unsupervised
• SOPs should be written in detail by someone with sufficient experience of the targeted process
Authorizing SOP Documentation
• Documented procedures must be:
  • Reviewed
    • The reviewer should check the SOP for clarity and reliability
  • Verified
    • The verifier should test the procedure and ensure the steps are correct and none is missing
  • Authorized (before publication)
    • The process owner is responsible for authorization, publication and distribution of the document
Protecting SOP Documentation
The integrity of the SOP document should be protected through:
• Access controls
  • Applied to protect the procedure document from tampering or alteration
• Version controls
  • Employees should use the latest revision of the procedure
Developing SOPs
• SOPs should be:
  • Concise and clear
  • In logical step-by-step order
  • In plain language
  • Exceptions noted and explained
  • Warnings clear and standing out
• The choice of format for an SOP is based on:
  • How many decisions the user will make
  • How many steps are in the procedure
Developing SOPs: Methods
• There are four common SOP formats:
1. Simple step
  • Procedure contains fewer than 10 steps
  • Does not involve many decisions
2. Hierarchical / 3. Graphic
  • Procedure contains more than 10 steps
  • Does not involve many decisions
4. Flowchart
  • Procedure can contain any number of steps
  • Involves many decisions
SOPs Documentation Policy Example
Operational Change Control
• Change control:
  • An internal procedure in which authorized changes are made to software, hardware, network access privileges, or business processes
  • Managing change allows organizations to be productive and spend less time in crisis mode
  • Example: an operating system update fails partway, leaving the system neither fully on the new version nor on the original one; the result is an unstable platform that hinders the productivity of the entire company
• The change control process:
1. Submitting a Request for Change (RFC)
2. Developing a change control plan
3. Communicating change
4. Implementing and monitoring change
Submitting a Request for Change (RFC)
• The first phase of the change control process is the RFC submission
• The RFC should include:
1. Description of the proposed change
2. Justification for why the change should be implemented
3. Impact of not implementing the change
4. Alternatives
5. Cost
6. Resource requirements and timeframe
• The change is then evaluated and, if approved, implemented
Developing a Change Control Plan
• Once the change is approved, the next step is to develop a change control plan
• The change control plan should include:
1. Security reviews to ensure no new vulnerabilities are introduced
2. Implementation instructions
3. Rollback and/or recovery options
4. Post-implementation monitoring
• The complexity of the change and its risk to the organization will influence the level of detail within the change control plan
Communicating Change
• Change must be communicated to all relevant parties (employees, managers)
• There are two main categories of messages that are communicated:
1. Messages about the change, which should include:
  • Current situation
  • The need for change
  • What will change, how and when
2. Messages about how the change will impact employees:
  • Impact on day-to-day activities of the employees
  • Implications for job security
Implementing and Monitoring Change
• Change can be unpredictable
• If possible, change should be applied to a test environment first to check and monitor its impact
• A plan must be in place to roll back or recover from a failed implementation
• All actions and steps taken to implement the change should be recorded and documented
• Change should be continuously monitored for any flaws and unexpected impacts
Patching
• A patch is software or code designed to fix a problem
• Applying security patches is the primary method of fixing security vulnerabilities in software
• Patches need to be applied quickly to prevent attackers from exploiting the vulnerable code and the information it exposes
• Patch management
  • The process of scheduling, testing, approving, and applying security patches
  • Patching can be unpredictable and disruptive
  • Users should be notified of potential downtime due to patch installation
Malware Protection
• Malware (malicious software) is designed to:
1. Disrupt computer operation
2. Gather sensitive information
3. Gain unauthorized access to computer systems and mobile devices
• Malware can infect a system by being bundled with other programs or by self-replicating
• Most malware typically requires user interaction, such as:
1. Clicking an email attachment
2. Downloading a file from the Internet
Different Types of Malware
• Malware can be categorized as:
  • Viruses: malicious code that attaches to and becomes part of another program
  • Worms: a piece of code that spreads from one computer to another without requiring a host file
  • Trojans: malicious code that masquerades as a legitimate application
  • Bots: snippets of code designed to automate tasks and respond to instructions
  • Ransomware: a type of malware that takes a computer or its data hostage
  • Rootkits: a set of software tools that hides its presence on the computer, using some of the lower layers of the operating system or the device's basic input/output system (BIOS) with privileged access permissions
  • Spyware/adware: general term for software that tracks Internet activity and searches without the user's knowledge
How Is Malware Controlled?
• Prevention controls
  • Stop an attack before it occurs
  • Disable remote desktop connections
  • Configure the firewall to restrict access
  • Disallow users from installing software on company devices
• Detection controls
  • Identify the presence of malware, alert the user, and prevent the malware from carrying out its mission
  • Detection controls include the following:
    • Real-time firewall detection of suspicious file downloads
    • Real-time firewall detection of suspicious network connections
What Is Antivirus Software?
• Antivirus software is used to detect, contain, and in some cases eliminate malicious software
• Most AV software employs two techniques:
1. Signature-based recognition (matching known virus code)
2. Behavior-based (heuristic) recognition (e.g., disabling security controls, registering for autostart)
• AV software is not 100% effective, due to three factors:
1. The volume of new malware
2. Single-instance malware (never seen before)
3. Blended threats (several kinds of malware put together)
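To make the two techniques concrete, here is an added example in Python (not from the book or the slides): a toy scanner that combines an exact-hash signature lookup with a weighted behaviour heuristic, and shows why a single-instance variant that changes one byte escapes the signature database but can still be flagged by what it does. The hash database, behaviour names, weights and threshold are all constructed for illustration.

```python
"""Illustration of signature-based and behavior-based (heuristic) recognition, and of why
single-instance malware evades the first but not necessarily the second. Everything here
is constructed: the "known bad" hash database, behaviour names and weights are made up."""
import hashlib

# Constructed signature database: SHA-256 of a known sample -> detection name.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"EVIL-SAMPLE-1").hexdigest(): "Trojan.Sample.A",
}

# Behaviours the heuristic engine treats as suspicious, with constructed weights.
SUSPICIOUS_BEHAVIORS = {
    "disables_security_controls": 3,
    "registers_autostart": 2,
    "modifies_other_executables": 3,      # virus-like attachment to other programs
    "copies_self_to_network_shares": 3,   # worm-like self-replication
}
HEURISTIC_THRESHOLD = 4  # combined weight at which a sample is flagged (assumed)


def signature_scan(payload: bytes):
    """Signature-based recognition: exact hash lookup. Returns the name or None."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(payload).hexdigest())


def heuristic_scan(observed_behaviors):
    """Behavior-based recognition: weight the observed behaviours against a threshold.
    Returns (flagged, score)."""
    score = sum(SUSPICIOUS_BEHAVIORS.get(b, 0) for b in observed_behaviors)
    return score >= HEURISTIC_THRESHOLD, score


def scan(payload: bytes, observed_behaviors):
    """Run both techniques and return a verdict; a signature hit wins when present."""
    name = signature_scan(payload)
    flagged, score = heuristic_scan(observed_behaviors)
    if name:
        verdict = "malicious (signature)"
    elif flagged:
        verdict = "suspicious (heuristic)"
    else:
        verdict = "clean"
    return {"signature": name, "heuristic_score": score, "verdict": verdict}


if __name__ == "__main__":
    known = b"EVIL-SAMPLE-1"
    variant = b"EVIL-SAMPLE-1x"  # one byte changed: a "never seen before" instance
    print(scan(known, []))        # caught by the signature alone
    print(scan(variant, []))      # the signature misses the variant...
    print(scan(variant, ["disables_security_controls", "registers_autostart"]))  # ...behaviour catches it
    print(scan(b"quarterly-report.docx", ["registers_autostart"]))  # one mild behaviour: clean
```

The third factor on the slide, blended threats, is also visible here: a sample that both attaches to other executables and copies itself to shares scores above the threshold even if neither behaviour alone would.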
Malicious Software Policy Example
Data Replication
• The impact of malware, hardware failure and accidental deletion is reduced by effective:
  • Data replication
    • The process of copying data to a second location that is available for immediate use (e.g., moving data between a company's sites)
  • Data backup
    • The process of copying/storing data so that it can be restored to its original location in case the original is lost or damaged
• Replicating and backing up data protects the data's integrity and availability
Recommended Backup/Replication Strategy?
• The decision to back up or replicate, and how often, should be based on the impact of not being able to access the data
• Several factors should be considered when the strategy is designed:
  • Reliability is vital
  • Speed and efficiency
  • Simplicity and ease of use
  • Cost
• Backed-up or replicated data should be stored in an off-site location, secure from theft, the elements, and natural disasters
The Importance of Testing
• The value of a backup or replication lies in the assurance that a restore operation will succeed and that the data will once again be available for production and business-critical application systems
• The accessibility or restore strategy must be:
  • Carefully designed
  • Tested before being approved
  • Documented
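The slide's point that a backup is only as good as a tested restore can be shown with a small Python script; this is an added example, not material from the book or the slides. It backs up a constructed directory together with a manifest of SHA-256 digests, restores it into a separate directory and verifies every restored file against the manifest, so a silently corrupted backup is caught before anyone depends on it. The directory names and file contents are made up for the example.

```python
"""Backup plus restore test: the backup is not trusted until a restore into a separate
location has been verified file by file. Constructed example: directory names and file
contents are made up; nothing here is the book's or the slides' own material."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy every file under source into backup_dir and write MANIFEST.json with the
    digest of each file as it was at backup time."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            dest = backup_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel.as_posix()] = file_digest(p)
    manifest_path = backup_dir / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_restore(backup_dir: Path, restore_dir: Path) -> list:
    """Restore the backup into restore_dir and compare each restored file with the
    manifest. Returns the list of problems; an empty list means the restore test passed."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        src, dest = backup_dir / rel, restore_dir / rel
        if not src.is_file():
            problems.append(f"missing in backup: {rel}")
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if file_digest(dest) != expected:
            problems.append(f"digest mismatch after restore: {rel}")
    return problems


def run_restore_test(corrupt_backup: bool = False) -> list:
    """End to end: create constructed production data, back it up, optionally simulate
    silent corruption of the backup medium, restore, and report problems."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "prod", root / "backup", root / "restore"
        for d in (source, backup, restore, source / "config"):
            d.mkdir(parents=True)
        (source / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (source / "config" / "app.ini").write_text("[app]\nmode=prod\n")
        make_backup(source, backup)
        if corrupt_backup:
            # Simulated bit rot / bad media: the backup copy no longer matches the manifest.
            (backup / "customers.csv").write_text("id,name\n1,CORRUPTED\n")
        return verify_restore(backup, restore)


if __name__ == "__main__":
    print("clean backup:", run_restore_test() or "restore verified")
    print("corrupted backup:", run_restore_test(corrupt_backup=True))
```

Restoring into a separate directory rather than over the production copy is deliberate: the test must never be able to damage the data it is meant to protect, and the manifest lets the check report which file failed rather than just that something did.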
Securing Messaging
• Emails take complex routes, with processing and sorting at several locations before arriving at their destination
• It is hard to tell whether someone has read or manipulated your message in transit, which makes email an insecure way to transmit information
• Email is an effective way to spread malware and to attack or penetrate organizations
• Malware is spread in emails through:
  • Attachments
  • Hyperlinks
  • Email hoaxes: emails containing false information (such as virus warnings) asking the user to perform actions that can be damaging
• Email users and employees should:
  • Be careful with attachments, hyperlinks and spam emails
  • Not access personal email accounts from corporate networks
Securing Messaging
The three most common user errors that impact the confidentiality of email are:
1. Hitting the wrong button
  • Using "reply all" instead of "reply", or "forward" instead of "reply"
2. Sending an email to the wrong email address
  • Sending to the wrong address because it is close to the intended recipient's address (especially with the use of autocompleted addresses)
3. Forwarding an email with the entire thread
  • Leaving a third person with information discussed in earlier emails that should have been private
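The three errors above are the kind a pre-send check in a mail client or gateway can warn about. The following Python function is an added example, not from the book or the slides: it flags a reply-all that reaches external parties, a recipient that is a near-miss of a known contact (the autocomplete slip), and a forwarded thread whose quoted history would leave the company. The company domain, address book and sample messages are constructed; the near-miss test uses difflib's similarity ratio with an assumed cutoff of 0.9.

```python
"""Pre-send checks for the three email confidentiality errors described on the slide.
Constructed example: the company domain, address book and messages are made up."""
import difflib

COMPANY_DOMAIN = "example.com"  # assumed company domain
ADDRESS_BOOK = {  # constructed set of known-good correspondents (lower-case)
    "alice@example.com",
    "bob@example.com",
    "carol@partner-example.org",
}
NEAR_MISS_CUTOFF = 0.9  # assumed similarity above which an unknown address is "too close"
QUOTED_HISTORY_MARKERS = (
    "-----Original Message-----",
    "-------- Forwarded message --------",
    "\n> ",
)


def near_miss_recipients(recipients, address_book=ADDRESS_BOOK, cutoff=NEAR_MISS_CUTOFF):
    """Error 2: return (recipient, closest_known) pairs for addresses that are not in the
    address book but closely resemble an entry, the typical autocomplete slip."""
    flagged = []
    for addr in recipients:
        if addr in address_book:
            continue
        match = difflib.get_close_matches(addr, list(address_book), n=1, cutoff=cutoff)
        if match:
            flagged.append((addr, match[0]))
    return flagged


def check_outbound(message, address_book=ADDRESS_BOOK, company_domain=COMPANY_DOMAIN):
    """Apply the three checks to a message dict {to, cc, body, in_reply_to} and return
    a list of warning strings (an empty list means nothing to warn about)."""
    warnings = []
    recipients = [a.lower() for a in message.get("to", []) + message.get("cc", [])]
    external = [a for a in recipients if not a.endswith("@" + company_domain)]

    # Error 1: "reply all" on a thread, with the blast reaching people outside the company.
    if message.get("in_reply_to") and len(recipients) > 1 and external:
        warnings.append(
            f"reply-all reaches {len(external)} external recipient(s): {', '.join(external)}")

    # Error 2: address close to a known contact but not actually in the address book.
    for addr, known in near_miss_recipients(recipients, address_book):
        warnings.append(f"{addr} resembles known contact {known}; possible autocomplete error")

    # Error 3: forwarding the whole thread so earlier, private messages leave the company.
    body = message.get("body", "")
    if external and any(marker in body for marker in QUOTED_HISTORY_MARKERS):
        warnings.append("forwarded thread history would be disclosed to external recipient(s)")
    return warnings


if __name__ == "__main__":
    samples = [  # constructed messages, one per error plus a clean one
        {"to": ["bob@example.com"], "body": "see you at 3"},
        {"to": ["alce@example.com"], "body": "draft attached"},
        {"to": ["alice@example.com", "carol@partner-example.org"],
         "in_reply_to": "<msg-1@example.com>", "body": "agreed"},
        {"to": ["carol@partner-example.org"],
         "body": "FYI\n\n-----Original Message-----\nFrom: bob@example.com\ninternal pricing notes"},
    ]
    for m in samples:
        print(m["to"], "->", check_outbound(m) or ["ok"])
```

A check like this warns rather than blocks: every one of the three patterns also occurs legitimately, so the sender, not the tool, makes the final call.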
Are E-Mail Servers at Risk?
• Email servers are hosts that deliver, forward and store emails
• An email server can be compromised or abused through:
  • Relay abuse: using mail servers to distribute spam/malware
  • DDoS attack: an attack against the availability of the email service
• In response to the flood of spam and email-borne malware, blacklisting has become standard practice
• Blacklisting is used to deny emails coming from a specified IP address, domain name or email address that is known for spam/malware
Activity Monitoring and Log Analysis
• Logs are used to record events occurring within an organization's systems and networks
• Log management activities include:
1. Configuring log sources, log generation, storage and security
2. Performing analysis of log data
3. Initiating appropriate responses to identified events
4. Managing the long-term storage of log data
• Log data should be selected based on its ability to:
1. Identify suspicious activity and attacks
2. Help understand normal activity
3. Provide operational oversight and reveal mistakes
4. Provide a record of activity
Analyzing Logs
• Log analysis can be a reliable way to discover potential threats and malicious activity and to provide operational oversight
• Log analysis techniques include:
  • Correlation: ties individual log entries together based on related information
  • Sequencing: examines activity based on patterns
  • Signature: compares log data to "known bad" activity
  • Trend analysis: identifies activity over time that alone might seem normal
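Each of the four techniques can be shown running over log data. The Python below is an added example, not from the book or the slides; the syslog-style lines it parses are constructed (addresses from the RFC 5737 documentation ranges), and the hostnames, thresholds and the single "known bad" pattern are assumptions for the illustration. Correlation joins the authentication and firewall logs on a shared source address, sequencing finds several failed logins followed by a success from the same source within a minute, signature matching looks for a known-bad request pattern, and trend analysis catches a source whose single failure per hour looks normal in isolation but recurs hour after hour.

```python
"""The four log analysis techniques from the slide, run over constructed sample lines.
Constructed example: hostnames, addresses (RFC 5737 documentation ranges), thresholds
and the single 'known bad' pattern are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-like lines: "<timestamp> <host> <process>: <message>".
SAMPLE_LOGS = """\
2021-12-26T08:00:01 auth sshd[101]: Failed password for admin from 203.0.113.5 port 50122
2021-12-26T08:00:03 auth sshd[101]: Failed password for admin from 203.0.113.5 port 50123
2021-12-26T08:00:05 auth sshd[101]: Failed password for admin from 203.0.113.5 port 50124
2021-12-26T08:00:07 auth sshd[101]: Accepted password for admin from 203.0.113.5 port 50125
2021-12-26T08:00:20 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=445
2021-12-26T08:01:00 app web[77]: GET /index.php?id=1' OR '1'='1 from 198.51.100.9
2021-12-26T09:00:00 auth sshd[101]: Failed password for bob from 192.0.2.10 port 40001
2021-12-26T10:00:00 auth sshd[101]: Failed password for bob from 192.0.2.10 port 40002
2021-12-26T11:00:00 auth sshd[101]: Failed password for bob from 192.0.2.10 port 40003
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Signature: assumed "known bad" pattern (a classic SQL injection probe in a URL).
SIGNATURES = {"sql-injection-probe": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)}


def parse(text):
    """Turn raw lines into event dicts with a datetime and the first IP address seen."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, worth counting in production
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        ips = IP_RE.findall(e["msg"])
        e["ip"] = ips[0] if ips else None
        events.append(e)
    return events


def correlate_by_ip(events):
    """Correlation: tie entries from different log sources together by a shared address."""
    hosts_by_ip = defaultdict(set)
    for e in events:
        if e["ip"]:
            hosts_by_ip[e["ip"]].add(e["host"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) > 1}


def sequence_failed_then_success(events, threshold=3, window_s=60):
    """Sequencing: several failed logins followed by a success from the same source
    within the window, a pattern no single entry reveals."""
    failures = defaultdict(list)
    hits = []
    for e in events:
        if not (e["proc"].startswith("sshd") and e["ip"]):
            continue
        if e["msg"].startswith("Failed password"):
            failures[e["ip"]].append(e["ts"])
        elif e["msg"].startswith("Accepted password"):
            recent = [t for t in failures[e["ip"]] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append((e["ip"], len(recent), e["ts"]))
    return hits


def signature_match(events):
    """Signature: compare each message against the known-bad patterns."""
    return [(name, e["ip"]) for e in events for name, rx in SIGNATURES.items() if rx.search(e["msg"])]


def trend_low_and_slow(events, min_hours=3):
    """Trend analysis: one failed login per hour looks normal on its own; the same source
    failing in many distinct hours does not."""
    hours_by_ip = defaultdict(set)
    for e in events:
        if e["ip"] and e["msg"].startswith("Failed password"):
            hours_by_ip[e["ip"]].add(e["ts"].replace(minute=0, second=0, microsecond=0))
    return {ip: len(h) for ip, h in hours_by_ip.items() if len(h) >= min_hours}


def analyze(text):
    """Run all four techniques over a log text and return their findings."""
    events = parse(text)
    return {
        "correlation": correlate_by_ip(events),
        "sequencing": sequence_failed_then_success(events),
        "signature": signature_match(events),
        "trend": trend_low_and_slow(events),
    }


if __name__ == "__main__":
    for technique, findings in analyze(SAMPLE_LOGS).items():
        print(f"{technique}: {findings}")
```

Note how the two brute-force sources are caught by different techniques: the fast one by sequencing (three failures and a success inside a minute) and the slow one only by trend analysis, which is exactly the slide's point that some activity looks normal until viewed over time.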
Summary
• Day-to-day activities can have a huge impact on the security of the network and the data it contains. SOPs are important in providing a consistent framework across the company.
• Change must be managed. Two mandatory components of a change management process are RFC documents and a change control plan.
• Malware is becoming the tool of choice for criminals to exploit devices, operating systems, applications, and user vulnerabilities. Many types of malware exist, and companies should protect against them.
• Sound backup strategies should be developed, tested, authorized and implemented. Email, while a fantastic business tool, is also a double-edged sword because of its inherent lack of built-in security and must be treated as such.
• Operational security extends to service providers. Service provider controls should meet or exceed those of the company.
Thank You