
Information Technology Security Policy Framework

Operations security entails administrative, procedural and hierarchical engagement to design, implement and conduct sustainment activities that secure the vital business data assets, information and infrastructure. The overall operations security system encapsulates the proper skill sets, tools and techniques to effectively and efficiently monitor and control the risks associated with information technology and the information passed through those systems. There are multiple intricacies in balancing security, functionality and the overall ease of use for end users. This includes telecommunication tools as well as the networking aspects of the infrastructure.

The hardware of the security system is easy to identify, and the tools to protect the data are somewhat tangible in regard to implementation and execution, but there is another factor in implementing a strong and reliable operational security system: the culture of the company and the support of leadership throughout the organization. Policies and procedures ensure the implementation and sustainment of the operations security program and drive the system toward a higher success rate in mitigating potential risks. System operations security consists of the measures and actions taken to safeguard critical information from risks and attacks. This includes maintaining the data’s integrity, confidentiality and access or availability for the appropriate users. It covers access control, hardware or infrastructure control, software control, processing control and media control (SANS Institute 2003). All of these play critical roles in the development and enforcement of corporate policies and procedures.

Telecommunications and networking infrastructure play a key role in the analysis of an operations security system. These two areas cross into multiple areas of needed controls, which include hardware, software, access, processing and potentially media controls. Network and telecommunications devices require security measures at differing levels to ensure that the integrity, confidentiality and accessibility of the data are maintained. These two areas are of particular importance because they are where the transmission of data occurs. There are five major areas to address when adopting an operations security system analysis. These areas of focus are management, design, implementation and evaluation (Kizza, J. 2010). Each area of focus factors into how the analysis of the telecommunication and network systems is developed and sustained with regard to operations security. CNSS Policy No. 1, dated September 2004, outlines the safeguarding and control of Communications Security (COMSEC). Its basic foundation is the assured safeguarding of communicated data across all forms of communication methods. The security and control follow the basic principles of data integrity, prevention of access by unauthorized entities and control of data flow.

The management of these systems requires alignment with enterprise-wide goals and objectives for security, appropriate resources assigned to manage and maintain the systems, documented compliance with laws, regulations, policies and statutes, and an enforced escalation process. All of these policies and procedures should be standardized around the business’s goals and objectives and have the full backing of leadership to enforce the standards. Designing and implementing the systems will incorporate the appropriate security measures to thwart risks to the data traversing the network and telecommunication infrastructure. Even after the telecommunication systems and the network infrastructure have been implemented with the appropriate level of security measures, there is still one more area of concern: ensuring that the system provides the level of protection that was planned. The analysis of the system depends on the evaluation of the system. This evaluation provides an insider’s view into the security systems and their potential areas of weakness.

Evaluation provides the core set of information needed to make informed business decisions on where to allocate resources or where to mitigate certain risks. Evaluation includes performing a network/telecommunication security analysis, identifying risks, stratifying those risks, and providing the necessary actions and/or recommendations to mitigate them. This analysis also plays a role in the decision-making process for leadership, so that they can understand the potential risks they are assuming when making critical business decisions. This controllership of data is becoming more critical in the age of mobile devices, smartphones, tablets and cloud computing, in which the free flow of data and information has increased exponentially over the past decade or so. Analyzing and capturing the data will allow greater insight into the trending of risks, as well as documented solutions to those risks for future reference.

Building a secure system, hiring the right people, listing every risk and its mitigation, building out role-based access to every system on the network and locking down the telecommunications will not be worth the purchase order they were bought on if the culture and leadership of the company do not support the operations security systems that safeguard the information technology assets and the data that travels through them. The policies and procedures of the company can play an even greater role in the protection of corporate assets than the physical networks, software or other safeguards implemented by the company. Within this policy there are seven areas regarding core security principles that will be incorporated into the policy. These are identification and compliance, asset management, asset protection, acceptable use, vulnerability management, threat assessment, continuity, physical security and awareness (SANS Institute 2005).

The culture of security must be ingrained in each employee and supported by leadership in such a way that it becomes a corporate way of life. The security of the business’s systems is based on the tools implemented, how they are utilized and the policies supporting those tools and systems. To gain a better understanding of the security systems and the policies promoting and supporting them, a concept of operations, or CONOPS, can be implemented. A CONOPS is an overview of a particular system, such as the operations security system, which shows a specific set of capabilities and how those capabilities can be fully utilized to reach certain goals and objectives. These goals and objectives then roll up into the overall strategic intent of the company to ensure full alignment among organizations. This CONOPS can show how the operations security system protects the infrastructure, hardware, software, employees, etc., and how it aligns with the mission of the business. This is a critical linkage because of the relationship between the systems being implemented and the policies drafted and supported by leadership. The policies of the company directly impact the operations security systems by driving the utilization of those systems, and the policies also impact the CONOPS by directing how, when, and why specific functionality of the security system will be implemented.

Adopting the practice of certifying and accrediting the implementation of a secure IT system is both a blessing and a hindrance. On one side, certification of a system shows that all necessary technical and non-technical features meet the minimum security requirements (Kizza, J. 2010). This means that everything an outside entity deems necessary for a secure operations model has been met. On the other side, the entities that seek to put the safeguarded assets at risk also understand what those requirements are and can build and adapt their strategy to exceed them. Although certification is a great starting point and accreditation should be sought, it is not the answer to all security questions. Implementing a system that meets the business requirements, assigning the appropriate resources and building in a level of accountability both up the chain of command and horizontally across the organization will greatly increase the possibility of safeguarding the IT operations systems. In alignment with certification and accreditation, there are policies that govern at a national and international level and could facilitate the creation and implementation of policies at the corporate level. CNSS Policy No. 1, dated September 2004, outlines the safeguarding and control of Communications Security (COMSEC). Its basic foundation is the assured safeguarding of communicated data across all forms of communication methods. The security and control follow the basic principles of data integrity, prevention of access by unauthorized entities and control of data flow.

References

Cabinet Office. (2008). HMG security policy framework. Retrieved from http://webarchive.nationalarchives.gov.uk/+/http://www.cabinetoffice.gov.uk/media/111428/spf.pdf

Kizza, J. (2010). Computer network security. New York, NY: Springer Science+Business Media.

SANS Institute. (2003). Applying the OSI seven layer network model to information security. Retrieved from http://www.sans.org/reading_room/whitepapers/protocols/applying-osi-layer-network-model-information-security_1309

SANS Institute. (2005). Building a security policy framework for a large, multi-national company. Retrieved from http://www.sans.org/reading_room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company_1564