Operations management

Objective • Operational procedures and assignments of responsibilities should ensure the correct and secure operation of information processing facilities, including central (datacenter hosted) resources such as servers, local and remote network infrastructure and client devices (desktop computers and portable devices that connect to the network).

Documented operating procedures • Operating procedures should be documented, maintained and made available to all users who need them.  This could include:

  • documentation of/for all significant system activities including start-up, close-down, back-up and maintenance;
  • treatment of such documentation as a formal organizational record, subject to appropriate change authorization, change tracking and archiving; and
  • provision of appropriate security for such documentation, including distribution control (see Security of system documentation).

Segregation of duties • Duties and areas of responsibility should be segregated to the degree practicable, to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Separation of development, test and operational facilities • Development, test and operational facilities should be separated, to the degree practicable, to reduce risks of unauthorized access or disruptive changes to operational systems.

Controls for centralized resources • Central information processing facilities, such as application servers and data storage devices in “datacenters,” should be appropriately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using those facilities.  This could include:

  • separation of operational responsibilities for centralized computer systems and operations from those for the network, where appropriate;
  • implementation of appropriate controls to assure the availability of centralized resources and information services using them; and
  • establishment of responsibilities and procedures for management of equipment housed in centralized facilities.

Security of centralized resources • Security features, service levels and management requirements for all centralized resources and services should be identified in reasonable detail, and included in a services agreement, whether those services are provided in-house or outsourced.  This could include:

  • specification of technologies for security of centralized services, such as authentication, encryption and connection controls;
  • rules for secure access to the centralized resources; and
  • procedures and processes to control/restrict access to the centralized resources in accordance with those rules.

Network controls • Networks should be appropriately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.  This could include:

  • separation of operational responsibilities for networks from those for computer systems and operations, where appropriate;
  • implementation of appropriate controls to assure the availability of network services and information services using the network;
  • establishment of responsibilities and procedures for management of network equipment, including equipment in user areas;
  • special controls to safeguard the confidentiality and integrity of sensitive data passing over the organization's network and to/from public networks;
  • appropriate logging and monitoring of network activities, including security-relevant actions; and
  • management processes to ensure coordination of and consistency in the elements of the network infrastructure.

Security of network services • Security features, service levels and management requirements for all network services should be identified in reasonable detail, and included in a network services agreement, whether those services are provided in-house or outsourced.  This could include:

  • specification of technologies for security of network services, such as authentication, encryption and connection controls;
  • rules for secured connection with the network; and
  • procedures and processes to control/restrict network access in accordance with those rules.

Client device controls • Client devices that connect to the network should be appropriately managed and controlled, in order to be protected from threats and to maintain overall security.  This could include measures analogous to those for centralized and network resources, applied to client devices where technically and administratively feasible.

Security of client devices • Security features, service levels and management requirements for all client device services should be identified in reasonable detail, and included in a services agreement, whether those services are provided in-house or outsourced.  This could include measures analogous to those for centralized and network resources.

Inter-connected information systems • Policies and procedures should be developed and implemented to protect information associated with the interconnection of business systems.  This could include:

  • a risk assessment of and appropriate countermeasures for vulnerabilities associated with such interconnections;
  • policies and appropriate controls to manage information sharing using such interconnections; and
  • fallback and recovery arrangements in the event of interconnection failure.

Internet and electronic messaging • Information involved in electronic messaging should be appropriately protected.  Electronic messaging includes email, IM, audio-video conferencing and any other one-to-one, one-to-many, or many-to-many personal communications.  This could include:

  • measures to protect messages from unauthorized access, modification or diversion;
  • ensuring correct addressing and routing;
  • ensuring the general reliability and availability of messaging services;
  • limiting the use of less-secure messaging systems (e.g., free/commercial email and IM); and
  • stronger levels of authentication and message content protection when using public networks.

Electronic commerce • Information involved in electronic commerce passing over public networks should be appropriately protected from fraudulent activity, unauthorized disclosure and modification and any other activity that could lead to contractual disputes.

On-line transactions • Information involved in on-line transactions should be appropriately protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Publicly available information • The integrity of information provided on a publicly available system, such as a Web server, should be appropriately protected to prevent unauthorized modification.

Change and project management • Changes to information processing facilities and systems should be controlled using appropriate change and project management procedures.  This could include:

  • benefit-cost assessments, weighing benefits of the change or project against required resources and other costs;
  • risk assessments, including analyses of potential impacts and necessary countermeasures or mitigation controls;
  • processes for planning and testing of changes, including fallback (abort/recovery) measures;
  • managerial approval and authorization before proceeding with changes or projects that may have a significant impact on operations;
  • advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to persons who will or might be affected;
  • documentation of change steps and the success/failure of each change; and
  • documentation of updates to configuration or other “inventory” data about information and information processing facilities.

System acceptance criteria • Acceptance criteria for new information systems, upgrades, and new versions should be appropriately established, and suitable tests carried out during development and prior to acceptance.  This could include:

  • clear definition and agreement on system acceptance criteria;
  • testing and documentation of compliance with those requirements; and
  • consultation with affected persons, or representatives of affected groups, at all phases of the process.

Incident and problem management • Variations from normal operations of information processing facilities should be logged and investigated using appropriate incident and problem management procedures.  This could include:

  • standardized incident/problem reporting systems;
  • formal procedures for investigation of incidents/problems;
  • formal review processes (“lessons learned”); and
  • based on reviews, documented mitigation activities to prevent recurrences.

Configuration management • The configuration of information processing facilities should be recorded, and updated to reflect changes.  This could include:

  • standardized “inventory” systems for information processing assets; and
  • periodic review of the accuracy of the inventory.

Service level and capacity management • Service level expectations should be formally defined for all major service components, both for the current environment and projected future requirements.  This could include:

  • on-going monitoring of the use of information and information facility resources;
  • identification of capacity requirements for each new and ongoing system/service;
  • projection of future capacity requirements, taking into account current use, projected trends, and anticipated changes in business requirements; and
  • system monitoring and tuning to ensure and, where possible, improve availability and effectiveness of current systems consistent with service level agreements.

Third-party service contracts • Security controls, service definitions and service level specifications should be included in third-party service delivery agreements.

Monitoring and review of third-party services • Services, reports and records provided by the third party should be regularly monitored and reviewed, and appropriate audits conducted.

Managing changes to third-party services • Changes to the agreements for provision of services by third parties, including maintaining and improving existing information security policies, procedures and controls, should be appropriately managed.  This could include:

  • taking into account the criticality of the particular systems and associated business processes;
  • considering changes to the business environment, legal, regulatory or certification controls, or the risk/threat landscape; and
  • using appropriate change management procedures, similar to those applied to internal service changes, when alterations are necessary.

SOURCES: ISO 27001/27002:2005 sects. 10.1 – 10.9.