Chapter 32 – |
Operations Security and Production Controls |
Myles Walsh
M. E. Kabay, PhD, CISSP
Chapter Contents:
|
32.1 |
|
Introduction
|
|
32.1.1 |
|
What Are Production Systems?
|
|
32.1.2 |
|
What Are Operations?
|
|
32.1.3 |
|
What Are Computer Programs?
|
|
32.1.4 |
|
What Are Procedures?
|
|
32.1.5 |
|
What Are Data Files?
|
|
32.2 |
|
Operations Management
|
|
32.2.1 |
|
Separation of Duties
|
|
32.2.2 |
|
Security Officer or Security Administrator
|
|
32.2.3 |
|
Limit Access to Operations Center
|
|
32.2.3.1 |
|
Need, not status, determines access
|
|
32.2.3.2 |
|
Basic methods of access control
|
|
32.2.3.3 |
|
Log in and badge visitors
|
|
32.2.3.4 |
|
Accompany visitors
|
|
32.2.4 |
|
Change-control Procedures from the Operations Perspective
|
|
32.2.4.1 |
|
Moving new versions of software into production
|
|
32.4.1.6 |
|
Backout and recovery
|
|
32.2.4.2 |
|
Using digital signatures to validate production programs
|
|
32.2.5 |
|
Using Externally Supplied Software
|
|
32.2.5.1 |
|
Verify digital signatures on source code if possible
|
|
32.2.5.2 |
|
Compile from source when possible
|
|
32.2.6 |
|
Quality Control versus Quality Assurance
|
|
32.2.6.1 |
|
Service-level agreements
|
|
32.2.6.2 |
|
Monitoring performance
|
|
32.2.6.3 |
|
Monitoring resources
|
|
32.2.6.4 |
|
Monitoring output quality
|
|
32.3 |
|
Providing a Trusted Operating System
|
|
32.3.1 |
|
Creating Known-Good Boot Medium
|
|
32.3.2 |
|
Installing a New Version of the Operating System
|
|
32.3.3 |
|
Patching the Operating System
|
|
32.4 |
|
Protection of Data
|
|
32.4.1 |
|
Access to Production Programs and Control Data
|
|
32.4.1.1 |
|
Users
|
|
32.4.1.2 |
|
Programming staff
|
|
32.4.1.3 |
|
Operations staff
|
|
32.4.2 |
|
Separating Production, Development, and Test Data
|
|
32.4.3 |
|
Controlling User Access to Files and Databases
|
|
32.5 |
|
Data Validation
|
|
32.5.1 |
|
Edit Checks
|
|
32.5.2 |
|
Check Digits and Log Files
|
|
32.5.3 |
|
Handling External Data
|
|
|
|