Operations Security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
Arthur Paixão, Faculdade dos Guararapes
Operational procedures and responsibilities
• Objective: To ensure correct and secure operations of information processing facilities.
• Divided into subsections:
  o 12.1.1 - Documented operating procedures
  o 12.1.2 - Change management
  o 12.1.3 - Capacity management
  o 12.1.4 - Separation of development, testing and operational environments
12.1.1 - Documented operating procedures
• The installation and configuration of systems;
• Processing and handling of information, both automated and manual;
• Instructions for handling errors or other exceptional conditions which might arise during job execution, including restrictions on the use of system utilities;
12.1.2 - Change management
• Identification and recording of significant changes;
• Planning and testing of changes;
• Assessment of the potential impacts, including information security impacts, of such changes;
12.1.3 - Capacity management
• Deletion of obsolete data (disk space);
• Decommissioning of applications, systems, databases or environments;
• Optimising batch processes and schedules;
12.1.4 - Separation of development, testing and operational environments
• Rules for the transfer of software from development to operational status should be defined and documented;
• Development and operational software should run on different systems or computer processors and in different domains or directories;
• Changes to operational systems and applications should be tested in a testing or staging environment prior to being applied to operational systems;
Protection from malware
• Objective: To ensure that information and information processing facilities are protected against malware.
• Divided into a single subsection:
  o 12.2.1 - Controls against malware

12.2.1 - Controls against malware
• Establishing a formal policy prohibiting the use of unauthorized software;
• Implementing controls that prevent or detect the use of unauthorized software (e.g. application whitelisting);
• Implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blacklisting);
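The application whitelisting control named above (12.2.1) and the change-management record of 12.1.2 fit together: only executables whose digest was recorded when the change was approved may run, and anything else is denied and logged for detection. The following is an added example, not part of the original slides; the files, names and the hash-based decision logic are constructed for illustration, and a real deployment would enforce the list in the operating system (for example a kernel-level execution policy) rather than in a script.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Record the digest of each executable approved through change management.

    The allowlist maps digest -> approved name, so a renamed copy of an approved
    file still passes and a modified file with the original name does not.
    """
    return {sha256_of_file(p): os.path.basename(p) for p in approved_paths}


def check_execution(path, allowlist):
    """Decide whether `path` may run: allowed only if its digest is on the list.

    Returns (allowed, log_line). Denied attempts produce a DENY line that a
    monitoring pipeline can alert on (the 'detect' half of the control).
    """
    digest = sha256_of_file(path)
    if digest in allowlist:
        return True, f"ALLOW path={path} sha256={digest} approved_as={allowlist[digest]}"
    return False, f"DENY path={path} sha256={digest} reason=not-on-allowlist"


def demo():
    """Constructed scenario (hypothetical files in a temp directory):
    one approved tool, one unapproved tool, and the approved tool after it
    was modified without going back through change management."""
    d = tempfile.mkdtemp()
    approved = os.path.join(d, "approved_tool.bin")
    unapproved = os.path.join(d, "unapproved_tool.bin")
    with open(approved, "wb") as f:
        f.write(b"#!/bin/sh\necho approved\n")
    with open(unapproved, "wb") as f:
        f.write(b"#!/bin/sh\necho unapproved\n")

    allowlist = build_allowlist([approved])
    results = {
        "approved": check_execution(approved, allowlist),
        "unapproved": check_execution(unapproved, allowlist),
    }
    # Any change to an approved file (a patch, or tampering) changes its digest,
    # so it is denied until the new version is approved and recorded.
    with open(approved, "ab") as f:
        f.write(b"# modified after approval\n")
    results["modified"] = check_execution(approved, allowlist)
    return results


if __name__ == "__main__":
    for name, (allowed, line) in demo().items():
        print(f"{name:10} allowed={allowed} {line}")
```

The design choice worth noting is that the list is keyed by content digest rather than by path or filename: a path-based rule is defeated by placing an unapproved binary at an approved location, while a digest-based rule turns every unrecorded modification into a denied (and logged) event.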
Backup
• Objective: To protect against loss of data.
• Divided into a single subsection:
  o 12.3.1 - Information backup

12.3.1 - Information backup
• Accurate and complete records of the backup copies and documented restoration procedures should be produced;
• The backups should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;
• In situations where confidentiality is of importance, backups should be protected by means of encryption;
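Two of the 12.3.1 points above are routinely left to chance: the record of what each backup copy contains, and a restoration procedure that is actually exercised. The following is an added example, not part of the original slides, that keeps a catalog entry (timestamp, archive digest, per-file digests) for every backup copy and then runs the documented restore procedure and compares the restored files against that record, so a corrupt or tampered copy is detected before it is needed. The directories and files are constructed in a temp location; encrypting the archive for the confidentiality case is assumed to be a separate step applied to the produced archive and is not shown.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir, catalog_path):
    """Archive source_dir into backup_dir and append a catalog record.

    The catalog (JSON lines) is the 'accurate and complete record of the
    backup copies': when it was taken, where the copy lives, the digest of
    the whole archive and the digest of every file inside it.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(backup_dir, f"backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    files = {}
    for root, _, names in os.walk(source_dir):
        for name in names:
            full = os.path.join(root, name)
            files[os.path.relpath(full, source_dir)] = sha256_of_file(full)
    record = {
        "created_utc": stamp,
        "source": source_dir,
        "archive": archive,
        "archive_sha256": sha256_of_file(archive),
        "files": files,
    }
    with open(catalog_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def restore_and_verify(record, restore_dir):
    """The documented restore procedure: check the copy, extract, compare.

    Returns (ok, message). Extraction is done member by member so that an
    entry whose path would land outside restore_dir is refused.
    """
    if sha256_of_file(record["archive"]) != record["archive_sha256"]:
        return False, "archive digest mismatch: backup copy is corrupt or tampered"
    root = os.path.realpath(restore_dir)
    with tarfile.open(record["archive"], "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = os.path.relpath(member.name, "data")
            dest = os.path.join(restore_dir, rel)
            if not os.path.realpath(dest).startswith(root + os.sep):
                return False, f"unsafe path in archive: {member.name}"
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
    mismatches = []
    for rel, digest in record["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path) or sha256_of_file(path) != digest:
            mismatches.append(rel)
    if mismatches:
        return False, f"restored files differ from catalog: {mismatches}"
    return True, f"{len(record['files'])} files restored and verified"


def demo():
    """Constructed scenario: back up a small tree, run the restore test, then
    damage the backup copy and confirm the restore test rejects it."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "src")
    os.makedirs(os.path.join(src, "sub"))
    for rel, content in [("a.txt", b"alpha\n"), ("b.txt", b"bravo\n"), ("sub/c.txt", b"charlie\n")]:
        with open(os.path.join(src, rel), "wb") as f:
            f.write(content)
    offsite = os.path.join(base, "offsite")  # stands in for the remote location
    os.makedirs(offsite)
    catalog = os.path.join(base, "backup-catalog.jsonl")

    record = create_backup(src, offsite, catalog)
    ok, _ = restore_and_verify(record, os.path.join(base, "restore"))
    with open(record["archive"], "r+b") as f:  # simulate a damaged copy
        f.write(b"\x00\x00")
    ok_after_damage, _ = restore_and_verify(record, os.path.join(base, "restore2"))
    with open(catalog) as f:
        entries = sum(1 for _ in f)
    return {"restored_ok": ok, "files": len(record["files"]),
            "damage_detected": not ok_after_damage, "catalog_entries": entries}


if __name__ == "__main__":
    print(demo())
```

Run periodically against the copies held at the remote site, the restore test turns the control from a statement of intent into evidence: each catalog line says what was backed up and when, and each verification result says whether that copy could actually be restored.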