Wk-1 D2
nrvamcni143
Q-2.docxQuestion:2
Operations security definition
According to Jason Andress (2014), Operations security is not limited to the process of identification of sensitive & critical information but extends to identify ways to protect them and thereby preventing them to be used by the adversaries. Operations Security was a field which was primarily introduced and practiced by US government for handling the sensitive information. But due to the exponential growth in the use of smart phones and internet, all of our regular day-to-day activities have pretty much moved to the virtual environments. This has forced many of the organizations to look for ways to protect the information and take countermeasures as and when required.
Importance for operations security
· It helps the businesses to protect their informational assets from insider threats, where the employees can gain access to the sensitive information regarding the practices and security controls of the organizations.
· It helps the business is protecting them against the various STRIDE related threats (STRIDE- Spoofing, Tampering, Repudiation, information Disclosure, Denial of Service, Elevation of privilege)
· It provides the management with controlling ability over the changes made to the IT infrastructure and the physical security by which the business operates.
· It also enables the businesses to define and set controls over protecting sensitive data that are at rest and are in transit (Rountree, 2011).
Application of Operations security at work
I am currently working at an Insurance firm on a Billing and Collections Project, which deals with a lot of sensitive and private financial data of the customers. Here is how the company is practicing operations security principles at work.
1. Closely monitored change control principles.According to Johnson (2015), security at work environment can be bolstered by the use of appropriate change management policies and apt physical security access control guidelines. Every change that is made to the IT infrastructure is closely monitored and requires various levels of authorization before it can be deployed permanently. This way the management is able to have control over the architecture and design of their Information asset.
2. Network access governance and restriction.Tea-leaves policies, Splunk and a dedicated audit team are present to monitor the various activities performed by the employees and also to regulate network traffic. The organization also has specialized access instructions that limits them from connecting from unsecured networks.
3. Risk management practices:The employees are given training regarding the current cyber security threats and phishing. They are also given quizzes and various team activities that encourage better risk management within departments.
4. Reducing human interference.Since employees are considered the weakest link through which the outsiders can gain access to protected information, most of the processes within the organization are now automated and thereby reducing need for manual work-around. Such activities reduce the need for employees to have access to all the customer data.
5. Business continuity plans and Disaster recovery plans.The organization also strictly adheres to the practice of developing disaster recovery plans for every tiny IT infrastructure change that is being deployed in order to ensure the authenticity and integrity of the overall IT asset.
6. Limited access.People who develop the IT asset are usually not provided with access to the Production data and thereby limiting the access only to processors who would be needing in on the daily basis. Business Ops people who work closely with the customer data do not have the thorough knowledge of the back end integration of the data base structures and data, which again minimizes the risks caused by the insiders (Johnson, 2015).
I want 100 words explanation on above paragraph. you must include at least two citations and 3 references., your sentence must be start from, I like your post, I would like to add some more details on your discussion….
