Booklet: Operations. Section: Risk Mitigation and Control Implementation. Subsection: Security
PHYSICAL SECURITY
The personnel, equipment, records, and data comprising IT operations represent
a critical asset. Management should deploy adequate physical security
in a layered or zoned approach at every IT operations center commensurate
with the value, confidentiality, and criticality of the data stored or
accessible and the identified risks. This section summarizes some of the
preventive and detective controls for physical security and discusses
some minimum physical security requirements. Refer to the IT Handbook’s
“Information Security Booklet” for additional information.
An institution’s main IT operations center should have a limited
number of windows and external access points. The data center should preferably
not be identified as such. The perimeter should have adequate lighting,
and, if conditions warrant, perimeter security should have gates, fences,
video surveillance, and alarms. Management should assess whether armed
guards are suitable and should ensure they are trained, licensed, subjected
to background checks, and follow standard security industry practices.
Management should consider using video surveillance and recording equipment
in all or parts of the facility to monitor activity and deter theft. Management
should also use inventory labels, bar codes, and logging procedures to
control the inventory of critical and valuable equipment.
An institution should implement policies and procedures to prevent the
removal of sensitive electronic information and data. These policies should
address the use of laptop computers, personal digital assistants, and
portable electronic storage devices. The policies and procedures should
further address shredding of confidential paper documents and erasing
electronic media prior to disposal. In addition, policies and procedures
should delineate the circumstances under which employees’ personal
property may be subject to search.
LOGICAL SECURITY
Information security has specific implications for technology operations.
Data center operations should support and complement the financial institution’s
information security architecture and processes. Refer to the IT Handbook’s
“Information Security Booklet” for additional information.
As part of the information security program, management should implement
an information classification strategy appropriate to the complexity of
its systems. Generally, financial institutions should classify information
according to its sensitivity and implement controls based on the classifications.
IT operations staff should know the information classification policy
and handle information according to its classification.
IT operations management should implement preventive (e.g., access controls),
detective (e.g., logging), and corrective (e.g., incident response) logical
security controls. All three types of controls provide a framework for
IT operations information security. These controls can be implemented
by administrative (e.g., policy), logical (e.g., access controls), or
physical (e.g., locked room) controls.
IT operations staff should be aware of the organization's information
security program, how it relates to their job functions, and their role
as information custodians. As custodians, the IT operations staff have
the responsibility of protecting the information as it is processed and
stored.
Management should employ the principle of least possible privilege throughout
IT operations. The principle provides that individuals should only have
privileges on systems and access to functions that are required to perform
their job function and assigned tasks. Access privilege may include read-only,
read/write, or create/modify. Even read-only access poses risk since employees
can print or copy sensitive customer information for inappropriate use.
System administrator and security administrator level access allows an
individual to change access privileges to systems and information. Individuals
with these roles and privileges should have minimal transactional authority.
Independent employees should monitor the system and security administrator
activity logs for unauthorized activity. Smaller operations centers are
challenged in implementing separation of duties and the principle of least
privilege because they frequently do not have the resources. Management
at smaller institutions should establish compensating controls in these
circumstances.
Network and system monitoring and maintenance tools can provide IT operations
staff with inappropriate access to sensitive information. These hardware
and software monitoring and maintenance tools observe equipment for error
conditions, faulty links, or other problems. These utilities may also
allow operations staff powerful access to operations center equipment.
Because monitoring tools such as network sniffers, network diagnostics
tools, and network management utilities can circumvent traditional safeguards,
management should control access to them. Controls for such tools should
include:
- Policies defining appropriate use;
- Least possible privilege;
- Usage logs;
- Reports to management and audit on use of monitoring tools;
- Password protection and lockout facilities;
- Physical protection (e.g., a locked cabinet); and
- Dual control of equipment (i.e., two individuals need to operate equipment together).
Remote monitoring and administration tools pose special risks to information
security. Remote tools allow operators to connect through a remote function
and perform activities they would normally perform on-site. Some financial
institutions have approved remote access technologies as a central, common
solution for all employees who require remote access. Information security
personnel should scrutinize and monitor remote access closely. Remote
access solutions that are available continuously or for extended periods
of time pose the greatest risk to a financial institution. Because remote
access solutions potentially bypass information security controls, management
should evaluate and implement appropriate user access, activity logging,
and time of day controls to minimize the risk of unauthorized access.
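As an added example (not part of the booklet), the following script reviews constructed remote-access session records against the controls the paragraph names: an approved-user list, activity logging, a time-of-day window, and a cap on session length. The log format, the field names and every policy value are assumptions for illustration.

```python
"""Review constructed remote-access session records for the control
failures the passage warns about: unapproved users, sessions started
outside approved hours, sessions that run for extended periods, and
sessions with no end record (still open, or a logging gap).
Log format and policy values are assumptions, not from the booklet."""
from datetime import datetime, time

# Policy values are assumptions for the example.
POLICY = {
    "approved_users": {"jdoe", "asmith"},
    "window": (time(7, 0), time(19, 0)),   # approved hours, local time
    "max_minutes": 120,                    # flag sessions longer than this
}

# Constructed sample log: timestamp user source start|end session_id
SAMPLE_LOG = """\
2024-03-04T08:15:00 jdoe 203.0.113.5 start s1
2024-03-04T09:02:00 jdoe 203.0.113.5 end s1
2024-03-04T22:40:00 asmith 198.51.100.9 start s2
2024-03-05T03:10:00 asmith 198.51.100.9 end s2
2024-03-05T10:00:00 vendor1 192.0.2.77 start s3
2024-03-05T10:20:00 vendor1 192.0.2.77 end s3
2024-03-05T11:00:00 jdoe 203.0.113.5 start s4
"""

def parse(log_text):
    """Group start/end events into one record per session id."""
    sessions = {}
    for line in log_text.splitlines():
        ts, user, src, event, sid = line.split()
        rec = sessions.setdefault(sid, {"user": user, "src": src, "start": None, "end": None})
        rec[event] = datetime.fromisoformat(ts)
    return sessions

def in_window(moment, window):
    lo, hi = window
    return lo <= moment.time() <= hi

def review(log_text, policy=POLICY):
    """Return (session_id, finding) pairs for an independent reviewer."""
    findings = []
    for sid, rec in parse(log_text).items():
        if rec["user"] not in policy["approved_users"]:
            findings.append((sid, "unapproved user " + rec["user"]))
        if rec["start"] and not in_window(rec["start"], policy["window"]):
            findings.append((sid, "start outside approved hours"))
        if rec["end"] is None:
            findings.append((sid, "no end record: session still open or logging gap"))
        elif rec["start"]:
            minutes = (rec["end"] - rec["start"]).total_seconds() / 60
            if minutes > policy["max_minutes"]:
                findings.append((sid, f"session lasted {minutes:.0f} minutes"))
    return findings
```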
Other types of remote access such as modems attached to systems or special
maintenance ports may circumvent the central, approved remote access solution.
Information security personnel may overlook these remote access points,
which might allow unauthorized individuals to access sensitive equipment.
Management should routinely review the network topology and hardware inventory
to ensure the identification and control of all remote access points.
Management should also document strict policies about the consequences
of unauthorized use of modems or other access devices without implicit
approval.