Conceptualizing the Domain and an Empirical Analysis of Operations Security Management

Conceptualizing the Domain and an Empirical Analysis of Operations Security Management

Winfred Yaokumah (Pentecost University College, Ghana)
Copyright: © 2019 |Pages: 27
DOI: 10.4018/978-1-5225-6367-9.ch015

Abstract

Operations security management integrates the activities of all the information systems security controls. It ensures that the entire computing environment is adequately secured. This chapter conducts an in-depth review of scholarly and practitioner works to conceptualize the domain of operations security management. Drawing upon the existing information systems security literature, the chapter classifies operations security management into 10 domains. Following, the chapter performs an empirical analysis to investigate the state-of-practice of operations security management in organizations. The findings show that the maturity level of operations security management is at the Level 3 (well-defined). The maturity levels range from Level 0 (not performed) to Level 5 (continuously improving). The results indicate that operations security processes are documented, approved, and implemented organization-wide. Backup and malware management are the most applied operations security controls, while logging, auditing, monitoring, and reviewing are the least implemented controls.
Chapter Preview
Top

Introduction

Operations security management is the day-to-day activities involved in ensuring that people, applications, computer systems, computer networks, processes, and the entire computing environment are properly and adequately secured (Gregory, 2010). It pertains to the activities that take place while keeping computing environment up and running in a secured and protected manner (Harris, 2013; Shaqrah, 2010). Operations security management integrates the activities of all the information systems security controls (Henrya, 2011). To attain a high level of operations security organizations need to put in place appropriate measures that will ensure that the routine security activities are carried out in a controlled manner (Prabhu, 2013). These activities may include documenting operating procedures; ensuring that changes to information assets are carried out efficiently; protecting information resources from malware and other threats; performing backups and ensuring timely availability of information; and carrying out logging, auditing, monitoring, and reviewing user activities (Prabhu, 2013). In order to keep up with these tasks, operations security personnel (network administrators, system administrators, and database administrators) need in-depth understanding of the domain of operations security. This knowledge will help them to fully implement and adequately handle the day-to-day operations security challenges.

However, there seems to be varying views as to what constitutes the domain of operations security. According to Gregory (2010), operations security includes security monitoring, vulnerability management, change management, configuration management, and information handling procedures. Harris (2013) considers operations security as the activities involved in ensuring that physical and environmental security (such as temperature and humidity control, media reuse and disposal, and destruction of media containing sensitive information) concerns are addressed. Moreover, the International Information System Security Certification Consortium’s (ISC2) Body of Knowledge (CBK, 2017) extends operations security to cover operational support of highly available systems, fault tolerance, and mitigation of security-related cyber attacks. Also, ISO/IEC 27002 (2013) defines the scope of operations security as consisting of security procedures, roles and responsibilities; management of security in the third-party products and services; securing systems and data from malware activities; backup of data to safeguard against data lost and system corruption; and logging, monitoring, auditing, and reviewing of system activities.

Considering these different perspectives, there is the need to identify, classify, and clarify the domain of operations security for better implementation and management of operations security controls in organizations. Therefore, the objectives of this chapter are: (a) to conduct a review of scholarly and practitioner works to conceptualize the domain of operations security management, and (b) to perform an empirical analysis to ascertain the level of operations security management in organizations based on ISO/IEC 27002:2013 framework. Information security programs will be successful when measured with IT security maturity models (McFadzean, Ezingeard, & Birchall, 2011). These models are based on international standards and best practices. Information security maturity models consist of structured set of elements that describe levels of security improvement (maturity). They are often used as tools for measuring the performance of security programs in organizations (Stevanović, 2011).

Key Terms in this Chapter

Operation Security: The day-to-day activities that ensure that computer systems, networks, applications, and the entire computing environment are secured and protected.

Access Management: Activities organizations carry out to control users' access to computer systems, networks, and facilities (buildings, rooms, workspaces). It also includes the tasks users are permitted to perform when access is granted.

Change Management: The processes involved when changes to computing environment are formally planned and reviewed before the changes are implemented.

Vulnerability Management: The process of identifying weaknesses in systems and putting in place measures to mitigate the threats that may exploit the weaknesses.

Resource Protection: Security measures and processes that are put in place to protect information assets and resources, including facilities, hardware, software, networks, documentation, and records.

Malware Management: The use of software (known as antimalware) to block, detect, and clean malicious and unwanted software on a computer system.

Backup: The process of making a copy of important information from a computer system to another device for recovery or archival purposes.

Business Continuity Management: When an unexpected event occurs, organizations must recover and restore work to normal operations. This involves measures that are taken to reduce or prevent the effect of a disaster.

Configuration Management: Activities to monitor and set up the configuration of computer systems and software applications so that they can perform the needed functionality.

Complete Chapter List

Search this Book:
Reset