Page281

Introduction

Security Operations is concerned with threats to a production operating environment. Threat agents can be internal or external actors, and operations security must account for both of these threat sources in order to be effective. Ultimately, operations security centers on the fact that people need appropriate access to data. This data will exist on some particular media, and is accessible by means of a system. So operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.

Disaster Recovery Planning has emerged as a critical component of the Common Body of Knowledge. Our world of the past 15 years has experienced many disruptive events: terrorism, earthquakes, hurricanes, tsunamis, floods, and the COVID-19 pandemic. Business Continuity and Disaster Recovery Planning are an organization’s last line of defense: when all other controls have failed, BCP/DRP is the final control that may prevent drastic events such as injury, loss of life, or failure of an organization. As information security professionals, we must be vigilant, and protect our organizations and staff from these disruptive events.

Administrative Security

All organizations contain people, data, and means for people to use the data. A fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people’s operational access to data.

Administrative Personnel Controls

Administrative Personnel Controls represent important operations security concepts that should be mastered by the CISSP® candidate. These are fundamental concepts within information security that permeate through multiple domains.

Least Privilege or Minimum Necessary Access

One of the most important concepts in all of information security is the principle of least privilege. The principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties. The principle of least privilege may also be referred to as the principle of minimum necessary access. Regardless of name, adherence to this principle is a fundamental tenet of security, and should serve as a starting point for administrative security controls.

Although the principle of least privilege is applicable to organizations leveraging Mandatory Access Control (MAC), the principle’s application is most obvious in Discretionary Access Control (DAC) environments. With DAC, the principle of least privilege suggests that a user will be given access to data if, and only if, a data owner determines that a business need exists for the user to have the access. With MAC, we have a further concept that helps to inform the principle of least privilege: need-to-know.

Need-to-Know

In organizations with extremely sensitive information leveraging Mandatory Access Control (MAC), basic determination of access is enforced by the system. The access determination is based upon clearance levels of subjects and classification levels of objects. Though the vetting process for someone accessing highly sensitive information is stringent, clearance level alone is insufficient when dealing with the most sensitive of information. An extension to the principle of least privilege in MAC environments is the concept of compartmentalization.

Compartmentalization, a method for enforcing need-to-know, goes beyond the mere reliance upon clearance level and necessitates simply that someone requires access to information. Compartmentalization is best understood by considering a highly sensitive military operation: while there may be a large number of individuals (some of high rank), only a subset “need-to-know” specific information. The others have no “need-to-know,” and therefore no access.