ISO 27001 Annex: 12 Operations Security
-
- 24 June 2021
This article includes operational procedures and responsibilities, Documented Operating Procedures, Change Management & Separation of Development, Testing and Operational Environments.
A.12.1 Operational procedures and responsibilities
Its purpose is to ensure that information processing facilities run smoothly and securely.
A.12.1.1 Documented Operating Procedures
Control
Operating procedures need to be documented and accessible by all users.
Implementation Guidance
Documented procedures should be developed for establishing data processing and communications systems, including starting and closing computers, backing up data, maintaining equipment, handling media, managing computer room and mail, and ensuring safety.
These operating instructions should be included in the operating procedures:
1. Installation and configuration of the system;
2. Information processing and management in an automated and manual manner;
3. Backup
4. Scheduling requirements, such as starting early and ending late, and interdependencies with other systems;
5. Instructions on how to handle errors or any other exceptions that may arise during a job’s execution, as well as restrictions on system utilities;
6. Support and escalation contacts including external support if operational or technical issues arise
7. Any specific output and medium handling guidelines, for example, requirements concerning the safe disposal of output from failed assignments, for example, the use of specific stationery or the management of confidential output;
8. Rebooting the system and resolving the system failure;
9. Management of audit trails and system logs;
10. Monitoring procedures.
Documents detailing system operations and operating procedures should be regarded as formal documents and alterations that have been authorized by the management. Whenever it is technically feasible, IT systems should be administered consistently by using the same tools, utilities, and procedures.
A.12.1.2 Change Management
Control
Organizational changes, organizational methods, and information management and security systems must be controlled.
Implementation Guidance
The following considerations will be emphasized:
1. Identify significant changes and record them;
2. Modification planning and testing;
3. An analysis of the effects of these changes on information security;
4. The formal procedure for approving proposed changes;
5. Certification that compliance with information security requirements has been met;
6. A detailed communication to all or any specific individuals regarding the changes;
7. Inability to recover from cost-increase improvements and unforeseeable events, such as abortion procedures;
8. Providing a procedure for implementing the necessary changes to resolve the emergency quickly and efficiently.
The role and procedures of management must be clearly defined to ensure adequate oversight of all changes. When changes are made, an audit log should be kept containing all relevant information.
Other Information
Poor control over improvements in information processing facilities and systems often leads to system failures or security issues. When transitioning from development to operations, changes in the operating environment can affect the reliability of applications.
A.12.1.3 Capacity Management
Control
Monitoring, adapting, and projecting future resource usage needs to be completed to ensure system performance.
Implementation Guidance
It’s important to define capability requirements based on the criticality of the business system. During the system tuning and control process, quality and reliability should be ensured, and improvements should be made. Detective audits should be implemented to detect problems early. The new business needs, system requirements, as well as current and projected trends in the processing capacity of information, should be considered when assessing future capacity needs.
The managers should pay particular attention to any resources that have long procurement lead times or are expensive; they should also monitor the usage of key system resources. It is essential to identify the trends in use, especially about business applications and information management tools.
Using the data, managers will be able to identify and remove potential bottlenecks and dependencies on key workers that could pose a risk to network security and services.
The capacity of a system can be increased by either increasing capacity or increasing demand. Among the requirements for capacity management are the following:
1. Delete obsolete data (free up disk space);
2. Decommissioning applications, programs, databases, or environments;
3. Optimize batch schedules and procedures;
4. Optimizing query logic in programs or databases
3. A refusal or limit on bandwidth if the application is not business-critical (such as video streaming).
For mission-critical systems, a recorded capacity management strategy should be considered.
Other Information
Human resources, offices, and facilities are also considered in this control.
A.12.1.4 Separation of Development, Testing and Operational Environments
Control
Separating the development, testing, and operational environments is important to minimize the risk of unauthorized access to or changes to the operational environment.
Implementation guidance
An emphasis on defining and enforcing the degree of separation between organizational, testing, and development environments is essential to prevent operational problems.
The following factors should be considered:
1. Guidelines for the transition of software from development to operational status must be described and reported;
2. Development and software should run on a variety of computer systems or processors, as well as in a variety of domains or directories;
3. All changes to operating systems and applications should be tested in a testing or staging environment before they are applied to operational systems;
4. Operating system tests should not be performed unless extraordinary circumstances exist;
5. Compilers, editors, and other tool or system development utilities should not be accessible if they are not needed;
6. While evaluating and operating a system, different user profiles should be used, and the menus should display acceptable identifying messages so that errors can be minimized as much as possible;
7. Sensitive data should not be transferred to the test system environment unless the testing environment provides equivalent controls.
Other Information
Testing and development activities can lead to serious problems such as a file, system environment, or system failure from undesirable changes. Developers need to be able to access the operating system in a well-known, secure environment to avoid unsafe access.
The operating system or its data could be untested or unauthorized if development and testing personnel have access or alter operational data. The use of fraud or untested or malicious code can severely adversely affect the operation of some systems.
In addition to operational information, the confidentiality obligation pertains to employees’ development and testing. Sharing the same computing environment for production and testing can lead to unintended software or information changes. As a result, it is advantageous to separate development and testing processes from operations to reduce the chances of incorrectly changing or exposing operational software and data.
Related Questions
1. What is the best way to secure application software?
2. What is ISO 27001 Annex: 12 Operations Security protocols and responsibilities?
3. How can vulnerabilities be protected during the application development process?
4. What is application-level security?
5. What is your strategy for managing test data?
6. Discuss ISO 27001 Annex: 12 Operations Security
