Operations Management

Communications and Operations management aims to ensure the security of information processing methods and the protection of information across telecommunication networks and technological infrastructures.

Principle

The security stakeholder must ensure the reliability, integrity and availability of the telecommunications network and information processing methods by:

  • Implementing control procedures and security mechanisms;
  • Installing adequate protection methods to ensure the security of operating systems and applications.

Rules and Best Practices

Operations Management

All operations relating to information processing must be documented, updated and available to all applicable users. Given this context, the responsibilities, management and usage procedures for technological infrastructures, operations and information systems, and application software must be established. Operations logs and anomaly reports must be implemented to ensure detection of problems linked to the usage of information processing methods and information security.

The security stakeholder must ensure that the following instructions are respected by informing the applicable contributors:

  • User personal data must be backed up on a regular basis. In the event of a disaster (fire, flood) or hardware problem (defective hard drive, damaged server), the recovery and availability of the affected information and resources must be accomplished within a reasonable time. To make sure this is possible, the backup copies must be tested periodically.
  • If devices containing company information must be transported or shipped, the necessary measures must be taken to ensure transport security (special packaging, briefcase with security code, delivery by secure process, encryption of the information).
  • Email communications over the Internet are not to be considered secure. In the event that confidential or sensitive information must be sent, an encryption mechanism agreed upon by all correspondents must be used.

A backup plan for your company data, production files, applications and operating software must be established. This plan must be defined according to:

  • The volume of data to be backed up;
  • The frequency of backup copies;
  • Legal data retention requirements (if applicable, depending on the type of data).

The type of data to be backed up, the frequency and periodicity of backups, as well as the rotation schedule for backup copies must be defined. The transfer of copies to a different location according to a given schedule, to ensure the problem-free resumption of activities, is recommended as a precaution against major disasters (fire, flood).

The backup plan must be tested on an ongoing basis (twice a year) to ensure that it works properly. The verification procedure must include regular review of a log of backup activities.

Activities relating to application development and testing must not be conducted on production environments. This separation aims to eliminate the possibility of confusing test data with actual data, and to prevent any unauthorized access to sensitive operational data. Additionally, acceptance criteria, including a target confidence level, must be defined before new information systems, versions or upgrades are put into production. Contracts relating to assets managed by third parties must include management measures indicating sensitive security elements and the security procedures to be implemented. A designated person or team within the company must ensure that the requirements in the service agreement and those relating to security are respected, including the right to audit.

Management of Telecommunications Network Security

The telecommunications network and the technological infrastructures that support it are critical components of the information system and must be protected by security and control measures that take into account all company access requirements relating to clients, partners and personnel (remote access, communications with third parties, electronic commerce and transactions, etc.).

The risks relating to the alteration or disclosure of confidential and sensitive information are multiplying at an ever-increasing rate. These risks are caused by:

  • Malicious software (worms, identity theft, spyware, etc.);
  • Network intrusions and eavesdropping;
  • The availability of wireless networks;
  • New storage technologies (flash memory keys, external drives, etc.);
  • Human error and the potential of malicious acts being perpetrated by company personnel.

To ensure protection against malicious acts and attacks from computer hackers, there are several protection methods available:

  • Firewall: Protects the network from intrusions and prevents unauthorized internal-to-external traffic. A personal firewall may also be installed on workstations in order to protect them from network attacks;
  • Antivirus software: Searches for and eliminates computer viruses and other malicious software. Antivirus software must be installed across various levels:
    • On each computer in the company’s installed base;
    • On the messaging server;
    • On the Internet access gateway.
    It is recommended that a different manufacturer be used for each level to increase the chances of detection.
  • Software updates: Ensuring that all software used by the company is up-to-date helps to eliminate known vulnerabilities and leverage the latest security improvements. An automatic update service (Windows Update) is available for Windows 2000 and Windows XP.
  • Analysis of the technological infrastructure: Analysing the technological infrastructure (servers, routers, firewalls, etc.) allows you to determine whether there are vulnerabilities that could be exploited by malicious individuals or entities. A vulnerability scanner is automated software designed to analyse the hardware in the installed base in order to detect vulnerabilities and weaknesses in the telecommunications network. Following the testing process, the software generates a report indicating identified vulnerabilities and the elements that require corrective measures.