From the course: Cybersecurity Foundations

COBIT for operational security

- [Instructor] Let's look now at the second security-focused process, DSS05 Managed Security Services. The description of this process is to protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy, establish and maintain information security roles and access privileges, and perform security monitoring. Essentially, DSS05 defines the requirements of operational security. DSS05 provides operational processes to satisfy three of the five APO13 goals: support IT and business compliance, support the management of IT and enterprise risk, and ensure the security of information, infrastructure, and applications. There are seven operational security control objectives in DSS05, which provide the foundation for a defensive cybersecurity program. Let's take a look at what's in each of them.

The first control objective is protect against malware. Malware is one of the main challenges in cybersecurity today, and protecting against it involves a number of activities and controls. These include antivirus, security patching, security information awareness and, in contemporary terms, cyber threat intelligence, change management, security filtering of email and web traffic, and security training.

The second control objective is manage network and connectivity security. This includes establishing and enforcing policy on network connections, enforcement of password entry, the configuration and use of firewalls and intrusion detection systems, network security protocols and communications encryption, network configuration, security mechanisms to ensure trusted transmission and receipt, network security control testing, and penetration testing. A critical control for this objective is network segregation.

Manage endpoint security covers the security of laptops, desktops, servers, mobile devices, and network equipment. It requires that controls are put in place to ensure the endpoints are securely configured, hardened to remove unnecessary ports and protocols, and that remote access is managed.

The next control objective is manage user identity and logical access. Identity and access management is a very complex issue, and this one control objective can easily consume half the effort in a mature cybersecurity program. It's also the area which generates a good proportion of all audit findings, so it pays to keep a tight focus on it. This process requires that identities are managed from creation to removal, that access rights are established and maintained in line with the roles and responsibilities of the organization, that access to systems and information is authorized and authenticated, that privileged access is strictly controlled, that access rights are regularly reviewed, and that appropriate audit trails of access are kept.

The fifth of these control objectives covers the management of physical access to IT assets. This includes perimeter protection, such as fences, doors, and locks; intruder detection systems; access controls for data centers and office spaces; identity cards; and visitor-management procedures. Increasingly, the use of cloud-based infrastructure is reducing the effort required to manage this area but increasing the dependence on, and the oversight of, third-party security.

Managing sensitive documents is an increasingly important aspect of security, as the focus of protective measures shrinks from the perimeter to the information itself. With employees taking laptops out of the enterprise and sending data out to mobile devices, perimeter security devices such as corporate firewalls no longer protect enterprise information. New techniques such as digital rights management and mobile email encryption need to be employed. This process also includes information- and device-centric controls, such as password- or PIN-controlled printing and PIN codes on mobile devices.

Finally, monitor the infrastructure for security-related events provides the detective controls which are needed to identify security breaches should the enterprise's preventative controls fail. This control objective includes the operation of intrusion detection and prevention systems, logging and alerting on security-related events, operating log management in security information and event-monitoring systems, delivering security incidents to the incident-management process, carrying out forensics, and managing evidence. These are all key activities for a cybersecurity operations center.