III Security Operations
Management should design policies and procedures to effectively manage security operations with the following characteristics:
- Broadly scoped to address all ongoing security-related functions.
- Guided by defined processes.
- Integrated with lines of business and third parties.
- Appropriately staffed and supplied with technology for continual incident detection and response activities.
Security operations involve a wide range of activities. Those activities may be centralized in a security operations center, distributed within the information security department and business lines, or outsourced in whole or in part. Security operations activities can include the following:
- Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules).
- Forensics (e.g., analysis of potentially compromised systems).
- Threat identification and assessment.
- Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results).
- Vulnerability cataloging and remediation tracking.
- Physical security management (e.g., CCTV, guards, and badge systems).
- Law enforcement interface (e.g., data retention and lawful intercepts).
- Third-party integration (e.g., managed security services and incident detection services).
- Network, host, and application activity monitoring.
- Analysis of threat intelligence from external sources.
- Engagement with information sharing groups.
- Incident detection and management.
- Enforcement of access controls.
Management should establish defined processes and appropriate governance to facilitate the performance of security operations. Policies should address the timing and extent of the security operations activities, reporting, escalation triggers, and response actions. Many institutions use an issue tracking systemAn issue tracking system (also ITS, trouble ticket system, ticketing management system, support ticket system, request management system, or incident ticket system) is a computer software package that manages and maintains lists of security issues. to record and manage requests and events. An issue tracking system can be a source of evidence, contain a variety of security information, and serve as a valuable tool to assist management when taking actions to strengthen the information security environment.
Management should coordinate security operation activities with the institution's lines of business and with third-party service providers. Regardless of how extensive the coordination is, the goal should be to maintain a sufficient security operation capability across the entire environment.
Sufficient technology and staff should be available to support continual incident detection and response activities. Some institutions may rely on or supplement their activities with third parties to gain the necessary scope and depth of coverage. Refer to the IT Handbook's "Outsourcing Technology Services" booklet for more information.
III.A Threat Identification and Assessment