Information security has specific implications for technology operations. Data center operations should support and complement the financial institution's information security architecture and processes. Refer to the IT Handbook's "Information Security Booklet" for additional information.
As part of the information security program, management should implement an information classification strategy appropriate to the complexity of its systems. Generally, financial institutions should classify information according to its sensitivity and implement controls based on the classifications. IT operations staff should know the information classification policy and handle information according to its classification.
IT operations management should implement preventive (e.g., access controls), detective (e.g., logging), and corrective (e.g., incident response) logical security controls. All three types of controls provide a framework for IT operations information security. These controls can be implemented by administrative (e.g., policy), logical (e.g., access controls), or physical (e.g., locked room) controls.
IT operations staff should be aware of the organization's information security program, how it relates to their job function and their role as information custodians. As custodians, the IT operations staff has the responsibility of protecting the information as it is processed and stored.
Management should employ the principle of least possible privilege throughout IT operations. The principle provides that individuals should only have privileges on systems and access to functions that are required to perform their job function and assigned tasks. Access privilege may include read-only, read/write, or create/modify. Even read-only access poses risk since employees can print or copy sensitive customer information for inappropriate use. System administrator and security administrator level access allow an individual to change access privileges to systems and information. Individuals with these roles and privileges should have minimal transactional authority. Independent employees should monitor the system and security administrator activity logs for unauthorized activity. Smaller operations centers are challenged in implementing separation of duties and the principle of least privilege because they frequently do not have the resources. Management at smaller institutions should establish compensating controls in these circumstances.
Network and system monitoring and maintenance tools can provide IT operations staff with inappropriate access to sensitive information. These hardware and software monitoring and maintenance tools observe equipment for error conditions, faulty links, or other problems. These utilities may also allow operations staff powerful access to operations center equipment. Because monitoring tools such as network sniffers, network diagnostics tools, and network management utilities can circumvent traditional safeguards, management should control access to them. Controls for such tools should include:
- Policies defining appropriate use;
- Least possible privilege;
- Usage logs;
- Reports to management and audit on use of monitoring tools;
- Password protection and lockout facilities;
- Physical protection (e.g., a locked cabinet); and
- Dual control of equipment (i.e., two individuals need to operate equipment together).
Remote monitoring and administration tools pose special risks to information security. Remote tools allow operators to connect through a remote function and perform activities they would normally perform on-site. Some financial institutions have approved remote access technologies as a central, common solution for all employees who require remote access. Information security personnel should scrutinize and monitor remote access closely. Remote access solutions that are available continuously or for extended periods of time pose the greatest risk to a financial institution. Because remote access solutions potentially bypass information security controls, management should evaluate and implement appropriate user access, activity logging, and time of day controls to minimize the risk of unauthorized access.
Other types of remote access such as modems attached to systems or special maintenance ports may circumvent the central, approved remote access solution. Information security personnel may overlook these remote access points, which might allow unauthorized individuals to access sensitive equipment. Management should routinely review the network topology and hardware inventory to ensure the identification and control of all remote access points. Management should also document strict policies about the consequences of unauthorized use of modems or other access devices without implicit approval.