Communications and Operations Management:

From HORSE - Holistic Operational Readiness Security Evaluation.


Planning involves preparing for future activities by defining goals and the strategies used to achieve them. Information technology is an integral part of financial institution operations. Therefore, financial institutions should integrate IT resources and investments into the overall business planning process. Major investments in IT resources have long-term implications for both the delivery and performance of the institution's products and services. Independent data centers also should plan effectively so that they can provide quality, cost-effective service to client financial institutions. Institution management should monitor any changes in the current strategies and plans of the independent data centers that provide it services.

Plans may vary significantly depending on the size and structure of the organization. Every organization should strive to achieve a planning process that constantly adjusts for new risks or opportunities and maximizes the value of IT to the organization. Management should always document plans; however, a written plan does not by itself guarantee an effective planning process. Management should measure specific plans by whether they meet the organization's business needs. For all plans, the examiner should evaluate the process as well as the written product. A sound plan requires the involvement of the board of directors, senior management, and users in the planning process. The board of directors should review and approve the plan. Senior management participates in formulating and implementing the plan. The individual departments and functional areas identify specific business needs and, ultimately, implement the plans.

ISO 17799 defines Communications and Operations Management objectives to: ensure the correct and secure operation of information processing facilities; minimize the risk of system failures; protect the integrity of software and information; maintain the integrity and availability of information processing and communication; ensure the safeguarding of information in networks and the protection of the supporting infrastructure; prevent damage to assets and interruptions to business activities; and prevent the loss, modification or misuse of information exchanged between organizations. This section provides templates for the Information Security standards that are required to comply with the ISO Communications and Operations Management objectives and that support the objectives established in the Asset Protection Policy, Asset Management Policy, Vulnerability Assessment and Management Policy, and Threat Assessment and Monitoring Policy.

1. Sample Technical Protection Standards
These technical standards are required to comply with ISO Communications and Operations Management objectives and provide detailed best practices for configuring and hardening various technologies in accordance with the Asset Protection Policy.


2. Sample ISO Availability Protection Standard
The Availability Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the availability of information assets.


3. Sample ISO Integrity Protection Standard
The Integrity Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the integrity of sensitive information.


4. Sample ISO Encryption Standard
The Encryption Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for encrypting sensitive information.


5. Sample ISO Information Handling Standard
This Information Handling Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific instructions and requirements for handling information assets. These instructions address handling requirements for printed, electronically stored and electronically transmitted information.


6. Sample ISO Configuration Management Standard
The Configuration Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.


7. Sample ISO Change Control Standard
The Change Control Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for following approved processes and procedures that ensure only authorized updates and changes are implemented in the production environment.


8. Sample ISO Vulnerability Assessment Standard
The Vulnerability Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for assessing and prioritizing vulnerabilities.


9. Sample ISO Vulnerability Management Standard
The Vulnerability Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for "closed-loop" vulnerability management activities including vulnerability mitigation, information review and analysis, as well as metrics tracking and reporting.


10. Sample ISO Threat Assessment Standard
The Threat Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for periodically identifying, analyzing and prioritizing threats to information assets.


11. Sample ISO Incident Response Standard
The Incident Response Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.