Operations security and production controls - Essay Example

Operations security and production controls The organization that I work for has well defined rules to regulate operational security and production controls. Each rule is well defined and the system ensures that each rule is well audited by the superseding rule. (M. E. Kabay and Myles Walsh). The concept of security should encompass both the concepts of physical as well as intangible materials like information which can be orally compromised. The operational security in the firm is maintained by both uniformed personnel members of the staff who are directly associated with ongoing projects. From the security perspective, operations can be divided into tangible and operational security measures. Tangible security aspects involve the security personnel in the organization who ensure the security of the organization by serving as a barrier between the outside world and the production department, by preventing any material being taken outside. It also involves prevention of any hazardous material being brought inside, apart from ruling out the entry of unauthorized people inside the premises of the company. Roles of the security personnel: One of the most important instructions that the security personnel adhere to, is that access to specific areas of the company is need based rather than designation based. This is intended to ensure that people who are unrelated with a specific project will have least access to the systems that are managed by that project team. For example, the project manager of Project A will not have unrestrained access to the operational facilities that are being operated and managed by the project manager of project B. This ensures that intra-official interference is brought down to the barest minimum. The security personnel also make routine checks to ensure that data sensitive material is not transported inside or outside the company. For example, security personnel in the company if deemed necessary have the right to stop and frisk officials who may be suspected of compromising the security of the organization. Every employee in the organization has a definite security role. The programmers have the minimum security privileges while the project manager has the maximum security privileges within the company. For example, a programmer will need special permission from the project manager to access specific data and to copy or distribute it. Similarly, access to specific network resources is also controlled. Members of the team are also prevented from brining in or taking out media like floppy discs, CDs, pen drives, thumb drives etc into which data may be copied for later distribution to any sources other than to whom it is intended. Authorization for any temporary breach of security norms has to come from the project manager, or the technical head if the project manager is not available for the day. Security measures are implemented in a cascading manner and the lowest positions have very less leeway in terms of bypassing established security norms prescribed by the company and its management. Operational security measures: The operational security measures are those in which the operational staff has a vital role to play than the uniformed personnel who guard the exterior or specific interior areas in the context of physical security. Here the operational strategy of the company with respect to security measures is overseen by the project manager who makes a security plan after discussions with the technical officer of the project. Some of the security measures that are implemented in the company are as follows: 1. With regard to operational security, it is mandatory that all data be checked into Microsoft VSS at the end of working hours. This is intended to ensure that the latest version of the code is available to the members of the team when they resume operations during the next day. Checking in data to VSS also ensures that data is not lost and is not dependent on the availability of a particular person or a group of people who may be working on a particular module and have access to codes. At the end of each working day, code that has been created for the day will be checked into VSS using appropriate and agreed upon naming conventions. The data will be checked out the next day to resume work. This will ensure that fresh code is always available to other members of the team apart from ensuring that code that is old by a maximum of a day is readily available for rework if any 9. (Alan Schwartz, et al.). 2. The company also has a system of backup and recovery in place to avoid total loss of data. Data is backed up into tapes or CDs every third day to ensure their safety and to facilitate availability of vital information in case the system that stores the data crashes or sustains other kinds of physical damage. The backed up data is safely stored in vaults which can be accessed only by the project manager or the technical head of the project. (Douglas Schweitzer). 3. All forms of data and media that may be needed to be transferred between departments have to be approved by the project manager. Fresh or certified media is to be used to transport data across departments when the need arises. This will ensure that data stored in the system doesn’t become corrupt by the presence of virus. Rules also have been introduced to prevent unauthorized copying of data by employees, who may hand it over to unauthorized persons, which may compromise the interests of the company. 4. The company also has a strict network usage system in place. Each member has the privilege of sharing some of his or her work to members of other department, but they will not be able to share any resources that are classified, with members of other departments. This is ensured by checking in members to specific domains that prevents the sharing of unauthorized data. Access to other network resources such as the Internet is also strictly controlled. Only the project leader and designations above the project leader are provided Internet access that will allow them to send mails through the Internet or surf the net. This is primary intended to avoid exposure to risks such as lacking or attack by viruses as well as to prevent data being sent to unauthorized person through the medium of emails or internet/website uploads. Other positions will not need to send mails and they will only be allowed to use internal mails. (Whitman, M. E. and Mattord, H. J., 2005). Works cited Whitman, M. E. and Mattord, H. J. (2005). Principles of Information Security. 2nd ed. Boston: Thomson Course Technology. Kabay, M. E. and Walsh, Myles. CISSP. Operations Security and Production Controls. 4th ed. Schwartz, Alan et al. Practical UNIX and Internet Security. Oreilly & Associates Inc. Schweitzer, Douglas. Incident Response. John Wiley & Sons Inc. Read More