In order to support continuous operations, the following principles should be adopted as part of the security operations policies.
Audit logging: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations. Audit logging also provides unique user access accountability that can detect potentially suspicious network behaviors and/or file integrity anomalies, as well as forensic investigative capabilities in the event of a security breach.
The continuous operation of audit logging comprises three important processes:
- New events detection: The goal of audit logging is to detect information security events. Policies should be in place to define what a security event is and how to address each type of event.
- Adding new rules: Rules are built to allow detection of new events. A rule maps the values expected (or not expected) in a log file to the event they signal, so that matching log records raise that event. In continuous operation mode, rules must be updated as new risks emerge.
- Reduction of false positives: The quality of continuous-operations audit logging depends on reducing the number of false positives over time so that operational efficiency is maintained. This requires constant improvement of the rule set, for example by tuning thresholds and suppressing known benign sources.
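The three processes above can be illustrated with a small rule-driven detector. The following is an added example, not code from the original document: it assumes a constructed "timestamp host program key=value ..." log layout and a handful of constructed log lines, parses them, evaluates a rule set that maps expected field values to events, and shows how a threshold and a suppression list cut false positives (a known scanner host, a log file that is expected to change). Adding a new rule is just appending another `Rule` to the list.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit log lines (not from any real system). The
# "timestamp host program key=value ..." layout is an assumption of this example.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd user=alice src=10.0.0.5 result=FAIL",
    "2024-05-01T10:00:02Z host1 sshd user=svc-scan src=10.0.0.99 result=FAIL",
    "2024-05-01T10:00:03Z host1 sshd user=alice src=10.0.0.5 result=FAIL",
    "2024-05-01T10:00:04Z host1 sshd user=bob src=10.0.0.7 result=FAIL",
    "2024-05-01T10:00:05Z host1 fim path=/var/log/syslog result=CHANGED",
    "2024-05-01T10:00:06Z host1 sshd user=alice src=10.0.0.5 result=FAIL",
    "2024-05-01T10:00:07Z host1 sshd user=svc-scan src=10.0.0.99 result=FAIL",
    "2024-05-01T10:00:08Z host1 fim path=/etc/passwd result=CHANGED",
    "2024-05-01T10:00:09Z host1 sudo user=bob cmd=/bin/bash result=OK",
    "2024-05-01T10:00:10Z host1 sshd user=alice src=10.0.0.5 result=OK",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+)(?P<kv>(?: \S+=\S+)*)$")


def parse_line(line):
    """Parse one log line into a flat dict of fields; None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prog": m.group("prog")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


@dataclass
class Rule:
    """A detection rule: expected field values mapped to a named security event."""
    name: str
    match: dict          # field -> expected value; every pair must match for a hit
    group_by: str        # field whose value identifies one actor or object
    threshold: int = 1   # hits for a single group_by value needed to raise the event
    # field -> set of values to ignore; this is where false-positive tuning lives
    suppress: dict = field(default_factory=dict)


RULES = [
    # Three failed logins by one user raise an event; the known vulnerability
    # scanner at 10.0.0.99 (constructed address) is suppressed as a false positive.
    Rule(name="ssh-repeated-failure", match={"prog": "sshd", "result": "FAIL"},
         group_by="user", threshold=3, suppress={"src": {"10.0.0.99"}}),
    # Any file-integrity change is an event, except for a log file that is
    # expected to change constantly.
    Rule(name="file-integrity-change", match={"prog": "fim", "result": "CHANGED"},
         group_by="path", suppress={"path": {"/var/log/syslog"}}),
]


def detect(lines, rules):
    """Return (rule_name, group_value) for each event, in the order it was first raised."""
    hits = defaultdict(lambda: defaultdict(int))
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped here; a real pipeline would count them
        for rule in rules:
            if any(rec.get(k) != v for k, v in rule.match.items()):
                continue
            if any(rec.get(k) in vals for k, vals in rule.suppress.items()):
                continue
            key = rec.get(rule.group_by, "<missing>")
            hits[rule.name][key] += 1
            if hits[rule.name][key] == rule.threshold:
                events.append((rule.name, key))
    return events


if __name__ == "__main__":
    for event in detect(SAMPLE_LOGS, RULES):
        print(event)
```

Running the block as-is raises two events (alice's third failed login and the change to /etc/passwd) while the scanner's failures and the syslog change are suppressed. The `sudo` line raises nothing until a rule for it is added, which is the "adding new rules" step: `detect(SAMPLE_LOGS, RULES + [Rule(name="sudo-shell", match={"prog": "sudo", "cmd": "/bin/bash"}, group_by="user")])` then reports a third event for bob.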
Contract/authority maintenance: Points of contact for applicable regulatory authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated as per the business need (e.g., change in impacted scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
Data governance (secure disposal): Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Incident response legal preparation: In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, shall be required for preservation and presentation of evidence to support potential legal action subject to the relevant jurisdictions. Upon notification of a security breach, impacted customers (tenants) and/or other external business relationships shall be given the opportunity to participate as is legally permissible in the forensic investigation.
Information/Data Governance Types
The following lists a sample of information/data governance types. Note that this may vary depending on your organization, geographic location, risk appetite, etc.