Building Effective Security Programmes: Part 7 – The IT Operations Domain

Author: Greg Van Der Gaast

Security • Apr 02, 2024

We’re finally getting into the technical meat and potatoes of our framework.

The IT Operations domain is where I put all IT operations and related/supporting processes, standards, and guidelines relevant to or needed for ensuring security.

I’ll list some of the components I’d put here, in no particular order and without going into detail, as these will vary significantly.

  • Risk Management
  • Change Management
  • SDLC Security
  • Asset Management
  • Procurement Standards
  • Systems/Instances Provisioning
  • Data Retention
  • Systems & Cloud Architectural Standards
  • JML Process
  • Configuration Management & Enforcement
  • Patch Management
  • Event Logging
  • Email & Phishing
  • Endpoint Security
  • Backup & Recovery
  • Network Security
  • Vulnerability Assessments
  • Guidelines for Cloud Services
  • Mobile Device Management
  • Disaster Recovery/BCP
  • Incident Response & Notification
  • Authentication Standards
  • Media Sanitisation & Disposal
  • Supply Chain Security Standards
  • Reporting Guidelines
  • User Provisioning
  • Documentation Standards

Hopefully that gives a general impression. Essentially, the aim is to document any processes, policies, and standards around running IT Operations (or anything that has a bearing on IT Operations, like architecture) that are relevant to information security.

It tends to be, by far, the largest part of the framework. That said, most of the actions, once defined, should be the responsibility of IT Operations and Engineering departments.

The main point is that it’s important for operations (how we build and run things) to be well-defined to ensure both security and consistency (a key element of quality) and not allow the kind of entropy that leads to vulnerabilities, unknowns, and even runaway or shadow environments.

Despite the importance of this, such operations are often not documented, documented poorly, or documented without sufficient detail and granularity. They also often don’t include security considerations.

Populating this domain is a great familiarisation exercise to better understand all our IT processes, mature their documentation, and insert security considerations so that they produce more repeatable, consistent, and secure outputs.

It's also probably the part of the framework that will take the longest to build out. It has the most components and requires the most outside assistance of all the framework’s domains. It’s worth noting, however, that it can also be the most delegated.

Make sure to prioritise wisely.

Naturally, if we at CDW can help advise or provide the best solutions to maximise your success in any of these areas, we’d love to hear from you.

Join us for our next instalment where we take a closer look at managing the security of SaaS and Business applications.
