13.7.3 Monitor
The IA operations cycle monitor phase is to keep watch on or observe people, processes, policy enforcement, systems, applications, information, and infrastructure, including IA defenses against anomalous behavior. With safeguards in place, monitoring the activity of the safeguards demonstrates that they are working as intended. Monitoring activity logs may show signs of probing, a lesser activity that tests the environment prior to attack in earnest. Monitoring also provides insight into security awareness and understanding, e.g., ensuring that people are following security policy. Monitoring the effectiveness of operations, including IA operations, is the starting point for obtaining the raw data.
Operational effectiveness reports are the first set of reports that show the value of IA. Operations reports may show the number of intercepted attacks on the firewall, the number and type of intrusion detections, the number of probes on an E-commerce server, etc. Management reports refine operations reports into business function goals or tactical objectives, e.g., performance levels or SLAs. Executive level reports refine management reports in terms of revenue and costs. Although this is an oversimplified transition from operational data to executive reports, the goal is to provide the appropriate information and justification to the appropriate audience.
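As an added illustration (not from the book) of the step from raw monitoring data to an operations report: the Python script below parses constructed firewall, IDS and web-server log lines in an assumed key=value format, counts the figures the text names (firewall intercepts, intrusion detections by type, probes on the web server), and flags a source that was dropped on many distinct ports as probing.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the book) in an assumed, simplified
# key=value format; addresses come from the RFC 5737 documentation range.
SAMPLE_LOGS = """\
fw src=203.0.113.5 dport=22 action=DROP
fw src=203.0.113.5 dport=23 action=DROP
fw src=203.0.113.5 dport=445 action=DROP
fw src=203.0.113.5 dport=3389 action=DROP
fw src=203.0.113.9 dport=443 action=ACCEPT
ids src=203.0.113.7 sig=port-scan
ids src=203.0.113.5 sig=sql-injection-attempt
ids src=203.0.113.5 sig=sql-injection-attempt
web src=203.0.113.5 path=/admin status=404
web src=203.0.113.5 path=/.env status=404
web src=203.0.113.9 path=/checkout status=200
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'kind key=value ...' into (kind, {key: value})."""
    kind, _, rest = line.partition(" ")
    return kind, dict(KV.findall(rest))


def operations_report(log_text, probe_port_threshold=3):
    """Reduce raw log lines to the operational counts the text names.
    Web probes are counted as requests answered with 404; a source dropped
    on more than probe_port_threshold distinct ports is flagged as probing."""
    report = {"firewall_intercepts": 0, "intrusion_detections": Counter(),
              "web_probes": 0, "probing_sources": []}
    dropped_ports = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, fields = parse_line(line)
        if kind == "fw" and fields.get("action") == "DROP":
            report["firewall_intercepts"] += 1
            dropped_ports[fields["src"]].add(fields["dport"])
        elif kind == "ids":
            report["intrusion_detections"][fields["sig"]] += 1
        elif kind == "web" and fields.get("status") == "404":
            report["web_probes"] += 1
    report["probing_sources"] = sorted(
        src for src, ports in dropped_ports.items()
        if len(ports) > probe_port_threshold)
    return report
```

The resulting dictionary is the kind of operations-level figure a management report would then roll up against an SLA.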
13.7.4 Respond
The IA operations cycle respond phase covers actions in response to a potential or verified security event or security incident. Responses may include standard responses to predictable events (e.g., help desk assistance on removing a known virus) and specialized responses, including tiger teams, subject matter experts, and digital forensics. Response is part of the larger computer security incident response center (CSIRC) activities: monitor, detect, notify, triage, escalate, isolate, resolve, restore, root cause analysis, and organizational feedback. The final response step is a review and modification of existing procedures in light of lessons learned through the root cause analysis. This completes the IA operations cycle, with response feeding information into more proactive anticipation, defense, and monitoring.
13.8 Empirical Evidence
Nothing speaks louder than empirical evidence, those lessons learned from personal experience, as well as vicarious lessons learned from the experiences of others.
13.8.1 Surveys
Empirical evidence regarding computer crime is found in a variety of surveys conducted worldwide: