7.4 Apply foundational security operations concepts

  • Need-to-know/least privileges
  • Separation of duties and responsibilities
  • Privileged account management
  • Job rotation
  • Service Level Agreements (SLA)

A Job Responsibility is a list of the tasks that an employee performs.  We use these responsibilities to determine the resources that the employee can access.  The employee should be granted access only to the resources that he requires to perform those tasks.  This is known as the principle of least privilege.  Likewise, an employee should have access only to the data that he needs in order to perform his job.  This is known as the need-to-know basis.

We can also perform Job Rotation.  An employee is not permitted to remain in a specific role for an extended period.  Employees are rotated at staggered times rather than all at once.  This allows the organization to investigate and detect potential security breaches.  An employee who stays in the same role for an extended period has an opportunity to abuse his position without being detected.  When a new employee takes over the role, he is positioned to detect the breach.  Job Rotation has the added benefit of allowing multiple employees to train in each role, so that an employee can be replaced if he is sick or quits.

Separation of Duties is the principle that a sensitive task requires multiple employees to complete.  That way, a single employee cannot bypass security controls on his own.  For example, the user who approves an invoice can’t also be the user who issued the purchase order.

A privileged account is also known as an admin account or an elevated account.  The privileged account will have more access than the user account.  In a large organization, there can be different levels of privilege/access, or groups of privilege/access (for example, domain administrator, email administrator, etc.).

  • A privileged account should be tied to a specific user.

  • The user should only be assigned the privileges that he requires to do his job.

  • The user should use a standard account for day-to-day tasks.  The user should only log in to the privileged account when required.

  • Even better, the user should never log in to his privileged account.  He should log in to his standard account and then run privileged tasks as an administrator.

  • A manager should approve the creation of a privileged account, and its purpose should be well documented.

A Service Level Agreement (SLA) details the required level of performance and the penalties for not meeting those levels.  We negotiate an SLA with a service provider.

If we are buying a service such as internet, WAN, web hosting, or telecommunications, then the SLA might tell us how reliable we can expect the service to be.  For example, if an organization purchases web hosting services, the hosting company may guarantee that services will operate 99.99% of the time.  If the web hosting is available less than 99.99% of the time, the organization may be entitled to a refund.  The SLA holds the service provider accountable because downtime costs the organization money.

If we are buying a service such as a repair of network hardware, or other type of break/fix service, then the SLA might tell us how quickly we can expect a response to an incident.

The SLA terms could include

  • Uptime guarantee for web hosting, servers, internet connections, and other services

  • Response time for different issues, depending on their impact and priority.  For example, a two-business-day response for non-critical issues and a one-hour response for critical issues

  • Geographical location where the SLA applies.  For example, urban locations may have a two-hour response time, while rural/remote locations could have a two-day response time

  • With respect to break/fix services, the specific devices that are to be covered under the agreement

  • Penalty for not meeting the response time or uptime guarantee.  The penalty could be structured as

    • A refund of 10%, 25%, or 100% of the monthly fee paid for a service outage exceeding 1%, 2%, or 5% of the billing period.  This structure is common for web hosting and cloud compute service providers.

    • A per-violation penalty.  The service provider pays a specified amount each time it fails to meet the commitment.

    • Reimbursement of the customer for actual damages caused by the outage.  This is not a typical structure because most agreements prohibit indirect or consequential damages.  The service provider’s liability is typically limited to the fees paid by the customer.
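As an added worked example that is not part of the study guide, the uptime guarantee and tiered refund schedule above in Python: it computes availability for a billing month from outage records, clips outages that cross the month boundary, and applies the 10%/25%/100% refund tiers with the "exceeding" boundary handled exactly.  The month, outage records and monthly fee are constructed sample values.

```python
from datetime import datetime

# Refund schedule quoted in the text: 10%, 25% or 100% of the monthly fee when the
# outage share of the month EXCEEDS 1%, 2% or 5% respectively (checked highest first).
REFUND_TIERS = ((5, 100), (2, 25), (1, 10))  # (outage-share % threshold, refund %)

# Constructed sample data (not real provider records): billing month October 2024 and
# three outages, one of which began in September and must be clipped to the month.
MONTH = (datetime(2024, 10, 1), datetime(2024, 11, 1))
SAMPLE_OUTAGES = [
    (datetime(2024, 9, 30, 22, 0), datetime(2024, 10, 1, 1, 0)),      # 60 min in-month
    (datetime(2024, 10, 10, 14, 0), datetime(2024, 10, 10, 14, 12)),  # 12 min
    (datetime(2024, 10, 20, 3, 0), datetime(2024, 10, 20, 3, 3)),     # 3 min
]

def allowed_downtime_minutes(guarantee_pct, month_minutes):
    """Downtime the month may contain while still meeting the uptime guarantee."""
    return month_minutes * (100.0 - guarantee_pct) / 100.0

def total_outage_minutes(outages, month_start, month_end):
    """Whole minutes of outage inside the billing month; intervals that cross a
    month boundary are clipped so only the in-month portion counts."""
    seconds = 0
    for start, end in outages:
        s, e = max(start, month_start), min(end, month_end)
        if e > s:
            seconds += int((e - s).total_seconds())
    return seconds // 60

def refund_pct(outage_minutes, month_minutes):
    """Refund tier owed.  Integer arithmetic keeps the 'exceeding' boundary exact:
    an outage of exactly 1% of the month earns nothing, one minute more earns 10%."""
    for threshold_pct, refund in REFUND_TIERS:
        if outage_minutes * 100 > threshold_pct * month_minutes:
            return refund
    return 0

def evaluate_month(outages, month_start, month_end, guarantee_pct=99.99, monthly_fee=0.0):
    month_minutes = int((month_end - month_start).total_seconds()) // 60
    down = total_outage_minutes(outages, month_start, month_end)
    allowed = allowed_downtime_minutes(guarantee_pct, month_minutes)
    refund = refund_pct(down, month_minutes)
    return {"outage_minutes": down, "allowed_minutes": allowed,
            "availability_pct": 100.0 * (month_minutes - down) / month_minutes,
            "guarantee_met": down <= allowed, "refund_pct": refund,
            "refund_amount": monthly_fee * refund / 100.0}

if __name__ == "__main__":
    print(evaluate_month(SAMPLE_OUTAGES, *MONTH, 99.99, 500.0))
```

With a 99.99% guarantee the allowed downtime is only about 4.5 minutes in a 31-day month, yet the first refund tier requires more than 1% outage (about 7.4 hours), so the sample month misses the guarantee without triggering any refund.  When reviewing an SLA, check that the penalty thresholds actually line up with the guarantee.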

Under a break/fix SLA, the service provider is expected to stock replacement parts for every device that it covers.  This ensures that spare components are always available to repair the device within the SLA time.