1.) Three primary operations security functions that an organization should implement are employee background checks and screenings, vulnerability testing, and access management. Background checks are fundamental because no matter how secure an organization’s operations may be, it can always be circumvented by a person with access. Edward Snowden is an illustrative example. Accordingly, background check insure that any threat confronted will be the result of an internal issue. Vulnerability testing is necessary because it provides information on where there are weaknesses in the system so that appropriate steps can be taken to resolve the insecurity. For instance, the spread of Stuxnet computer virus was because Microsoft and Siemens failed to properly check the vulnerabilities of their software and machines (Zetter, 2014). An earlier understanding might have allowed them to eliminate the issue. Lastly, by limiting access to certain devices, networks, or rooms to specific personal, an organization greatly limits the chance that protected assets will be accessed without authorization.
2.) Perhaps the most basic procedural activity used to secure facilities folding sensitive data is to control access to those facilities through physical barriers such as a locked door with a limited set of keys held by specific personnel whose integrity has been verified. In addition, access to the sensitive information can further be protected with passcodes/passwords/pass phrases as well as two-step authorization (Cristafano et al., 2014). Consequently, every time someone enters the facility, the need the assistance of a person with the key. Once access has been granted they need a password and external verification through two-step authorization.
3.) Classifying data is important because it limits who cannot access the contents without specific authorization. The growing simplicity of hacking tools is important to realize so that operations security managers maintain vigilance. Clipping levels provides a warning system of unusual and perhaps threatening behavior (Fabro & Maio, 2007). Marking sensitive information provides warning to what can and cannot be accessed. Most systems eventually “crash” fault-tolerant mechanism or a safeguard allow the system to recover in quickest possible time. Phishing is one of the easier ways to gain access to a network, accordingly, staff need to be trained on what to look out for and avoid. Improper mail server configurations may allow criminals to exploit mail servers for their own purposes.
References
Cristafano, E., Du, H., Freudiger, J. & Norcie, G. (2014). A comparative usability study of two-factor authentication. Retrieved from http://www.internetsociety.org/sites/deafualt/files/01_5-paper.pdf
Fabro, M. & Maio, V. (2007, Feb.). Using operational security (OPSEC) to support cyber security culture in control systems environments. Retrieved from http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/OpSec_Recommended_Practice.pdf
Zetter, K. (2014, Nov. 03). An unprecedented look at Stuxnet, the world’s first digital weapon. Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/