OPERATIONAL SECURITY IN PRACTICE

Operational Security in Practice

Operational Security is a very key concept in modern business and information

technology world. The executives and the managers are responsible to protect the sensitive

information of the organization with the risk management process. The knowledge we gain from

studying the Operational Security course helps us to identify what sensitive data are, why they

need to be protected from unauthorized access, what risks, vulnerabilities and attacks are, how

those risks can be mitigated, and what are the rules or policies or guidelines that an organization

should follow to run their business and achieve their goals. Also, how the security policies are

defined based on different industry standards and government regulatory policies.

My manager took me to the IT commons, a department in my office to implement and

monitor the organizational IT policies, on the first day in my office to complete the information

and privacy security training for my onboarding process in the company. After completing the

training, I was provided the network access and I was able to use my laptop and other hardware

and software devices. This process helps the employees understand about the security and

privacy policies of the organization from the starting day of work. My manager sends an email to

the team every six months as a remainder to complete the compliance on the security and privacy

training, and the information security training. By taking the course, I got a detailed explanation

about how those trainings are helpful for the organization to make the employees aware and

responsible for all the policies, standards, procedures, and guidelines. Also, the security policies

are designed in such that we can identify the possible threats, analyze the vulnerabilities and

security holes, and appraise the risks based on the level of vulnerability. If there are any

weakness or vulnerabilities are present, the policies are updated so that the unauthorized people

can not get access to the company’s sensitive information.

OPERATIONAL SECURITY IN PRACTICE

The IT commons in my office has setup multi-factor authorization mechanism to install

any software or hardware components. All the installation requests go through the approval

process, i.e. an employee must order any software or hardware component from the

organization’s software center, which after approval from the manager is handled by the IT team

based on the business justification provided. The IT team completes the order as individual

employee does not have the administrative access to install those requested components. In this

way, the policies are set in place to minimize the risks, vulnerabilities and threats. Also, they

have filtered the junk emails sent by the outsiders with an intention to hack the system or steal

the information. Sometimes the security team themselves send the suspicious email to check if

the employees are aware of the email policy or not. There are guidelines to secure the personal

identifiable information (PII) while storing and transmitting the data. Trainings are provided to

the employees to help them understand about the PII, HIPAA guidelines. The individuals whose

data is collected should be made aware that how the data will be used, and limitations are set on

how much information should be collected based on the requirements. Also, proper encryption

mechanisms are followed when they are transmitted through email. The security team monitors

and tests the security control and regulatory. In this way the policies guide the employees to

detect, prevent and correct errors and help in the risk-free organization culture.

Although we have been familiar with all the terms, standards, policies, and guidelines in

our workplace, the research from this course helped us gain a better understanding about the

importance of those standards, policies and guidelines. I am now more aware about the formal

security guidelines and measures that I can apply if the unexpected situation arises. I am also

more aware about handling the customer’s personal privacy and information and became more

familiar about the industry and US government standards.