Standard for Operations Security

I. Purpose

The purpose of this standard is to ensure the correct and secure operations of any UNC Charlotte-hosted system, service, infrastructure, or any physical location that houses these items.

II. Scope

All owners of UNC Charlotte-hosted systems and services, as well as those individuals managing the supporting infrastructure and physical locations, should ensure that measures are in place to maintain operational security.

III. Contacts

Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@charlotte.edu.

IV. Standard

Protocols to ensure and maintain operational security of systems, services, infrastructure or physical locations should include:

• Operational procedures and responsibilities
  • Procedures and responsibilities should be defined for the operation of systems, services, infrastructure or physical locations;
  • Changes should be controlled through a formalized change management process;
  • Capacity management should be implemented; monitoring, tuning, and evaluating the use of resources to project and respond to future capacity requirements and ensure required performance levels;
  • Production, test, and development environments should be separated to reduce the risk of unauthorized access or changes to the production environment.
• Protection from malware
  • Controls should be implemented to detect, prevent, and recover from malware;
• Information backup
  • Backup copies of information, software and system images should be taken and tested regularly.
• Logging and monitoring
  • Event logs recording activities, exceptions, faults and information security events should be maintained and appropriately reviewed;
  • Log data should be protected from tampering and unauthorized access;
  • Logs of privileged account holder (system administrators and system operators) activity should be securely maintained and appropriately reviewed;
  • To assure a single reference time, clocks of relevant information processing systems should be synchronized.
• Control of production software
  • Procedures should be in place to control the installation of software on production systems.
• Technical vulnerability management
  • Current information about technical vulnerabilities should be evaluated to assess the organization’s exposure and to determine the appropriate measures needed to address the related risk.
• Information systems audit considerations
  • Audit activities should be planned to minimize the impact on operational systems.

Related Resources

• University Policy 311 Information Security
• Guideline for Security of Endpoints
• Guideline for Security of Applications
• Guideline for Security of Systems
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by the Information Assurance Committee 4/2/15
Updated 1/5/23