Security Policies & Standards for GSA S2S & G2S Systems

Sometimes it’s easy to lose the overall security picture when trying to get the latest gaming systems, protocols and networking standards incorporated into your environment. While your company may be primarily focused on getting GSA S2S, G2S and BOB systems integrated, don’t forget to keep the overall system security management in mind as well.

You achieve this via Security Systems Management: documenting your policies, standards, procedures and processes. I know, you’re thinking you don’t have time to deal with it now. But it’s actually easier to do it now, while you’re architecting or implementing these standards, than after the fact. Security Systems Management should be an integral part of your overall security operations; it makes sure security is built into your new environment from the start and keeps it secure through its daily operations.

Systems Management

The goal of Systems Management is simple: to ensure your organization’s systems, and the data they hold, are secure and can efficiently and effectively operate. At a high level, it’s focused on providing and documenting how you operate.

  • Policies – They are what drive why you do what you do. They might reflect your organization’s view on security or IT management or both. Policies help define how you manage all the items below. Having documented policies enables an organization to function with the same goals in mind.
  • Standards
    • Standards provide a way to ensure your company isn’t duplicating its efforts, and to ensure you don’t have conflicting systems, protocols or security standards. Documented standards provide an efficient, cost-effective way to run your IT organization.
      • Systems standards can define the products you allow.
      • Standards may define “gold” builds or application protocol standards.
      • Standards can define what level of encryption is required in your organization, or how your company has implemented G2S and/or S2S.
  • Processes
    • Standardized, repeatable, documented processes ensure that your team understands how things are done in your organization and everyone will produce the same results. These processes also document what to do in those “exception” cases. For example:
      • Does your team understand what to do if there is an incident in your organization?
      • What’s the process for change management? Who is allowed to approve a change to the architecture or to a firewall?
      • What’s the process for ensuring access controls are in place and up-to-date?
  • Procedures
    • These are actual activities, actions or work instructions for your team members and are the support for the processes you have in place.
      • For incident management, it may be the call list for response team members (who calls whom). It may be the actual steps the CIRT personnel must take if the incident is based on loss of player data or a malicious compromise of a system.
      • For change management, it would define who is responsible for approving changes to systems or integrating new systems into your network. It could even be how you need to securely decommission and dispose of systems or drives.
  • Defined Roles & Responsibilities
    • Don’t forget to define roles and responsibilities for key activities and communicate them. For example, this would be the place where you’d define specific system security-related duties that might outline:
      • Separation of firewall duties (system firewall management from firewall rule management)
      • What roles can approve, test and apply system-level patching?
      • Incident management roles and responsibilities (e.g., who responds to a server going down versus a virus outbreak?)

So where do you start? At a minimum, identify the critical G2S, S2S and BOB systems and then make sure you have the following:

  • An overall security policy
  • Security standards (to include any compliance mandates)
  • Architecture: standards and change policies
  • Systems Configuration: standards and processes (be sure to include router, firewall, IPS/IDS, Wireless, logging/monitoring and other security- and non-security-related supporting infrastructure)
  • Incident Management: standards, processes and roles/responsibilities
  • Access Control: standards and processes
  • Change Control: standards, processes, procedures and roles
  • Patch Management: standards, processes and procedures
