Page 288 - CISSO_Prep_ Guide
• Isolate production and programming (development) environments.
• Keep purchased software in escrow (so it remains available if the vendor goes out of business).
• Heuristic scanning – watching for small but suspicious code strings.
• Change detection software = Tripwire (file-integrity monitoring).
• Edit controls = input checks that catch invalid data as it is entered.
• Do not use production data in testing systems.
• Sanitize test data (clean out confidential information). This is the responsibility of the information owner.
Operations Security
Terms / Foundations
• Directive control = type of administrative control that is management related. Typically consists of policies and procedures that mandate actions to reduce risk.
• D.A.D. = disclosure (confidentiality attack), alteration (integrity attack), and destruction (availability attack).
• Resources can be sensitive (confidential, secret) and/or critical (operational needs, availability issue).
• Keeping track of the licensing of software is important. This can be an automated or manual process.