Practical Connection Paper

Gaurav Venkatesh

Over the last four weeks in the course Operation Security Planning and Disaster Recovery, taught by Dr. Jacquelyne Lewis, I had a chance to learn about the importance of implementing operations security in any IT organization. I work as an Enterprise Technology developer at a banking institution in Raleigh, NC, and could see how many of the things I learned in this class apply to my work. The concepts I learned in the class were always present at my work, but I never realized their importance until I took this course.

For instance, separation of duties is something I deal with every day at work, but I never realized the importance of its implementation. Separation of duties is an internal control that ensures no single individual has access to enough parts of a process to commit fraud in any manner. Before this course, I always found SoD to hinder the speed at which my team and I develop applications and push them to production. Now I understand why these checks are required and how, without them, an organization becomes vulnerable to attacks, especially insider attacks. I also learned that SoD ensures that even if my account is compromised by an attacker, there is only so much that can be done with it: an attacker would also have to compromise other accounts in order to complete a full transaction.

I would like to move into the security division of my organization, and one of the key lessons I learned was the value of implementing the NIST and PCI DSS rules strictly. The incident in which a private-sector company was breached because it had not implemented network segmentation speaks volumes about the importance of these rules. Breaches like that can damage the reputation of an organization immensely.
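The separation-of-duties point made above (one compromised account should not be enough to complete a full transaction) can be made concrete with a small check. The following Python is an added example written for this page; it is not code from the paper, from the author's employer, or from any bank. The roles, the user directory and the three-step author/approve/deploy rule are assumptions chosen to illustrate the control.

```python
"""Added example: a separation-of-duties check for a change-release pipeline.

All roles, users and rules below are assumptions made for illustration; they are
not taken from the paper or from any real organization. The rule enforced is a
three-person rule: a change is authored by a developer, approved by a reviewer
who is not the author, and deployed by a release manager who is neither.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Iterable, Optional

# Constructed sample identity directory: account name -> roles held.
ROLES = {
    "alice": {"developer"},
    "bob": {"developer", "reviewer"},
    "carol": {"reviewer"},
    "dave": {"release_manager"},
}


@dataclass
class Change:
    change_id: str
    author: str
    approver: Optional[str] = None
    deployer: Optional[str] = None


def has_role(user: str, role: str) -> bool:
    return role in ROLES.get(user, set())


def approve(change: Change, user: str) -> Change:
    """Record an approval, refusing any assignment that collapses two duties onto one account."""
    if not has_role(user, "reviewer"):
        raise PermissionError(f"{user} does not hold the reviewer role")
    if user == change.author:
        raise PermissionError("a change may not be approved by its own author")
    change.approver = user
    return change


def deploy(change: Change, user: str) -> Change:
    """Record a production deployment; requires a prior approval and a third, distinct account."""
    if change.approver is None:
        raise PermissionError("change has not been approved")
    if not has_role(user, "release_manager"):
        raise PermissionError(f"{user} does not hold the release_manager role")
    if user in (change.author, change.approver):
        raise PermissionError("deployer must differ from both author and approver")
    change.deployer = user
    return change


def attacker_can_ship(held_accounts: Iterable[str]) -> bool:
    """Given the accounts an attacker controls, can they push a change end to end alone?

    Tries every ordered triple of distinct held accounts as (author, approver, deployer)
    and runs it through the same checks a legitimate release faces.
    """
    for author, approver, deployer in permutations(sorted(set(held_accounts)), 3):
        if not has_role(author, "developer"):
            continue
        change = Change("CHG-hypothetical", author)
        try:
            approve(change, approver)
            deploy(change, deployer)
        except PermissionError:
            continue
        return True
    return False


if __name__ == "__main__":
    # Legitimate release: three different people, three different duties.
    c = deploy(approve(Change("CHG-1001", "alice"), "bob"), "dave")
    print(f"{c.change_id}: authored by {c.author}, approved by {c.approver}, deployed by {c.deployer}")

    # One compromised account is not enough; even bob, who holds two roles, cannot approve his own work.
    for held in ({"alice"}, {"bob"}, {"alice", "bob"}, {"bob", "dave"}, {"alice", "bob", "dave"}):
        print(f"attacker holding {sorted(held)} can ship alone: {attacker_can_ship(held)}")
```

In the sample directory bob holds both the developer and reviewer roles, a common real-world shortcut. The check still stops him from approving his own change, but it does let one person act in either duty on different changes, which is why role assignments need to be reviewed alongside the check itself.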
PCI DSS itself states that network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement, but it strongly recommends segmentation as a way to reduce the scope of the cardholder data environment and the risk to it. Along with the suggestions made in the article, I would also like to organize and run a penetration test after every release, so that gaps like these are caught ahead of time rather than for the first time in a production environment.

Lastly, I would like to talk about the different types of compliance I learned about and why compliance is essential and not just a rule that must be followed. For instance, I learned about the workstation domain policies, and one I could relate to was the malicious code protection standard. That standard was not well implemented in the last organization I worked at. The security team did not update, test, and release the latest patch of the antivirus software used by the organization, and this left the organization vulnerable to a zero-day attack. From this past experience, and the reasoning behind it presented in the book and in class, as I move into the cybersecurity industry I would ensure that this standard is implemented.