We enter the domain of Security Management. You will see that many Information Systems Security (InfoSec) domains have several elements and concepts that overlap. While all other security domains are clearly focused, this domain, for example, introduces concepts that we extensively touch upon in both the Operations Security ("Operations Security") and Physical Security ("Physical Security") domains. We will try to point out those occasions where the material is repetitive, but be aware that if we describe a concept in several domains, you need to understand it.
From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate:
"The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary and private information; employment agreements; employee hiring and termination practices; and the risk management practices and tools to identify, rate, and reduce the risk to specific resources."
A professional will be expected to know the following:
■ Basic information about security management concepts
■ The difference between policies, standards, guidelines, and procedures
■ Security awareness concepts
■ Risk management (RM) practices
■ Basic information on classification levels
Our Goals
We will examine the InfoSec domain of Security Management by using the following elements:
■ Concepts of Information Security Management
■ The Information Classification process
■ Security Policy implementation
■ The roles and responsibilities of Security Administration
■ Risk Management Assessment tools (including Valuation Rationale)
■ Security Awareness training
Domain Definition
The InfoSec domain of Security Management incorporates the identification of the information data assets with the development and implementation of policies, standards, guidelines, and procedures. It defines the management practices of data classification and risk management. It also addresses confidentiality, integrity, and availability by identifying threats, classifying the organization's assets, and rating their vulnerabilities so that effective security controls can be implemented.
Management Concepts
Under the heading of Information Security Management concepts, we will discuss the following:
■ The big three: Confidentiality, Integrity, and Availability
■ The concepts of identification, authentication, accountability, authorization, and privacy
■ The objective of security controls (to reduce the impact of threats and the likelihood of their occurrence)
Figure 1.1 The C.I.A. triad (Confidentiality, Integrity, Availability).