CISSP Security-Management Practices
For more information on Security, visit our Security Reference Guide or sign up for our Security Newsletter
Terms you'll need to understand:
-
Confidentiality
-
Integrity
-
Availability
-
Threat
-
Vulnerability
-
Public/private data classification
-
Government data classification
-
Risk
-
SLE
-
Residual risk
-
ALE
Techniques you'll need to master:
-
Risk management
-
Qualitative analysis
-
Quantitative analysis
-
Data-classification criteria
-
Security roles
-
Risk calculations
Introduction
This chapter helps the reader prepare for the security-management domain. Security management addresses the identification of the organization’s information assets. The security-management domain also introduces some critical documents, such as policies, procedures, and guidelines. These documents are of great importance because they spell out how the organization manages its security practices and details what is most important to the organization.
These documents are not developed in a void. Senior management helps point out the general direction, and risk-assessment and risk-analysis activities are used to determine where protective mechanisms should be placed. This chapter also introduces the two ways to calculate risk: qualitatively and quantitatively.
Finally, it’s important to not forget the employees. Employees need to be trained on what good security is and what they can do to ensure that good security is always practiced in the workplace. The goal here, as in other domains, is to ensure confidentiality, integrity, and availability of the organization’s assets and information. This chapter divides security-management practices into five broad categories:
Risk assessment
Policy
Implementation
Training and education
Auditing the security infrastructure
Before we jump into these topics and look at the ways in which informational assets are protected, let’s talk briefly about the risks of poor security management and the role of confidentiality, integrity, and availability.